JDK max certificate chain length

Revision as of 06:32, 20 April 2024 by Rnoti

How to update the max certificate chain length


   KB 24603        Last updated on 2024-04-20  






Problem

FATAL [main] [] system - failed to initialize LDAP client
com.zimbra.cs.ldap.LdapException: LDAP error: : The connection reader was unable to successfully complete TLS negotiation:    javax.net.ssl.SSLProtocolException: The certificate chain length (12) exceeds the maximum allowed length (10)

Or,

zclient.IO_ERROR (Unable to get resource from 'https://mail.zimbra.com/home/user@zimbra.com/?fmt=tgz' : The certificate chain length (11) exceeds the  maximum allowed length (10)) (cause: javax.net.ssl.SSLProtocolException The certificate chain length (11) exceeds the maximum allowed length (10))

Solution

Increase the maximum allowed certificate chain length. Note: Run these commands on the mailbox server.

Get: Check the existing values of the mailboxd Java options and the zmjava Java options.

zmlocalconfig mailboxd_java_options
zmlocalconfig zimbra_zmjava_options

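Set: Update the mailboxd and zmjava Java options to include -Djdk.tls.maxCertificateChainLength (15 in this example), then restart mailboxd. zmlocalconfig -e replaces the whole value of the key, so keep the options returned by the Get step and add the new flag to them.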

zmlocalconfig -e mailboxd_java_options="-server -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 -Djdk.tls.maxCertificateChainLength=15 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl= -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.security.egd=file:/dev/./urandom --add-opens java.base/java.lang=ALL-UNNAMED -Djava.net.preferIPv4Stack=true -Dcom.redhat.fips=false"
zmlocalconfig -e zimbra_zmjava_options="-Xmx256m -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 -Djava.net.preferIPv4Stack=true -Djdk.tls.maxCertificateChainLength=15"
zmmailboxdctl restart
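
The Get and Set steps above can be combined so that the flag is merged into whatever options the server already has, rather than retyping the full string. This is an added example, not part of the original article or of Zimbra's tooling; the function names set_chain_length and apply_chain_length are hypothetical, and it assumes that zmlocalconfig -m nokey prints only the stored value of the key.

```shell
#!/bin/sh
# Added example: merge -Djdk.tls.maxCertificateChainLength into an existing
# JVM option string without disturbing the other options.

# set_chain_length OPTS N
# Prints OPTS with exactly one -Djdk.tls.maxCertificateChainLength=N at the end.
set_chain_length() {
    opts=$1
    len=$2
    case $len in
        ''|*[!0-9]*) echo "chain length must be a number" >&2; return 1 ;;
    esac
    out=
    set -f    # options such as -Xlog:gc*=info contain '*'; do not glob them
    for tok in $opts; do
        case $tok in
            -Djdk.tls.maxCertificateChainLength=*) ;;   # drop any earlier setting
            *) out="${out:+$out }$tok" ;;
        esac
    done
    set +f
    printf '%s\n' "${out:+$out }-Djdk.tls.maxCertificateChainLength=$len"
}

# apply_chain_length KEY N
# Reads the current value of KEY, merges the flag and writes the result back.
# Assumption: "zmlocalconfig -m nokey KEY" prints the stored value only.
apply_chain_length() {
    key=$1
    cur=$(zmlocalconfig -m nokey "$key") || return 1
    new=$(set_chain_length "$cur" "$2") || return 1
    # The value is passed as one quoted argument, so any ${...} reference
    # stored in the key is written back literally, not expanded by the shell.
    zmlocalconfig -e "$key=$new"
}

# Usage on the mailbox server, followed by the restart from the article:
#   apply_chain_length mailboxd_java_options 15
#   apply_chain_length zimbra_zmjava_options 15
#   zmmailboxdctl restart
```

Running it a second time leaves a single copy of the flag, so the same call can also be used to change the value later.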

Submitted by: Raghu Noti
Verified Against: ZCS 9, 10
Date Created: 2024-01-24
Article ID: https://wiki.zimbra.com/index.php?title=JDK_max_certificate_chain_length
Date Modified: 2024-04-20


