Problem with Certificate can cause MTA Failure: Difference between revisions

Latest revision as of 12:37, 24 March 2015

Issue: Problem with Certificate can cause MTA Failure

Symptom

When the MTA starts up, the following messages appear in the /var/log/zimbra.log file:

Error:
  postfix/trivial-rewrite[6172]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
  postfix/trivial-rewrite[19377]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
  postfix/trivial-rewrite[19378]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error


The MTA (postfix) then stops functioning, resulting in mail delivery failure (via lmtp and smtp).

Common Cause

The CA chain can be appended in reverse order, creating an invalid certificate [ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ]

The above error may also be seen when you are hitting [ http://bugzilla.zimbra.com/show_bug.cgi?id=22468 ]. In that case, the following workaround will not work.
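
A check for the cause described above, added here as an example and not taken from the original article or from Zimbra's tooling: it splits a PEM bundle, confirms that each certificate is issued by the one after it (leaf first), and flags any certificate that has expired. The function name `check_chain` and the bundle path are assumptions, and the `openssl` command-line tool must be installed.

```shell
#!/bin/sh
# Added example (not Zimbra code). Checks a PEM bundle for the two faults
# named on this page: a chain in the wrong order and an expired certificate.
# Assumes leaf-first order: each certificate is issued by the one after it.

check_chain() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate: cert.1, cert.2, ...
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    count=$(ls "$tmp" | wc -l | tr -d ' ')
    status=0
    i=1
    while [ "$i" -le "$count" ]; do
        cert="$tmp/cert.$i"
        next=$((i + 1))
        # -checkend 0 exits non-zero if the certificate has already expired.
        if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
            echo "cert $i: expired or unreadable"
            status=1
        fi
        if [ "$next" -le "$count" ]; then
            # The issuer name hash of cert i must equal the subject name
            # hash of cert i+1, otherwise the chain does not link up.
            issuer=$(openssl x509 -in "$cert" -noout -issuer_hash 2>/dev/null)
            subject=$(openssl x509 -in "$tmp/cert.$next" -noout -subject_hash 2>/dev/null)
            if [ "$issuer" != "$subject" ]; then
                echo "cert $i: not issued by cert $next (chain out of order?)"
                status=1
            fi
        fi
        i=$next
    done
    rm -rf "$tmp"
    [ "$count" -gt 0 ] || { echo "no certificates found in $bundle"; return 2; }
    return "$status"
}

# Run as: sh check_chain.sh /path/to/bundle.pem  (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    check_chain "$1"
fi
```

The check compares issuer and subject names and expiry dates only; it does not validate signatures, which `openssl verify` does.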


Workaround [5.0.1_GA or later]

For Single-server and Multi-server ldap masters

   (a) Run as root: /opt/zimbra/bin/zmcertmgr createca -new
   (b) Run as root: /opt/zimbra/bin/zmcertmgr deployca
   (c) Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self -new
   (d) Run as root: su - zimbra -c "zmcontrol stop"; su - zimbra -c "zmcontrol start"
  • Note: for ZCS version 5.0.6, step (c) should be: Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self

For Multi-Server: Run this on all other systems in the multi-server setup

After completing the steps listed above on the LDAP master, log into each of the other systems running postfix:

   (a) Run as root: su - zimbra -c "zmcontrol stop"
   (b) Run as root: /opt/zimbra/bin/zmcertmgr deployca
   (c) Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self -new
   (d) Run as root: su - zimbra -c "zmcontrol start"
  • Note: for ZCS version 5.0.6, step (c) should be: Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self

Workaround [5.0.0_GA]

Read this post: http://www.zimbra.com/forums/administrators/13927-if-you-have-trouble-zimbra-5-0-read.html

Alternate: http://www.zimbra.com/forums/installation/13898-argh-commercial-certificates-after-4-10-5-0-foss-upgrade.html

   (a) Run as root: cd /opt/zimbra/ssl && mkdir /tmp/ssl.bak && mv * /tmp/ssl.bak
   (a1) Run as root: cd /opt/zimbra/conf/ca && mkdir /tmp/ca.bak && mv * /tmp/ca.bak
   (b) Run this as zimbra:
   (b1) To get the password: zmlocalconfig -s zimbra_ldap_password
   (b2) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W
   Code:
   dn: cn=config,cn=zimbra
   changetype:modify
   delete: zimbraCertAuthorityCertSelfSigned      [Hit Enter Twice here]
   ^D
   (b3) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W
   Code:
   dn: cn=config,cn=zimbra
   changetype:modify
   delete: zimbraCertAuthorityKeySelfSigned      [Hit Enter Twice here]
   ^D
   (c) Run as root: /opt/zimbra/bin/zmcertmgr createca
   (d) Run as root: /opt/zimbra/bin/zmcertmgr deployca
   (e) Run as root: /opt/zimbra/bin/zmcertmgr install self -new
   (f) Run as root: su - zimbra -c "zmcontrol stop"; su - zimbra -c "zmcontrol start"
   ^D is Control-D
  • Note: for ZCS version 5.0.6, step (e) should be: Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self

For Multi-Server MTA: Run this on the systems which are running postfix

After completing the steps listed above on the LDAP master, log into each of the other systems running postfix:

   (a) Run as root: su - zimbra -c "zmcontrol stop"
   (b) Run as root: cd /opt/zimbra/ssl && mkdir /tmp/ssl.bak && mv * /tmp/ssl.bak
   (c) Run as root: cd /opt/zimbra/conf/ca && mkdir /tmp/ca.bak && mv * /tmp/ca.bak
   (d) Run as root: /opt/zimbra/bin/zmcertmgr createca
   (This will download the new CA from the LDAP server)
   (e) Run as root: /opt/zimbra/bin/zmcertmgr deployca
   (f) Run as root: su - zimbra -c "zmcontrol start"

For LDAP replicas: Run this on the systems that are LDAP replicas

After completing the steps listed above on the LDAP master, log into each of the other systems running postfix:

   (a) Run as root: su - zimbra -c "zmcontrol stop"
   (b) Run as root: cd /opt/zimbra/ssl && mkdir /tmp/ssl.bak && mv * /tmp/ssl.bak
   (c) Run as root: cd /opt/zimbra/conf/ca && mkdir /tmp/ca.bak && mv * /tmp/ca.bak
   (d) Run as root: /opt/zimbra/bin/zmcertmgr createca
   (This will download the new CA from the LDAP server)
   (e) Run as root: /opt/zimbra/bin/zmcertmgr deployca
   (f) Run as root: /opt/zimbra/bin/zmcertmgr install self -new
   (g) Run as root: su - zimbra -c "zmcontrol start"
  • Note: for ZCS version 5.0.6, step (f) should be: Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self

References

http://www.zimbra.com/forums/installation/13762-solved-expired-cert-5-0ga-can-cause-mail-delivery-failure.html

[ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ] - an expired CA cert will block mail delivery after upgrading to 5.0.0


Verified Against: Zimbra Collaboration Suite 5.0 Date Created: 01/02/2008
Article ID: https://wiki.zimbra.com/index.php?title=Problem_with_Certificate_can_cause_MTA_Failure Date Modified: 2015-03-24


