Problem with Certificate can cause MTA Failure: Difference between revisions
Revision as of 11:06, 11 January 2008
Issue:
Problem with Certificate can cause MTA Failure
Symptom:
When the MTA starts up, the following messages are logged in the /var/log/zimbra.log file:
Error:
postfix/trivial-rewrite[6172]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
postfix/trivial-rewrite[19377]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
postfix/trivial-rewrite[19378]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
Then the MTA (postfix) will stop functioning resulting in mail delivery failure (via lmtp and smtp).
Common Cause:
The CA chain can be appended in reverse order, creating an invalid certificate [ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ]
The above error may also be seen when you are hitting [ http://bugzilla.zimbra.com/show_bug.cgi?id=22468 ]. In that case, the following workaround will not work.
Workaround:
Read this post: http://www.zimbra.com/forums/administrators/13927-if-you-have-trouble-zimbra-5-0-read.html
Steps:
(a) Run as root: cd /opt/zimbra/ssl; mkdir bak; mv * bak
(a1) Run as root: cd /opt/zimbra/conf/ca; mkdir bak; mv * bak
(b) Run this as zimbra:
(b1) To get the password: zmlocalconfig -s zimbra_ldap_password
(b2) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W
Code:
dn: cn=config,cn=zimbra
changetype: modify
delete: zimbraCertAuthorityCertSelfSigned
[Hit Enter Twice here]
^D
(b3) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W
Code:
dn: cn=config,cn=zimbra
changetype: modify
delete: zimbraCertAuthorityKeySelfSigned
[Hit Enter Twice here]
^D
(c) Run as root: /opt/zimbra/bin/zmcertmgr createca
(d) Run as root: /opt/zimbra/bin/zmcertmgr deployca
(e) Run as root: /opt/zimbra/bin/zmcertmgr install self -new
(f) Run as root: su - zimbra -c "zmcontrol stop"; su - zimbra -c "zmcontrol start"
^D is Control-D
For Multi-Server MTA: Run this on the systems which are running postfix
After doing the steps listed above on the LDAP master, log into each of the other systems running postfix:
(a) Run as root: su - zimbra -c "zmcontrol stop"
(b) Run as root: cd /opt/zimbra/ssl; mkdir bak; mv * bak
(c) Run as root: cd /opt/zimbra/conf/ca; mkdir bak; mv * bak
(d) Run as root: /opt/zimbra/bin/zmcertmgr createca (This will download the new CA from the LDAP server)
(e) Run as root: /opt/zimbra/bin/zmcertmgr deployca
(f) Run as root: su - zimbra -c "zmcontrol start"
For LDAP replicas: Run this on the systems that are LDAP replicas
After doing the steps listed above on the LDAP master, log into each of the other systems running postfix:
(a) Run as root: su - zimbra -c "zmcontrol stop"
(b) Run as root: cd /opt/zimbra/ssl; mkdir bak; mv * bak
(c) Run as root: cd /opt/zimbra/conf/ca; mkdir bak; mv * bak
(d) Run as root: /opt/zimbra/bin/zmcertmgr createca (This will download the new CA from the LDAP server)
(e) Run as root: /opt/zimbra/bin/zmcertmgr deployca
(f) Run as root: /opt/zimbra/bin/zmcertmgr install self -new
(g) Run as root: su - zimbra -c "zmcontrol start"
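The common cause named above is a CA chain appended in reverse order. The following script is an added example, not part of the original wiki page or of Zimbra's tooling: it reports the order in which certificates appear in a PEM bundle by comparing subject and issuer names. The bundle path is whatever file the administrator passes in, and the function names and sample certificate names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Zimbra code): report the order of certificates in a PEM bundle.
# Comparison is by subject/issuer name only; signatures are not verified here.

# Print subject=/issuer= line pairs for every certificate in the bundle at $1.
list_subject_issuer() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Read subject=/issuer= pairs on stdin and print one of:
#   leaf-to-root  every certificate is followed by its issuer
#   root-to-leaf  every certificate is followed by one it issued (reversed)
#   broken        neighbours do not link in either direction
#   single        fewer than two certificates, nothing to order
classify_chain_order() {
    awk '
        /^subject=/ { n++; subj[n] = substr($0, 9) }
        /^issuer=/  { iss[n] = substr($0, 8) }
        END {
            if (n < 2) { print "single"; exit }
            fwd = 1; rev = 1
            for (i = 1; i < n; i++) {
                if (iss[i] != subj[i + 1]) fwd = 0
                if (iss[i + 1] != subj[i]) rev = 0
            }
            if (fwd) print "leaf-to-root"
            else if (rev) print "root-to-leaf"
            else print "broken"
        }'
}

# Constructed sample: a three-certificate chain listed root first.
constructed_reversed_sample() {
    cat <<'EOF'
subject=/CN=Example Root CA
issuer=/CN=Example Root CA

subject=/CN=Example Intermediate CA
issuer=/CN=Example Root CA

subject=/CN=mail.example.test
issuer=/CN=Example Intermediate CA
EOF
}

# With a file argument, classify that bundle; otherwise classify the sample.
if [ -n "${1:-}" ]; then
    list_subject_issuer "$1" | classify_chain_order
else
    constructed_reversed_sample | classify_chain_order
fi
```

A matching name pair does not prove a valid signature or an unexpired certificate; openssl verify checks those.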
References:
[ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ] - an expired CA cert will block mail delivery after upgrading to 5.0.0
Issue:
Cannot install a Commercial Certificate in Zimbra 5.0 [Bug 23294]
Symptom:
User is unable to install a commercial certificate in Zimbra 5.0
Common Cause:
Related to Bug [ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ]
Workaround:
Installing Cert via Command Line: [ http://bugzilla.zimbra.com/show_bug.cgi?id=23294 ] - commercial certs fail to install
References:
Bug [ http://bugzilla.zimbra.com/show_bug.cgi?id=23294 ] - commercial certs fail to install
Argh Commercial Certificates after a 4.10 -> 5.0 FOSS upgrade!