Background:
I want Zimbra running under Xen. The fact that LDAP wants NPTL means that I need to use Debian 4.0 (etch) in the guest, because it has a Xen-friendly libc package (libc6-xen). Without this package, LDAP won't install.
When I install, LDAP fails to start. Using "sh -x" a lot, I see that /opt/zimbra/conf/slapd.{crt,key} don't exist. I assume they should get created during the installation, but something is going wrong.
The first symptom I see is that the local config sets "ldap_is_master" to false, and complains when I set the master URL to the same as the box I'm installing on. When I change this, I progress to the SSL errors above.
I run "sh -x /opt/zimbra/bin/zmcreatecert" and see (snipped):
-------------------------
+ openssl ca -out /opt/zimbra/ssl/ssl/server/server.crt -notext -config /opt/zimbra/ssl/ssl/zmssl.cnf -in /opt/zimbra/ssl/ssl/server/server.csr -keyfile /opt/zimbra/ssl/ssl/ca/ca.key -cert /opt/zimbra/ssl/ssl/ca/ca.pem -batch
Using configuration from /opt/zimbra/ssl/ssl/zmssl.cnf
unable to load CA private key
5140:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: ANY PRIVATE KEY
unable to write 'random state'
+ openssl x509 -CA /opt/zimbra/ssl/ssl/ca/ca.pem -CAkey /opt/zimbra/ssl/ssl/ca/ca.key -CAserial /opt/zimbra/ssl/ssl/ca/ca.srl -req -in /opt/zimbra/ssl/ssl/server/tomcat.csr -extensions v3_req -extfile /opt/zimbra/ssl/ssl/zmssl.cnf -out /opt/zimbra/ssl/ssl/server/tomcat.crt -days 365
Signature ok
subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=zimbra.home
unable to load certificate
5141:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: TRUSTED CERTIFICATE
unable to write 'random state'
+ cp /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/conf/slapd.crt
cp: cannot stat `/opt/zimbra/ssl/ssl/server/server.crt': No such file or directory
-------------------------
So, my certificates are stuffed, it would appear.
I *think* the root cause might be the SSL version. Native in Debian 4.0 is 0.9.8. The openssl package is linked to this, though libssl0.9.7 is still available. I downgraded openssl to run from sarge (i.e. the 0.9.7x version) before running the install, but it didn't seem to help. I can't get rid of libssl0.9.8 permanently, as many things depend on this.
I see reference to symlinking 0.9.8 to 0.9.7 but can't find an authoritative post or article. Is this what I need to do? Sounds harsh.
If it's useful, I can provide full logs.
Thanks,
Tony



