
Thread: Issue with SSL Certification renewals, production environment down

  1. #1
    jwh99 is offline Member
    Join Date
    Jun 2011
    Posts
    12
    Rep Power
    4

    SOLVED: Issue with SSL Certification renewals, production environment down

    My issues started last week when my ldap SSL certifications expired. I have attempted to renew them and I get the error below.

    Saving server config key zimbraSSLCertificate...failed.
    ** Saving server config key zimbraSSLPrivateKey...failed.

    I have been all through the forums and none of the solutions seem to have worked. I have edited the zmcertmgr file and made the following changes

    #Default subject with the RDN values
    SUBJECT="/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=bestpricehomes"
    validation_days=3650

    and I still get the error

    [root@mailbag zimbra]# /opt/zimbra/bin/zmcertmgr createcrt self -new
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20130428152241
    ** Retrieving server config key zimbraSSLCertificate...failed.
    ** Retrieving server config key zimbraSSLPrivateKey...failed.
    ** Generating a server csr for download self -keysize 1024
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20130428152248
    ** Retrieving Commercial CA cert from ldap...failed.
    ** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done

    I have been all over the forums and I am getting blocked at every turn. I really think the issue might be the same for each problem, but I have been down for a week and am out of ideas. I have included as much data as I could; does anyone have an idea?


    My load
    (7.1.4_GA_2555_CentOS5_64)

    I turned off the firewall.

    [root@mailbag conf]# lsmod | grep ip_tables
    [root@mailbag conf]#


    I then tried to back up the /opt/zimbra directory and reinstall the package. I then get these errors.

    Reload /.install -platform-override

    Installing LDAP configuration database...done.
    ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.naming.CommunicationException localhost:389)
    ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.naming.CommunicationException localhost:389)
    Setting defaults...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.naming.CommunicationException localhost:389)
    done.


    I believe these errors are from the fact I can't telnet to localhost 389.

    Telnet
    [root@mailbag opt]# telnet localhost 389
    Trying 127.0.0.1...
    telnet: connect to address 127.0.0.1: Connection refused
    telnet: Unable to connect


    [root@mailbag conf]# nmap localhost -p 389

    Starting Nmap 4.11 ( Nmap - Free Security Scanner For Network Exploration & Security Audits. ) at 2013-04-28 15:39 EDT
    Interesting ports on localhost.localdomain (127.0.0.1):
    PORT STATE SERVICE
    389/tcp closed ldap

    Yet the host name to 389 works.

    [root@mailbag conf]# nmap mailbag -p 389

    Starting Nmap 4.11 ( Nmap - Free Security Scanner For Network Exploration & Security Audits. ) at 2013-04-28 15:38 EDT
    Interesting ports on mailbag.bestpricehomes.net (24.106.184.4):
    PORT STATE SERVICE
    389/tcp open ldap

    [root@mailbag conf]# nmap localhosts

    Starting Nmap 4.11 ( Nmap - Free Security Scanner For Network Exploration & Security Audits. ) at 2013-04-28 16:47 EDT
    Interesting ports on mailbag.bestpricehomes.net (24.106.184.4):
    Not shown: 1676 closed ports
    PORT STATE SERVICE
    22/tcp open ssh
    111/tcp open rpcbind
    389/tcp open ldap
    772/tcp open cycleserv2

    Nmap finished: 1 IP address (1 host up) scanned in 0.


    DNS

    [root@mailbag ~]# dig bestpricehomes.net any

    ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5_7.1 <<>> bestpricehomes.net any
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39787
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;bestpricehomes.net. IN ANY

    ;; ANSWER SECTION:
    bestpricehomes.net. 7200 IN A 24.106.184.4
    bestpricehomes.net. 7200 IN SOA NS27.WORLDNIC.COM. namehost.WORLDNIC.COM. 113042713 10800 3600 604800 3600
    bestpricehomes.net. 7200 IN MX 10 mailbag.bestpricehomes.net.
    bestpricehomes.net. 7200 IN NS NS27.WORLDNIC.COM.
    bestpricehomes.net. 7200 IN NS ns28.WORLDNIC.COM.

    ;; Query time: 142 msec
    ;; SERVER: 24.25.5.60#53(24.25.5.60)
    ;; WHEN: Sun Apr 28 14:08:57 2013
    ;; MSG SIZE rcvd: 171



    [root@mailbag ~]# dig bestpricehomes.net mx

    ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5_7.1 <<>> bestpricehomes.net mx
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5677
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;bestpricehomes.net. IN MX

    ;; ANSWER SECTION:
    bestpricehomes.net. 7200 IN MX 10 mailbag.bestpricehomes.net.

    ;; Query time: 62 msec
    ;; SERVER: 24.25.5.60#53(24.25.5.60)
    ;; WHEN: Sun Apr 28 14:09:40 2013
    ;; MSG SIZE rcvd: 60


    /etc/hosts
    [root@mailbag ~]# cat /etc/hosts
    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    127.0.0.1 localhost.localdomain localhost
    #::1 localhost6.localdomain6 localhost6
    24.106.184.4 mailbag.bestpricehomes.net mailbag


    [zimbra@mailbag ~]$ zmcontrol status
    Unable to determine enabled services from ldap.
    Unable to determine enabled services. Cache is out of date or doesn't exist.
    [zimbra@mailbag ~]$


    Attempt to reload the same version back onto the server after copying the /opt/zimbra directory out of the way.




    [root@mailbag ~]# /opt/zimbra/bin/zmcertmgr deploycrt self
    ** Saving server config key zimbraSSLCertificate...failed.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.


    [root@mailbag ~]# /opt/zimbra/bin/zmcertmgr verifycrt self
    ** Verifying /opt/zimbra/ssl/zimbra/server/server.crt against /opt/zimbra/ssl/zimbra/server/server.key
    Certificate (/opt/zimbra/ssl/zimbra/server/server.crt) and private key (/opt/zimbra/ssl/zimbra/server/server.key) match.
    Valid Certificate: /opt/zimbra/ssl/zimbra/server/server.crt: OK







    [root@mailbag ~]# /opt/zimbra/bin/zmcertmgr createca -new
    ** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
    ** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
    ** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.

    [root@mailbag ~]# /opt/zimbra/bin/zmcertmgr deployca -localonly
    ** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
    ** Copying CA to /opt/zimbra/conf/ca...done.

    [root@mailbag ~]# /opt/zimbra/bin/zmcertmgr createcrt self -new
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20130428150609
    ** Retrieving server config key zimbraSSLCertificate...failed.
    ** Retrieving server config key zimbraSSLPrivateKey...failed.
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.

    [root@mailbag ~]# /opt/zimbra/bin/zmcertmgr deploycrt self
    ** Saving server config key zimbraSSLCertificate...failed.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.

    XXXXX ERROR: failed to create jetty.pkcs12
    unable to load private key
    46953544903024:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY

    [zimbra@mailbag ~]$ ldap status
    slapd running pid: 20238
    [zimbra@mailbag ~]$



    -rw-r----- 1 zimbra zimbra 969 Apr 28 14:36 slapd.crt
    -rw-r----- 1 zimbra zimbra 916 Apr 28 14:36 slapd.key
    -rw-r----- 1 zimbra zimbra 969 Apr 28 14:36 smtpd.crt
    -rw-r----- 1 zimbra zimbra 916 Apr 28 14:36 smtpd.key



    zmlocalconfig > /tmp/jim
    ldap_dit_naming_rdn_attr_xmppcomponent =
    ldap_dit_naming_rdn_attr_zimlet =
    ldap_host = mailbag.bestpricehomes.net
    ldap_is_master = true
    ldap_master_url = ldap://mailbag.bestpricehomes.net:389
    ldap_nginx_password = *
    ldap_overlay_accesslog_logpurge = 01+00:00 00+04:00
    ldap_overlay_syncprov_checkpoint = 20 10
    ldap_overlay_syncprov_sessionlog = 500
    ldap_port = 389
    ldap_postfix_password = *
    ldap_read_timeout = 30000
    ldap_replication_password = *
    ldap_root_password = *
    ldap_starttls_required = true
    ldap_starttls_supported = 1
    ldap_url = ldap://mailbag.bestpricehomes.net:389
    localized_client_msgs_directory = ${mailboxd_directory}/webapps/zimbra/WEB-INF/classes/messages
    localized_msgs_directory = ${zimbra_home}/conf/msgs
    Last edited by jwh99; 05-02-2013 at 06:36 AM.

  2. #2
    jwh99 is offline Member
    Join Date
    Jun 2011
    Posts
    12
    Rep Power
    4


    Nobody has any ideas? I am so dead in the water. Will VMware offer any paid support on the open-source product?

  3. #3
    ccelis5215 is offline Elite Member
    Join Date
    Jun 2011
    Location
    Caracas Venezuela
    Posts
    462
    Rep Power
    4


    I have been all through the forums and none of the solutions seem to have worked. I have edited the zmcertmgr file and made the following changes

    #Default subject with the RDN values
    SUBJECT="/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=bestpricehomes"
    validation_days=3650
    Did you try to recreate the self-signed certificate without modifying any file?

    ccelis

  4. #4
    jwh99 is offline Member
    Join Date
    Jun 2011
    Posts
    12
    Rep Power
    4


    I have tried to create it without modifying the file. Same issue. I have even backed up the /opt/zimbra directory and did an install.sh --platform-override and it fails with this error.
    ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.naming.CommunicationException localhost:389)

    I really think my problem is that localhost is not listening on port 389. However, I don't want to get too focused on that, but it really seems to be communication. It might be worth saying that this is on VMware.

  5. #5
    Bill Brock is offline Outstanding Member
    Join Date
    May 2007
    Location
    Oklahoma
    Posts
    703
    Rep Power
    9


    After creating the new CA using the CLI, I always go to the GUI to generate a new CSR and self-signed certificate. It installs without issue using the GUI. Have you tried the GUI?

  6. #6
    jwh99 is offline Member
    Join Date
    Jun 2011
    Posts
    12
    Rep Power
    4


    I am a newbie to Zimbra, so bear with me, but if LDAP is down I can't get to the GUI, can I? I have not been able to connect even from the console.

  7. #7
    jwh99 is offline Member
    Join Date
    Jun 2011
    Posts
    12
    Rep Power
    4

    Solution

    OK, ladies and gentlemen, after over 40 hours of pain I got the certs to load, but I am now missing 3 months of emails across all mailboxes. However, here is what I did.

    This issue, based on one forum post, was that this error when performing the command below was caused by the fact that LDAP was not running.
    /opt/zimbra/bin/zmcertmgr deploycrt self

    ** Saving server config key zimbraSSLCertificate...failed.
    ** Saving server config key zimbraSSLPrivateKey...failed.

    If LDAP is down because of the certs, then the new certs will never load.

    So, sports fans, I found this command buried in a forum that said, as a last resort, do this. It allows Zimbra to come up without certs.

    Tip: For a short-term workaround, set localconfig key ssl_allow_untrusted_certs to true from false.

    zmlocalconfig -e ssl_allow_untrusted_certs=true

    After that Zimbra would come up and I was able to run this command with no errors.

    /opt/zimbra/bin/zmcertmgr deploycrt self


    Summary for those like myself who searched vague solutions at 3:00 AM, here ya go.

    First run
    zmlocalconfig -e ssl_allow_untrusted_certs=true

    Then start Zimbra
    zmcontrol start ** This is also a good time to pray to the Supreme Being of your choice. **

    When everything comes back up (note the power of positive thinking):

    You have two choices, pull up the admin console and in the left panel click on certifications and once it pulls up the certs, takes a couple of seconds. Click on install. Follow the instructions.

    Else for the command line folks.

    # /opt/zimbra/bin/zmcertmgr createca -new
    # /opt/zimbra/bin/zmcertmgr deployca -localonly
    # /opt/zimbra/bin/zmcertmgr createcrt self -new
    # /opt/zimbra/bin/zmcertmgr deploycrt self

    Then, IMPORTANT: regardless of which method you performed, you still need to reset the server to use certificates.

    zmlocalconfig -e ssl_allow_untrusted_certs=false

    Bounce zimbra

    zmcontrol stop
    Would not hurt to do the prayer thing again.
    zmcontrol start

    At this point you should be good to go, hopefully without the 3 months of lost mail that is server-wide like I have. Missing from 2/2/13 to present, and I am currently spinning up an Exchange environment and am getting off this Mickey Mouse software.
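The thread's solution turns on reading three things together: the `** ...failed.` step lines from `zmcertmgr deploycrt self`, the `CommunicationException localhost:389` error from the installer, and the `ssl_allow_untrusted_certs` / `ldap_starttls_required` keys in `zmlocalconfig`. The following script is an added example written for this page, not code from the thread or from Zimbra: it parses constructed copies of those outputs (the `mailbag.example.test` hostname and the sample text are made up, modelled on the output quoted above) and produces the short list of findings a defender would act on, including the one that is easy to forget afterwards, the workaround key still set to `true`.

```python
"""Triage a failed `zmcertmgr deploycrt self` from its output plus zmlocalconfig.

Added example (not from the thread or from Zimbra). All sample text below is
constructed; the hostname mailbag.example.test is a placeholder.
"""
import re
from urllib.parse import urlparse

# Constructed `zmlocalconfig` excerpt; the short-term workaround key is still on.
SAMPLE_LOCALCONFIG = """\
ldap_host = mailbag.example.test
ldap_master_url = ldap://mailbag.example.test:389
ldap_port = 389
ldap_starttls_required = true
ldap_url = ldap://mailbag.example.test:389
ssl_allow_untrusted_certs = true
"""

# Constructed deploycrt + installer output in the same shape as the thread's.
SAMPLE_DEPLOY_OUTPUT = """\
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.
XXXXX ERROR: failed to create jetty.pkcs12
unable to load private key
46953544903024:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY
ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.naming.CommunicationException localhost:389)
"""

# "** <step>...done." / "** <step>...failed." progress lines printed by zmcertmgr.
STEP_RE = re.compile(r"^\*\* (?P<step>.+?)\.\.\.(?P<status>done|failed)\.?$")
# host:port the Java LDAP client could not reach.
LDAP_ERR_RE = re.compile(r"CommunicationException (?P<host>[^:\s]+):(?P<port>\d+)")

FINDINGS = {
    "ldap_write_failed": "zmcertmgr could not store the cert/key in LDAP: slapd was not reachable or the bind failed",
    "starttls_required_with_ldap_failure": "ldap_starttls_required=true while LDAP writes fail: if LDAP is down because of the certs, new certs never load",
    "server_key_not_pem": "server.key is not a PEM private key: rerun 'zmcertmgr createcrt self -new' before deploycrt",
    "ldap_host_mismatch": "the failing LDAP connection targets a different host than ldap_url: check port 389 on both names",
    "untrusted_certs_workaround_active": "ssl_allow_untrusted_certs=true is still set: reset it to false after the new cert is deployed",
}


def parse_localconfig(text):
    """Parse 'key = value' lines into a dict (redacted '*' values are kept as-is)."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def parse_steps(text):
    """Return [(step, 'done' | 'failed'), ...] from zmcertmgr's '** ...' lines."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line.strip())
        if m:
            steps.append((m.group("step"), m.group("status")))
    return steps


def triage(localconfig_text, deploy_text):
    """Return the ordered list of finding codes for one deploy attempt."""
    cfg = parse_localconfig(localconfig_text)
    steps = parse_steps(deploy_text)
    codes = []

    ldap_writes_failed = any(
        step.startswith("Saving server config key") and status == "failed"
        for step, status in steps
    )
    if ldap_writes_failed:
        codes.append("ldap_write_failed")
        if cfg.get("ldap_starttls_required", "").lower() == "true":
            codes.append("starttls_required_with_ldap_failure")

    # OpenSSL's "no start line" means the key file is not PEM at all.
    if "Expecting: ANY PRIVATE KEY" in deploy_text:
        codes.append("server_key_not_pem")

    m = LDAP_ERR_RE.search(deploy_text)
    if m:
        configured = urlparse(cfg.get("ldap_url", "")).hostname
        if configured and m.group("host").lower() != configured.lower():
            codes.append("ldap_host_mismatch")

    if cfg.get("ssl_allow_untrusted_certs", "false").lower() == "true":
        codes.append("untrusted_certs_workaround_active")
    return codes


def report(localconfig_text, deploy_text):
    """Human-readable finding lines, one per code."""
    return [f"{code}: {FINDINGS[code]}" for code in triage(localconfig_text, deploy_text)]


if __name__ == "__main__":
    for line in report(SAMPLE_LOCALCONFIG, SAMPLE_DEPLOY_OUTPUT):
        print(line)
```

Run it with the real outputs by replacing the two sample strings with `zmlocalconfig` output and a captured `zmcertmgr deploycrt self` run; an empty result after the final `zmlocalconfig -e ssl_allow_untrusted_certs=false` and restart is the state to aim for.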
