Zimbra - Forums > Zimbra Collaboration Suite > Installation
#31 | 01-01-2008, 01:44 PM | Zimbra-Yahoo Consultant

Try regenerating and that should fix your problem.

Sorry for the trouble.
#32 | 01-01-2008, 03:59 PM | Active Member (PhishKiller)
Having similar problem RC2 -> GA

Does this problem/solution apply when you have new commercial certs installed? I do not want to regenerate any self-signed certification keys if this is only a problem with self-signed certs.

We upgraded from RC2 -> GA yesterday. I can download mail but have the same STARTTLS error, and the server has not accepted any mail since the upgrade to GA.
#33 | 01-01-2008, 04:09 PM | Zimbra Employee (quanah)

It depends --

Is the CA for your commercial cert expired? Is the CA cert installed correctly on both the LDAP server and the server with postfix? Is there an x509 hash for the CA cert in /opt/zimbra/conf/ca?

--Quanah
-- Quanah Gibson-Mount, Principal Software Engineer, Zimbra, Inc
#34 | 01-01-2008, 04:31 PM | Active Member

The cert was purchased less than 30 days ago, it had better not be expired!

Here is what I see when I look at the certs in the Admin interface... is that at all helpful?

It worked with these certs fine before the upgrade. Do I need to re-install the certs, would that be of any possible benefit?

Code:
Server Name: mail.ourdomain.com

Certificate for Zimbra ldap Service:
Subject: /C=US/O=mail.ourdomain.com/OU=GT04757745/OU=See www.geotrust.com/resources/cps (c)07/OU=Domain Control Validated - QuickSSL(R)/CN=mail.ourdomain.com
Issuer: /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
Validation Days: Dec 11 00:46:39 2007 GMT - Dec 11 00:46:39 2008 GMT
Subject Alternative Name:

Certificate for Zimbra mailboxd Service:
Subject: /C=US/O=mail.ourdomain.com/OU=GT04757745/OU=See www.geotrust.com/resources/cps (c)07/OU=Domain Control Validated - QuickSSL(R)/CN=mail.ourdomain.com
Issuer: /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
Validation Days: Dec 11 00:46:39 2007 GMT - Dec 11 00:46:39 2008 GMT
Subject Alternative Name:

Certificate for Zimbra mta Service:
Subject: /C=US/O=mail.ourdomain.com/OU=GT04757745/OU=See www.geotrust.com/resources/cps (c)07/OU=Domain Control Validated - QuickSSL(R)/CN=mail.ourdomain.com
Issuer: /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
Validation Days: Dec 11 00:46:39 2007 GMT - Dec 11 00:46:39 2008 GMT
Subject Alternative Name:

Certificate for Zimbra proxy Service:
Subject: /C=US/O=mail.ourdomain.com/OU=GT04757745/OU=See www.geotrust.com/resources/cps (c)07/OU=Domain Control Validated - QuickSSL(R)/CN=mail.ourdomain.com
Issuer: /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
Validation Days: Dec 11 00:46:39 2007 GMT - Dec 11 00:46:39 2008 GMT
Subject Alternative Name:

Hm... this is what I see in the /opt/zimbra/conf/ca directory. The date/time is from the upgrade. If I restore what was in my working conf/ca, might that fix it?

Code:
-rw-r--r-- 1 zimbra zimbra 887 Dec 31 16:50 ca.key
-rw-r--r-- 1 zimbra zimbra 956 Dec 31 16:50 ca.pem
lrwxrwxrwx 1 root   root     6 Dec 31 16:50 f27d51ba.0 -> ca.pem
#35 | 01-01-2008, 04:46 PM | Zimbra Employee (quanah)

Is the ca.pem file the CA cert from your CA?
#36 | 01-01-2008, 05:04 PM | Active Member (Xao)

Not sure if you are getting the same issue I had. I had a valid cert (2 year) working fine until I upgraded to 5.0; from there everything would work except sending/receiving e-mail. From my understanding this will be fixed in version 5.0.1. I got around this error by turning off TLS for the postfix and LDAP calls. I didn't see this as a big issue since I have it running in its own VPS.

Here is what I did to get it working:
http://www.zimbra.com/forums/install...s-upgrade.html

Quote (Originally Posted by PhishKiller):
Does this problem/solution apply when you have new commercial certs installed? I do not want to regenerate any self-signed certification keys if this is only a problem with self-signed certs.

We upgraded from RC2 -> GA yesterday. I can download mail but have the same STARTTLS error, and the server has not accepted any mail since the upgrade to GA.
#37 | 01-01-2008, 05:31 PM | Active Member (PhishKiller)

Quote (Originally Posted by quanah): Is the ca.pem file the CA cert from your CA?
Yes.

Here are some dumps from it:

[root@mail ssl]# openssl x509 -in /opt/zimbra/ssl/zimbra/ca/ca.pem -noout -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
b9:cd:24:77:e9:24:ba:0f
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CA, L=San Mateo, O=Zimbra, OU=Zimbra Collaboration Suite, CN=mail.ourdomain.com
Validity
Not Before: Dec 11 00:13:50 2007 GMT
Not After : Dec 10 00:13:50 2008 GMT


After much searching I found this flag that can be set in the conf for ldap and added the following line:

vi ./openldap-2.3.39.6z/etc/openldap/ldap.conf

# Added this to stop effin LDAP START_TLS errors - dad 01-JAN-2008
TLS_REQCERT never

I see log entries that lead me to believe that mail is flowing in, and three test messages I sent a while ago JUST appeared in one of the test accounts.

So.. maybe 5.0.1 will fix the problem with unexpired commercial certs or do I really have some other problem that this just happened to work with?
#38 | 01-02-2008, 01:07 AM | Moderator

Quote (Originally Posted by PhishKiller): Yes.
I don't think so.

Quote (Originally Posted by PhishKiller): Here are some dumps from it:
Code:
[root@mail ssl]# openssl x509 -in /opt/zimbra/ssl/zimbra/ca/ca.pem -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            b9:cd:24:77:e9:24:ba:0f
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=CA, L=San Mateo, O=Zimbra, OU=Zimbra Collaboration Suite, CN=mail.ourdomain.com
That's not your commercial certificate, it's coming from Zimbra (look at the issuer).

I got the same problem with Zimbra's own tools: when trying to upgrade to a new self-signed certificate, the ca.pem file's date changed but not its content.

You should retry the whole steps (clear the LDAP, clear the certs directory, etc).
Or maybe just putting the correct ca.pem (the one from your commercial certificate issuer) in the directory would "fix" things (as it's not the one the cert is waiting for).
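The diagnosis above (and Quanah's questions in #33) come down to a mechanical check: the ca.pem in /opt/zimbra/conf/ca must have a Subject equal to the Issuer printed for the service certificates, and both must be inside their validity windows. The script below automates that check. It is an added example, not code from this thread or from Zimbra; its inputs are constructed from the listings pasted above (the self-signed ca.pem's Subject line and the commercial CA's validity dates are assumptions, marked in the code), and it handles both DN notations the thread shows (the Admin UI slash form, including values that themselves contain "/", and OpenSSL's comma form, with or without spaces around "=").

```python
# Added example; not code from the Zimbra forum thread or from Zimbra itself.
# Automates the check behind posts #33 and #38: the ca.pem in /opt/zimbra/conf/ca
# must be the cert whose Subject equals the Issuer of the service certs, and
# neither may be expired. The input formats mirror what the thread shows.
import re
from datetime import datetime, timezone

# Constructed sample shaped like the thread's Admin UI listing (one of the four
# services; the DN and date values are the ones the poster pasted).
ADMIN_UI_LISTING = """\
Certificate for Zimbra mta Service:
Subject: \t/C=US/O=mail.ourdomain.com/OU=GT04757745/OU=See www.geotrust.com/resources/cps (c)07/OU=Domain Control Validated - QuickSSL(R)/CN=mail.ourdomain.com
Issuer:\t/C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
Validation Days: \tDec 11 00:46:39 2007 GMT - Dec 11 00:46:39 2008 GMT
"""
# Constructed to match the self-signed ca.pem dump in post #37; the Subject line
# is an assumption (a self-signed CA has Subject == Issuer).
ZIMBRA_CA_TEXT = """\
Certificate:
        Issuer: C=US, ST=CA, L=San Mateo, O=Zimbra, OU=Zimbra Collaboration Suite, CN=mail.ourdomain.com
        Validity
            Not Before: Dec 11 00:13:50 2007 GMT
            Not After : Dec 10 00:13:50 2008 GMT
        Subject: C=US, ST=CA, L=San Mateo, O=Zimbra, OU=Zimbra Collaboration Suite, CN=mail.ourdomain.com
"""
# Constructed stand-in for the commercial issuer's CA; the dates are made up.
COMMERCIAL_CA_TEXT = """\
Certificate:
        Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
        Validity
            Not Before: Jan  1 00:00:00 2000 GMT
            Not After : Jan  1 00:00:00 2020 GMT
        Subject: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
"""
AS_OF = datetime(2008, 1, 2, tzinfo=timezone.utc)  # date of the thread


def parse_dn(text):
    """Normalise a DN to a tuple of (attr, value) pairs. Accepts the Admin UI's
    slash form and openssl's comma form; splitting only where 'ATTR=' follows
    keeps values containing '/' or ',' intact (e.g. the geotrust OU above)."""
    text = text.strip()
    sep = "/" if text.startswith("/") else r",\s*"
    pairs = []
    for part in re.split(sep + r"(?=[A-Za-z]+\s*=)", text):
        if part:
            attr, _, value = part.partition("=")
            pairs.append((attr.strip(), value.strip()))
    return tuple(pairs)


def parse_gmt(text):
    """Parse OpenSSL's 'Mon DD HH:MM:SS YYYY GMT' (the day may be space-padded)."""
    stamp = " ".join(text.split())
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_admin_listing(text):
    """{service: {subject, issuer, not_before, not_after}} from the Admin UI's
    'Certificate for Zimbra <service> Service:' blocks."""
    services, cur = {}, None
    for raw in text.splitlines():
        head = re.match(r"\s*Certificate for Zimbra (\w+) Service:", raw)
        if head:
            cur = services.setdefault(head.group(1), {})
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if cur is None or not value:
            continue
        if key in ("Subject", "Issuer"):
            cur[key.lower()] = parse_dn(value)
        elif key == "Validation Days":
            start, _, end = value.partition(" - ")
            cur["not_before"], cur["not_after"] = parse_gmt(start), parse_gmt(end)
    return services


def parse_x509_text(text):
    """Subject, Issuer and Validity from `openssl x509 -noout -text` output."""
    info = {}
    for raw in text.splitlines():
        key, _, value = raw.partition(":")
        key = key.strip()
        if key in ("Subject", "Issuer"):
            info[key.lower()] = parse_dn(value)
        elif key in ("Not Before", "Not After"):
            info[key.lower().replace(" ", "_")] = parse_gmt(value)
    return info


def check_ca(services, ca, now):
    """Reasons verification against this ca.pem would fail: CA expired, CA is
    not the issuer of a service cert, or a service cert outside its validity.
    An empty list means the chain in /opt/zimbra/conf/ca is consistent."""
    dn_str = lambda dn: "/" + "/".join(f"{a}={v}" for a, v in dn)
    findings = []
    if not ca["not_before"] <= now <= ca["not_after"]:
        findings.append("ca.pem is outside its validity window")
    for name, svc in sorted(services.items()):
        if svc["issuer"] != ca["subject"]:
            findings.append(f"{name}: issuer {dn_str(svc['issuer'])} "
                            f"is not ca.pem's subject {dn_str(ca['subject'])}")
        if not svc["not_before"] <= now <= svc["not_after"]:
            findings.append(f"{name}: service certificate outside its validity window")
    return findings


if __name__ == "__main__":
    for text in (ZIMBRA_CA_TEXT, COMMERCIAL_CA_TEXT):
        print(check_ca(parse_admin_listing(ADMIN_UI_LISTING), parse_x509_text(text), AS_OF) or "OK")
```

Run against a live server by replacing the two constructed strings with the Admin UI certificate listing and the output of `openssl x509 -noout -text -in /opt/zimbra/conf/ca/ca.pem`. With the ca.pem left by the upgrade the script reports that the mta certificate's issuer is not ca.pem's subject, which is exactly what the LDAP and postfix TLS handshakes rejected; with the issuer's real CA certificate in place it reports nothing. An empty result is the state in which the `TLS_REQCERT never` and `start_tls = no` workarounds mentioned later in the thread are not needed; a non-empty one names what those settings would be hiding.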
#39 | 01-02-2008, 05:50 AM | Active Member

Ah, yes, I do believe you are right. The certs shown in the UI looked right. I did think the address odd, but since we used the built-in CSR generator I thought that might have been auto-inserted.

Neat..

I wonder what happened to the .pem we installed. I checked the full backup and the file contents looked the same. Maybe it never really worked and it was functioning via a 'bug' in the cert.

Thanks.. I'll look at this all again.
#40 | 01-02-2008, 08:30 AM | Active Member (Tobias)

Quote (Originally Posted by ArcaneMagus): Here's a silly question, but did you restart Zimbra and/or the entire server? Postfix needs to re-read the key from LDAP.
I only restarted Zimbra (step (f)).

I tried all procedures several times, but no success until now.
Also the workaround with "TLS_REQCERT never" in ldap.conf did not change anything. But now I have a working workaround, thanks to Xao:

Quote (Originally Posted by Xao):
[...]So I did a 'vi /opt/zimbra/conf/lda' From there every entry that had the line:

start_tls = yes

I changed to

start_tls = no[...]
Not perfect, but now it runs and I can receive and send mails.
I hope that these troubles with the certificates will be fixed in 5.0.1! =)

Regards,
Tobias