12-05-2011, 08:54 PM
Updating certificate
I appear to have messed up my LDAP installation. My certificate expired recently and although I have followed the instructions here, I can't get the system to respond. Here's the output with the failure points in bold. I have been battling this for hours so any help would be much appreciated. Code:
root@mail:~# zmcertmgr createca -new
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
root@mail:~# zmcertmgr createcrt -new -days 1096
Validation days: 1096
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111125234313
** Generating a server csr for download self -new -keysize 1024
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111125234313
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...failed.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
root@mail:~# zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
root@mail:~# zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
** Copying CA to /opt/zimbra/conf/ca...done.
root@mail:~# zmcertmgr viewdeployedcrt
::service mta::
notBefore=Nov 26 04:43:17 2011 GMT
notAfter=Nov 26 04:43:17 2014 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
SubjectAltName=
::service proxy::
notBefore=Nov 26 04:43:17 2011 GMT
notAfter=Nov 26 04:43:17 2014 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
SubjectAltName=
::service mailboxd::
notBefore=Nov 26 04:43:17 2011 GMT
notAfter=Nov 26 04:43:17 2014 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
SubjectAltName=
::service ldap::
notBefore=Nov 26 04:43:17 2011 GMT
notAfter=Nov 26 04:43:17 2014 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
SubjectAltName=
root@mail:~# keytool -import -alias root -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/conf/ca/ca.pem
Certificate already exists in keystore under alias <my_ca>
Do you still want to add it? [no]: yes
Certificate was added to keystore
root@mail:~# su - zimbra
zimbra@mail:~$ zmcontrol stop
start
Host mail.example.com
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping archiving...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping imapproxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping logger...Done.
Stopping ldap...Done.
zimbra@mail:~$ zmcontrol start
Host mail.example.com
Starting ldap...Done.
Unable to determine enabled services from ldap.
Unable to determine enabled services. Cache is out of date or doesn't exist.
zimbra@mail:~$
12-06-2011, 07:06 AM
Still failing
I tried what you suggested... the output is below, again with the failing lines in bold. I think the root of the problem is the error "LDAP: error code 49 - Invalid Credentials"; I assume that failure to authenticate against LDAP is the cause of everything else. Pretty much anything to do with setting or retrieving certificates in LDAP is failing.
One thing I found in the posts I was wandering through is the question "Did you change the host name?". The answer is yes, I did, but if there's a configuration file I need to update somewhere I don't know where it is. The DNS is set correctly; there's only a single interface and the entry for the new host name is in DNS and resolves properly. Code: # sh /tmp/doit
Host mail.example.com
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping archiving...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping imapproxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping logger...Done.
Stopping ldap...Done.
** Creating directory /opt/zimbra/ssl/zimbra
** Creating directory /opt/zimbra/ssl/zimbra/ca
** Creating directory /opt/zimbra/ssl/zimbra/server
** Creating directory /opt/zimbra/ssl/zimbra/commercial
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Copying CA to /opt/zimbra/conf/ca...done.
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111126094850
** Retrieving server config key zimbraSSLCertificate...failed.
** Retrieving server config key zimbraSSLPrivateKey...failed.
** Generating a server csr for download self -keysize 1024
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111126094856
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...failed.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
Host mail.example.com
Starting ldap...Done.
Unable to determine enabled services from ldap.
Unable to determine enabled services. Cache is out of date or doesn't exist.
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
** Copying CA to /opt/zimbra/conf/ca...done.
ERROR: service.FAILURE (system failure: unable to list all servers) (cause: javax.naming.AuthenticationException [LDAP: error code 49 - Invalid Credentials])
Updating /opt/zimbra/.ssh/authorized_keys
::service mta::
notBefore=Nov 26 14:48:59 2011 GMT
notAfter=Nov 26 14:48:59 2021 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
SubjectAltName=
::service proxy::
notBefore=Nov 26 14:48:59 2011 GMT
notAfter=Nov 26 14:48:59 2021 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
SubjectAltName=
::service mailboxd::
notBefore=Nov 26 14:48:59 2011 GMT
notAfter=Nov 26 14:48:59 2021 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
SubjectAltName=
::service ldap::
notBefore=Nov 26 14:48:59 2011 GMT
notAfter=Nov 26 14:48:59 2021 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
SubjectAltName=
12-06-2011, 08:26 AM
Zimbra Consultant & Moderator
Posts: 20,315
Quote:
Originally Posted by kdean
One thing I found in the posts I was wandering through is the question "Did you change the host name?". The answer is yes, I did, but if there's a configuration file I need to update somewhere I don't know where it is. The DNS is set correctly; there's only a single interface and the entry for the new host name is in DNS and resolves properly.

Just for confirmation, go to the Split DNS wiki article and run all the commands in the 'Verify...' section and post the output here.
__________________
Regards
Bill
12-06-2011, 09:30 AM
Split DNS verification
Except for a search-and-replace on my domain, here's the output: Code:
root@mail:/opt/zimbra/bin# dig example.com mx
; <<>> DiG 9.4.2-P2.1 <<>> example.com mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32729
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;example.com. IN MX
;; AUTHORITY SECTION:
example.com. 2592000 IN SOA mail.example.com. hostmaster.mail.example.com. 10118 43200 3600 3600000 2592000
;; Query time: 1 msec
;; SERVER: 192.168.150.193#53(192.168.150.193)
;; WHEN: Tue Dec 6 12:20:31 2011
;; MSG SIZE rcvd: 84
root@mail:/opt/zimbra/bin# dig example.com any
; <<>> DiG 9.4.2-P2.1 <<>> example.com any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26960
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;example.com. IN ANY
;; ANSWER SECTION:
example.com. 2592000 IN SOA mail.example.com. hostmaster.mail.example.com. 10118 43200 3600 3600000 2592000
example.com. 2592000 IN NS mail.example.com.
;; ADDITIONAL SECTION:
mail.example.com. 2592000 IN A 192.168.150.193
;; Query time: 1 msec
;; SERVER: 192.168.150.193#53(192.168.150.193)
;; WHEN: Tue Dec 6 12:20:46 2011
;; MSG SIZE rcvd: 114
root@mail:/opt/zimbra/bin# host $(hostname)
mail.example.com has address 192.168.150.193
mail.example.com mail is handled by 10 mail.example.com.
root@mail:/opt/zimbra/bin# cat /etc/resolv.conf
search example.com
nameserver 127.0.0.1
root@mail:/opt/zimbra/bin# cat /etc/hosts
127.0.0.1 localhost.localdoamin localhost
192.168.150.193 mail.example.com Zimbra mail
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
12-06-2011, 09:43 AM
Zimbra Consultant & Moderator
Posts: 20,315
According to that output you have no MX record for your server and your hosts file should have the line with the LAN IP formatted like this: Code:
192.168.150.193 mail.example.com mail
__________________
Regards
Bill
12-06-2011, 10:13 AM
I fixed the hosts file by removing the spurious entry. However, there is no need for me to have an MX record for my mail server because there is never any mail that will be sent to that domain.
12-06-2011, 12:09 PM
Here's the Split DNS verification output, with a new resolv.conf pointing to Google's public DNS so that I can resolve everything properly. The problem authenticating against LDAP still exists.
It seems to me that the authentication problem is likely the root of all the other issues I'm having. Can someone tell me how to diagnose the authentication problem? I have downloaded and installed Softerra LDAP Administrator but logging in as anonymous doesn't show me anything useful. Code: root@mail:~# dig example.com mx
; <<>> DiG 9.4.2-P2.1 <<>> example.com mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53424
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;example.com. IN MX
;; AUTHORITY SECTION:
example.com. 2592000 IN SOA mail.example.com. hostmaster.mail.example.com. 10118 43200 3600 3600000 2592000
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 6 14:56:23 2011
;; MSG SIZE rcvd: 84
root@mail:~# dig example.com any
; <<>> DiG 9.4.2-P2.1 <<>> example.com any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60594
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;example.com. IN ANY
;; ANSWER SECTION:
example.com. 2592000 IN SOA mail.example.com. hostmaster.mail.example.com. 10118 43200 3600 3600000 2592000
example.com. 2592000 IN NS mail.example.com.
;; ADDITIONAL SECTION:
mail.example.com. 2592000 IN A 192.168.150.193
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 6 14:56:25 2011
;; MSG SIZE rcvd: 114
root@mail:~# host $(hostname)
mail.example.com has address 192.168.150.193
mail.example.com mail is handled by 10 mail.example.com.
root@mail:~# cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver 8.8.8.8
root@mail:~# cat /etc/hosts
127.0.0.1 localhost.localdoamin localhost
192.168.150.193 mail.example.com mail
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
12-06-2011, 12:15 PM
I went through localconfig.xml and found the following entries (password masked): Code:
...
<key name="zimbra_ldap_userdn">
<value>uid=zimbra,cn=admins,cn=zimbra</value>
</key>
...
<key name="zimbra_ldap_password">
<value>XXXXXXXX</value>
</key>
...
When I use that user DN and password in Softerra, I get "The supplied credential is invalid". Am I looking at the right entries? If so, why is the password not working? Is there a way to reset the various Zimbra user DNs and passwords?
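A check for the hostname-change suspicion raised earlier in the thread, written as an added example (not code from the thread or from Zimbra): it parses a constructed localconfig.xml, lists the keys whose value still names a host other than the current one, and masks secret values before display. The key names are real localconfig keys; the sample values, the set of keys checked and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of /opt/zimbra/conf/localconfig.xml.
# The key names are real Zimbra localconfig keys; every value is made up.
SAMPLE_LOCALCONFIG = """<localconfig>
  <key name="zimbra_server_hostname"><value>oldhost.example.com</value></key>
  <key name="ldap_host"><value>oldhost.example.com</value></key>
  <key name="ldap_url"><value>ldap://oldhost.example.com:389</value></key>
  <key name="ldap_master_url"><value>ldap://mail.example.com:389</value></key>
  <key name="zimbra_ldap_userdn"><value>uid=zimbra,cn=admins,cn=zimbra</value></key>
  <key name="zimbra_ldap_password"><value>XXXXXXXX</value></key>
</localconfig>"""

# Keys whose values are expected to name this server (assumption: the set
# worth re-checking after a hostname change).
HOST_KEYS = ("zimbra_server_hostname", "ldap_host", "ldap_url", "ldap_master_url")

# Pulls the host part out of a bare FQDN or an ldap:// / ldaps:// URL.
HOST_RE = re.compile(r"^(?:ldaps?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?::\d+)?/?$")


def parse_localconfig(xml_text):
    """Return {key name: value} for every <key> element in a localconfig document."""
    root = ET.fromstring(xml_text)
    return {k.get("name"): (k.findtext("value") or "") for k in root.iter("key")}


def stale_host_keys(config, current_fqdn):
    """Return {key: host found} for HOST_KEYS whose value names a different host."""
    stale = {}
    for key in HOST_KEYS:
        m = HOST_RE.match(config.get(key, ""))
        if m and m.group(1).lower() != current_fqdn.lower():
            stale[key] = m.group(1)
    return stale


def redacted(config):
    """Copy of the config with password- or secret-looking values masked for display."""
    return {k: ("<masked>" if "password" in k or "secret" in k else v)
            for k, v in config.items()}


if __name__ == "__main__":
    cfg = parse_localconfig(SAMPLE_LOCALCONFIG)
    for k, v in redacted(cfg).items():
        print(f"{k} = {v}")
    for key, host in stale_host_keys(cfg, "mail.example.com").items():
        print(f"STALE: {key} still points at {host}")
```

On a real server, read /opt/zimbra/conf/localconfig.xml instead of the sample and pass the output of hostname -f as the current name.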
12-07-2011, 05:42 AM
Using the Softerra LDAP client, I connect to the LDAP server with anonymous credentials. When I do so, I see the attached. In particular, as you can see in the bottom left of the image, there are no subnodes of the root. Furthermore, neither of the two objects have child nodes.
As far as I can tell from the slapd.conf file, anonymous read-only access is enabled, so I should be able to see all of my mailbox users, should I not?
At some point during my wild gyrations to get everything fixed before posting here, I think I ran zmldapinit. Would that have wiped out my users?
This is a development environment only, so it's not a big deal if so, but how can I get my system back to the point where I can actually use it?