Difference between revisions of "Problem with Certificate can cause MTA Failure"

Line 14: Line 14:
 
When MTA starts up, user will receive the following message in the /var/log/zimbra.log file:
 
When MTA starts up, user will receive the following message in the /var/log/zimbra.log file:
  
'''Error:'''
+
'''Error:'''
  
 
   postfix/trivial-rewrite[6172]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
 
   postfix/trivial-rewrite[6172]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
Line 34: Line 34:
 
-----------------------------------------------------------------------------------------------------------------------------------
 
-----------------------------------------------------------------------------------------------------------------------------------
  
'''Steps:'''
+
    '''Steps:'''
  
(a) Run as root: cd /opt/zimbra/ssl; mkdir bak; mv * bak
+
    (a) Run as root: cd /opt/zimbra/ssl; mkdir bak; mv * bak
(b) Run this as zimbra:
+
    (b) Run this as zimbra:
(b1) To get the password: zmlocalconfig -s zimbra_ldap_password
+
    (b1) To get the password: zmlocalconfig -s zimbra_ldap_password
(b2) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W
+
    (b2) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W
  
'''Code:'''
+
    '''Code:'''
  
dn: cn=config,cn=zimbra
+
    dn: cn=config,cn=zimbra
changetype:modify
+
    changetype:modify
delete: zimbraCertAuthorityCertSelfSigned      [Hit Enter Twice here]
+
    delete: zimbraCertAuthorityCertSelfSigned      [Hit Enter Twice here]
^D
+
    ^D
  
(b3) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W
+
    (b3) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W
 +
 +
    '''Code:'''
  
'''Code:'''
+
    dn: cn=config,cn=zimbra
 +
    changetype:modify
 +
    delete: zimbraCertAuthorityKeySelfSigned      [Hit Enter Twice here]
 +
    ^D
  
dn: cn=config,cn=zimbra
+
    (c) as root: run /opt/zimbra/bin/zmcertmgr createca
changetype:modify
+
    (d) as root: run /opt/zimbra/bin/zmcertmgr deployca
delete: zimbraCertAuthorityKeySelfSigned      [Hit Enter Twice here]
+
    (e) as root: run /opt/zimbra/bin/zmcertmgr install self -new
^D
+
    (f) as root: su - zimbra zmcontrol stop; su - zimbra zmcontrol start
  
(c) as root: run /opt/zimbra/bin/zmcertmgr createca
+
    ^D is Control-D
(d) as root: run /opt/zimbra/bin/zmcertmgr deployca
 
(e) as root: run /opt/zimbra/bin/zmcertmgr install self -new
 
(f) as root: su - zimbra zmcontrol stop; su - zimbra zmcontrol start
 
 
 
^D is Control-D
 
  
 
-----------------------------------------------------------------------------------------------------------------------------------
 
-----------------------------------------------------------------------------------------------------------------------------------

Revision as of 07:08, 2 January 2008

There are some issues in Zimbra 5.0 GA that you should know about.

Zimbra can install/upgrade and work under most circumstances, however, a small number of users are encountering some issues.

We wanted to post this thread to let you know about these, and help you work through any issue you have.


Issue:

Problem with Certificate can cause MTA Failure [ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ]

Symptom:

When MTA starts up, user will receive the following message in the /var/log/zimbra.log file:

Error:
  postfix/trivial-rewrite[6172]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
  postfix/trivial-rewrite[19377]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
  postfix/trivial-rewrite[19378]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error


Then the MTA (postfix) will stop functioning resulting in mail delivery failure (via lmtp and smtp).

Common Cause:

CA chain can be appended in reverse creating invalid Certificate

Workaround:

Read this post: [SOLVED] Expired Cert in 5.0GA can cause mail Delivery failure Alternate: Argh Commercial Certificates after a 4.10 -> 5.0 FOSS upgrade!


   Steps:
   (a) Run as root: cd /opt/zimbra/ssl; mkdir bak; mv * bak
   (b) Run this as zimbra:
   (b1) To get the password: zmlocalconfig -s zimbra_ldap_password
   (b2) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W
   Code:
   dn: cn=config,cn=zimbra
   changetype:modify
   delete: zimbraCertAuthorityCertSelfSigned      [Hit Enter Twice here]
   ^D
   (b3) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W

   Code:
   dn: cn=config,cn=zimbra
   changetype:modify
   delete: zimbraCertAuthorityKeySelfSigned      [Hit Enter Twice here]
   ^D
   (c) as root: run /opt/zimbra/bin/zmcertmgr createca
   (d) as root: run /opt/zimbra/bin/zmcertmgr deployca
   (e) as root: run /opt/zimbra/bin/zmcertmgr install self -new
   (f) as root: su - zimbra zmcontrol stop; su - zimbra zmcontrol start
   ^D is Control-D

References:

http://www.zimbra.com/forums/installation/13762-solved-expired-cert-5-0ga-can-cause-mail-delivery-failure.html

[ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ] - an expired CA cert will block mail delivery after upgrading to 5.0.0


Issue:

Cannot install a Commercial Certificate in Zimbra 5.0 [Bug 23294] Symptom:

User is unable to install a commercial certificate in Zimbra 5.0 Common Cause:

Related to Bug [ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ]

Workaround:

Installing Cert via Command Line: [ http://bugzilla.zimbra.com/show_bug.cgi?id=23294 ] - commercial certs fail to install

References:

Bug [ http://bugzilla.zimbra.com/show_bug.cgi?id=23294 ] - commercial certs fail to install Argh Commercial Certificates after a 4.10 -> 5.0 FOSS upgrade!

http://www.zimbra.com/forums/installation/13898-argh-commercial-certificates-after-4-10-5-0-foss-upgrade.html


Jump to: navigation, search