[SOLVED] ldap errors

[ewilen]

After installing an SSL certificate and restarting the server, I keep getting this error

Code:

[zimbra@zimbra ~]$ zmcontrol start
Host zimbra.mprinc.com
	Starting ldap...Done.
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.

Aside from that, Zimbra is starting okay, but I don't know if it will continue to do so. I know there's some standard info that needs to be posted in situations like this but first some background and additional notes.

• Initial install went fine with zimbra.mprinc.com.
• Later created two domains: mprinc.com and connectedcalifornia.org.
• Virtual hosts for the two are zimbra.mprinc.com and zimbra.connectedcalifornia.org, respectively.
• Did not alter mx records for mprinc.com and connectedcalifornia.org as those are currently pointing to a live server. I would like to leave those records in place until transition to Zimbra.
• When creating the CSR for zimbra.mprinc.com, I entered zimbra.connectedcalifornia.org as a Subject Alternate Name
• However when I view the cert in Zimra, the Subject Alternate Name is "zimbra.mprinc.com, www.zimbra.mprinc.com" (maybe GoDaddy doesn't allow SANs with the type of cert I bought?)

With that out of the way,

Code:

[zimbra@zimbra log]$ cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1		localhost.localdomain localhost
99.147.40.125	zimbra.mprinc.com zimbra
::1		localhost6.localdomain6 localhost6
[zimbra@zimbra log]$ cat /etc/resolv.conf
search mprinc.com
nameserver 99.147.40.124
nameserver 68.94.156.1
nameserver 68.94.157.1
[zimbra@zimbra log]$ dig mprinc.com mx

; <<>> DiG 9.3.4-P1 <<>> mprinc.com mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56200
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;mprinc.com.			IN	MX

;; ANSWER SECTION:
mprinc.com.		10800	IN	MX	10 mail.mprinc.com.
mprinc.com.		10800	IN	MX	20 mx2.mprinc.com.

;; AUTHORITY SECTION:
mprinc.com.		10800	IN	NS	ns1.sbcglobal.net.
mprinc.com.		10800	IN	NS	ns.mprinc.com.

;; ADDITIONAL SECTION:
mail.mprinc.com.	10800	IN	A	99.147.40.124
mx2.mprinc.com.		10800	IN	A	99.147.40.84
ns.mprinc.com.		10800	IN	A	99.147.40.124

;; Query time: 1 msec
;; SERVER: 99.147.40.124#53(99.147.40.124)
;; WHEN: Thu Jun  4 18:01:04 2009
;; MSG SIZE  rcvd: 165

[zimbra@zimbra log]$ dig connectedcalifornia.org mx

; <<>> DiG 9.3.4-P1 <<>> connectedcalifornia.org mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4083
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 6

;; QUESTION SECTION:
;connectedcalifornia.org.	IN	MX

;; ANSWER SECTION:
connectedcalifornia.org. 86400	IN	MX	50 smtp.connectedcalifornia.org.
connectedcalifornia.org. 86400	IN	MX	75 mx2.mprinc.com.

;; AUTHORITY SECTION:
connectedcalifornia.org. 5025	IN	NS	ns19b.nameservers.net.
connectedcalifornia.org. 5025	IN	NS	ns19a.nameservers.net.

;; ADDITIONAL SECTION:
smtp.connectedcalifornia.org. 19328 IN	A	99.147.40.124
mx2.mprinc.com.		10800	IN	A	99.147.40.84
ns19a.nameservers.net.	4990	IN	A	161.58.134.98
ns19a.nameservers.net.	4990	IN	A	161.58.75.72
ns19b.nameservers.net.	4990	IN	A	198.170.241.2
ns19b.nameservers.net.	4990	IN	A	161.58.134.114

;; Query time: 85 msec
;; SERVER: 99.147.40.124#53(99.147.40.124)
;; WHEN: Thu Jun  4 18:01:12 2009
;; MSG SIZE  rcvd: 243

[zimbra@zimbra log]$ dig zimbra.mprinc.com mx

; <<>> DiG 9.3.4-P1 <<>> zimbra.mprinc.com mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6944
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;zimbra.mprinc.com.		IN	MX

;; ANSWER SECTION:
zimbra.mprinc.com.	10800	IN	MX	10 zimbra.mprinc.com.

;; AUTHORITY SECTION:
mprinc.com.		10800	IN	NS	ns.mprinc.com.
mprinc.com.		10800	IN	NS	ns1.sbcglobal.net.

;; ADDITIONAL SECTION:
zimbra.mprinc.com.	10800	IN	A	99.147.40.125
ns.mprinc.com.		10800	IN	A	99.147.40.124

;; Query time: 0 msec
;; SERVER: 99.147.40.124#53(99.147.40.124)
;; WHEN: Thu Jun  4 18:01:23 2009
;; MSG SIZE  rcvd: 131

[zimbra@zimbra log]$ dig mprinc.com any

; <<>> DiG 9.3.4-P1 <<>> mprinc.com any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50088
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 3

;; QUESTION SECTION:
;mprinc.com.			IN	ANY

;; ANSWER SECTION:
mprinc.com.		10800	IN	MX	10 mail.mprinc.com.
mprinc.com.		10800	IN	MX	20 mx2.mprinc.com.
mprinc.com.		10800	IN	A	199.237.238.185
mprinc.com.		10800	IN	SOA	ns.mprinc.com. ewilen.mprinc.com. 1183161117 10800 3600 1209600 10800
mprinc.com.		10800	IN	NS	ns.mprinc.com.
mprinc.com.		10800	IN	NS	ns1.sbcglobal.net.

