
Thread: [SOLVED] Expired Cert in 5.0GA can cause mail Delivery failure

  #1 Klug, Moderator

    Hi guys.

    I upgraded my OSS server this morning (CentOS 4.5) and it just refuses mail...

    I have lots of errors in zimbra.log:
    Code:
    postfix/trivial-rewrite[9811]: fatal: ldap://opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
    error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
    And
    Code:
    postfix/smtpd[8439]: warning: problem talking to service rewrite: Success
    postfix/master[7626]: warning: process /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite pid 9809 exit status
    I found nothing (yet) on the forum...
    Last edited by Klug; 12-21-2007 at 01:51 PM.

  #2 jholder, Former Zimbran

    Can you post your whole log file?

    Attach to thread.

    Quanah is going to post some instructions for info he needs.

  #3 quanah, Zimbra Employee

    This can happen if your CA cert has expired. Are there lines about STARTTLS failing for Postfix? Something along the lines of:
    Code:
    postfix/trivial-rewrite[20583]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
    If that's the case, then you will need to kill your old CA cert in LDAP and then generate a new one using the zmcertmgr tool.

    --Quanah
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  #4 Klug, Moderator

    Quote Originally Posted by quanah:
    This can happen if your CA cert has expired.
    My (self-signed) cert is actually expired, you are right.

    I'm creating a new one right away.
    Last edited by Klug; 12-21-2007 at 02:03 PM.

  #5 Klug, Moderator

    New certificate (/opt/zimbra/bin/zmcertmgr install self -new) did not fix it.

    Clean log attached.

  #6 Klug, Moderator

    I tried to create a new certificate through the Admin UI.

    Here's what I got:
    Code:
    Your certificate was not installed due to the error : system failure: XXXXX ERROR: failed to create jetty.pkcs12

  #7 quanah, Zimbra Employee

    I've not done it via the Admin UI. What I had to do was:

    (a) cd /opt/zimbra/ssl; mkdir bak; mv * bak
    (b) Kill the CA cert in LDAP via an ldapmodify operation on cn=config,cn=zimbra
    (c) run /opt/zimbra/bin/zmcertmgr createca
    (d) run /opt/zimbra/bin/zmcertmgr deployca
    (e) run /opt/zimbra/bin/zmcertmgr install self -new

    --Quanah
    Last edited by quanah; 12-22-2007 at 01:12 PM.

  #8 Klug, Moderator

    I only did "d" (/opt/zimbra/bin/zmcertmgr install self -new) and the new certs appear correctly in the Admin UI.

    I tried ldapmodify but was not successful (either as root or as the zimbra user):
    Code:
    $ ldapmodify
    ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
    Here's the result of steps b, c and d:
    Code:
    [root@zimbra-oss bin]# /opt/zimbra/bin/zmcertmgr createca
    [root@zimbra-oss bin]# /opt/zimbra/bin/zmcertmgr deployca
    ** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
    ** Saving CA in ldap...done.
    ** Copying CA to /opt/zimbra/conf/ca...done.
    [root@zimbra-oss bin]# /opt/zimbra/bin/zmcertmgr install self -new
    ** Installing Certificates from /opt/zimbra/ssl/zimbra/server/server.crt
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20071221223132
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    Same problem after restart.

    BTW, the error in post #6 is related to a change I tried to the CA (changing from "Zimbra Collaboration Suite" to my company).
    Last edited by Klug; 12-21-2007 at 02:35 PM.

  #9 quanah, Zimbra Employee

    The syntax is:

    Code:
    ldapmodify -x -h  -D "uid=zimbra,cn=admins,cn=zimbra" -W
    dn: cn=config,cn=zimbra
    changetype: modify
    delete: zimbraCertAuthorityCertSelfSigned
    ^D
    This will prompt you for the zimbra admin password, which you can get from running:
    Code:
    zmlocalconfig -s zimbra_ldap_password
    --Quanah

  #10 quanah, Zimbra Employee

    Oh, and the ^D is a Control-D.

    --Quanah
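As an added example (not code from the thread, from Klug or quanah, or from Zimbra), the POSIX shell helpers below put the diagnosis in post #3 and the repair sequence in posts #7 and #9 into a checkable form: a triage of zimbra.log that separates the root cause (trivial-rewrite failing STARTTLS to LDAP) from the downstream smtpd symptom, an openssl check of whether ca.pem or server.crt has lapsed, the LDIF from post #9 generated as a file instead of being typed and terminated with Ctrl-D, and the five-step regeneration as a driver that only prints the steps unless told to run. Assumptions: the log sample is constructed, LDAP_HOST fills the -h argument that post #9 leaves blank (default localhost), and the LDAP password is fetched with zmlocalconfig -m nokey into a 0600 file handed to ldapmodify -y so it never appears on a command line, in ps output, or in a pasted transcript.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zimbra. Paths and the
# zmcertmgr subcommands are the ones quoted in posts #7 and #8; the function
# names, LDAP_HOST and the log sample below are my own assumptions.

# Constructed zimbra.log excerpt modelled on post #1 (not a real capture).
SAMPLE_LOG='Dec 21 13:40:01 zimbra-oss postfix/trivial-rewrite[9811]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
Dec 21 13:40:01 zimbra-oss postfix/trivial-rewrite[9811]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
Dec 21 13:40:02 zimbra-oss postfix/smtpd[8439]: warning: problem talking to service rewrite: Success
Dec 21 13:40:02 zimbra-oss postfix/master[7626]: warning: process /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite pid 9809 exit status 1
Dec 21 13:40:05 zimbra-oss postfix/trivial-rewrite[9815]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error'

# Read log text on stdin; count the LDAP STARTTLS failures (root cause), the
# table lookup failures they trigger, and the smtpd "problem talking to
# service rewrite" lines, which are only a symptom of trivial-rewrite dying.
classify_postfix_ldap_errors() {
    awk '
        /dict_ldap_connect: Unable to set STARTTLS/ { starttls++ }
        /trivial-rewrite.*table lookup problem/     { lookup++ }
        /problem talking to service rewrite/        { symptom++ }
        END {
            printf "ldap_starttls_failures=%d\n", starttls
            printf "ldap_table_lookup_failures=%d\n", lookup
            printf "smtpd_rewrite_symptoms=%d\n", symptom
            print (starttls > 0 ? "verdict=check_ca_certificate" : "verdict=not_a_tls_problem")
        }'
}

# Convenience wrapper over the constructed sample.
triage_sample() {
    printf '%s\n' "$SAMPLE_LOG" | classify_postfix_ldap_errors
}

# Return 0 if the certificate in $1 is still valid for at least $2 seconds
# (default 0, i.e. not yet expired). Point it at
# /opt/zimbra/ssl/zimbra/ca/ca.pem and /opt/zimbra/ssl/zimbra/server/server.crt.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Subject, issuer and notAfter, so you can see which file is the CA
# ("Zimbra Collaboration Suite" by default, per post #8) and when it lapsed.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# The LDIF post #9 feeds to ldapmodify: remove the self-signed CA held in LDAP.
ca_delete_ldif() {
    printf '%s\n' \
        'dn: cn=config,cn=zimbra' \
        'changetype: modify' \
        'delete: zimbraCertAuthorityCertSelfSigned'
}

# Steps (a) to (e) from post #7 with post #9's ldapmodify as step (b).
# Prints the steps by default; pass "run" to execute them in order, stopping
# at the first failure. LDAP_HOST is an assumption (post #9 leaves -h blank).
regenerate_zimbra_ca() {
    mode=${1:-dry-run}
    host=${LDAP_HOST:-localhost}
    passfile=${TMPDIR:-/tmp}/zimbra_ldap_pw.$$
    i=0
    for cmd in \
        'cd /opt/zimbra/ssl && mkdir -p bak && for f in *; do [ "$f" = bak ] || mv "$f" bak; done' \
        "(umask 077; zmlocalconfig -s -m nokey zimbra_ldap_password > $passfile)" \
        "ca_delete_ldif | ldapmodify -x -h $host -D uid=zimbra,cn=admins,cn=zimbra -y $passfile; rc=\$?; rm -f $passfile; [ \$rc -eq 0 ]" \
        '/opt/zimbra/bin/zmcertmgr createca' \
        '/opt/zimbra/bin/zmcertmgr deployca' \
        '/opt/zimbra/bin/zmcertmgr install self -new'
    do
        i=$((i + 1))
        if [ "$mode" = run ]; then
            eval "$cmd" || { printf 'step %d failed: %s\n' "$i" "$cmd" >&2; return 1; }
        else
            printf '[%d] %s\n' "$i" "$cmd"
        fi
    done
}
```

Run the triage first; only when it reports STARTTLS failures does the CA sequence apply, and `cert_summary` on ca.pem confirms the expiry before anything is moved. Review the dry-run output, then execute with `regenerate_zimbra_ca run`. The order matters: post #8 reports that running only `install self -new` left the failure in place, because the old CA was still the one stored in LDAP.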
