Difference between revisions of "Problem with Certificate can cause MTA Failure"

(Issue: Cannot install a Commercial Certificate in Zimbra 5.0 [Bug 23294]: Removing second section, which wasn't relevant to article, and splitting to a new article)
 
(3 intermediate revisions by one other user not shown)
Line 1: Line 1:
=Issue: Problem with Certificate can cause MTA Failure=
+
{{Archive}}=Issue: Problem with Certificate can cause MTA Failure=
  
==Symptom==
+
=Symptom=
  
 
When MTA starts up, user will receive the following message in the /var/log/zimbra.log file:
 
When MTA starts up, user will receive the following message in the /var/log/zimbra.log file:
Line 13: Line 13:
 
Then the MTA (postfix) will stop functioning resulting in mail delivery failure (via lmtp and smtp).
 
Then the MTA (postfix) will stop functioning resulting in mail delivery failure (via lmtp and smtp).
  
==Common Cause==
+
=Common Cause=
  
 
CA chain can be appended in reverse creating invalid Certificate [ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ]
 
CA chain can be appended in reverse creating invalid Certificate [ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ]
Line 20: Line 20:
  
  
===Workaround [5.0.1_GA or later]===
+
=Workaround [5.0.1_GA or later]=
  
====For Single-server and Multi-server ldap masters====
+
==For Single-server and Multi-server ldap masters==
 
    
 
    
 
     (a) Run as root: /opt/zimbra/bin/zmcertmgr createca -new
 
     (a) Run as root: /opt/zimbra/bin/zmcertmgr createca -new
Line 30: Line 30:
 
* Note, for zcs version 5.0.6 (c) should be Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self
 
* Note, for zcs version 5.0.6 (c) should be Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self
  
====For Multi-Server: Run this on all other systems in the multi-server setup====
+
==For Multi-Server: Run this on all other systems in the multi-server setup==
  
 
After doing the steps listed above on the ldap master, log into any different systems running postfix:
 
After doing the steps listed above on the ldap master, log into any different systems running postfix:
Line 40: Line 40:
 
* Note, for zcs version 5.0.6 (c) should be Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self
 
* Note, for zcs version 5.0.6 (c) should be Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self
  
===Workaround [5.0.0_GA]===
+
=Workaround [5.0.0_GA]=
  
 
Read this post: http://www.zimbra.com/forums/administrators/13927-if-you-have-trouble-zimbra-5-0-read.html
 
Read this post: http://www.zimbra.com/forums/administrators/13927-if-you-have-trouble-zimbra-5-0-read.html
Line 69: Line 69:
 
* Note, for zcs version 5.0.6 (e) should be Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self
 
* Note, for zcs version 5.0.6 (e) should be Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self
  
====For Multi-Server MTA: Run this on the systems which are running postfix====
+
==For Multi-Server MTA: Run this on the systems which are running postfix==
  
 
After doing the steps listed above on the ldap master, log into any different systems running postfix:
 
After doing the steps listed above on the ldap master, log into any different systems running postfix:
Line 81: Line 81:
 
     (f) Run as root: su - zimbra zmcontrtol start
 
     (f) Run as root: su - zimbra zmcontrtol start
  
====For LDAP replicas: Run this on the systems that are LDAP replicas====
+
==For LDAP replicas: Run this on the systems that are LDAP replicas==
  
 
After doing the steps listed above on the ldap master, log into any different systems running postfix:
 
After doing the steps listed above on the ldap master, log into any different systems running postfix:
Line 96: Line 96:
 
* Note, for zcs version 5.0.6 (f) should be Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self
 
* Note, for zcs version 5.0.6 (f) should be Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self
  
==References==
+
=References=
  
 
http://www.zimbra.com/forums/installation/13762-solved-expired-cert-5-0ga-can-cause-mail-delivery-failure.html
 
http://www.zimbra.com/forums/installation/13762-solved-expired-cert-5-0ga-can-cause-mail-delivery-failure.html
  
 
[ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ] - an expired CA cert will block mail delivery after upgrading to 5.0.0
 
[ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ] - an expired CA cert will block mail delivery after upgrading to 5.0.0
 
  
  
Line 107: Line 106:
 
{{Article Footer|Zimbra Collaboration Suite 5.0|01/02/2008}}
 
{{Article Footer|Zimbra Collaboration Suite 5.0|01/02/2008}}
  
[[Category:Troubleshooting]]
+
[[Category:Troubleshooting Certificates]]
[[Category:Certificates]]
+
[[Category:Troubleshooting MTA]]
[[Category:MTA]]
 

Latest revision as of 12:37, 24 March 2015

Issue: Problem with Certificate can cause MTA Failure

Symptom

When MTA starts up, user will receive the following message in the /var/log/zimbra.log file:

Error:
  postfix/trivial-rewrite[6172]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
  postfix/trivial-rewrite[19377]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
  postfix/trivial-rewrite[19378]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error


Then the MTA (postfix) will stop functioning resulting in mail delivery failure (via lmtp and smtp).

