Problems with Zimbra installation on OS X Server - LDAP and Tomcat

[mezza]

Hi,

I've installed Zimbra on Mac OS X Server 10.4.9 and the basic MTA and IMAP and POP services are all working well.

However, I'm having significant difficulties with getting the web interface to work correctly and any help would be appreciated. I'm trying to use Zimbra with the Apache 1.3 server that comes preinstalled since that's running other static and dynamic sites.

I've also noticed two unusual issues:

A. when trying to restart tomcat in between using zmprov to change settings it complains that it can't connect to the Slapd. Eg:

Code:

$sudo -u zimbra /opt/zimbra/bin/tomcat restart
problem reading config from ldap. Make sure ldap is running.

Slapd is definitely running, as is seen if I issue:

Code:

$sudo -u zimbra /opt/zimbra/bin/ldap status
slapd running pid: 372

B. The tomcat configuration file in /opt/zimbra/tomcat/conf/server.xml.in is buggy. The SSL section directives are delimited by badly formed comments which causes that entire section to be ignored.

HTML Code:

<!-- HTTPSBEGIN
        <Connector port="%%zimbraMailSSLPort%%"
                   acceptCount="1024" URIEncoding="UTF-8"
                   enableLookups="false"
                   compression="on"
                   compressionMinSize="1024"
                   compressableMimeType="text/html,text/plain,text/css"
                   noCompressionUserAgents=".*MSIE 6.*"
                   maxThreads="100" minSpareThreads="100" maxSpareThreads="100"
                   scheme="https" secure="true"
                   ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"
                   clientAuth="false" sslProtocol="TLS"
                   keystoreFile="/opt/zimbra/tomcat/conf/keystore" keystorePass="zimbra"/>
        HTTPSEND -->

Easy enough to fix, but odd. This prompted me to uninstall and reinstall Zimbra and this is reproducible.

Here's my installation procedure and setup:

1. Downloaded the install-mac.sh posted on the wiki as well as the Zimbra 4.5.3_GA_733 disk image

2. Installed using:

Code:

sudo ./install-mac.sh -d zcs-4.5.3_GA_733.MACOSX.dm

g

3. When I get to the zmsetup phase, just accept defaults except set the web server mode to 'mixed' and set zimbraMailPort and zimbraMailSSLPort to 8080 and 8443 respectively (to avoid any potential issues with Tomcat trying to bind to ports which Apache has bound to already)

4. Add ProxyPass and ProxyReversePass directives to the virtual hosts files created by using ServerAdmin eg:

Code:

        ServerName AAA.XXX.XXX
        ServerAdmin XXX@AAA.XXX.XXX
        DocumentRoot "/Library/WebServer/Documents"
        DirectoryIndex index.html index.php
        CustomLog "/var/log/httpd/access_log" "%h %l %u %t \"%r\" %>s %b"
        ErrorLog "/var/log/httpd/error_log"
        ErrorDocument 404 /error.html
        ProxyPass / http://AAA.XXX.XXX:8080/
        ProxyPassReverse / http://AAA.XXX.XXX:8080/
        LogLevel warn

And exactly the same for 443->8443:

Code:

        ServerName AAA.XXX.XXX
        ServerAdmin XXX@AAA.XXX.XXX
        DocumentRoot "/Library/WebServer/Documents"
        DirectoryIndex index.html index.php
        CustomLog "/var/log/httpd/access_log" "%h %l %u %t \"%r\" %>s %b"
        ErrorLog "/var/log/httpd/error_log"
        ErrorDocument 404 /error.html
        ProxyPass / https://AAA.XXX.XXX:8443/
        ProxyPassReverse / https://AAA.XXX.XXX:8443/
        LogLevel warn

With the setup as above, I can connect to the Zimbra webmail interface on port 80, but it doesn't redirect me to 443.

Doing a

Code:

curl -i http://localhost:8080

on the deployment box gives me the response I expect, but

Code:

curl -i -k https://localhost:8443

gives me:

Code:

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Expires: Tue, 24 Jan 2000 17:46:50 GMT
Cache-control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Location: http://localhost:8080/?initMode=https
Content-Type: text/html
Content-Length: 0
Date: Fri, 16 Mar 2007 12:18:20 GMT

Any ideas what's going on?

Thanks in advance.

mezza

[jholder]

Ahh 10.4.9 has lots of reported issues in general. I've heard numerous problems with it causing crashes, etc. (Not specifically related to zimbra)

Have you run the zmsetup script?

