Problem with Certificate can cause MTA Failure

From Zimbra :: Wiki

Jump to: navigation, search

Contents

Issue: Problem with Certificate can cause MTA Failure

Symptom

When MTA starts up, user will receive the following message in the /var/log/zimbra.log file:

Error:
  postfix/trivial-rewrite[6172]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
  postfix/trivial-rewrite[19377]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
  postfix/trivial-rewrite[19378]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error


Then the MTA (postfix) will stop functioning resulting in mail delivery failure (via lmtp and smtp).

Common Cause

CA chain can be appended in reverse creating invalid Certificate [ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ]

The above error may also be seen when you are hitting [ http://bugzilla.zimbra.com/show_bug.cgi?id=22468 ]. In this case, the following Workaround would not work.


Workaround [5.0.1_GA or later]

For Single-server and Multi-server ldap masters

   (a) Run as root: /opt/zimbra/bin/zmcertmgr createca -new
   (b) Run as root: /opt/zimbra/bin/zmcertmgr deployca
   (c) Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self -new
   (d) Run as root: su - zimbra zmcontrol stop; su - zimbra zmcontrol start
  • Note, for zcs version 5.0.6 (c) should be Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self

For Multi-Server: Run this on all other systems in the multi-server setup

After doing the steps listed above on the ldap master, log into any different systems running postfix:

   (a) Run as root: su - zimbra zmcontrol stop
   (b) Run as root: /opt/zimbra/bin/zmcertmgr deployca 
   (c) Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self -new
   (d) Run as root: su - zimbra zmcontrtol start
  • Note, for zcs version 5.0.6 (c) should be Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self

Workaround [5.0.0_GA]

Read this post: http://www.zimbra.com/forums/administrators/13927-if-you-have-trouble-zimbra-5-0-read.html

Alternate: http://www.zimbra.com/forums/installation/13898-argh-commercial-certificates-after-4-10-5-0-foss-upgrade.html

   (a) Run as root: cd /opt/zimbra/ssl; mkdir /tmp/ssl.bak; mv * /tmp/ssl.bak
   (a1) Run as root: cd /opt/zimbra/conf/ca; mkdir /tmp/ca.bak; mv * /tmp/ca.bak
   (b) Run this as zimbra:
   (b1) To get the password: zmlocalconfig -s zimbra_ldap_password
   (b2) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W
   Code:
   dn: cn=config,cn=zimbra
   changetype:modify
   delete: zimbraCertAuthorityCertSelfSigned      [Hit Enter Twice here]
   ^D
   (b3) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W
   Code:
   dn: cn=config,cn=zimbra
   changetype:modify
   delete: zimbraCertAuthorityKeySelfSigned      [Hit Enter Twice here]
   ^D
   (c) as root: run /opt/zimbra/bin/zmcertmgr createca
   (d) as root: run /opt/zimbra/bin/zmcertmgr deployca
   (e) as root: run /opt/zimbra/bin/zmcertmgr install self -new
   (f) as root: su - zimbra zmcontrol stop; su - zimbra zmcontrol start
   ^D is Control-D
  • Note, for zcs version 5.0.6 (e) should be Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self

For Multi-Server MTA: Run this on the systems which are running postfix

After doing the steps listed above on the ldap master, log into any different systems running postfix:

   (a) Run as root: su - zimbra zmcontrol stop
   (b) Run as root: cd /opt/zimbra/ssl; mkdir /tmp/ssl.bak; mv * /tmp/ssl.bak
   (c) Run as root: cd /opt/zimbra/conf/ca; mkdir /tmp/ca.bak; mv * /tmp/ca.bak
   (d) Run as root: run /opt/zimbra/bin/zmcertmgr createca
   (This will download the new CA from the LDAP server)
   (e) Run as root: run /opt/zimbra/bin/zmcertmgr deployca 
   (f) Run as root: su - zimbra zmcontrtol start

For LDAP replicas: Run this on the systems that are LDAP replicas

After doing the steps listed above on the ldap master, log into any different systems running postfix:

   (a) Run as root: su - zimbra zmcontrol stop
   (b) Run as root: cd /opt/zimbra/ssl; mkdir /tmp/ssl.bak; mv * /tmp/ssl.bak
   (c) Run as root: cd /opt/zimbra/conf/ca; mkdir /tmp/ca.bak; mv * /tmp/ca.bak
   (d) Run as root: run /opt/zimbra/bin/zmcertmgr createca
   (This will download the new CA from the LDAP server)
   (e) Run as root: /opt/zimbra/bin/zmcertmgr deployca
   (f) Run as root: /opt/zimbra/bin/zmcertmgr install self -new
   (g) Run as root: su - zimbra; zmcontrol start
  • Note, for zcs version 5.0.6 (f) should be Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self

References

http://www.zimbra.com/forums/installation/13762-solved-expired-cert-5-0ga-can-cause-mail-delivery-failure.html

[ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ] - an expired CA cert will block mail delivery after upgrading to 5.0.0


Verified Against: Zimbra Collaboration Suite 5.0 Date Created: 01/02/2008
Article ID: http://wiki.zimbra.com/index.php?title=Problem_with_Certificate_can_cause_MTA_Failure Date Modified: 09/22/2008
Personal tools