
Thread: Rebuilding localconfig.xml the hard way

  1. #1 YakkoWarner

    Rebuilding localconfig.xml the hard way

    Ok, I managed to screw up my email server. Release 7.2.1_GA_2790.DEBIAN5_64 DEBIAN5_64 FOSS edition.

    I noticed one of my email clients complaining about a certificate error, so I logged in to the web client and viewed the certificates in IE. There were two, and the root one expired today. Ok, no problem, I just need to update the certificates, I thought. But when I opened up the admin console, I saw the certificates for the four services (mta, proxy, mailboxd, and ldap) were set to expire next year, and I didn't see any reference to the root cert that was causing my issue.

    So I found this thread for updating certificates, and tried running the steps involved.

    Now, I'm not entirely sure how I managed to screw this up so completely, but I kept getting an error when the services tried to come back up, starting with LDAP, reporting a strange error: "ldap_url and ldap_master_url cannot be the same on an ldap replica". A whole lot of searching revealed that the culprit was probably the localconfig.xml file, and when I looked at it, somewhere along the way it had been completely wiped out. (I think it was when I saw "Host localhost" being reported and found a thread saying this should be a real FQDN, and I set it while logged in as root. At least, I later found hints that this might be the case, and the fact that the only setting that remained in localconfig.xml was the hostname is a big clue.)

    The certificates thread referenced above suggests that reinstalling the current version on top of itself will do the work of recreating certificates as needed, so I tried going down that path. Unbeknownst to me at the time, the first thing the upgrade process does is copy your current localconfig.xml into a .saveconfig directory, so I ended up overwriting that (my only potential backup copy) with the mostly-empty config when I tried to upgrade it over itself.

    I moved my installation to a new directory and reinstalled a fresh installation, just so I could get a working localconfig.xml file. This mostly worked, though the passwords stored in localconfig.xml for LDAP are different than what they should be. Right after I see "Starting ldap...Done", the line "Unable to determine enabled services from ldap" gives me a clue that something's wrong. The logger service is the most helpful in showing this, as when it attempts to start, it shows a message "LDAP: error code 49 - Invalid Credentials".

    There are six instances of the password in the localconfig.xml, for the keys ldap_postfix_password, ldap_amavis_password, ldap_replication_password, ldap_root_password, ldap_nginx_password, and zimbra_ldap_password, and they're all identical, which gives me hope that if I manage to find one, I'll find them all. Or, if there were a way to reset them all, then I could put that value into the localconfig.xml entries and be done.

    Running zmldappasswd, though, gives me the error "TLS: SSL connect attempt failed with unknown errorerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed". Thinking it may be the certificates issue, I tried the script from that other forum thread yet again, but it was not successful (failed to set keys such as zimbraSSLCertificate, and invalid credentials from LDAP running zmupdateauthkeys). Fortunately, I managed not to wipe the localconfig.xml file again.

    So this seems to be the last step in getting my server back. Can anyone assist in resetting the LDAP passwords before I tear what's left of my hair out?
    Last edited by YakkoWarner; 07-09-2013 at 12:34 AM. Reason: don't need MySql help

  2. #2 phoenix, Zimbra Consultant & Moderator

    Quote Originally Posted by YakkoWarner View Post
    So this seems to be the last step in getting my server back. (There may be another step in resetting the MySql passwords, too, but I haven't even started looking at that yet.) Can anyone assist in resetting the LDAP (and maybe the MySql) passwords before I tear what's left of my hair out?
    What about this: site:zimbra.com +reset +"ldap password" - Yahoo! Search Results
    Regards

    Bill

  3. #3 YakkoWarner

    Edited to remove the request for MySql help; I found the answer from MySql on this page, using ps -F to get the full command line used to start MySql (including the data directories needed to follow the instructions).

  4. #4 YakkoWarner

    From Resetting LDAP and MySQL Passwords, running zmldappasswd -r newrootpass gives me this:
    Code:
    Updating local config and LDAP
    TLS: SSL connect attempt failed with unknown errorerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
    Which leads me back to those certificates, where everything succeeds except these two steps:
    Code:
    /opt/zimbra/conf# /opt/zimbra/bin/zmcertmgr createcrt self -new
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20130709015023
    ** Retrieving server config key zimbraSSLCertificate...failed.
    ** Retrieving server config key zimbraSSLPrivateKey...failed.
    ** Generating a server csr for download self -keysize 1024
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20130709015028
    ** Retrieving Commercial CA cert from ldap...failed.
    ** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ...
    /opt/zimbra/conf# /opt/zimbra/bin/zmcertmgr deploycrt self
    ** Saving server config key zimbraSSLCertificate...failed.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    From Setting zimbra admin password in LDAP, running the ldapmodify command gives me this:
    Code:
    Enter LDAP Password: ********
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
    (or "Invalid credentials" if I just use the domain name without the ldap:// prefix and :389 suffix that comes out of ldap_master_url).

    Seems like every other result ends up coming back to one of those two pages.

  5. #5 YakkoWarner

    As an addendum, running zmldappasswd newrootpass to reset all the other passwords seems to work (at least no error is reported, just the message "Updating local config and LDAP"), but when everything is done and I try zmcontrol start, I get:
    Code:
            Starting ldap...Done.
    Unable to determine enabled services from ldap.
    Enabled services read from cache. Service list may be inaccurate.
            Starting zmconfigd...Done.
            Starting logger...Failed.
    Starting logswatch...ERROR: service.FAILURE (system failure: unable to lookup server by name: cumorah.puddlestheshark.local message: [LDAP: error code 49 - Invalid Credentials]) (cause: javax.naming.AuthenticationException [LDAP: error code 49 - Invalid Credentials])
    zimbra logger service is not enabled!  failed.
    
    
            Starting mailbox...Done.
            Starting memcached...Done.
            Starting antispam...Done.
            Starting antivirus...Done.
            Starting snmp...Done.
            Starting spell...Done.
            Starting mta...Done.
            Starting stats...Done.
    Plus I found entries like this in /var/log/mail.log, which makes me think the passwords didn't get updated at all:
    postfix/proxymap[29747]: warning: dict_ldap_connect: Unable to bind to server ldap://<servername>:389 as uid=zmpostfix,cn=appaccts,cn=zimbra: 49 (Invalid credentials)

    And I still can't connect with a web browser nor my email clients.
    Last edited by YakkoWarner; 07-09-2013 at 01:30 AM.

  6. #6 YakkoWarner

    I think I'm getting a little closer.

    I edited the file data/ldap/config/cn=config/olcDatabase={0}config.ldif and changed the olcRootPW. I was then able to use ldapmodify to change each of the user entries:
    Code:
    dn: uid=zmreplica,cn=admins,cn=zimbra
    changetype: modify
    replace: userPassword
    userPassword: ******
    -

    dn: uid=zmpostfix,cn=appaccts,cn=zimbra
    changetype: modify
    replace: userPassword
    userPassword: ******
    -

    dn: uid=zmamavis,cn=appaccts,cn=zimbra
    changetype: modify
    replace: userPassword
    userPassword: ******
    -

    dn: uid=zmnginx,cn=appaccts,cn=zimbra
    changetype: modify
    replace: userPassword
    userPassword: ******
    -

    dn: uid=zmbes-searcher,cn=appaccts,cn=zimbra
    changetype: modify
    replace: userPassword
    userPassword: ******
    -

    dn: uid=zimbra,cn=admins,cn=zimbra
    changetype: modify
    replace: userPassword
    userPassword: ******
    -
    using the password that I attempted to set with zmldappasswd (which was correctly set in the localconfig.xml file). The server starts up now, and the website is responding. Oddly enough, when I view the certificates in the browser, only one appears (the one with the longer expiration date), rather than one that is the child of one expired certificate.

    Seeing as it is now quarter after 4 in the morning, I'm going to call it good for now and get some sleep. However, email clients (connecting by secure IMAP) are still complaining about the certificates, and I fear for when I have to try and update the certs again....
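As an added example (not from the thread and not one of Zimbra's own tools), the following Python script reads the LDAP password keys that post #1 lists from a constructed localconfig.xml, checks that they agree as that post expects, and emits the blank-line separated ldapmodify records of the kind shown in post #6, with the password stored as an OpenLDAP {SSHA} hash rather than cleartext. The key-to-DN mapping is an assumption based on the account names in the thread; uid=zmbes-searcher has no localconfig key named in the thread and is omitted.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET
# Constructed sample localconfig.xml (placeholder values, not the poster's file).
SAMPLE_LOCALCONFIG = """<?xml version="1.0" encoding="utf-8"?>
<localconfig>
  <key name="ldap_root_password"><value>S3cretPlaceholder</value></key>
  <key name="zimbra_ldap_password"><value>S3cretPlaceholder</value></key>
  <key name="ldap_replication_password"><value>S3cretPlaceholder</value></key>
  <key name="ldap_postfix_password"><value>S3cretPlaceholder</value></key>
  <key name="ldap_amavis_password"><value>S3cretPlaceholder</value></key>
  <key name="ldap_nginx_password"><value>S3cretPlaceholder</value></key>
</localconfig>
"""
# Assumed key -> DN mapping (DNs as in post #6); ldap_root_password is olcRootPW.
KEY_TO_DN = {
    "zimbra_ldap_password": "uid=zimbra,cn=admins,cn=zimbra",
    "ldap_replication_password": "uid=zmreplica,cn=admins,cn=zimbra",
    "ldap_postfix_password": "uid=zmpostfix,cn=appaccts,cn=zimbra",
    "ldap_amavis_password": "uid=zmamavis,cn=appaccts,cn=zimbra",
    "ldap_nginx_password": "uid=zmnginx,cn=appaccts,cn=zimbra",
}
RECORD = "dn: {}\nchangetype: modify\nreplace: userPassword\nuserPassword: {}\n-"
def read_localconfig(xml_text):
    """Return {key name: value} for every <key> element in localconfig.xml."""
    root = ET.fromstring(xml_text)
    return {k.get("name"): (k.findtext("value") or "") for k in root.iter("key")}
def ldap_passwords(conf):
    """All six LDAP password keys; raise unless each is present and they all match."""
    keys = list(KEY_TO_DN) + ["ldap_root_password"]
    values = {k: conf.get(k) for k in keys}
    if None in values.values() or len(set(values.values())) != 1:
        raise ValueError("LDAP passwords missing or inconsistent: " + ", ".join(keys))
    return values
def ssha(password, salt=None):
    """OpenLDAP {SSHA} form: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()
def verify_ssha(password, hashed):
    """Check a cleartext password against an {SSHA} value (digest is 20 bytes)."""
    raw = base64.b64decode(hashed[len("{SSHA}"):])
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]
def build_ldif(conf, salt=None):
    """Blank-line separated ldapmodify records, one per account, hashed password."""
    values = ldap_passwords(conf)
    return "\n\n".join(RECORD.format(dn, ssha(values[k], salt))
                       for k, dn in KEY_TO_DN.items()) + "\n"
```

Feed the output of build_ldif to ldapmodify against the config-database root credentials; the consistency check fails loudly if localconfig.xml holds differing values, which is the situation the thread's "Invalid Credentials" errors pointed at.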