[mezza]

I did a fresh reinstall on OS X Server, ensuring that the web server was NOT running when I did so. This time, all seems fine and Zimbra's webmail interface is responding to requests on ports 8080 and 8443 after running the zmsetup.pl script, during which I set the mail mode to 'mixed' to force HTTPS authentication.

At this point

Code:

curl -i http://FQDN:8080

gets me a 302 redirect as expected to https://FQDN:8443, and

Code:

curl -i -k https://FQDN:8443

gives me the login page on the server.

The Apache proxying also works fine, and the only issue I'm dealing with is how to handle the 302 redirection from 8443 to 8080 for the login page.

There is still the issue with restarting Tomcat, which is that it claims not to be able to find the running slapd process. So I did a restart using /opt/zimbra/bin/zmcontrol stop and start instead.

Now, without having changed anything on the configuration,

Code:

curl -i http://FQDN:8080

gets me the insecure login page!?

Code:

curl -i -k https://FQDN:8443

gets me nothing!?

So after all this, I am currently unable to get Zimbra to respond to ports 8080 and 8443 correctly.

Any help welcome.

[mezza]

Ok. Did a fresh reinstall of Zimbra (again). Set webmail ports to 8080 and 8443 (SSL) and set mode to 'mixed'.

Zimbra web interface responds on ports 8080 and 8443 as expected and

Code:

curl -i http://FQDN:8080

gets me a 302 redirect as expected to https://FQDN:8443.

The Apache Proxy and ProxyPass directives in my original post work fine, and all I'm contending with is how to get the 302 redirects between the secure and insecure ports working properly with a RewriteRule or Redirect directive (more on that later).

Very very concerningly,

Code:

sudo /opt/zimbra/bin/tomcat restart

is still complaining about not being able to reach the LDAP server, and after doing so, Zimbra's webmail interface no longer responds on port 8443, instead of which I get the login page on port 8080. The same thing happens if I use /opt/zimbra/bin/zmcontrol to restart Zimbra.

The only way I am able to get the webmail working again is to rerun the zmsetup.pl script.

Any ideas on what's going on?

Back to the RewriteRule, can anyone tell me why this doesn't work:

HTML Code:

<VirtualHost XXX.XXX.XXX.XXX:80>
        ServerName FQDN
        ServerAdmin XXX@FQDN2
        DocumentRoot "/Library/WebServer/Documents"
        DirectoryIndex index.html index.php
        CustomLog "/var/log/httpd/access_log" "%h %l %u %t \"%r\" %>s %b"
        ErrorLog "/var/log/httpd/error_log"
        ErrorDocument 404 /error.html
        Redirect abacus https://FQDN/
        ProxyPass /abacus !
        ProxyPass / http://FQDN:8080/
        ProxyPassReverse / http://FQDN:8080/
        ProxyPassReverse /abacus/ https://FQDN:8443/
        LogLevel warn
</VirtualHost>

All I'm doing is to try and get the initial 302 redirect to https://FQDN:8443 to be rewritten to http://FQDN/abacus/... and then to catch that with a redirect rule to pass it to https://FQDN. Currently, as I have the insecure and secure ports set to 8080 and 8443, all the redirects are between those two ports when trying to login.

[jholder]

What does your hosts file look like?
-john

[mezza]

Hi John,

127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
XX.XX.XX.XX FQDN

Regards,

mezza

[jholder]

Try
127.0.0.1 localhost.localdomain localhost
x.x.x.x hostname.domain hostname

[mezza]

John,

Updated /etc/hosts to ONLY contain the entries you suggested and rebooted the server.

Then ran

Code:

sudo -u zimbra /opt/zimbra/bin/zmcontrol start

and checked to see whether the Zimbra webmail interface was running on port 8443 but got no response:

Code:

$ curl -i -k https://localhost
curl: (7) couldn't connect to host

I've now restored the /etc/hosts file to it's original, and restarted the server and then started up Zimbra by running the zmsetup.pl script (which seems to be the ONLY way to get Zimbra to start up correctly on my machine).

BR

Mezza

[jholder]

We don't' bind to localhost in all cases.
What about the fqdn?

[mezza]

Hi John.

No joy. After a

Code:

sudo -u zimbra /opt/zimbra/bin/zmcontrol restart

there is no response to port 8443 from the webmail.

Seems to be that there's something that the zmsetup.pl script does that the zmcontrol wrapper script doesn't. Afraid my Perl's useless, but do you know what it might be?

Mezza