;; ADDITIONAL SECTION:
mail.mprinc.com.	10800	IN	A	99.147.40.124
mx2.mprinc.com.		10800	IN	A	99.147.40.84
ns.mprinc.com.		10800	IN	A	99.147.40.124

;; Query time: 0 msec
;; SERVER: 99.147.40.124#53(99.147.40.124)
;; WHEN: Thu Jun  4 18:01:33 2009
;; MSG SIZE  rcvd: 224

[zimbra@zimbra log]$ dig connectedcalifornia.org any

; <<>> DiG 9.3.4-P1 <<>> connectedcalifornia.org any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41110
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 2, ADDITIONAL: 6

;; QUESTION SECTION:
;connectedcalifornia.org.	IN	ANY

;; ANSWER SECTION:
connectedcalifornia.org. 86372	IN	MX	75 mx2.mprinc.com.
connectedcalifornia.org. 86372	IN	MX	50 smtp.connectedcalifornia.org.
connectedcalifornia.org. 84040	IN	SOA	feed19.nameservers.net. hostmaster.rapidsite.net. 2009060419 7200 3600 604800 86400
connectedcalifornia.org. 4997	IN	NS	ns19a.nameservers.net.
connectedcalifornia.org. 4997	IN	NS	ns19b.nameservers.net.
connectedcalifornia.org. 67004	IN	A	198.106.189.123

;; AUTHORITY SECTION:
connectedcalifornia.org. 4997	IN	NS	ns19b.nameservers.net.
connectedcalifornia.org. 4997	IN	NS	ns19a.nameservers.net.

;; ADDITIONAL SECTION:
smtp.connectedcalifornia.org. 19300 IN	A	99.147.40.124
mx2.mprinc.com.		10800	IN	A	99.147.40.84
ns19a.nameservers.net.	4962	IN	A	161.58.75.72
ns19a.nameservers.net.	4962	IN	A	161.58.134.98
ns19b.nameservers.net.	4962	IN	A	161.58.134.114
ns19b.nameservers.net.	4962	IN	A	198.170.241.2

;; Query time: 0 msec
;; SERVER: 99.147.40.124#53(99.147.40.124)
;; WHEN: Thu Jun  4 18:01:40 2009
;; MSG SIZE  rcvd: 351

[zimbra@zimbra log]$ dig zimbra.mprinc.com any

; <<>> DiG 9.3.4-P1 <<>> zimbra.mprinc.com any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21307
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;zimbra.mprinc.com.		IN	ANY

;; ANSWER SECTION:
zimbra.mprinc.com.	10800	IN	A	99.147.40.125
zimbra.mprinc.com.	10800	IN	MX	10 zimbra.mprinc.com.

;; AUTHORITY SECTION:
mprinc.com.		10800	IN	NS	ns1.sbcglobal.net.
mprinc.com.		10800	IN	NS	ns.mprinc.com.

;; ADDITIONAL SECTION:
ns.mprinc.com.		10800	IN	A	99.147.40.124

;; Query time: 0 msec
;; SERVER: 99.147.40.124#53(99.147.40.124)
;; WHEN: Thu Jun  4 18:01:45 2009
;; MSG SIZE  rcvd: 131

[zimbra@zimbra log]$ host `hostname`
zimbra.mprinc.com has address 99.147.40.125
zimbra.mprinc.com mail is handled by 10 zimbra.mprinc.com.

If there is a problem with the cert for zimbra.mprinc.com I could re-key, and if necessary/possible I could have a spare cert I could use for zimbra.connectedcalifornia.org instead of using a SAN.

[ewilen]

Well, no answers here so I contacted support, spoke to someone there via email.

He suggested moving /opt/zimbra/log/.zmcontrol.cache and restarting.

When I did this, I had to issue zmcontrol start twice to get zimbra going, but it did start. I.e.,

Code:

[zimbra@zimbra log]$ zmcontrol start
Host zimbra.mprinc.com
	Starting ldap...Done.
Unable to determine enabled services from ldap.
Unable to determine enabled services. Cache is out of date or doesn't exist.
[zimbra@zimbra log]$ zmcontrol start
Host zimbra.mprinc.com
	Starting logger...Done.
	Starting convertd...Done.
	Starting mailbox...

It seems I can also start ldap separately with ldap start, then wait a bit and do zmcontrol start.

So apparently ldap is just slow to respond the first time, but once the cache has been built, this isn't a problem. I'll mark this solved but if anyone has any more insights, I'd appreciate it.

[ewilen]

Another user has reported the same issue with a GoDaddy cert: ZCS 6.0rc1 & godaddy SSL cert problems

I'm still seeing this after changing my GoDaddy cert to one that allows multiple Subject Alternative Names.