Problem with Certificate can cause MTA Failure: Difference between revisions

No edit summary
No edit summary
Line 56: Line 56:
     (f) as root: su - zimbra zmcontrol stop; su - zimbra zmcontrol start
     (f) as root: su - zimbra zmcontrol stop; su - zimbra zmcontrol start
     ^D is Control-D
     ^D is Control-D
-----------------------------------------------------------------------------------------------------------------------------------
'''For Multi-Server: Run this on the system which is running postfix or an ldap replica'''
After doing the steps listed above on the ldap master, log into any different systems running postfix or that are an ldap replica
and:
    (a) Run as root: su - zimbra zmcontrol stop
    (b) Run as root: cd /opt/zimbra/ssl; mkdir bak; mv * bak
    (c) Run as root: run /opt/zimbra/bin/zmcertmgr createca
    (This will download the new CA from the LDAP server)
    (d) Run as root: run /opt/zimbra/bin/zmcertmgr deployca
    (e) Run as root: su - zimbra zmcontrtol start


-----------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------
Line 89: Line 102:


http://www.zimbra.com/forums/installation/13898-argh-commercial-certificates-after-4-10-5-0-foss-upgrade.html
http://www.zimbra.com/forums/installation/13898-argh-commercial-certificates-after-4-10-5-0-foss-upgrade.html
-----------------------------------------------------------------------------------------------------------------------------------
'''For Multi-Server: Run this on the system which is running postfix'''
    zmcontrol stop
    (a) Run as root: cd /opt/zimbra/ssl; mkdir bak; mv * bak
    (b) Run as root: run /opt/zimbra/bin/zmcertmgr createca
    (This will download the new CA from the LDAP server)
    (c) Run as root: run /opt/zimbra/bin/zmcertmgr deployca
    zmcontrtol start


-----------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------

Revision as of 00:41, 7 January 2008

There are some issues in Zimbra 5.0 GA that you should know about.

Zimbra can install/upgrade and work under most circumstances, however, a small number of users are encountering some issues.

We wanted to post this thread to let you know about these, and help you work through any issue you have.


Issue:

Problem with Certificate can cause MTA Failure [ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ]

Symptom:

When MTA starts up, user will receive the following message in the /var/log/zimbra.log file:

Error:
  postfix/trivial-rewrite[6172]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
  postfix/trivial-rewrite[19377]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
  postfix/trivial-rewrite[19378]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error


Then the MTA (postfix) will stop functioning resulting in mail delivery failure (via lmtp and smtp).

Common Cause:

CA chain can be appended in reverse creating invalid Certificate

Workaround:

Read this post: http://www.zimbra.com/forums/administrators/13927-if-you-have-trouble-zimbra-5-0-read.html

Alternate: http://www.zimbra.com/forums/installation/13898-argh-commercial-certificates-after-4-10-5-0-foss-upgrade.html


   Steps:
   (a) Run as root: cd /opt/zimbra/ssl; mkdir bak; mv * bak
   (b) Run this as zimbra:
   (b1) To get the password: zmlocalconfig -s zimbra_ldap_password
   (b2) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W
   Code:
   dn: cn=config,cn=zimbra
   changetype:modify
   delete: zimbraCertAuthorityCertSelfSigned      [Hit Enter Twice here]
   ^D
   (b3) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W
   Code:
   dn: cn=config,cn=zimbra
   changetype:modify
   delete: zimbraCertAuthorityKeySelfSigned      [Hit Enter Twice here]
   ^D
   (c) as root: run /opt/zimbra/bin/zmcertmgr createca
   (d) as root: run /opt/zimbra/bin/zmcertmgr deployca
   (e) as root: run /opt/zimbra/bin/zmcertmgr install self -new
   (f) as root: su - zimbra zmcontrol stop; su - zimbra zmcontrol start
   ^D is Control-D

For Multi-Server: Run this on the system which is running postfix or an ldap replica

After doing the steps listed above on the ldap master, log into any different systems running postfix or that are an ldap replica and:

   (a) Run as root: su - zimbra zmcontrol stop
   (b) Run as root: cd /opt/zimbra/ssl; mkdir bak; mv * bak
   (c) Run as root: run /opt/zimbra/bin/zmcertmgr createca
   (This will download the new CA from the LDAP server)
   (d) Run as root: run /opt/zimbra/bin/zmcertmgr deployca 
   (e) Run as root: su - zimbra zmcontrtol start

References:

http://www.zimbra.com/forums/installation/13762-solved-expired-cert-5-0ga-can-cause-mail-delivery-failure.html

[ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ] - an expired CA cert will block mail delivery after upgrading to 5.0.0


Issue:

Cannot install a Commercial Certificate in Zimbra 5.0 [Bug 23294] Symptom:

User is unable to install a commercial certificate in Zimbra 5.0 Common Cause:

Related to Bug [ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ]

Workaround:

Installing Cert via Command Line: [ http://bugzilla.zimbra.com/show_bug.cgi?id=23294 ] - commercial certs fail to install

References:

Bug [ http://bugzilla.zimbra.com/show_bug.cgi?id=23294 ] - commercial certs fail to install Argh Commercial Certificates after a 4.10 -> 5.0 FOSS upgrade!

http://www.zimbra.com/forums/installation/13898-argh-commercial-certificates-after-4-10-5-0-foss-upgrade.html


Verified Against: Zimbra Collaboration Suite 5.0 Date Created: 01/02/2008
Article ID: https://wiki.zimbra.com/index.php?title=Problem_with_Certificate_can_cause_MTA_Failure Date Modified: 2008-01-07



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Jump to: navigation, search