fix 1 year LDAP expiration error

[runningtom8]

Greetings,

Does anyone know how to fix this one year anniversary LDAP error?
My server has stop working today due to LDAP fail from start up.

The server was installed Oct, 21 2010 last year. Today is Oct, 21 2011
so it stop working.

At the anniversary of the Zimbra installation. The server will stop working due
to LDAP error.


This has been happening to me for the last three years. Every year
I install a new version of Zimbra and lost all of my emails in order to go around this problem.


Doesn't anyone have a solution to this problem?


Thank you much,

Tom



******* Please see the error below ***********************
My server running the following version. I don't think it matter too much.
I got the same problem on version 5.x as well

Release 6.0.8_GA_2661.RHEL4_20100820031234 RHEL4 FOSS edition.



[zimbra@mail config]$ zmcontrol start
Host mail.i-english.net

Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
Starting logger...Failed.
Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed)
zimbra logger service is not enabled! failed.


Starting mailbox...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.

[phoenix]

Just regenerate your self-signed certificates.

[runningtom8]

Bill,

Thank you. You are going to make my family very happy for not lost all
of our email. How to regenerate your self-signed certificates. Is there a document some where.


Thank you,

Tom

[phoenix]

Go to the wiki (link at the top of this page) and search for the word "certificate".

[runningtom8]

I have ran the following command line and got some errors. Any idea?
Any help will be appreciate it. We need to keep to our soccer email distribution
list.

Tom



[root@mail bin]# ./zmcertmgr viewcsr self
subject=/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.i-english.net
SubjectAltName=


I run this command and syntax:
[root@mail bin]# ./zmcertmgr createcsr self -new '/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.i-english.net'


** Generating a server csr for download self -new /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.i-english.net
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111021122658
** Retrieving Commercial CA cert from ldap...failed.
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...failed.

[runningtom8]

Bill,

I can pay you or someone a fee to get this fix for me. From previous year experience
I just want to get to my email and email distribution list working again.

You can access my server via GoToMeeting session.

**** got erros when I generate a new key************

I listed the old certificate information:
./zmcertmgr viewcsr self
subject=/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.i-english.net
SubjectAltName=


I create new certificate:
[root@mail bin]# ./zmcertmgr createcsr self -new '/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.i-english.net'

** Generating a server csr for download self -new /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.i-english.net
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111021122658
** Retrieving Commercial CA cert from ldap...failed.
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...failed.


Let me know

Tom

[phoenix]

Which instructions did your follow, these? If they're not the ones you followed then use the instructions in there to generate the certificates.

[runningtom8]

Bill,

After I followed the instruction to create new certificate.

zmmailboxdctl is not running


Please below for more details.

I appreciate the time you took to response to the questions.

Tom




[root@mail bin]# ./zmcertmgr createca -new
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.

[root@mail bin]# ./zmcertmgr createcrt -new -day 365
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111021154849
** Generating a server csr for download self -new -keysize 1024
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111021154849
** Retrieving Commercial CA cert from ldap...failed.
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...failed.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.

[root@mail bin]# ./zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
** Copying CA to /opt/zimbra/conf/ca...done.

[root@mail bin]# ./zmcertmgr viewdeployedcrt
::service mta::
notBefore=Oct 21 08:19:25 2010 GMT
notAfter=Oct 21 08:19:25 2011 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.i-english.net
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.i-english.net
SubjectAltName=
::service proxy::
notBefore=Oct 21 08:19:25 2010 GMT
notAfter=Oct 21 08:19:25 2011 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.i-english.net
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.i-english.net
SubjectAltName=
::service mailboxd::
notBefore=Oct 21 08:19:25 2010 GMT
notAfter=Oct 21 08:19:25 2011 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.i-english.net
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.i-english.net
SubjectAltName=
::service ldap::
notBefore=Oct 21 08:19:25 2010 GMT
notAfter=Oct 21 08:19:25 2011 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.i-english.net
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.i-english.net
SubjectAltName=
[root@mail bin]#






[zimbra@mail ~]$ zmcontrol status
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
Host mail.i-english.net
antispam Running
antivirus Running
ldap Running
logger Stopped
zmlogswatchctl is not running
mailbox Stopped
zmmailboxdctl is not running.
mta Running
snmp Running
spell Running
stats Running

[runningtom8]

Bill and anyone who want to help out.

Do you know of anyone who might want to help me out for a fee?

Please let me know soon (today). I realy need the information
from some of my mailing list.

Zimbra start to be a pain to use for the last three year. Every year I ran to the
same problem and there are very little assitance out there.

Tom

[ssatam]

Try the following steps,

(1) mv /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra_old
(2) /opt/zimbra/bin/zmcertmgr createca -new
(3) /opt/zimbra/bin/zmcertmgr deployca
(4) /opt/zimbra/bin/zmcertmgr createcrt -new
(5) /opt/zimbra/bin/zmcertmgr deploycrt self