  #1 (permalink)  
Old 12-12-2011, 08:10 AM
Junior Member
 
Posts: 6
Renewing certificate failed zimbra 6

Hi
I've installed Zimbra on RHEL5 and it was working fine for about a year when it failed to start.
I'm running Zimbra behind an ADSL router with port forwarding enabled on that.
When I try to start the service it gives the following message.

[zimbra@mail ~]$ zmcontrol start
Host mail.mail-server.com
Unable to determine enabled services from ldap.
Unable to determine enabled services. Cache is out of date or doesn't exist.
[zimbra@mail ~]$

Some of the threads on the web which discussed similar matters said this is caused by wrong configuration of split DNS, but since it worked really well for a year that seems doubtful here.

When I checked my certificate expiration using "/opt/zimbra/bin/zmcertmgr viewdeployedcrt" it showed that they are expired.


I'm using ZCS v6.0.8

[zimbra@mail ~]$ zmcontrol -v

Release 6.0.8_GA_2661.RHEL5_20100820051652 RHEL5 FOSS edition.
[zimbra@mail ~]$

I used the following link to recreate the Zimbra certificates:
Administration Console and CLI Certificate Tools - Zimbra :: Wiki

But when I run the 2nd step of "Single-Node Self-Signed Certificate" the command failed with the following output!

[root@mail zimbra]# /opt/zimbra/bin/zmcertmgr createcrt -new -days 365
Validation days: 365
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111212212528
** Generating a server csr for download self -new -keysize 1024
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111212212528
** Retrieving Commercial CA cert from ldap...failed.
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...failed.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
[root@mail zimbra]#



It tries to retrieve a commercial certificate, but I installed the free version,
and saving server config key zimbraSSLPrivateKey... failed??


Any help regarding the above matter would be highly appreciated.

Thanks in advance!

Last edited by phoenix; 12-12-2011 at 08:34 AM..
Reply With Quote
  #2 (permalink)  
Old 12-14-2011, 01:34 AM
Intermediate Member
 
Posts: 22

I am having exactly the same problem.

Version : Release 6.0.8_GA_2661.RHEL5_64_20100820052503 CentOS5_64 FOSS edition.

[root@archive ~]# mv /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra_old
[root@archive ~]# /opt/zimbra/bin/zmcertmgr createca -new
** Creating directory /opt/zimbra/ssl/zimbra
** Creating directory /opt/zimbra/ssl/zimbra/ca
** Creating directory /opt/zimbra/ssl/zimbra/server
** Creating directory /opt/zimbra/ssl/zimbra/commercial
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
[root@archive ~]# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
** Copying CA to /opt/zimbra/conf/ca...done.
[root@archive ~]# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
** Copying CA to /opt/zimbra/conf/ca...done.
[root@archive ~]# /opt/zimbra/bin/zmcertmgr createcrt -new
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111214161813
** Generating a server csr for download self -new -keysize 1024
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111214161813
** Retrieving Commercial CA cert from ldap...failed.
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...failed.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
[root@archive ~]# /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.

** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.


The following resources have proven to be useless thus far:-

Administration Console and CLI Certificate Tools - Zimbra :: Wiki
fix 1 year LDAP expiration error
ZCS 6 New self SSL
[SOLVED] New Cert install - LDAP "Unable to determine enabled services from ldap
Mta fail and others bugs after trying to regenerate another certificate
LDAP - Zimbra :: Wiki

Can anyone shed light on this problem?
Reply With Quote
  #3 (permalink)  
Old 12-14-2011, 02:07 AM
Senior Member
 
Posts: 70

Hi,

I've recently had loads of certificate related queries and have learnt quite a substantial amount thanks to awesome NE support. Have you looked at the following link:

[SOLVED] SOLVED: Zimbra 6.0.1 stop working if SSL certificate is expired

Also, please post the output of:

/opt/zimbra/bin/zmcertmgr viewdeployedcrt

Thanks.
__________________
GWilliams
www.rsaweb.co.za
Reply With Quote
  #4 (permalink)  
Old 12-18-2011, 07:44 AM
Junior Member
 
Posts: 6

Hi GWilliams,

Thank you very much for the prompt reply.
I've tried what you have said but still with no luck.

The problem occurs when I regenerate the certificates.
As I mentioned in my initial message, step 1 of regenerating the certificate runs well,
but on step two (/opt/zimbra/bin/zmcertmgr createcrt -new -days 365)
it tries to retrieve a Commercial CA cert from LDAP and FAILS the process. (The output is displayed in my first message.)

When I go through the whole process of regenerating certificates (regardless of the errors), the output of
/opt/zimbra/bin/zmcertmgr viewdeployedcrt
looks like this:

[root@mail log]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
::service mta::
notBefore=Dec 18 15:13:41 2011 GMT
notAfter=Dec 17 15:13:41 2012 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
SubjectAltName=
::service proxy::
notBefore=Dec 18 15:13:41 2011 GMT
notAfter=Dec 17 15:13:41 2012 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
SubjectAltName=
::service mailboxd::
notBefore=Dec 18 15:13:41 2011 GMT
notAfter=Dec 17 15:13:41 2012 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
SubjectAltName=
::service ldap::
notBefore=Dec 18 15:13:41 2011 GMT
notAfter=Dec 17 15:13:41 2012 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
SubjectAltName=
[root@mail log]#


And when I tried to stop and start Zimbra:


[zimbra@mail ~]$ zmcontrol stop
Host mail.mail-server.com
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping archiving...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping imapproxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping logger...Done.
Stopping ldap...Done.
[zimbra@mail ~]$ zmcontrol start
Host mail.mail-server.com
Starting ldap...Done.
Unable to determine enabled services from ldap.
Unable to determine enabled services. Cache is out of date or doesn't exist.
[zimbra@mail ~]$

Can anybody help?
Thanks in advance!
Reply With Quote
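
The first post found the expiry only after the services stopped starting. As an added example (not part of the thread and not Zimbra code), this parses text in the `viewdeployedcrt` layout shown above and classifies each service certificate by its notAfter date. The sample input is constructed, and the names `parse_deployed`, `expiry_report` and `warn_days` are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample in the layout of the viewdeployedcrt output posted above.
# The ldap dates are made up to show an already expired certificate.
SAMPLE = """\
::service mta::
notBefore=Dec 18 15:13:41 2011 GMT
notAfter=Dec 17 15:13:41 2012 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/CN=mail.mail-server.com
SubjectAltName=
::service ldap::
notBefore=Dec 12 08:00:00 2010 GMT
notAfter=Dec 12 08:00:00 2011 GMT
SubjectAltName=
"""

FMT = "%b %d %H:%M:%S %Y GMT"  # date layout used in the output above


def parse_deployed(text):
    """Return {service: {'notBefore': dt, 'notAfter': dt}} from the report text."""
    certs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("::service ") and line.endswith("::"):
            current = line[len("::service "):-2].strip()
            certs[current] = {}
        elif current and line.startswith(("notBefore=", "notAfter=")):
            key, value = line.split("=", 1)
            value = " ".join(value.split())  # single-digit days are space padded
            certs[current][key] = datetime.strptime(value, FMT).replace(
                tzinfo=timezone.utc)
    return certs


def expiry_report(text, now, warn_days=30):
    """Map each service to (status, whole days left) as seen at time `now`."""
    report = {}
    for service, dates in parse_deployed(text).items():
        if "notAfter" not in dates:
            report[service] = ("unknown", None)
            continue
        days_left = (dates["notAfter"] - now).days
        if dates["notAfter"] <= now:
            status = "expired"
        else:
            status = "expiring" if days_left < warn_days else "ok"
        report[service] = (status, days_left)
    return report
```

Run on a schedule against the real command output, a report like this gives warning before a self-signed certificate reaches its notAfter date.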
  #5 (permalink)  
Old 12-18-2011, 11:50 PM
Senior Member
 
Posts: 70

Hi buddhikeg,

Have you moved your cert folder to an alternate location and tried again?

As root:
mkdir -p /root/backup/ssl/zimbra
mv /opt/zimbra/ssl/zimbra /root/backup/ssl/zimbra
cd /opt/zimbra/bin/
./zmcertmgr createca -new
./zmcertmgr createcrt -new -days 365
./zmcertmgr deploycrt self
./zmcertmgr deployca
./zmcertmgr viewdeployedcrt

I really hope this works for you.

Regards.
__________________
GWilliams
www.rsaweb.co.za
Reply With Quote
  #6 (permalink)  
Old 12-19-2011, 12:21 AM
Junior Member
 
Posts: 6

Hi GWilliams,

Thank you for the quick reply again.

I did that too but the problem still exists!
I think the problem is it tries to create a commercial CA! The output of what you've said is like this.

First I moved the cert folder using the following commands:


mkdir -p /root/backup/ssl/zimbra
mv /opt/zimbra/ssl/zimbra /root/backup/ssl/zimbra

Then when I ran the first step the output was like this:

[root@mail zimbra]# cd /opt/zimbra/bin/
[root@mail bin]# ./zmcertmgr createca -new
** Creating directory /opt/zimbra/ssl/zimbra
** Creating directory /opt/zimbra/ssl/zimbra/ca
** Creating directory /opt/zimbra/ssl/zimbra/server
** Creating directory /opt/zimbra/ssl/zimbra/commercial
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.

From the above output you can see it creates a folder for COMMERCIAL CA too!
But like I said before, my Zimbra version is

[zimbra@mail ~]$ zmcontrol -v


Release 6.0.8_GA_2661.RHEL5_20100820051652 RHEL5 FOSS edition.

[zimbra@mail ~]$


Also, when I ran the other steps the output was like this:

[root@mail bin]# ./zmcertmgr createcrt -new -days 365
Validation days: 365
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111219132931
** Generating a server csr for download self -new -keysize 1024
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111219132931
** Retrieving Commercial CA cert from ldap...failed.
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...failed.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.

[root@mail bin]# ./zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.

[root@mail bin]# ./zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.

** Copying CA to /opt/zimbra/conf/ca...done.

[root@mail bin]# ./zmcertmgr viewdeployedcrt
::service mta::
notBefore=Dec 19 07:59:38 2011 GMT
notAfter=Dec 18 07:59:38 2012 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
SubjectAltName=
::service proxy::
notBefore=Dec 19 07:59:38 2011 GMT
notAfter=Dec 18 07:59:38 2012 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
SubjectAltName=
::service mailboxd::
notBefore=Dec 19 07:59:38 2011 GMT
notAfter=Dec 18 07:59:38 2012 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
SubjectAltName=
::service ldap::
notBefore=Dec 19 07:59:38 2011 GMT
notAfter=Dec 18 07:59:38 2012 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
SubjectAltName=
[root@mail bin]#

And when I try to stop and start Zimbra at the end, it's like this:

[root@mail bin]# su - zimbra
[zimbra@mail ~]$ zmcontrol stop
Host mail.mail-server.com
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping archiving...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping imapproxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping logger...Done.
Stopping ldap...Done.
[zimbra@mail ~]$ zmcontrol start
Host mail.mail-server.com
Starting ldap...Done.
Unable to determine enabled services from ldap.
Unable to determine enabled services. Cache is out of date or doesn't exist.
[zimbra@mail ~]$

Thank you again for any help !!!
Reply With Quote
  #7 (permalink)  
Old 12-19-2011, 01:15 AM
Intermediate Member
 
Posts: 22

Even tried this:-
Split DNS - Zimbra :: Wiki

But still get this:-
[root@archive etc]# /opt/zimbra/bin/zmcertmgr createca
** Retrieving Commercial CA cert from ldap...failed.

[root@archive etc]# /opt/zimbra/bin/zmcertmgr createcrt -new -days 365
Validation days: 365
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111219165540
** Generating a server csr for download self -new -keysize 1024
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111219165540
** Retrieving Commercial CA cert from ldap...failed.
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...failed.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.

Any help??
Reply With Quote
  #8 (permalink)  
Old 12-19-2011, 01:28 AM
Senior Member
 
Posts: 70

Hi guys,

Just wondering... I've also read somewhere before (can't remember where) that you should move the .rnd file as well... Sorry that I didn't post that previously.

mv /opt/zimbra/ssl/.rnd /root/backup/ssl/

Once that is done, please try the re-creation again.

Thanks,
__________________
GWilliams
www.rsaweb.co.za
Reply With Quote
  #9 (permalink)  
Old 12-19-2011, 01:45 AM
Junior Member
 
Posts: 6

Hi GWilliams,

Thank you for the quick reply again,

I did the whole process again with the .rnd file backup, but the result is the same.

What I am still wondering is why it tries to retrieve a Commercial CA cert from ldap, and why saving server config key zimbraSSLcert/privatekey fails?


Thank you so much for any help!
Reply With Quote
  #10 (permalink)  
Old 12-19-2011, 02:15 AM
Senior Member
 
Posts: 74

I am also facing the same issue and any help is highly appreciated and expected.
Reply With Quote