Zimbra Collaboration Suite Appliance died on me

[alex vmguru.nl]

also, zmsshkeygen still gives me the same error:

zimbra@zimbra:~$ zmsshkeygen
Generating public/private dsa key pair.
Your identification has been saved in /opt/zimbra/.ssh/zimbra_identity.
Your public key has been saved in /opt/zimbra/.ssh/zimbra_identity.pub.
The key fingerprint is:
b0:3f:aa:67:b0:66:6a:e3:32:78:eb:60:db:8a:37:4a zimbra.infra.local
ERROR: service.FAILURE (system failure: unable to lookup server by name: zimbra.infra.local message: [LDAP: error code 49 - Invalid Credentials]) (cause: javax.naming.AuthenticationException [LDAP: error code 49 - Invalid Credentials])
zimbra@zimbra:~$

As I mentioned before, the localconfig.xml file suddenly was empty. In this file, the passwords are set for LDAP access. Now when I look at the error message above, it stats that the credentials are invalid. Could there be a relation here?

[alex vmguru.nl]

Apparently I have a very complicated issue.. or so it seems..?

Clues anyone..?

[alex vmguru.nl]

so, since nobody had a clue what to do, I decided to build a new server parallel to the appliance edition and move the data. I installed zimbra, kept the config exactly the same, used the same license file, same passwords etc. and moved the data.

before moving the data, the server worked fine, no problems. I could log on and configure the server. After migrating the users and the data, I also migrated all my problems. Hurray..BUT I get more info now.

So, we still have the locally installed DNS who points all MX records to the internal address of the zimbra server. I migrated the LDAP entries but I left the rest of the config behind. Now I get this when I start the server:

zimbra@zimbra:~$ zmcontrol start
Host zimbra.infra.local
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
Starting logger...Failed.
Starting logswatch...ERROR: service.FAILURE (system failure: unable to lookup server by name: zimbra.infra.local message: [LDAP: error code 49 - Invalid Credentials]) (cause: javax.naming.AuthenticationException [LDAP: error code 49 - Invalid Credentials])
zimbra logger service is not enabled! failed.


Starting convertd...Done.
Starting mailbox...Done.
Starting memcached...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats…Done.

When I try to generate new certificates, I run into the next problems:

root@zimbra:/opt/zimbra/bin# ./zmcertmgr createcrt -new -days 365Validation days: 365
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20101028020457
** Generating a server csr for download self -new -keysize 1024
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20101028020457
** Retrieving Commercial CA cert from ldap...failed.
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...failed.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
root@zimbra:/opt/zimbra/bin# ./zmcertmgr deploycrt self** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...failed.

Exception in thread "main" java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(Java KeyStore.java:771)
at sun.security.provider.JavaKeyStore$JKS.engineLoad( JavaKeyStore.java:38)
at java.security.KeyStore.load(KeyStore.java:1185)
at com.zimbra.cert.MyPKCS12Import.main(MyPKCS12Import .java:98)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(Java KeyStore.java:769)
... 3 more

** Installing CA to /opt/zimbra/conf/ca…done.

So, I still stand with my previous remark that the problem is not within the name resolution but somewhere in the LDAP config. Also, when I run zmsshkeygen, the problem still occurs:
Generating public/private dsa key pair.
Your identification has been saved in /opt/zimbra/.ssh/zimbra_identity.
Your public key has been saved in /opt/zimbra/.ssh/zimbra_identity.pub.
The key fingerprint is:
fc:c6:95:a6:db:a4:65:cb:ea:32:10:60:16:5b:14:1c zimbra.infra.local
The key's randomart image is:
+--[ DSA 1024]----+
| .+Eo |
| +o. |
| o.. |
| .. . |
| .S + |
| . o + |
| . = + |
| o. O . |
| +=.+ |
+-----------------+
ERROR: service.FAILURE (system failure: unable to lookup server by name: zimbra.infra.local message: [LDAP: error code 49 - Invalid Credentials]) (cause: javax.naming.AuthenticationException [LDAP: error code 49 - Invalid Credentials])

so, I am still stuck, even with a band new server, with the same trouble not getting forward.

I hope anyone has a suggestion..?

Any help is greatly appreciated.

Cheers,
Alex

[rdlal]

well.. i'm no zimbra expert nor ldap, but i'd say that's password mismatch

you could nmap that box to see opened ports, and check if ldap is accepting connections..
or simply telnet localhost 389

if you're unable to do that, your ldap is not up

if it responds, you can try resetting it (zmldappassword --help) and try again

also you could try moving your old data to your fresh install, but not the ldap configuration folder, and see how it goes.

im pretty sure this is not the "best practice solution", but you might be able to troubleshoot and actually find the problem.

zmprov gas should work now, and show you active servers, otherwise you'll get ldap error

Best of luck

[alex vmguru.nl]

well, I'm not completely up2date but the problem definitely was within the LDAP database. In the end Zimbra gave excellent service because an engineer of Zimbra spent a lot of time fixing our Zimbra box.

Why it died is still a mystery though, and this bothers me a lot. But I guess we will never know.

But, I must say, a big hand for Zimbra for fixing our box!

[pete irvine]

what did the zimbra engineer do to fix your box ?