JDK max certificate chain length
how to update Max certificate chain Length
Problem
FATAL [main] [] system - failed to initialize LDAP client com.zimbra.cs.ldap.LdapException: LDAP error: : The connection reader was unable to successfully complete TLS negotiation: javax.net.ssl.SSLProtocolException: The certificate chain length (12) exceeds the maximum allowed length (10)
Or,
zclient.IO_ERROR (Unable to get resource from 'https://mail.zimbra.com/home/user@zimbra.com/?fmt=tgz' : The certificate chain length (11) exceeds the maximum allowed length (10)) (cause: javax.net.ssl.SSLProtocolException The certificate chain length (11) exceeds the maximum allowed length (10))
Solution
Increase the certificate chain length limit. The JDK default is 10, which is the maximum shown in the error messages above; the commands below raise it to 15. Note: Run these commands on the mailbox server as the zimbra user.
Get: Read the existing values of the mailboxd Java options and the zimbra Java options, so that the new property is added to them rather than replacing them.
zmlocalconfig mailboxd_java_options
zmlocalconfig zimbra_zmjava_options
Set: Add -Djdk.tls.maxCertificateChainLength=15 to both mailboxd_java_options and zimbra_zmjava_options, then restart mailboxd. The option strings below are examples; keep the flags returned by the Get step on your own server and only add the new property.
zmlocalconfig -e mailboxd_java_options="-server -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 -Djdk.tls.maxCertificateChainLength=15 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl= -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.security.egd=file:/dev/./urandom --add-opens java.base/java.lang=ALL-UNNAMED -Djava.net.preferIPv4Stack=true -Dcom.redhat.fips=false"
zmlocalconfig -e zimbra_zmjava_options="-Xmx256m -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 -Djava.net.preferIPv4Stack=true -Djdk.tls.maxCertificateChainLength=15"
zmmailboxdctl restart
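The Set step above overwrites the whole option string, which is risky when a server's existing flags differ from the ones shown. The following script is an added example, not part of this article or of Zimbra's own tooling: it reads the current value of each key with zmlocalconfig's nokey output format, inserts or updates only the -Djdk.tls.maxCertificateChainLength property, writes it back, and restarts mailboxd. It also includes a helper for counting the certificates in a PEM bundle, so you can confirm how long the peer's chain actually is before choosing a limit. The script assumes it is run as the zimbra user on the mailbox server; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not Zimbra's own code). Assumes execution as the zimbra user
# on the mailbox server, where zmlocalconfig and zmmailboxdctl are on PATH.

# Return the options string with -Djdk.tls.maxCertificateChainLength=<limit>
# set: the existing value is replaced if present, otherwise the flag is
# appended. All other flags are preserved untouched.
set_chain_length() {
    opts="$1"
    limit="$2"
    case "$opts" in
        *-Djdk.tls.maxCertificateChainLength=*)
            printf '%s' "$opts" | sed "s/-Djdk.tls.maxCertificateChainLength=[0-9]*/-Djdk.tls.maxCertificateChainLength=$limit/"
            ;;
        "")
            printf '%s' "-Djdk.tls.maxCertificateChainLength=$limit"
            ;;
        *)
            printf '%s %s' "$opts" "-Djdk.tls.maxCertificateChainLength=$limit"
            ;;
    esac
}

# Count certificates in a PEM bundle read from stdin, e.g. the output of
# `openssl s_client -showcerts`. Compare the result with the JDK limit (10 by
# default) to see whether raising the limit is actually needed.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Print only the value of a localconfig key ("nokey" output format).
current_value() {
    zmlocalconfig -m nokey "$1"
}

# Rewrite one localconfig key in place, keeping its other flags.
apply_chain_length() {
    key="$1"
    limit="$2"
    new="$(set_chain_length "$(current_value "$key")" "$limit")"
    zmlocalconfig -e "$key=$new"
}

# Usage on the mailbox server:  sh set_chain_length.sh apply 15
if [ "${1:-}" = "apply" ]; then
    apply_chain_length mailboxd_java_options "${2:-15}"
    apply_chain_length zimbra_zmjava_options "${2:-15}"
    zmmailboxdctl restart
fi
```

Pick the limit from the measured chain length rather than a round number: a limit only slightly above the longest legitimate chain you need to accept keeps the protection the JDK default provides against oversized chains sent by a misconfigured or hostile peer.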
Submitted by: Raghu Noti