#1  06-03-2010, 09:22 PM  Junior Member (Posts: 8)
Unable to determine enabled services from ldap after ssl certificate install

New install of Zimbra 6.0 on Ubuntu 8.04 LTS

Was working fine before adding a commercial ssl certificate.

First problem: How do I remove the certificate?

Second problem: Can I use an ssl cert with a different name than the actual hostname?
#2  06-04-2010, 10:54 AM  Junior Member (Posts: 8)
installing SSL Cert seems to hose ldap

Ok. So I uninstalled zimbra and have now re-installed. Here is what I did:
(names changed to protect the innocent)

1. Install Ubuntu 8.04 LTS. Updated/Upgraded.
Hostname = wmail.mydomain.com
Added necessary prerequisites
2. Configured DNS
Added A record for wmail to mydomain.com (and reverse)
Added MX record for wmail.mydomain.com
3. Verified DNS
Code:
root@wmail:~# host wmail.mydomain.com
wmail.mydomain.com has address 172.16.50.1
Code:
root@wmail:~# dig mydomain.com mx

; <<>> DiG 9.4.2-P2.1 <<>> mydomain.com mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38558
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mydomain.com.                 IN      MX

;; ANSWER SECTION:
mydomain.com.          3600    IN      MX      300 wmail.mydomain.com.

;; ADDITIONAL SECTION:
wmail.mydomain.com.    3600    IN      A       172.16.50.1

;; Query time: 5 msec
;; SERVER: 172.16.10.3#53(172.16.10.3)
;; WHEN: Fri Jun  4 13:40:48 2010
;; MSG SIZE  rcvd: 109
4. Install Zimbra - Release 6.0.6_GA_2330.UBUNTU8 UBUNTU8 FOSS edition.
Took all defaults
When it asked about the domain name I entered: mydomain.com and it found everything correctly.
5. Started Zimbra
Logged into web admin, everything fat/dumb/happy
Code:
zimbra@wmail:/root$ zmhostname
wmail.mydomain.com
6. Generated CSR
In web admin interface I generated the CSR for a commercial certificate
7. Generated Certificate on Godaddy & installed using zmcertmgr
Code:
root@wmail:~# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./wmail.mydomain.com.crt ./gd_bundle.crt 
** Verifying ./wmail.mydomain.com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (./wmail.mydomain.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: ./wmail.mydomain.com.crt: OK
root@wmail:~# /opt/zimbra/bin/zmcertmgr deploycrt comm ./wmail.mydomain.com.crt ./gd_bundle.crt 
** Verifying ./wmail.mydomain.com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (./wmail.mydomain.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: ./wmail.mydomain.com.crt: OK
** Copying ./wmail.mydomain.com.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain ./gd_bundle.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...done.    
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.

root@wmail:~# su zimbra

zimbra@wmail:/root$ zmcontrol stop

Host wmail.mydomain.com
        Stopping stats...Done.
        Stopping mta...Done.
        Stopping spell...Done.
        Stopping snmp...Done.
        Stopping archiving...Done.
        Stopping antivirus...Done.
        Stopping antispam...Done.
        Stopping imapproxy...Done.
        Stopping memcached...Done.
        Stopping mailbox...Done.
        Stopping logger...Done.
        Stopping ldap...Done.

zimbra@wmail:/root$ zmcontrol start

Host wmail.mydomain.com
        Starting ldap...Done.
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
        Starting logger...Failed.
Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
zimbra logger service is not enabled!  failed.

        Starting mailbox...Done.
        Starting antispam...Done.
        Starting antivirus...Done.
        Starting spell...Done.
        Starting mta...Done.
        Starting stats...Done.
Code:
root@wmail:~# /opt/zimbra/bin/zmcertmgr viewdeployedcrt

::service mta::
notBefore=Jun  4 17:25:29 2010 GMT
notAfter=Jun  3 20:57:40 2012 GMT
subject= /O=wmail.mydomain.com/OU=Domain Control Validated/CN=wmail.mydomain.com
issuer= /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
SubjectAltName= wmail.mydomain.com, www.wmail.mydomain.com
::service proxy::
notBefore=Jun  4 17:25:29 2010 GMT
notAfter=Jun  3 20:57:40 2012 GMT
subject= /O=wmail.mydomain.com/OU=Domain Control Validated/CN=wmail.mydomain.com
issuer= /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
SubjectAltName= wmail.mydomain.com, www.wmail.mydomain.com
::service mailboxd::
notBefore=Jun  4 17:25:29 2010 GMT
notAfter=Jun  3 20:57:40 2012 GMT
subject= /O=wmail.mydomain.com/OU=Domain Control Validated/CN=wmail.mydomain.com
issuer= /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
SubjectAltName= wmail.mydomain.com, www.wmail.mydomain.com
::service ldap::
notBefore=Jun  4 17:25:29 2010 GMT
notAfter=Jun  3 20:57:40 2012 GMT
subject= /O=wmail.mydomain.com/OU=Domain Control Validated/CN=wmail.mydomain.com
issuer= /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
SubjectAltName= wmail.mydomain.com, www.wmail.mydomain.com

Obviously I am doing something wrong as this seems to be a fairly straightforward process but I can't figure out what.

Can anyone help with this?

/x

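The PKIX error in the zmcontrol output above ("unable to find valid certification path to requested target") means the Java LDAP client in mailboxd could not build a chain from the certificate slapd presents to a CA it trusts; the certificate itself can be perfectly valid, as zmcertmgr verifycrt reported, and still fail this way if the issuer is missing from the trust store the client consults. The following is an added example, not from this thread and not Zimbra's zmcertmgr: it builds a throwaway test CA and a server certificate for wmail.mydomain.com with openssl (all constructed, no real hosts), checks that key and certificate match the way verifycrt does, and then shows the same certificate verifying against its issuing CA but not against an unrelated CA, which is exactly the condition the Java side hit. It assumes openssl(1) is installed and writes only into a temporary directory.

```shell
#!/bin/sh
# Added example (not from the forum thread, not Zimbra's zmcertmgr).
# Reproduces the condition behind "PKIX path building failed ... unable to
# find valid certification path": a valid certificate whose issuing CA is
# absent from the trust store the client consults.
# Assumes openssl(1) is installed. All files are constructed in a temp dir;
# the host name mirrors the thread and is not real.

WORK="${WORK:-$(mktemp -d)}"

# Throwaway two-tier PKI: a test root CA signing a server certificate for
# wmail.mydomain.com, plus an unrelated CA that stands in for a trust store
# that does not contain the issuer.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -sha256 \
        -subj "/O=Example Test CA/CN=Example Test Root" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1 &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -sha256 \
        -subj "/O=Unrelated Test CA/CN=Unrelated Test Root" \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1 &&
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=wmail.mydomain.com/CN=wmail.mydomain.com" \
        -keyout "$WORK/commercial.key" -out "$WORK/commercial.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 1 -sha256 -in "$WORK/commercial.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/commercial.crt" >/dev/null 2>&1
}

# What `zmcertmgr verifycrt` checks first: the private key and the
# certificate carry the same public key (compared as SubjectPublicKeyInfo PEM).
key_matches_cert() {
    key_pub="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
    crt_pub="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)"
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Can a chain be built from the leaf ($1) to something in the trust store ($2)?
# -no-CApath keeps the system store out of it so the answer depends only on
# the file passed. Prints trusted/untrusted and returns 0/1.
chain_status() {
    if openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
        return 1
    fi
}

# Demo: the same leaf verifies against its issuer but not against an
# unrelated CA. A Java truststore without the issuer sees the second case.
make_test_pki
openssl x509 -noout -subject -issuer -in "$WORK/commercial.crt"
key_matches_cert "$WORK/commercial.key" "$WORK/commercial.crt" && echo "key and certificate match"
echo "against issuing CA:   $(chain_status "$WORK/commercial.crt" "$WORK/ca.crt")"
echo "against unrelated CA: $(chain_status "$WORK/commercial.crt" "$WORK/other.crt")"
```

On a real host the equivalent checks are `openssl s_client -connect wmail.mydomain.com:636 -showcerts </dev/null`, which shows the chain slapd actually presents, and `openssl verify -CAfile gd_bundle.crt commercial.crt`, which checks the deployed leaf against the vendor bundle; if the leaf verifies against the bundle but the Java client still fails, the issuer is missing from the trust store the Java side uses, not from the file zmcertmgr wrote.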
#3  06-07-2010, 07:19 AM  Junior Member (Posts: 8)
Uh... Tap Tap Tap... is this thing turned on?

Has the entire community of Zimbra genii been stumped by this one? If so, is there a prize? (I hope so because otherwise this kind of stinks)

Have I somehow breached etiquette rules that I'm not aware of? I swear I searched high and low before posting my question. I saw some other people with similar problems that seem to have similar answers (none). Maybe there is a better forum to post this in?

I can use more smileys/emoticons if that helps.

/x

P.S. All said with a smile, absolutely no offense intended to anyone.
#4  06-07-2010, 02:56 PM  Moderator (Posts: 1,432)

Try generating the CSR via CLI. I just recently wrote up the procedure. In my case I used a UCC cert but you can probably just leave out the extra domain. I.e. no "/CN=$FQDN2"

http://www.zimbra.com/forums/install...t-renewal.html
__________________
Elliot Wilen
Berkeley, CA

Don't forget to enter your Zimbra version in your forum profile.
#5  06-10-2010, 08:12 AM  Junior Member (Posts: 8)
CSR via CLI

This is what I got when I tried that:

Code:
root@wmail:~# /opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 "/C=cn/ST=st/L=city/O=Org/CN=wmail.domain.com"
** Generating a server csr for download comm -new -keysize 2048 /C=cn/ST=st/L=city/O=Org/CN=wmail.domain.com
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20100610110815 
** Creating server cert request /opt/zimbra/ssl/zimbra/commercial/commercial.csr...done.
** Saving server config key zimbraSSLPrivateKey...failed.

How do I remove the certificate just so I can get my system to start up again?
#6  06-10-2010, 12:37 PM  Moderator (Posts: 1,432)

Huh, I'm out of ideas...except maybe checking the permissions of files, or manually moving some of them out of the way. In other words, see if you can do something about /opt/zimbra/ssl/zimbra/commercial/commercial.key and maybe some of the other files mentioned in the output of the successful install example from my thread.

Also there may be a way to create the files in a location other than the default. It's not well documented but I came across it in one example or another.

Finally (for now) if you haven't read these links for creating a new self-signed cert, see:

Administration Console and CLI Certificate Tools - Zimbra :: Wiki
#7  06-10-2010, 02:15 PM  Junior Member (Posts: 8)

I completely uninstalled (again) zimbra and re-installed then did the entire SSL process from the CLI. Everything goes nice/happy until I try to restart the server then LDAP is hosed.

It's pretty obvious is that the problem has to do with LDAP access. I assume inter-process comm is also using SSL, if that is true do you know how I can disable that?
#8  06-10-2010, 02:23 PM  Moderator (Posts: 1,432)

Possibly you have run into Bug 46264 – ClassNotFoundException in LDAP code when trying to find EasySSLSocketFactory

Note comment 6.
#9  06-11-2010, 06:55 AM  Junior Member (Posts: 8)

set ewilen_the_man_status=++

That helped.

I used zmlocalconfig to set the following:
Code:
zmlocalconfig -e ssl_allow_untrusted_certs=1
(that didn't actually fix it, I had to set ldap to not use ssl also)
zmlocalconfig -e ldap_master_url=ldap://wmail.inteltech.com:389
zmlocalconfig -e ldap_url=ldap://wmail.inteltech.com:389
zmlocalconfig -e ldap_port=389
I'm a little confused though. I tried setting ldaps according to that bug note and allowing untrusted certs; which only makes sense to me in that they are related; but that didn't help. So then I just set ldap to not use ssl and it worked. However, I tried setting the allow_untrusted back to false(0) and it quits working again. So my confusion: If I am configuring ldap not to use ssl, why does it care about the allow_untrusted setting at all? Or is that why we call it a bug and not a feature?

Either way I really appreciate you taking the time to help me on this one. I will start tracking your posts and if I can ever help I will.

/x
#10  06-11-2010, 08:20 AM  Moderator (Posts: 1,432)

You're welcome, glad to have helped!

I'm not an expert in this, but your previous note rang a bell.

About the setting for allow_untrusted, I can only guess that setting it to 1 as you did will make it work for a self-signed cert, and therefore setting it to 0 makes it stop working for you because you're using a self-signed cert. But I don't know exactly why the recommendation to set it to 0 is there. That is, is it specifically needed for Zimbra to start, or is it just there because if you allow untrusted certs, you may be defeating the purpose of using ldaps?

The support portal has somewhat more detailed info for what to do in a new install to 6.0.6. I.e., don't select ldaps during the install, then after install do
Code:
zmlocalconfig -e ldap_url=ldaps://mail.domain.com:636
zmlocalconfig -e ldap_master_url=ldaps://mail.domain.com:636
zmlocalconfig -e ldap_port=636
zmlocalconfig -e ldap_starttls_support=0
zmlocalconfig -e ssl_allow_untrusted_certs=0
Possibly the ldap_starttls_support=0 is the missing link. (It's mentioned in comment #13 of the bug, too, but not in a way that makes it clear how it relates to the workaround for 6.0.6.)
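The two zmlocalconfig sets in this thread imply very different things for the LDAP connection: post #9 moves the client to plaintext ldap:// on 389 and leaves ssl_allow_untrusted_certs=1, while post #10's set uses ldaps:// on 636 with certificate validation on. The following is an added example, not code from the thread or from Zimbra: a small checker that parses zmlocalconfig-style `key = value` output (that layout is an assumption), reports port/scheme mismatches, flags plaintext LDAP, and flags ssl_allow_untrusted_certs=1 as disabling server authentication. The three configurations it runs on (POST9_CONFIG, POST10_CONFIG, LDAPS_UNTRUSTED_CONFIG) are constructed from the posts; the STARTTLS key is looked up under both ldap_starttls_support, as written in post #10, and ldap_starttls_supported, so the example does not assume which name the installed version uses, and an absent key is reported as unknown rather than guessed.

```python
"""Added example, not from the forum thread or from Zimbra's own code.

Reads zmlocalconfig-style "key = value" lines (output layout assumed) and
reports what the LDAP client settings mean for transport security.
"""
import re
from urllib.parse import urlsplit

SEVERITY_ORDER = {"info": 0, "warn": 1, "high": 2, "error": 3}

# Constructed from post #9 (plaintext LDAP, untrusted certs allowed).
POST9_CONFIG = """\
ldap_url = ldap://wmail.mydomain.com:389
ldap_master_url = ldap://wmail.mydomain.com:389
ldap_port = 389
ldap_starttls_support = 0
ssl_allow_untrusted_certs = 1
"""

# Constructed from post #10 (ldaps, certificates must validate).
POST10_CONFIG = """\
ldap_url = ldaps://mail.domain.com:636
ldap_master_url = ldaps://mail.domain.com:636
ldap_port = 636
ldap_starttls_support = 0
ssl_allow_untrusted_certs = 0
"""

# Constructed: ldaps with validation switched off, the workaround the thread
# mentions trying. TLS is on but no longer authenticates the server.
LDAPS_UNTRUSTED_CONFIG = POST10_CONFIG.replace(
    "ssl_allow_untrusted_certs = 0", "ssl_allow_untrusted_certs = 1")


def parse_localconfig(text):
    """Parse 'key = value' lines into a dict, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m and not line.lstrip().startswith("#"):
            conf[m.group(1)] = m.group(2)
    return conf


def _flag(conf, *names):
    """True/False for a 0/1 key under any of the given names, None if unset."""
    for name in names:
        if name in conf:
            return conf[name] == "1"
    return None


def audit_ldap_transport(conf):
    """Return [(severity, message), ...] for the LDAP client settings."""
    findings = []
    starttls = _flag(conf, "ldap_starttls_support", "ldap_starttls_supported")
    untrusted = _flag(conf, "ssl_allow_untrusted_certs")
    port = conf.get("ldap_port", "")
    tls_in_use = False

    for key in ("ldap_url", "ldap_master_url"):
        url = conf.get(key, "")
        if not url:
            findings.append(("error", f"{key} is not set"))
            continue
        u = urlsplit(url)
        if u.scheme not in ("ldap", "ldaps"):
            findings.append(("error", f"{key}: unexpected scheme in {url}"))
            continue
        # Port in the URL should agree with ldap_port; defaults are 636/389.
        url_port = u.port or (636 if u.scheme == "ldaps" else 389)
        if port and str(url_port) != port:
            findings.append(("warn", f"{key} uses port {url_port} but ldap_port is {port}"))
        if u.scheme == "ldaps":
            tls_in_use = True
            if starttls:
                findings.append(("warn", f"{key}: ldaps:// with STARTTLS enabled is contradictory"))
        elif starttls is False:
            findings.append(("high", f"{key}: plaintext ldap:// with STARTTLS off; "
                                     "binds and directory data cross the wire unencrypted"))
        elif starttls is None:
            findings.append(("warn", f"{key}: plaintext ldap:// and no STARTTLS key set; "
                                     "confirm whether STARTTLS is negotiated"))
        else:
            tls_in_use = True

    if untrusted:
        findings.append(("high" if tls_in_use else "warn",
                         "ssl_allow_untrusted_certs=1: certificate validation is off, so TLS "
                         "no longer authenticates the directory server; fix the trust chain "
                         "and set it back to 0"))
    return findings


def worst_severity(findings):
    """Highest severity present, or 'ok' when there are no findings."""
    return max((s for s, _ in findings), key=SEVERITY_ORDER.get, default="ok")


if __name__ == "__main__":
    for label, text in (("post #9", POST9_CONFIG), ("post #10", POST10_CONFIG),
                        ("ldaps + untrusted", LDAPS_UNTRUSTED_CONFIG)):
        findings = audit_ldap_transport(parse_localconfig(text))
        print(f"{label}: {worst_severity(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Run against `zmlocalconfig -s ldap_url ldap_master_url ldap_port ldap_starttls_support ssl_allow_untrusted_certs` output, it rates post #9's set "high" (two plaintext findings plus the latent untrusted-certs setting), post #10's set "ok", and the ldaps-plus-untrusted variant "high", which is the point the moderator raises at the end: allowing untrusted certificates makes ldaps connect, but it defeats the reason for using ldaps.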