Problem with Certificate can cause MTA Failure: Difference between revisions
{{Article Footer|Zimbra Collaboration Suite 5.0|01/02/2008}}
Latest revision as of 12:37, 24 March 2015
Issue: Problem with Certificate can cause MTA Failure
Symptom
When the MTA starts up, the following messages appear in the /var/log/zimbra.log file:
Error:
postfix/trivial-rewrite[6172]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
postfix/trivial-rewrite[19377]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
postfix/trivial-rewrite[19378]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
The MTA (postfix) then stops functioning, which results in mail delivery failure (via lmtp and smtp).
Common Cause
The CA chain can be appended in reverse order, creating an invalid certificate [ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ]
The same error may also be seen when you are hitting [ http://bugzilla.zimbra.com/show_bug.cgi?id=22468 ]. In that case, the workaround below will not work.
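One way to check a CA and server certificate for expiry and for a broken trust relationship, before and after applying a workaround. This is an added example, not part of the original article or of Zimbra's tooling; the certificate paths are arguments supplied by the caller, and make_demo_certs only builds constructed throwaway certificates for trying it out.

```shell
#!/bin/sh
# Added example: verify a CA / server certificate pair with openssl.
# File paths are supplied by the caller; none are taken from the article.

# check_cert_pair CA_PEM CERT_PEM
# Prints one finding per line and returns 0 only when every check passes.
check_cert_pair() {
    ccp_ca="$1"; ccp_crt="$2"; ccp_rc=0
    # An expired (or unreadable) certificate breaks the STARTTLS handshake.
    for ccp_f in "$ccp_ca" "$ccp_crt"; do
        if ! openssl x509 -in "$ccp_f" -noout -checkend 0 >/dev/null 2>&1; then
            echo "EXPIRED_OR_UNREADABLE $ccp_f"; ccp_rc=1
        fi
    done
    # The server certificate must verify against the CA that clients trust.
    if ! openssl verify -CAfile "$ccp_ca" "$ccp_crt" >/dev/null 2>&1; then
        echo "CHAIN_INVALID $ccp_crt"; ccp_rc=1
    fi
    [ "$ccp_rc" -eq 0 ] && echo "OK"
    return "$ccp_rc"
}

# make_demo_certs DIR
# Constructed sample input: a throwaway CA, a leaf it signed, and an
# unrelated CA standing in for a CA regenerated without redeploying the leaf.
make_demo_certs() {
    mdc_d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$mdc_d/ca.key" -out "$mdc_d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mta.example.test" \
        -keyout "$mdc_d/srv.key" -out "$mdc_d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$mdc_d/srv.csr" -CA "$mdc_d/ca.pem" \
        -CAkey "$mdc_d/ca.key" -CAcreateserial -days 30 \
        -out "$mdc_d/srv.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Other CA" \
        -keyout "$mdc_d/other.key" -out "$mdc_d/other.pem" 2>/dev/null
}

# Usage: sh check.sh CA_PEM CERT_PEM
if [ "$#" -eq 2 ]; then
    check_cert_pair "$1" "$2"
fi
```

A certificate that fails the expiry check is also reported as CHAIN_INVALID, because openssl verify rejects expired certificates.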
Workaround [5.0.1_GA or later]
For Single-server and Multi-server ldap masters
(a) Run as root: /opt/zimbra/bin/zmcertmgr createca -new
(b) Run as root: /opt/zimbra/bin/zmcertmgr deployca
(c) Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self -new
(d) Run as root: su - zimbra zmcontrol stop; su - zimbra zmcontrol start
- Note: for ZCS version 5.0.6, step (c) should be: Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self
For Multi-Server: Run this on all other systems in the multi-server setup
After completing the steps listed above on the ldap master, log into the other systems running postfix:
(a) Run as root: su - zimbra zmcontrol stop
(b) Run as root: /opt/zimbra/bin/zmcertmgr deployca
(c) Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self -new
(d) Run as root: su - zimbra zmcontrol start
- Note: for ZCS version 5.0.6, step (c) should be: Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self
Workaround [5.0.0_GA]
Read this post: http://www.zimbra.com/forums/administrators/13927-if-you-have-trouble-zimbra-5-0-read.html
(a) Run as root: cd /opt/zimbra/ssl; mkdir /tmp/ssl.bak; mv * /tmp/ssl.bak
(a1) Run as root: cd /opt/zimbra/conf/ca; mkdir /tmp/ca.bak; mv * /tmp/ca.bak
(b) Run this as zimbra:
(b1) To get the password: zmlocalconfig -s zimbra_ldap_password
(b2) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W
Code:
    dn: cn=config,cn=zimbra
    changetype:modify
    delete: zimbraCertAuthorityCertSelfSigned
    [Hit Enter Twice here]
    ^D
(b3) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W
Code:
    dn: cn=config,cn=zimbra
    changetype:modify
    delete: zimbraCertAuthorityKeySelfSigned
    [Hit Enter Twice here]
    ^D
(c) Run as root: /opt/zimbra/bin/zmcertmgr createca
(d) Run as root: /opt/zimbra/bin/zmcertmgr deployca
(e) Run as root: /opt/zimbra/bin/zmcertmgr install self -new
(f) Run as root: su - zimbra zmcontrol stop; su - zimbra zmcontrol start
^D is Control-D
- Note: for ZCS version 5.0.6, step (e) should be: Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self
For Multi-Server MTA: Run this on the systems which are running postfix
After completing the steps listed above on the ldap master, log into the other systems running postfix:
(a) Run as root: su - zimbra zmcontrol stop
(b) Run as root: cd /opt/zimbra/ssl; mkdir /tmp/ssl.bak; mv * /tmp/ssl.bak
(c) Run as root: cd /opt/zimbra/conf/ca; mkdir /tmp/ca.bak; mv * /tmp/ca.bak
(d) Run as root: /opt/zimbra/bin/zmcertmgr createca (This will download the new CA from the LDAP server)
(e) Run as root: /opt/zimbra/bin/zmcertmgr deployca
(f) Run as root: su - zimbra zmcontrol start
For LDAP replicas: Run this on the systems that are LDAP replicas
After completing the steps listed above on the ldap master, log into the other systems running postfix:
(a) Run as root: su - zimbra zmcontrol stop
(b) Run as root: cd /opt/zimbra/ssl; mkdir /tmp/ssl.bak; mv * /tmp/ssl.bak
(c) Run as root: cd /opt/zimbra/conf/ca; mkdir /tmp/ca.bak; mv * /tmp/ca.bak
(d) Run as root: /opt/zimbra/bin/zmcertmgr createca (This will download the new CA from the LDAP server)
(e) Run as root: /opt/zimbra/bin/zmcertmgr deployca
(f) Run as root: /opt/zimbra/bin/zmcertmgr install self -new
(g) Run as root: su - zimbra; zmcontrol start
- Note: for ZCS version 5.0.6, step (f) should be: Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self
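References
http://www.zimbra.com/forums/installation/13762-solved-expired-cert-5-0ga-can-cause-mail-delivery-failure.html
[ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ] - an expired CA cert will block mail delivery after upgrading to 5.0.0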