Common Cause

CA chain can be appended in reverse creating invalid Certificate [ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ]

The above error may also be seen when you are hitting [ http://bugzilla.zimbra.com/show_bug.cgi?id=22468 ]. In this case, the following Workaround would not work.


Workaround [5.0.1_GA or later]

For Single-server and Multi-server ldap masters

   (a) Run as root: /opt/zimbra/bin/zmcertmgr createca -new
   (b) Run as root: /opt/zimbra/bin/zmcertmgr deployca
   (c) Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self -new
   (d) Run as root: su - zimbra zmcontrol stop; su - zimbra zmcontrol start
  • Note, for zcs version 5.0.6 (c) should be Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self

For Multi-Server: Run this on all other systems in the multi-server setup

After doing the steps listed above on the ldap master, log into any different systems running postfix:

   (a) Run as root: su - zimbra zmcontrol stop
   (b) Run as root: /opt/zimbra/bin/zmcertmgr deployca 
   (c) Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self -new
   (d) Run as root: su - zimbra zmcontrtol start
  • Note, for zcs version 5.0.6 (c) should be Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self

Workaround [5.0.0_GA]

Read this post: http://www.zimbra.com/forums/administrators/13927-if-you-have-trouble-zimbra-5-0-read.html

Alternate: http://www.zimbra.com/forums/installation/13898-argh-commercial-certificates-after-4-10-5-0-foss-upgrade.html

   (a) Run as root: cd /opt/zimbra/ssl; mkdir /tmp/ssl.bak; mv * /tmp/ssl.bak
   (a1) Run as root: cd /opt/zimbra/conf/ca; mkdir /tmp/ca.bak; mv * /tmp/ca.bak
   (b) Run this as zimbra:
   (b1) To get the password: zmlocalconfig -s zimbra_ldap_password
   (b2) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W
   Code:
   dn: cn=config,cn=zimbra
   changetype:modify
   delete: zimbraCertAuthorityCertSelfSigned      [Hit Enter Twice here]
   ^D
   (b3) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W
   Code:
   dn: cn=config,cn=zimbra
   changetype:modify
   delete: zimbraCertAuthorityKeySelfSigned      [Hit Enter Twice here]
   ^D
   (c) as root: run /opt/zimbra/bin/zmcertmgr createca
   (d) as root: run /opt/zimbra/bin/zmcertmgr deployca
   (e) as root: run /opt/zimbra/bin/zmcertmgr install self -new
   (f) as root: su - zimbra zmcontrol stop; su - zimbra zmcontrol start
   ^D is Control-D
  • Note, for zcs version 5.0.6 (e) should be Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self

For Multi-Server MTA: Run this on the systems which are running postfix

After doing the steps listed above on the ldap master, log into any different systems running postfix:

   (a) Run as root: su - zimbra zmcontrol stop
   (b) Run as root: cd /opt/zimbra/ssl; mkdir /tmp/ssl.bak; mv * /tmp/ssl.bak
   (c) Run as root: cd /opt/zimbra/conf/ca; mkdir /tmp/ca.bak; mv * /tmp/ca.bak
   (d) Run as root: run /opt/zimbra/bin/zmcertmgr createca
   (This will download the new CA from the LDAP server)
   (e) Run as root: run /opt/zimbra/bin/zmcertmgr deployca 
   (f) Run as root: su - zimbra zmcontrtol start

For LDAP replicas: Run this on the systems that are LDAP replicas

After doing the steps listed above on the ldap master, log into any different systems running postfix:

   (a) Run as root: su - zimbra zmcontrol stop
   (b) Run as root: cd /opt/zimbra/ssl; mkdir /tmp/ssl.bak; mv * /tmp/ssl.bak
   (c) Run as root: cd /opt/zimbra/conf/ca; mkdir /tmp/ca.bak; mv * /tmp/ca.bak
   (d) Run as root: run /opt/zimbra/bin/zmcertmgr createca
   (This will download the new CA from the LDAP server)
   (e) Run as root: /opt/zimbra/bin/zmcertmgr deployca
   (f) Run as root: /opt/zimbra/bin/zmcertmgr install self -new
   (g) Run as root: su - zimbra; zmcontrol start
  • Note, for zcs version 5.0.6 (f) should be Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self

References

http://www.zimbra.com/forums/installation/13762-solved-expired-cert-5-0ga-can-cause-mail-delivery-failure.html

[ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ] - an expired CA cert will block mail delivery after upgrading to 5.0.0


Verified Against: Zimbra Collaboration Suite 5.0 Date Created: 01/02/2008
Article ID: https://wiki.zimbra.com/index.php?title=Problem_with_Certificate_can_cause_MTA_Failure Date Modified: 2015-03-24



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Jump to: navigation, search