[SOLVED] Argh Commercial Certificates after a 4.10 > 5.0 FOSS upgrade!
Ok, I'm at my wits' end, and it looks like there have been a number of issues with this. I can't seem to find any real solution; hopefully someone can help here.
Before the upgrade everything had been working fine with a 2 year GoDaddy commercial certificate.
After I did the upgrade, everything looked fine, then I saw these errors in the log file:
Dec 30 13:18:44 webmail postfix/trivial-rewrite[12042]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
Dec 30 13:18:44 webmail last message repeated 2 times
Dec 30 13:18:44 webmail postfix/trivial-rewrite[12042]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
Dec 30 13:18:45 webmail postfix/master[12029]: warning: process /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite pid 12042 exit status 1
Dec 30 13:18:45 webmail postfix/master[12029]: warning: /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite: bad command startup -- throttling
I found in Bugzilla or another message that you should regenerate a self-signed certificate by doing:
[root@webmail ssl]# /opt/zimbra/bin/zmcertmgr createca
** Creating directory /opt/zimbra/ssl/zimbra
** Creating directory /opt/zimbra/ssl/zimbra/ca
** Creating directory /opt/zimbra/ssl/zimbra/server
** Creating directory /opt/zimbra/ssl/zimbra/commercial
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Retrieving CA private key from ldap...done.
** Retrieving CA cert from ldap...done.
[root@webmail ssl]# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving CA in ldap...done.
** Copying CA to /opt/zimbra/conf/ca...done.
[root@webmail ssl]# /opt/zimbra/bin/zmcertmgr install self -new
This worked fine in getting things working; the SSL web page still had the correct commercial certificate installed, so no errors there. However, while an SSL cert was now installed on the MTA, it was the self-signed one, which prompts a warning box the first time you try to send an email out through a fat mail client. I need it to use the purchased commercial cert.
So I did the following:
[root@webmail ssl]# /opt/zimbra/bin/zmcertmgr install comm -new
I looked at what files it was looking for:
1) Default <certfile> is /opt/zimbra/ssl/zimbra/server/server.crt for server and /opt/zimbra/ssl/zimbra/commercial/commercial.crt for commercial
2) Default <subject> is "/C=US/ST=N_A/L=N_A/O=Zimbra Collaboration Suite/CN=webmail.intotheoven.com"
3) Default <validation_days> is 365.
4) install self is to install the certificates using self signed csr is in /opt/zimbra/ssl/zimbra/server
5) install comm is to install the certificates using commercially signed certificate in /opt/zimbra/ssl/zimbra/commercial
6) default <csr_file> is
7) for verifycrt, by default for self priv_key is /opt/zimbra/ssl/zimbra/server/server.key and the certfile is /opt/zimbra/ssl/zimbra/server/server.crt, for comm priv_key is /opt/zimbra/ssl/zimbra/commercial/commercial.key and the certfile is /opt/zimbra/ssl/zimbra/commercial/commercial.crt
I found the backup of those files, copied them into the appropriate directory, then ran:
[root@webmail ssl]# /opt/zimbra/bin/zmcertmgr install comm -new
It failed with an error, so I re-ran it with '-x' to see the output; here is where it failed:
+ '[' '!' -f /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt ']'
+ echo 'XXXXX ERROR: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt does not exist.'
XXXXX ERROR: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt does not exist.
So I copied my .crt to the temp dir and it ran fine:
[root@webmail commercial]# sh /opt/zimbra/bin/zmcertmgr install comm -new
** Installing Certificates from /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20071230130845
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Installing CA to /opt/zimbra/conf/ca...done.
Hopes were set high here, but then again, same error as above:
Dec 30 13:18:44 webmail postfix/trivial-rewrite[12042]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
Dec 30 13:18:44 webmail last message repeated 2 times
Dec 30 13:18:44 webmail postfix/trivial-rewrite[12042]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
Dec 30 13:18:45 webmail postfix/master[12029]: warning: process /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite pid 12042 exit status 1
Dec 30 13:18:45 webmail postfix/master[12029]: warning: /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite: bad command startup -- throttling
This is very irritating, as I cannot send mail through the server from my iPhone with a self-signed cert.
Any assistance would GREATLY be appreciated!
Here is the result of a:
/opt/zimbra/bin/zmcertmgr viewdeployedcrt all
::service mta::
notBefore=Jul 30 20:25:48 2007 GMT
notAfter=Jul 29 20:25:48 2009 GMT
subject= /O=webmail.intotheoven.com/OU=Domain Validated/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/CN=webmail.intotheoven.com
issuer= /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
SubjectAltName=
::service proxy::
notBefore=Jul 30 20:25:48 2007 GMT
notAfter=Jul 29 20:25:48 2009 GMT
subject= /O=webmail.intotheoven.com/OU=Domain Validated/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/CN=webmail.intotheoven.com
issuer= /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
SubjectAltName=
::service mailboxd::
notBefore=Jul 30 20:25:48 2007 GMT
notAfter=Jul 29 20:25:48 2009 GMT
subject= /O=webmail.intotheoven.com/OU=Domain Validated/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/CN=webmail.intotheoven.com
issuer= /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
SubjectAltName=
::service ldap::
notBefore=Jul 30 20:25:48 2007 GMT
notAfter=Jul 29 20:25:48 2009 GMT
subject= /O=webmail.intotheoven.com/OU=Domain Validated/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/CN=webmail.intotheoven.com
issuer= /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
SubjectAltName=
HELP!
Turning off Postfix and TLS -> LDAP
I think I could get around this problem if I knew where to turn off Postfix trying to look up the address rewrites in LDAP via TLS, and go back to the anonymous lookups of 4.10.
I thought it might be related to my certificate being past the one-year mark. Well, I just purchased another certificate because I need to get this thing going, and I'm in the exact same boat. I even installed the cert through the web interface.
Everything starts fine, and I can access IMAP and HTTPS (web), but I just can't send or receive any e-mail while I'm getting this error:
Dec 31 15:33:01 webmail postfix/trivial-rewrite[14070]: fatal: ldap:/opt/zimbra/conf/ldap-vmd.cf(0,lock|fold_fix): table lookup problem
Dec 31 15:33:01 webmail postfix/trivial-rewrite[14071]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
Dec 31 15:33:01 webmail last message repeated 2 times
Dec 31 15:33:01 webmail postfix/trivial-rewrite[14071]: fatal: ldap:/opt/zimbra/conf/ldap-vmd.cf(0,lock|fold_fix): table lookup problem
Dec 31 15:33:02 webmail postfix/qmgr[7320]: warning: problem talking to service rewrite: Success
Dec 31 15:33:02 webmail postfix/master[7310]: warning: process /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite pid 14061 exit status 1
Dec 31 15:33:02 webmail postfix/master[7310]: warning: /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite: bad command startup -- throttling
Seriously, if anyone has any ideas, I would appreciate it.
HAHA - Temporarily FIXED / SOLVED!
Ok, the problem still exists, but I thought: if it's having a problem with the TLS to LDAP, let's just turn off the TLS to LDAP.
So I did a 'vi /opt/zimbra/conf/lda'. From there, every entry that had the line:
start_tls = yes
I changed to
start_tls = no
I was then able to get it up and going until v5.0.1 comes out and fixes it!
BTW, I did the change after a 'zmcontrol start', then did a '/opt/zimbra/postfix/sbin/postfix stop' and '/opt/zimbra/postfix/sbin/postfix start' while the system was up and running. Not sure if it will survive a restart, as some configurations are rewritten each time.
If it does, I'll know how to fix it, but I don't plan on touching this darn thing for sometime.
Thanks for the help, jholder! Very much appreciated! 12:03am in NY; now that wasn't too fun. ;)
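The two things this thread juggles, deploying one certificate to slapd and the MTA and then switching Postfix's ldap: tables between start_tls = yes and start_tls = no, can both be checked before touching a running server. The script below is an added example written for this page; it is not from the thread, and it is not Zimbra's zmcertmgr. It assumes only openssl and a POSIX shell, and it builds its own throwaway CA, server certificate and constructed ldap-*.cf table files so it runs offline. The table keys it reads (start_tls, server_host, tls_ca_cert_file, tls_ca_cert_dir, bind_pw) are documented Postfix ldap_table(5) parameters; which of them Zimbra 5.0's generated tables actually contain is not shown on this page, so treat the sample files as assumptions. Background for the error in the logs: -11 is libldap's LDAP_CONNECT_ERROR, the generic result when the STARTTLS handshake with slapd fails, and the two most common causes are a key/certificate mismatch on the slapd side and an issuer the client cannot verify; the first two functions test exactly those. The audit function flags the thread's workaround when it is applied to a non-loopback LDAP host, because start_tls = no there sends every lookup and the bind password across the network in cleartext.

```shell
#!/bin/sh
# Added example (not from the thread, not Zimbra's own code): pre-flight checks
# for a cert about to be deployed to slapd/MTA, plus an audit of Postfix ldap:*
# table files for the start_tls setting the thread toggles.
# Assumptions: openssl is installed; the keys checked (start_tls, server_host,
# tls_ca_cert_file, tls_ca_cert_dir) are Postfix ldap_table(5) parameters; every
# file used here is a generated throwaway, not a real deployment file.

# check_key_matches_cert KEY CRT : succeed only if the private key and the
# certificate carry the same public key. A mismatched pair makes the handshake
# fail on the server side before any trust check is reached.
check_key_matches_cert() {
    local key_pub crt_pub
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# check_chain CAFILE CRT : succeed only if CRT chains to CAFILE, which is what a
# TLS client that requires a valid server certificate does against slapd.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cf_get FILE KEY : value of the last "key = value" line in a Postfix table file.
cf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_ldap_table FILE : print a finding and return 1 when the file either
# enables STARTTLS without naming a trust anchor, or disables it while talking
# to a non-loopback LDAP server (cleartext queries and bind_pw on the wire).
audit_ldap_table() {
    local f="$1" tls host ca rc=0
    tls=$(cf_get "$f" start_tls)
    host=$(cf_get "$f" server_host)
    ca="$(cf_get "$f" tls_ca_cert_file)$(cf_get "$f" tls_ca_cert_dir)"
    case "$tls" in
        yes)
            if [ -z "$ca" ]; then
                echo "WARN $f: start_tls = yes with no tls_ca_cert_file/tls_ca_cert_dir; trust falls back to libldap's ldap.conf, so confirm it points at the CA that signed slapd's certificate"
                rc=1
            fi ;;
        *)
            case "$host" in
                ""|localhost|127.0.0.1|::1|ldap://localhost*|ldap://127.0.0.1*|ldapi*) ;;
                *)
                    echo "RISK $f: start_tls = ${tls:-no} against $host; LDAP queries and bind_pw cross the network in cleartext"
                    rc=1 ;;
            esac ;;
    esac
    return $rc
}

# make_fixture : build a throwaway CA, a server cert signed by it, an unrelated
# key, and three constructed table files; print the directory path.
make_fixture() {
    local d
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Throwaway Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=webmail.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/srv.crt" >/dev/null 2>&1 || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.key" >/dev/null 2>&1 || return 1
    # Constructed table files, modelled on the ldap:*.cf names seen in the thread.
    printf 'server_host = localhost\nstart_tls = yes\n' > "$d/ldap-vad.cf"
    printf 'server_host = localhost\nstart_tls = yes\ntls_ca_cert_dir = %s\n' "$d" > "$d/ldap-good.cf"
    printf 'server_host = ldap.example.test\nstart_tls = no\nbind_pw = secret\n' > "$d/ldap-remote.cf"
    echo "$d"
}

# demo : run every check once against the fixture, report, clean up.
demo() {
    local d f
    d=$(make_fixture) || { echo "fixture failed (is openssl installed?)"; return 0; }
    check_key_matches_cert "$d/srv.key" "$d/srv.crt" && echo "srv.key matches srv.crt"
    check_key_matches_cert "$d/other.key" "$d/srv.crt" || echo "other.key does NOT match srv.crt (expected)"
    check_chain "$d/ca.pem" "$d/srv.crt" && echo "srv.crt chains to ca.pem"
    for f in "$d"/ldap-*.cf; do audit_ldap_table "$f" || true; done
    rm -rf "$d"
    return 0
}

demo
```

To use it on a real box, point check_key_matches_cert and check_chain at the commercial.key/commercial.crt pair and the CA bundle the LDAP client actually trusts, and run audit_ldap_table over the ldap-*.cf files before and after editing start_tls; a clean run of the first two checks on the deployed slapd pair rules out the two handshake causes above, and a RISK line from the audit means the cleartext workaround has left the loopback interface.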