
Thread: SSL certificate renewal & recover from file system crash

  1. #1 j2b (Special Member, Latvia)

    [solved] SSL certificate renewal on stopped server & recover from file system crash

    Dear all,
    I have been searching the forums and could not find any relevant solution to my issue. Tonight I suffered a file system crash in a multi-server installation of our ZCS servers (v6.0.10 OSS, in this case on 32-bit Ubuntu 8.04). After FS recovery, I tried to start the mailbox server, which didn't succeed. On investigation, I noticed that the LDAP server was not started, and turned to that task - starting LDAP, which was not successful either.

    Code:
    $ zmcontrol start
    Host ldap.example.com
        Starting ldap...Done.
    Failed.
    /opt/zimbra/bin/ldap: line 56: kill: (6303) - No such process
    /opt/zimbra/openldap/sbin/slapd: /opt/zimbra/cyrus-sasl-2.1.23.3z/lib/libsasl2.so.2: no version information available (required by /usr/lib/libldap_r-2.4.so.2)
    /opt/zimbra/bin/ldap: line 56: kill: (6303) - No such process
    /opt/zimbra/openldap/sbin/slapd: /opt/zimbra/cyrus-sasl-2.1.23.3z/lib/libsasl2.so.2: no version information available (required by /usr/lib/libldap_r-2.4.so.2)
    /opt/zimbra/bin/ldap: line 56: kill: (6303) - No such process
    /opt/zimbra/openldap/sbin/slapd: /opt/zimbra/cyrus-sasl-2.1.23.3z/lib/libsasl2.so.2: no version information available (required by /usr/lib/libldap_r-2.4.so.2)
    /opt/zimbra/bin/ldap: line 56: kill: (6303) - No such process
    /opt/zimbra/openldap/sbin/slapd: /opt/zimbra/cyrus-sasl-2.1.23.3z/lib/libsasl2.so.2: no version information available (required by /usr/lib/libldap_r-2.4.so.2)
    /opt/zimbra/bin/ldap: line 56: kill: (6303) - No such process
    /opt/zimbra/openldap/sbin/slapd: /opt/zimbra/cyrus-sasl-2.1.23.3z/lib/libsasl2.so.2: no version information available (required by /usr/lib/libldap_r-2.4.so.2)
    /opt/zimbra/bin/ldap: line 56: kill: (6303) - No such process
    /opt/zimbra/openldap/sbin/slapd: /opt/zimbra/cyrus-sasl-2.1.23.3z/lib/libsasl2.so.2: no version information available (required by /usr/lib/libldap_r-2.4.so.2)
    /opt/zimbra/bin/ldap: line 56: kill: (6303) - No such process
    /opt/zimbra/openldap/sbin/slapd: /opt/zimbra/cyrus-sasl-2.1.23.3z/lib/libsasl2.so.2: no version information available (required by /usr/lib/libldap_r-2.4.so.2)
    Failed to start slapd.  Attempting debug start to determine error.
    config error processing cn=config: <olcTLSCRLCheck> handler exited with -1

    /var/log/zimbra.log displays similar information, but with slightly more detail:

    Code:
    Jan 16 16:24:07 ldap-1 slapd[15235]: @(#) $OpenLDAP: slapd 2.4.23 (Jun 30 2010 12:22:04) $ ^Iroot@build25.lab.zimbra.com:/home/build/p4/GNR/ThirdParty/openldap/openldap-2.4.23.2z/servers/slapd 
    Jan 16 16:24:08 ldap-1 slapd[15235]: config error processing cn=config: <olcTLSCRLCheck> handler exited with -1 
    Jan 16 16:24:08 ldap-1 slapd[15235]: slapd stopped. 
    Jan 16 16:24:08 ldap-1 slapd[15235]: connections_destroy: nothing to destroy.

    Investigating further, I came to the conclusion that it may be due to invalid self-signed SSL certificates, which are deployed inside our system (e.g. the front side runs on Apache with its own commercial SSL certificate). And since these servers were planned to be decommissioned, nobody paid attention to these certs, and there is no sufficient backup available. (I know, shame on me.) But we still have to get these servers back to access the mail archive.

    I suspect that this issue is connected with the fact that the LDAP server cannot verify the CA, which may be due to old certs. But the regular recreation of new self-signed certs requires a running LDAP server for them to be deployed correctly. This showed up as deploycrt and deployca not running without an error:

    ...deploycrt self error:

    Code:
    ** Saving server config key zimbraSSLCertificate...failed.
    ** Saving server config key zimbraSSLPrivateKey...failed.

    ...deployca error:

    Code:
    ** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
    ** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.

    Still, ...viewdeployedcrt mostly looks OK, despite the errors on the failed export, as the mailbox is running on the other server:

    Code:
    ::service mta::
    notBefore=Jan 16 13:47:18 2012 GMT
    notAfter=Jan 15 13:47:18 2013 GMT
    subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=ldap.example.com
    issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=ldap.example.com
    SubjectAltName= 
    ::service proxy::
    notBefore=Jan 16 13:47:18 2012 GMT
    notAfter=Jan 15 13:47:18 2013 GMT
    subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=ldap.example.com
    issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=ldap.example.com
    SubjectAltName= 
    ::service mailboxd::
    XXXXX ERROR: failed to export /opt/zimbra/mailboxd/etc/mailboxd.pem from keystore.
    
    keytool error: java.lang.RuntimeException: Usage error, /opt/zimbra/conf/keystore is not a legal command
    
    XXXXX ERROR: /opt/zimbra/mailboxd/etc/mailboxd.pem does not exist
    ::service ldap::
    notBefore=Jan 16 13:47:18 2012 GMT
    notAfter=Jan 15 13:47:18 2013 GMT
    subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=ldap.example.com
    issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=ldap.example.com
    SubjectAltName=

    ...the keytool command does not run through either, giving an error that neither the root alias nor the zimbra alias is correct.

    Has anybody had an issue where new certificates had to be installed on a non-running ZCS instance? Is it at all possible?

    If not, the only data I have is the files in the /opt/zimbra... folders. Can such a situation lead to server recovery at all?
    Last edited by j2b; 01-16-2012 at 12:26 PM.
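The per-service summary that viewdeployedcrt prints above (the ::service name:: blocks with notBefore, notAfter, subject and issuer lines) is easy to check mechanically, which is useful when LDAP is down and the usual zmcertmgr checks cannot save anything. The script below is an added example and is not part of the original post or of Zimbra's own tooling: it parses that output format, collects any XXXXX ERROR / keytool lines per service, and reports for each deployed certificate whether it is currently valid, expiring within a warning window, expired, or unreadable, plus whether the issuer CN matches the subject CN. The input text is constructed to mirror the format shown in the post (the ldap service's issuer is changed to a made-up CA so the self-issued check has a negative case); the function names and the 30-day warning threshold are my own choices.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample in the format `zmcertmgr viewdeployedcrt` prints in the post.
# The ldap issuer is deliberately a made-up CA so self_issued() has a negative case.
SAMPLE = """\
::service mta::
notBefore=Jan 16 13:47:18 2012 GMT
notAfter=Jan 15 13:47:18 2013 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=ldap.example.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=ldap.example.com
SubjectAltName=
::service mailboxd::
XXXXX ERROR: failed to export /opt/zimbra/mailboxd/etc/mailboxd.pem from keystore.

keytool error: java.lang.RuntimeException: Usage error, /opt/zimbra/conf/keystore is not a legal command

XXXXX ERROR: /opt/zimbra/mailboxd/etc/mailboxd.pem does not exist
::service ldap::
notBefore=Jan 16 13:47:18 2012 GMT
notAfter=Jan 15 13:47:18 2013 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=ldap.example.com
issuer= /C=US/ST=N/A/O=Example Corp/CN=Example Internal CA
SubjectAltName=
"""

SERVICE_RE = re.compile(r"^::service (\S+)::$")
FIELD_RE = re.compile(r"^(notBefore|notAfter|subject|issuer|SubjectAltName)=\s*(.*)$")
DATE_FMT = "%b %d %H:%M:%S %Y %Z"  # openssl's default rendering, e.g. "Jan 16 13:47:18 2012 GMT"


@dataclass
class ServiceCert:
    service: str
    not_before: Optional[datetime] = None
    not_after: Optional[datetime] = None
    subject: str = ""
    issuer: str = ""
    san: str = ""
    errors: List[str] = field(default_factory=list)


def utc(year: int, month: int, day: int) -> datetime:
    """Helper for building a UTC 'now' when checking against a fixed date."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_openssl_date(value: str) -> datetime:
    # strptime accepts the "GMT" token but attaches no tzinfo, so set UTC explicitly.
    return datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)


def common_name(dn: str) -> str:
    # DN components are '/'-separated and values such as ST=N/A themselves contain
    # slashes, so only the trailing CN= component is extracted.
    m = re.search(r"CN=([^/]*)$", dn.strip())
    return m.group(1) if m else ""


def parse_viewdeployedcrt(text: str) -> Dict[str, ServiceCert]:
    certs: Dict[str, ServiceCert] = {}
    current: Optional[ServiceCert] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            current = ServiceCert(service=m.group(1))
            certs[current.service] = current
            continue
        if current is None:
            continue  # text before the first service header
        if "ERROR" in line or line.lower().startswith("keytool error"):
            current.errors.append(line)
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "notBefore":
            current.not_before = parse_openssl_date(value)
        elif key == "notAfter":
            current.not_after = parse_openssl_date(value)
        elif key == "subject":
            current.subject = value
        elif key == "issuer":
            current.issuer = value
        else:
            current.san = value
    return certs


def self_issued(cert: ServiceCert) -> bool:
    return bool(cert.subject) and common_name(cert.subject) == common_name(cert.issuer)


def days_remaining(cert: ServiceCert, now: datetime) -> Optional[int]:
    return None if cert.not_after is None else (cert.not_after - now).days


def assess(cert: ServiceCert, now: datetime, warn_days: int = 30) -> str:
    if cert.errors or cert.not_before is None or cert.not_after is None:
        return "error"
    if now < cert.not_before:
        return "not-yet-valid"
    if now > cert.not_after:
        return "expired"
    if cert.not_after - now <= timedelta(days=warn_days):
        return "expiring-soon"
    return "ok"


def report(text: str, now: datetime) -> Dict[str, str]:
    """Map each service name to its assessed status."""
    return {name: assess(cert, now) for name, cert in parse_viewdeployedcrt(text).items()}


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, cert in parse_viewdeployedcrt(SAMPLE).items():
        print(f"{name:10s} {assess(cert, now):14s} days_left={days_remaining(cert, now)} "
              f"cn={common_name(cert.subject) or '-'} issuer_cn={common_name(cert.issuer) or '-'} "
              f"self_issued={self_issued(cert)} errors={len(cert.errors)}")
```

Run it against saved viewdeployedcrt output (for example `python check_certs.py < deployed.txt` after swapping SAMPLE for sys.stdin.read()) and a service whose block carries ERROR lines, as mailboxd does in the post, is reported as "error" rather than silently treated as valid; the date check is done with explicit UTC datetimes because the openssl output is always GMT.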

  2. #2 j2b (Special Member, Latvia)

    Please do not bother, as I've solved this issue quite magically. I just ran ./install.sh -s over the data (i.e. without configuration and setup), and everything started to work without any loss of data.

    To be honest, I did change the certs (self-signed), and although their deployment didn't go without errors, it turned out to be correct in the Zimbra Admin UI screen. In addition, I had to run e2fsck on the device. Please be aware, if somebody tries to do the same, that this is not a guaranteed method, and that running e2fsck requires unmounting the device and switching the system to single-user mode (init 1).

    A reboot is needed.
