Zimbra - Forums > Zimbra Collaboration Suite > Installation

#21 | 12-24-2007, 01:12 PM | Moderator | Posts: 595

Is there a log where the zmcertmgr commands show any progress/errors? As far as I can tell they are doing nothing for me (at least no files are being generated in /opt/zimbra/ssl). The admin gui for this task is also failing to generate a certificate.

#22 | 12-24-2007, 02:14 PM | Zimbra Employee | Posts: 512

Run it as "bash -x ~/bin/zmcertmgr" and it will print each line as it executes.

#23 | 12-24-2007, 03:01 PM | Moderator | Posts: 595

OK, that got me past that problem (I am running on openSUSE 10.3 and had forgotten to change the get_plat_tag.sh file, so the platform was listed as unknown, which apparently is a problem for this command).
Unfortunately, I am having an issue with the creation of the ca.pem file. It apparently grabs information from LDAP for the CA using the following command:
Code:
zmprov -l -- gacf zimbraCertAuthorityCertSelfSigned
However, since step B was to remove this information from LDAP, this step fails and creates a ca.pem of size 0. This causes the steps after it to fail. Is there something I am missing that is supposed to recreate this information?

#24 | 12-25-2007, 02:07 PM | Member | Posts: 10

ArcaneMagus,

In addition to deleting zimbraCertAuthorityCertSelfSigned from LDAP, try also deleting zimbraCertAuthorityKeySelfSigned. Then try zmcertmgr createca again. I had the same problem as you, and that seemed to take care of it for me.

#25 | 12-25-2007, 11:35 PM | Moderator | Posts: 595

Thank you!! That solved the problem for me as well; I was about 2 minutes away from restoring the RC2 backup and trying again...

#26 | 12-30-2007, 06:25 AM | Active Member | Posts: 28
summary

Here is a little summary of all steps:

(a) as root: cd /opt/zimbra/ssl; mkdir bak; mv * bak
(b) as zimbra:
(b1) to get the password: zmlocalconfig -s zimbra_ldap_password
(b2) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W
Code:
dn: cn=config,cn=zimbra
changetype:modify
delete: zimbraCertAuthorityCertSelfSigned
^D
(b3) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W
Code:
dn: cn=config,cn=zimbra
changetype:modify
delete: zimbraCertAuthorityKeySelfSigned
^D
(c) as root: run /opt/zimbra/bin/zmcertmgr createca
(d) as root: run /opt/zimbra/bin/zmcertmgr deployca
(e) as root: run /opt/zimbra/bin/zmcertmgr install self -new
(f) as root: su - zimbra zmcontrol stop; su - zimbra zmcontrol start

^D is Control-D

#27 | 12-30-2007, 09:50 AM | Active Member | Posts: 28

I could successfully resolve all troubles with receiving mail with the above steps.

After that I had another problem and had to restore the previous installation (RC1).

Then I upgraded again to GA and had the same problem with the STARTTLS Connect error. So I followed these steps once again, but it didn't work this time...

All commands are OK (createca, etc.), no errors.
Code:
root@james:/opt/zimbra/ssl# /opt/zimbra/bin/zmcertmgr createca
** Creating directory /opt/zimbra/ssl/zimbra
** Creating directory /opt/zimbra/ssl/zimbra/ca
** Creating directory /opt/zimbra/ssl/zimbra/server
** Creating directory /opt/zimbra/ssl/zimbra/commercial
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Retrieving CA private key from ldap...failed.
** Retrieving CA cert from ldap...failed.
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
root@james:/opt/zimbra/ssl# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving CA in ldap...done.
** Copying CA to /opt/zimbra/conf/ca...done.
root@james:/opt/zimbra/ssl# /opt/zimbra/bin/zmcertmgr install self -new
** Generating a server csr for download
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20071230180147
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Installing Certificates from /opt/zimbra/ssl/zimbra/server/server.crt
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20071230180147
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Installing CA to /opt/zimbra/conf/ca...done.
But everything I see in the log is:
Code:
Dec 30 17:39:15 james postfix/smtpd[10154]: connect from mail.gmx.net[213.165.64.20]
Dec 30 17:39:23 james postfix/trivial-rewrite[10158]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
Dec 30 17:39:23 james last message repeated 2 times
Dec 30 17:39:23 james postfix/trivial-rewrite[10158]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
Dec 30 17:39:24 james postfix/smtpd[9651]: warning: problem talking to service rewrite: Success
Dec 30 17:39:24 james postfix/smtpd[10154]: warning: problem talking to service rewrite: Connection reset by peer
Dec 30 17:39:24 james postfix/master[9432]: warning: process /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite pid 10158 exit status 1
Dec 30 17:39:24 james postfix/master[9432]: warning: /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite: bad command startup -- throttling
Code:
127.0.0.1       localhost.localdomain localhost
10.0.0.4        james.tobru.ch james
Does anyone have an idea what else could be wrong?

Thanks a lot
Best Regards,
Tobias

Last edited by tobru : 12-30-2007 at 10:35 AM. Reason: output of zmcertmgr / hosts

#28 | 12-31-2007, 09:51 AM | Moderator | Posts: 595

Here's a silly question, but did you restart Zimbra and/or the entire server? Postfix needs to re-read the key from LDAP.

#29 | 01-01-2008, 01:39 PM | Zimlet Guru & Moderator | Posts: 430

Note that I am seeing this problem even with certificates that have not yet expired. I am trying to figure out why right now.

#30 | 01-01-2008, 01:41 PM | Zimbra-Yahoo Consultant | Posts: 5,608

Here are the circumstances under which this can happen:
Basically, if the CA cert has expired, certificate verification fails; even if the cert is valid, the MTA can fail.
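As an added example (mine, not code from the thread or from Zimbra), a pre-flight script covering the situations in posts #23, #26 and #30: it reports whether /opt/zimbra/ssl/zimbra/ca/ca.pem or server/server.crt is expired or unparsable (a 0-byte ca.pem counts), whether the server cert still verifies against that CA (which fails when the CA alone has expired), and emits the LDIF for steps b2/b3. It assumes openssl on PATH and Zimbra's default ssl tree; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from Zimbra. Pre-flight checks to run
# before repeating the regeneration steps from post #26 (function names are
# my own; paths are Zimbra's defaults as shown in the thread; needs openssl).
set -u

ZIMBRA_SSL=${ZIMBRA_SSL:-/opt/zimbra/ssl/zimbra}

# 0 if PEM cert $1 stays valid for at least $2 seconds; 1 if it is expired,
# expires within that window or cannot be parsed (a 0-byte ca.pem as in post
# #23 lands here); 2 if the file does not exist or is unreadable.
cert_valid_for() {
    [ -r "$1" ] || return 2
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# 0 if server cert $2 chains to CA $1. This is the verification Postfix's LDAP
# client performs for STARTTLS; an expired CA fails it even when $2 is in date.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# LDIF for steps b2/b3: remove one cached self-signed CA attribute from
# cn=config,cn=zimbra. Usage: delete_attr_ldif ATTR | ldapmodify -x -h ... -W
delete_attr_ldif() {
    printf 'dn: cn=config,cn=zimbra\nchangetype: modify\ndelete: %s\n' "$1"
}

# Prints one verdict per check; returns 0 only when nothing needs regenerating.
# $1 = ssl tree, $2 = warning window in seconds (default 30 days).
preflight() {
    ca="$1/ca/ca.pem"; crt="$1/server/server.crt"; win=${2:-2592000}; bad=0
    for pem in "$ca" "$crt"; do
        if cert_valid_for "$pem" "$win"; then
            echo "ok      $pem valid for more than $win s"
        else
            echo "FAIL    $pem expired, unparsable or expiring within $win s"; bad=1
        fi
    done
    if chain_ok "$ca" "$crt"; then
        echo "ok      $crt verifies against $ca"
    else
        echo "FAIL    $crt does not verify against $ca (rerun createca, deployca, install self -new)"; bad=1
    fi
    return $bad
}

# Only run the checks when invoked as: sh preflight.sh check [window_seconds]
if [ "${1:-}" = check ]; then preflight "$ZIMBRA_SSL" "${2:-2592000}"; fi
```

A non-zero exit from `preflight` is the cue to go through steps (a) to (f) again; a clean run with a fresh CA but a persisting STARTTLS error points at the LDAP copy of the CA or a missing restart (post #28) instead.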