https://wiki.zimbra.com/api.php?action=feedcontributions&user=BrianP&feedformat=atomZimbra :: Tech Center - User contributions [en]2024-03-28T15:40:23ZUser contributionsMediaWiki 1.39.0https://wiki.zimbra.com/index.php?title=Logger&diff=14853Logger2009-09-09T18:57:22Z<p>BrianP: </p>
<hr />
<div>=Overview=<br />
The Zimbra Logger package (zimbra-logger) comprises data collection and reporting utilities for the Zimbra Collaboration Suite.<br />
==ZCS 6.0 and later==<br />
[[Logger (ZCS 6.0.x and later)]]<br />
==ZCS 5.0 and earlier==<br />
[[Logger (ZCS 5.0.x and earlier)]]<br />
<br />
{{Article Footer||9/9/2009}}<br />
<br />
[[Category:Logger]]</div>BrianPhttps://wiki.zimbra.com/index.php?title=Logger&diff=14852Logger2009-09-09T18:54:07Z<p>BrianP: /* Overview */</p>
<hr />
<div>=Overview=<br />
The Zimbra Logger package (zimbra-logger) comprises data collection and reporting utilities for the Zimbra Collaboration Suite.<br />
==ZCS 6.0 or later==<br />
[[Logger (ZCS 6.0.x or later)]]<br />
==ZCS 5.0 and earlier==<br />
[[Logger (ZCS 5.0.x and earlier)]]<br />
<br />
{{Article Footer||9/9/2009}}<br />
<br />
[[Category:Logger]]</div>BrianPhttps://wiki.zimbra.com/index.php?title=Logger&diff=14851Logger2009-09-09T18:52:10Z<p>BrianP: /* ZCS 6.0 and earlier */</p>
<hr />
<div>=Overview=<br />
<br />
==ZCS 6.0 or later==<br />
[[Logger (ZCS 6.0.x or later)]]<br />
==ZCS 5.0 and earlier==<br />
[[Logger (ZCS 5.0.x and earlier)]]<br />
<br />
{{Article Footer||9/9/2009}}<br />
<br />
[[Category:Logger]]</div>BrianPhttps://wiki.zimbra.com/index.php?title=Logger&diff=14850Logger2009-09-09T18:51:48Z<p>BrianP: </p>
<hr />
<div>=Overview=<br />
<br />
==ZCS 6.0 or later==<br />
[[Logger (ZCS 6.0.x or later)]]<br />
==ZCS 6.0 and earlier==<br />
[[Logger (ZCS 5.0.x and earlier)]]<br />
<br />
{{Article Footer||9/9/2009}}<br />
<br />
[[Category:Logger]]</div>BrianPhttps://wiki.zimbra.com/index.php?title=Logger(GnR)&diff=14849Logger(GnR)2009-09-09T18:37:41Z<p>BrianP: Logger(GnR) moved to Logger (ZCS 6.0.x and later)</p>
<hr />
<div>#REDIRECT [[Logger (ZCS 6.0.x and later)]]</div>BrianPhttps://wiki.zimbra.com/index.php?title=Logger_(ZCS_6.0.x_and_later)&diff=14848Logger (ZCS 6.0.x and later)2009-09-09T18:37:41Z<p>BrianP: Logger(GnR) moved to Logger (ZCS 6.0.x and later)</p>
<hr />
<div>= Logger in version 6.0 (GnR) =<br />
<br />
== Description ==<br />
<br />
Logger is a non-essential ZCS service that processes logs produced by Zimbra,<br />
and associated services. Logs are processed into a format that is readily<br />
displayed in the Zimbra Admin Console indicating real-time service status,<br />
MTA/spam/virus traffic and performance statistics.<br />
<br />
=== What's changed since 5.0 (and earlier) ===<br />
<br />
The logger service has been completely redesigned and redeveloped for ZCS 6.0.<br />
<br />
The service no longer relies on MySQL, and most command-line utilities related<br />
to the old service are no longer available.<br />
<br />
zmmsgtrace has been removed with no plan for a replacement.<br />
<br />
== Architecture and Implementation ==<br />
<br />
=== zmlogger ===<br />
<br />
This process is launched through zmloggerctl and runs on a pipe from<br />
zmlogswatch, it tails /var/log/zimbra-stats.log and captures information from the<br />
'zimbramon' and 'mailboxd' services and parses out statistics information.<br />
<br />
zmlogger reads an SQLite database to determine the type of each stat counter<br />
and its mapping to an RRD file and data column, and writes the stat counters to<br />
the appropriate RRD file(s).<br />
<br />
=== zmlogprocess ===<br />
<br />
Zmlogprocess is launched out of cron on the logger host every 5 minutes.<br />
<br />
This job reads MTA data from zimbra.log: MTA traffic and volume, SPAM<br />
and Virus infections. The data is then sent back to zmlogger as stat counters<br />
via syslog.<br />
<br />
=== zmstat ===<br />
<br />
zmstat is also integrated into the logger service: it broadcasts its stat<br />
counters over syslog in addition to writing the old CSV files.<br />
<br />
Stats will still be readable using the zmstat-chart tool in addition to live,<br />
real-time data displayed in the admin console.<br />
<br />
=== syslog ===<br />
<br />
The logger service will use syslog as a mechanism for aggregating data to a<br />
centralized server. Messages are generally sent in the format of<br />
<br />
message-type: headers(csv):: data-columns(csv)<br />
<br />
Messages over 800 characters in length are broken up using a UUID eliding<br />
scheme. This scheme is required because many syslogd implementations<br />
restrict message length to 1022 bytes or shorter. The scheme works<br />
by appending :::uuid to the end of, and prepending :::uuid to the start of, the<br />
pieces of a message that is split. The UUID makes it easy to match the pieces of a<br />
long message back together when several long messages occur at once (which is common).<br />
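The split-and-reassemble scheme described above, as an added Python example; this is not code from the wiki page or from Zimbra's own zmlogger. The fragment layout is an assumption (the page only says a :::uuid marker is appended or prepended): here the first piece gets the marker appended, every later piece gets it prepended, and pieces are matched by UUID so that several long messages arriving interleaved are still stitched back together correctly. The parsing step follows the message-type: headers(csv):: data-columns(csv) format given above; the message types and counter values are constructed sample data.<br />
<br />
```python
"""Added example: split, reassemble and parse logger-style syslog messages."""
import csv
import re
import uuid
from itertools import zip_longest

MAX_CHUNK = 800      # page: messages over 800 characters are split
SYSLOG_LIMIT = 1022  # page: many syslogd implementations cap lines at 1022 bytes
HEX32 = r"[0-9a-f]{32}"
# A fragment may carry a ':::uuid' marker at its head, at its tail, or at both.
FRAG_RE = re.compile(rf"^(?::::({HEX32}))?(.*?)(?::::({HEX32}))?$", re.S)


def split_message(msg, chunk=MAX_CHUNK, uid=None):
    """Cut msg into pieces of at most `chunk` characters.

    Assumed layout (the page only says the marker is appended/prepended):
    the first piece gets ':::uuid' appended, every later piece gets it
    prepended, and only the last piece has no trailing marker.
    """
    if len(msg) <= chunk:
        return [msg]
    marker = ":::" + (uid or uuid.uuid4().hex)
    pieces = [msg[i:i + chunk] for i in range(0, len(msg), chunk)]
    last = len(pieces) - 1
    return [(marker if i else "") + p + (marker if i < last else "")
            for i, p in enumerate(pieces)]


class Reassembler:
    """Stitch fragments back together, keyed by UUID, as they arrive."""

    def __init__(self):
        self.pending = {}  # uuid -> body pieces seen so far, in arrival order

    def feed(self, line):
        """Return the complete message, or None while pieces are still missing."""
        head, body, tail = FRAG_RE.match(line).groups()
        if head is None and tail is None:
            return body                      # never split; complete as-is
        uid = head or tail
        self.pending.setdefault(uid, []).append(body)
        if tail is not None:
            return None                      # a trailing marker means more to come
        return "".join(self.pending.pop(uid))


def parse_message(msg):
    """Parse 'message-type: headers(csv):: data-columns(csv)' into a dict."""
    mtype, rest = msg.split(": ", 1)
    headers_csv, data_csv = rest.split(":: ", 1)
    headers = next(csv.reader([headers_csv]))
    values = next(csv.reader([data_csv]))
    if len(headers) != len(values):
        raise ValueError(f"{mtype}: {len(headers)} headers but {len(values)} values")
    return mtype, dict(zip(headers, values))


def build_sample(mtype, ncols):
    """Constructed sample message with ncols counters (not real zmstat names)."""
    headers = ",".join(f"col{i}" for i in range(ncols))
    values = ",".join(str(i * 7) for i in range(ncols))
    return f"{mtype}: {headers}:: {values}"


def demo():
    """Push two long messages and one short one through an interleaved stream."""
    long_a = build_sample("zmmtastats", 150)   # > 800 chars, will be split
    short_b = build_sample("mailboxd", 3)      # fits in one syslog line
    long_c = build_sample("zimbramon", 120)    # > 800 chars, will be split
    frags_a = split_message(long_a, uid="a" * 32)
    frags_c = split_message(long_c, uid="c" * 32)
    # Interleave as a busy syslog would: a0, b, c0, a1, c1, ...
    stream = [frags_a[0], short_b, frags_c[0]] + [
        f for pair in zip_longest(frags_a[1:], frags_c[1:]) for f in pair if f]
    assert all(len(line) <= SYSLOG_LIMIT for line in stream)
    asm, results = Reassembler(), []
    for line in stream:
        full = asm.feed(line)
        if full is not None:
            results.append(parse_message(full))
    return results


if __name__ == "__main__":
    for mtype, cols in demo():
        print(mtype, len(cols), "columns")
```
<br />
The scheme carries no sequence number, so reassembly depends on syslog delivering the pieces of one UUID in order; a collector that buffers pending fragments should also cap how many UUIDs it keeps, otherwise a burst of never-completed messages simply accumulates in memory.<br />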
<br />
=== sqlite ===<br />
<br />
SQLite is used as an integration database. It maps DNS names to zmhostname<br />
when there are mismatches, stores information about stat counter types, and holds<br />
the mapping of each stat counter to an RRD file's datasource column.<br />
<br />
==== Schema ====<br />
<br />
Our integration database schema is as follows:<br />
<br />
* hosts: columns (id, dns_hostname, zm_hostname); generated dynamically as logger works<br />
<br />
Self-explanatory<br />
<br />
* rrds: columns (id, host_id, col_name, col_name_19, col_num, csv_file, rrd_file); also generated dynamically as logger works<br />
** host_id is the host for which this column is mapping<br />
** col_name_19 is the name of the column in the rrd file<br />
** col_num is the index of the column in the rrd_file<br />
** csv_file is the grouping of the stat counter<br />
** rrd_file is a number that, combined with the host_id, determines the rrd filename<br />
<br />
* datatypes: columns (csv_file, col_name, col_type); static mappings table (coming in beta2)<br />
** csv_file is the grouping of the stat counter<br />
** col_name is the column for which this is determining the datatype<br />
** col_type is the type of the column GAUGE, DERIVED, COUNTER or ABSOLUTE (rrd types)<br />
<br />
* config: columns (schema_version); single row table used for schema versioning (coming in beta2)<br />
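<br />
The four tables above, as an added Python/SQLite example that is not the wiki's or Zimbra's own code: it creates the schema as listed, records a DNS-name-to-zmhostname override the way zmloggerhostmap would, and resolves a stat counter to its RRD file, datasource name and column index. The column constraints, the find-or-create allocation of rrd_file and col_num, the default col_type for an unmapped counter, the host_id-rrd_file.rrd filename pattern and the hostnames and counter names are all assumptions or constructed sample data; col_name_19 is taken to be the counter name truncated to RRDtool's 19-character datasource-name limit.<br />
<br />
```python
"""Added example: a toy version of the logger integration database in SQLite."""
import sqlite3

# Tables and columns as listed on the page; the constraints are assumptions.
SCHEMA = """
CREATE TABLE hosts (
    id INTEGER PRIMARY KEY, dns_hostname TEXT UNIQUE NOT NULL, zm_hostname TEXT);
CREATE TABLE rrds (
    id INTEGER PRIMARY KEY, host_id INTEGER NOT NULL REFERENCES hosts(id),
    col_name TEXT NOT NULL, col_name_19 TEXT NOT NULL, col_num INTEGER NOT NULL,
    csv_file TEXT NOT NULL, rrd_file INTEGER NOT NULL,
    UNIQUE (host_id, csv_file, col_name));
CREATE TABLE datatypes (
    csv_file TEXT NOT NULL, col_name TEXT NOT NULL,
    col_type TEXT NOT NULL CHECK (col_type IN ('GAUGE','DERIVED','COUNTER','ABSOLUTE')),
    PRIMARY KEY (csv_file, col_name));
CREATE TABLE config (schema_version INTEGER NOT NULL);
"""


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    db.execute("INSERT INTO config (schema_version) VALUES (1)")
    return db


def map_host(db, dns_hostname, zm_hostname):
    """Record that the DNS name seen in syslog belongs to zm_hostname (zmloggerhostmap)."""
    cur = db.execute("UPDATE hosts SET zm_hostname = ? WHERE dns_hostname = ?",
                     (zm_hostname, dns_hostname))
    if cur.rowcount == 0:
        db.execute("INSERT INTO hosts (dns_hostname, zm_hostname) VALUES (?, ?)",
                   (dns_hostname, zm_hostname))


def zm_hostname_for(db, dns_hostname):
    row = db.execute("SELECT zm_hostname FROM hosts WHERE dns_hostname = ?",
                     (dns_hostname,)).fetchone()
    return row[0] if row and row[0] else dns_hostname


def host_id(db, dns_hostname):
    """Find-or-create the hosts row, as logger does dynamically while it works."""
    row = db.execute("SELECT id FROM hosts WHERE dns_hostname = ?", (dns_hostname,)).fetchone()
    if row:
        return row[0]
    return db.execute("INSERT INTO hosts (dns_hostname, zm_hostname) VALUES (?, ?)",
                      (dns_hostname, dns_hostname)).lastrowid


def register_counter(db, dns_hostname, csv_file, col_name):
    """Find-or-create the rrds mapping for one counter; returns (host_id, rrd_file, col_num).

    Assumed allocation: one rrd_file number per (host, csv_file) group, with
    col_num counting up inside the group. col_name_19 is the name truncated to
    RRDtool's 19-character datasource-name limit."""
    hid = host_id(db, dns_hostname)
    row = db.execute("SELECT rrd_file, col_num FROM rrds WHERE host_id=? AND csv_file=? "
                     "AND col_name=?", (hid, csv_file, col_name)).fetchone()
    if row:
        return hid, row[0], row[1]
    grp = db.execute("SELECT rrd_file, MAX(col_num) FROM rrds WHERE host_id=? AND csv_file=?",
                     (hid, csv_file)).fetchone()
    if grp[0] is None:                        # first counter of a new group on this host
        rrd_file = db.execute("SELECT COALESCE(MAX(rrd_file), 0) + 1 FROM rrds WHERE host_id=?",
                              (hid,)).fetchone()[0]
        col_num = 0
    else:
        rrd_file, col_num = grp[0], grp[1] + 1
    db.execute("INSERT INTO rrds (host_id, col_name, col_name_19, col_num, csv_file, rrd_file) "
               "VALUES (?, ?, ?, ?, ?, ?)",
               (hid, col_name, col_name[:19], col_num, csv_file, rrd_file))
    return hid, rrd_file, col_num


def resolve(db, dns_hostname, csv_file, col_name):
    """Where a counter goes: (rrd filename, DS name, column index, rrd type).
    The '<host_id>-<rrd_file>.rrd' pattern is a placeholder, not Zimbra's real layout."""
    hid, rrd_file, col_num = register_counter(db, dns_hostname, csv_file, col_name)
    row = db.execute("SELECT col_type FROM datatypes WHERE csv_file=? AND col_name=?",
                     (csv_file, col_name)).fetchone()
    col_type = row[0] if row else "GAUGE"     # assumed default for an unmapped counter
    return f"{hid}-{rrd_file}.rrd", col_name[:19], col_num, col_type


def demo():
    db = open_db()
    # Constructed rows for the static datatypes table.
    db.executemany("INSERT INTO datatypes VALUES (?, ?, ?)", [
        ("zmmtastats", "mta_volume", "DERIVED"),
        ("zmmtastats", "mta_count", "DERIVED"),
        ("mailboxd", "heap_used", "GAUGE")])
    # syslog reports 'mail1.example.com' but the zmhostname is 'mail1' (constructed).
    map_host(db, "mail1.example.com", "mail1")
    out = {}
    for host, grp, col in [("mail1.example.com", "zmmtastats", "mta_volume"),
                           ("mail1.example.com", "zmmtastats", "mta_count"),
                           ("mail1.example.com", "zmmtastats", "mta_volume"),  # repeat
                           ("mail1.example.com", "mailboxd", "heap_used"),
                           ("mail2.example.com", "mailboxd", "a_very_long_counter_name")]:
        out[(host, grp, col)] = resolve(db, host, grp, col)
    return out, zm_hostname_for(db, "mail1.example.com"), zm_hostname_for(db, "mail2.example.com")


if __name__ == "__main__":
    for key, val in demo()[0].items():
        print(key, "->", val)
```
<br />
Because the rrds table is filled in as counters are first seen, a counter that is renamed or moved between csv_file groups gets a fresh column rather than reusing the old one; the repeated mta_volume lookup in the demo shows that an already-known counter maps to the same slot every time.<br />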
<br />
==== zmloggerhostmap ====<br />
<br />
This is a command used to manipulate the DNS hostname to zmhostname mappings<br />
when there is a mismatch in the information reported to Logger<br />
<br />
=== rrd ===<br />
<br />
RRDs are used to store stat counter information; RRD handles aggregation and<br />
averaging. Generally, one RRD file is generated per group of statistics, and<br />
information is retained for 2 years in varying levels of granularity (from 30<br />
second to 1 hour resolution).<br />
<br />
==== zmrrdfetch ====<br />
<br />
This is an internal command that ZCS will use to fetch and combine data from<br />
the RRD files. The information will often be used to form graphs and charts<br />
in the admin console.<br />
<br />
<br />
== Troubleshooting ==<br />
<br />
=== No chart shows ===<br />
<br />
Is Flash installed? The new charts require Flash to render the images on the client side.<br />
<br />
=== Statistics show no data available ===<br />
<br />
# zmloggerctl status; ps ax | grep zmlogger<br />
# /opt/zimbra/libexec/zmrrdfetch -f zmmtastats<br />
# grep -w MTA /var/log/zimbra-stats.log<br />
# tail /var/log/zimbra-stats.log<br />
# zmsoap -z GetLoggerStatsRequest stats/@name=zmmtastats | head -20<br />
<br />
Take the above information and post or attach it to a support case or to the Zimbra Forums.<br />
<br />
{{Article Footer|Zimbra Collaboration Suite 6.0.x|4/9/2009}}<br />
[[Category:Logger]]</div>BrianPhttps://wiki.zimbra.com/index.php?title=Logger&diff=14845Logger2009-09-09T18:37:03Z<p>BrianP: Logger moved to Logger (ZCS 5.0.x and earlier)</p>
<hr />
<div>#REDIRECT [[Logger (ZCS 5.0.x and earlier)]]</div>BrianPhttps://wiki.zimbra.com/index.php?title=Logger_(ZCS_5.0.x_and_earlier)&diff=14844Logger (ZCS 5.0.x and earlier)2009-09-09T18:37:03Z<p>BrianP: Logger moved to Logger (ZCS 5.0.x and earlier)</p>
<hr />
<div>Although the logger is not essential for Zimbra to operate, this article will describe setup, configuration, and troubleshooting of the logger service for ZCS 5.0.x and earlier.<br />
<br />
=Setup and Configuration=<br />
==Installation==<br />
If the logger service is installed during ZCS installation, zmsetup.pl runs zmloggerinit, which A) creates the '''zimbra_logger''' database and the tables shown in the output below, and B) generates the zimbra and root mysql user passwords, and stores them in '''[[CLI_zmlocalconfig_%28Local_Configuration|zmlocalconfig]]'''.<br />
<br />
==Multi-node Installations==<br />
''Note: See also the [[Monitoring_Zimbra_Servers#Zimbra_Logger|server monitoring guide]].''<br />
<br />
1. Set the log hostname to the name of the node running the logger service. For this example, it's called '''mail1.domain.com'''.<br />
<br />
$ zmprov getConfig zimbraLogHostname<br />
$ zmprov modifyConfig zimbraLogHostname mail1.domain.com<br />
<br />
2. Configure syslog on each node. This must be done as root on each node.<br />
<br />
# /opt/zimbra/bin/zmsyslogsetup<br />
<br />
3. In order to allow the log host to accept log messages from the other nodes, add the "-r" option to the SYSLOGD_OPTIONS line in /etc/sysconfig/syslog (this must also be done as root); for example:<br />
<br />
SYSLOGD_OPTIONS="-r -m 0"<br />
<br />
=Troubleshooting=<br />
<br />
==Accessing the logger MySQL database manually==<br />
<br />
$ logmysql zimbra_logger<br />
<br />
mysql> show tables;<br />
+-------------------------+<br />
| Tables_in_zimbra_logger |<br />
+-------------------------+<br />
| amavis |<br />
| amavis_aggregate |<br />
| config |<br />
| disk_aggregate |<br />
| disk_status |<br />
| mta |<br />
| mta_aggregate |<br />
| processing_history |<br />
| raw_logs |<br />
| service_status |<br />
+-------------------------+<br />
<br />
==Checking and Repairing the tables in the logger database==<br />
<br />
MySQL has built-in tools for checking and repairing the database. Check all of the tables in the logger database, and repair each one that indicates it needs repair.<br />
<br />
Here is an example, using the "raw_logs" table:<br />
<br />
$ logmysql zimbra_logger<br />
<br />
mysql> check table raw_logs;<br />
+------------------------+-------+----------+----------+<br />
| Table | Op | Msg_type | Msg_text |<br />
+------------------------+-------+----------+----------+<br />
| zimbra_logger.raw_logs | check | status | OK | <br />
+------------------------+-------+----------+----------+<br />
1 row in set (1.06 sec)<br />
<br />
If a table does not show OK status, try repairing:<br />
<br />
mysql> repair table raw_logs;<br />
+------------------------+--------+----------+----------+<br />
| Table | Op | Msg_type | Msg_text |<br />
+------------------------+--------+----------+----------+<br />
| zimbra_logger.raw_logs | repair | status | OK | <br />
+------------------------+--------+----------+----------+<br />
1 row in set (2.32 sec)<br />
<br />
See [http://dev.mysql.com/doc/refman/5.0/en/repair.html MySQL documentation] for more information.<br />
<br />
==Overview of logger pipeline==<br />
<br />
1. The mta components (postfix, amavis) and system status scripts (zmstatuslog, zmdisklog, zmqueuelog) log to /var/log/zimbra.log.<br />
<br />
2. The logswatch script monitors /var/log/zimbra.log and sends new lines to the zmlogger script.<br />
<br />
3. The zmlogger script inserts the log lines into the raw_logs table, and updates the service_status table, in the zimbra_logger database.<br />
<br />
4. The zmlogprocess script breaks down the lines from the raw_logs table and inserts the data into the mta, mta_aggregate, amavis, amavis_aggregate, disk_status, disk_aggregate, and processing_history tables of the zimbra_logger db.<br />
<br />
==How to determine why logger isn't working==<br />
<br />
Why does the logger service stop? The two main causes are log rotation and a bug in zmlogswatchctl before ZCS 4.5.<br />
<br />
===Check the logger mysql error log===<br />
The logger mysql error log will be /opt/zimbra/logger/db/data/<hostname>.err. For example, if your server's hostname is "zimbra.domain.com", the file will be /opt/zimbra/logger/db/data/zimbra.domain.com.err.<br />
<br />
Try [[Repair_Logger_Data_Corruption|repairing the corrupt tables]] if you see any lines like this:<br />
<br />
070927 14:30:01 [ERROR] /opt/zimbra/logger/mysql/libexec/mysqld: Table './zimbra_logger/raw_logs' is marked as crashed and last (automatic?) repair failed<br />
<br />
===Check "zmcontrol status"===<br />
1. If "'''logmysql.server''' is not running", verify whether A) the file /opt/zimbra/logger/db/mysql.pid exists, and B) there is an /opt/zimbra/logger/mysql/libexec/mysqld process.<br />
<br />
cat /opt/zimbra/logger/db/mysql.pid<br />
ps aux | grep logger/mysql<br />
<br />
Under normal operation, the id of this mysqld process will be in the mysql.pid file.<br />
<br />
2. If "'''zmlogswatchctl''' is not running", verify whether A) the file /opt/zimbra/log/logswatch.pid exists, and B) there is a single /opt/zimbra/libexec/logswatch process.<br />
<br />
cat /opt/zimbra/log/logswatch.pid<br />
ps aux | grep logswatch<br />
<br />
3. If "'''logger''' Running" is reported but the logger still is not working, verify that the logger database is accessible and that there are not multiple logswatch scripts running (see #2).<br />
<br />
logmysqladmin status<br />
ps aux | grep logswatch<br />
<br />
===Check the MTA log===<br />
1. Is there MTA activity?<br />
<br />
grep postfix /var/log/zimbra.log | tail<br />
grep amavis /var/log/zimbra.log | tail<br />
<br />
2. Is there ZCS system information?<br />
<br />
grep STATUS /var/log/zimbra.log | tail<br />
grep DISK /var/log/zimbra.log | tail<br />
grep QUEUE /var/log/zimbra.log | tail<br />
<br />
===Check the logger database===<br />
1. Is data making it to the '''service_status''' and '''raw_logs''' tables (choose the current date)?<br />
<br />
logmysql zimbra_logger<br />
select * from service_status;<br />
select * from raw_logs where log_date >= curdate(); # Today's entries<br />
# or<br />
select * from raw_logs where log_date > '2007-03-15'; # Entries newer than 2007-03-15<br />
<br />
==Symptoms==<br />
<br />
[[Logger#Check_.22zmcontrol_status.22|zmlogswatchctl is not running]]<br />
<br />
[[Logger#Multi-node_Installations|Admin console only showing data for the log host in a multi-node installation]]<br />
<br />
<br />
==What queries the logger database==<br />
<br />
1. The '''[[Monitoring_Zimbra_Servers#Generating_Daily_Mail_Reports|zmdailyreport]]''' script processes data from the mta and amavis tables, and emails the results to root, which is normally an alias to the original zimbra admin account.<br />
<br />
[zimbra@mail ~]$ crontab -l | grep zmdailyreport<br />
10 1 * * * /opt/zimbra/libexec/zmdailyreport | /opt/zimbra/postfix/sbin/sendmail root<br />
<br />
[zimbra@mail ~]$ zmprov getAccount admin | grep Alias<br />
zimbraMailAlias: root@mail.domain.com<br />
zimbraMailAlias: postmaster@mail.domain.com<br />
<br />
2. The '''[[Monitoring_Zimbra_Servers#Tracing_Messages|zmmsgtrace]]''' tool queries the mta and amavis tables and outputs basic info about matching messages.<br />
<br />
3. The '''zmgengraphs''' script queries the disk_aggregate, mta_aggregate, and amavis_aggregate tables and creates images that will be displayed in the admin console.<br />
<br />
4. Loading the '''[[Administration_Console|admin console]]''' queries the service_status table, and [[Monitoring_Zimbra_Servers#Server_Performance_Statistics|viewing server statistics]] will display the graphs created by zmgengraphs.<br />
<br />
[screenshot]<br />
<br />
<br />
== How to shrink logger database ==<br />
<br />
If the database is very big, it is best to clean it manually the first time.<br />
The commands below delete all data in three tables (mta, amavis, raw_logs). If you need this data, do not execute them!<br />
$zmlogswatchctl stop (don't execute "zmloggerctl stop" this also stops logger mysqld)<br />
$logmysql -D zimbra_logger<br />
mysql> delete from amavis;<br />
mysql> optimize table amavis;<br />
mysql> delete from mta;<br />
mysql> optimize table mta;<br />
mysql> delete from raw_logs;<br />
mysql> optimize table raw_logs;<br />
mysql> quit<br />
$zmlogswatchctl start<br />
Be patient; each delete query may take a long time!<br />
<br />
Here is a script for cleaning the database. Run it under the zimbra account. If the database is big and the script runs for a long time, run zmlogswatchctl stop first to prevent Zimbra from accessing the database, and don't forget to run zmlogswatchctl start after the script.<br />
#!/bin/bash<br />
<br />
AMAVIS=10 #keep last 10 days<br />
MTA=30 #keep last 30 days<br />
RAW=2 #keep last 2 days<br />
<br />
/opt/zimbra/bin/logmysql -D zimbra_logger << EOF<br />
delete from amavis where arrive_time < adddate(curdate(),interval -$AMAVIS day);<br />
optimize table amavis;<br />
select count(*) AS amavis_rec_left from amavis;<br />
delete from mta where (arrive_time > "2000-01-01" and arrive_time < adddate(curdate(),interval -$MTA day)) or <br />
(leave_time > "2000-01-01" and leave_time < adddate(curdate(),interval -$MTA day));<br />
optimize table mta;<br />
select count(*) AS MTA_rec_left from mta;<br />
delete from raw_logs where log_date < adddate(curdate(),interval -$RAW day);<br />
optimize table raw_logs;<br />
select count(*) AS raw_rec_left from raw_logs;<br />
quit<br />
EOF<br />
<br />
[[Category:Logger]]</div>BrianPhttps://wiki.zimbra.com/index.php?title=Logger_(ZCS_5.0.x_and_earlier)&diff=14843Logger (ZCS 5.0.x and earlier)2009-09-09T18:34:51Z<p>BrianP: </p>
<hr />
<div>Although the logger is not essential for Zimbra to operate, this article will describe setup, configuration, and troubleshooting of the logger service for ZCS 5.0.x and earlier.<br />
<br />
=Setup and Configuration=<br />
==Installation==<br />
If the logger service is installed during ZCS installation, zmsetup.pl runs zmloggerinit, which A) creates the '''zimbra_logger''' database and the tables shown in the output below, and B) generates the zimbra and root mysql user passwords, and stores them in '''[[CLI_zmlocalconfig_%28Local_Configuration|zmlocalconfig]]'''.<br />
<br />
==Multi-node Installations==<br />
''Note: See also the [[Monitoring_Zimbra_Servers#Zimbra_Logger|server monitoring guide]].''<br />
<br />
1. Set the log hostname to the name of the node running the logger service. For this example, it's called '''mail1.domain.com'''.<br />
<br />
$ zmprov getConfig zimbraLogHostname<br />
$ zmprov modifyConfig zimbraLogHostname mail1.domain.com<br />
<br />
2. Configure syslog on each node. This must be done as root on each node.<br />
<br />
# /opt/zimbra/bin/zmsyslogsetup<br />
<br />
3. In order to allow the log host to accept log messages from the other nodes, add the "-r" option to the SYSLOGD_OPTIONS line in /etc/sysconfig/syslog (this must also be done as root); for example:<br />
<br />
SYSLOGD_OPTIONS="-r -m 0"<br />
<br />
=Troubleshooting=<br />
<br />
==Accessing the logger MySQL database manually==<br />
<br />
$ logmysql zimbra_logger<br />
<br />
mysql> show tables;<br />
+-------------------------+<br />
| Tables_in_zimbra_logger |<br />
+-------------------------+<br />
| amavis |<br />
| amavis_aggregate |<br />
| config |<br />
| disk_aggregate |<br />
| disk_status |<br />
| mta |<br />
| mta_aggregate |<br />
| processing_history |<br />
| raw_logs |<br />
| service_status |<br />
+-------------------------+<br />
<br />
==Checking and Repairing the tables in the logger database==<br />
<br />
MySQL has built-in tools for checking and repairing the database. Check all of the tables in the logger database, and repair each one that indicates it needs repair.<br />
<br />
Here is an example, using the "raw_logs" table:<br />
<br />
$ logmysql zimbra_logger<br />
<br />
mysql> check table raw_logs;<br />
+------------------------+-------+----------+----------+<br />
| Table | Op | Msg_type | Msg_text |<br />
+------------------------+-------+----------+----------+<br />
| zimbra_logger.raw_logs | check | status | OK | <br />
+------------------------+-------+----------+----------+<br />
1 row in set (1.06 sec)<br />
<br />
If a table does not show OK status, try repairing:<br />
<br />
mysql> repair table raw_logs;<br />
+------------------------+--------+----------+----------+<br />
| Table | Op | Msg_type | Msg_text |<br />
+------------------------+--------+----------+----------+<br />
| zimbra_logger.raw_logs | repair | status | OK | <br />
+------------------------+--------+----------+----------+<br />
1 row in set (2.32 sec)<br />
<br />
See [http://dev.mysql.com/doc/refman/5.0/en/repair.html MySQL documentation] for more information.<br />
<br />
==Overview of logger pipeline==<br />
<br />
1. The mta components (postfix, amavis) and system status scripts (zmstatuslog, zmdisklog, zmqueuelog) log to /var/log/zimbra.log.<br />
<br />
2. The logswatch script monitors /var/log/zimbra.log and sends new lines to the zmlogger script.<br />
<br />
3. The zmlogger script inserts the log lines into the raw_logs table, and updates the service_status table, in the zimbra_logger database.<br />
<br />
4. The zmlogprocess script breaks down the lines from the raw_logs table and inserts the data into the mta, mta_aggregate, amavis, amavis_aggregate, disk_status, disk_aggregate, and processing_history tables of the zimbra_logger db.<br />
<br />
==How to determine why logger isn't working==<br />
<br />
Why does the logger service stop? The two main causes are log rotation and a bug in zmlogswatchctl before ZCS 4.5.<br />
<br />
===Check the logger mysql error log===<br />
The logger mysql error log will be /opt/zimbra/logger/db/data/<hostname>.err. For example, if your server's hostname is "zimbra.domain.com", the file will be /opt/zimbra/logger/db/data/zimbra.domain.com.err.<br />
<br />
Try [[Repair_Logger_Data_Corruption|repairing the corrupt tables]] if you see any lines like this:<br />
<br />
070927 14:30:01 [ERROR] /opt/zimbra/logger/mysql/libexec/mysqld: Table './zimbra_logger/raw_logs' is marked as crashed and last (automatic?) repair failed<br />
<br />
===Check "zmcontrol status"===<br />
1. If "'''logmysql.server''' is not running", verify whether A) the file /opt/zimbra/logger/db/mysql.pid exists, and B) there is an /opt/zimbra/logger/mysql/libexec/mysqld process.<br />
<br />
cat /opt/zimbra/logger/db/mysql.pid<br />
ps aux | grep logger/mysql<br />
<br />
Under normal operation, the id of this mysqld process will be in the mysql.pid file.<br />
<br />
2. If "'''zmlogswatchctl''' is not running", verify whether A) the file /opt/zimbra/log/logswatch.pid exists, and B) there is a single /opt/zimbra/libexec/logswatch process.<br />
<br />
cat /opt/zimbra/log/logswatch.pid<br />
ps aux | grep logswatch<br />
<br />
3. If "'''logger''' Running" is reported but the logger still is not working, verify that the logger database is accessible and that there are not multiple logswatch scripts running (see #2).<br />
<br />
logmysqladmin status<br />
ps aux | grep logswatch<br />
<br />
===Check the MTA log===<br />
1. Is there MTA activity?<br />
<br />
grep postfix /var/log/zimbra.log | tail<br />
grep amavis /var/log/zimbra.log | tail<br />
<br />
2. Is there ZCS system information?<br />
<br />
grep STATUS /var/log/zimbra.log | tail<br />
grep DISK /var/log/zimbra.log | tail<br />
grep QUEUE /var/log/zimbra.log | tail<br />
<br />
===Check the logger database===<br />
1. Is data making it to the '''service_status''' and '''raw_logs''' tables (choose the current date)?<br />
<br />
logmysql zimbra_logger<br />
select * from service_status;<br />
select * from raw_logs where log_date >= curdate(); # Today's entries<br />
# or<br />
select * from raw_logs where log_date > '2007-03-15'; # Entries newer than 2007-03-15<br />
<br />
==Symptoms==<br />
<br />
[[Logger#Check_.22zmcontrol_status.22|zmlogswatchctl is not running]]<br />
<br />
[[Logger#Multi-node_Installations|Admin console only showing data for the log host in a multi-node installation]]<br />
<br />
<br />
==What queries the logger database==<br />
<br />
1. The '''[[Monitoring_Zimbra_Servers#Generating_Daily_Mail_Reports|zmdailyreport]]''' script processes data from the mta and amavis tables, and emails the results to root, which is normally an alias to the original zimbra admin account.<br />
<br />
[zimbra@mail ~]$ crontab -l | grep zmdailyreport<br />
10 1 * * * /opt/zimbra/libexec/zmdailyreport | /opt/zimbra/postfix/sbin/sendmail root<br />
<br />
[zimbra@mail ~]$ zmprov getAccount admin | grep Alias<br />
zimbraMailAlias: root@mail.domain.com<br />
zimbraMailAlias: postmaster@mail.domain.com<br />
<br />
2. The '''[[Monitoring_Zimbra_Servers#Tracing_Messages|zmmsgtrace]]''' tool queries the mta and amavis tables and outputs basic info about matching messages.<br />
<br />
3. The '''zmgengraphs''' script queries the disk_aggregate, mta_aggregate, and amavis_aggregate tables and creates images that will be displayed in the admin console.<br />
<br />
4. Loading the '''[[Administration_Console|admin console]]''' queries the service_status table, and [[Monitoring_Zimbra_Servers#Server_Performance_Statistics|viewing server statistics]] will display the graphs created by zmgengraphs.<br />
<br />
[screenshot]<br />
<br />
<br />
== How to shrink logger database ==<br />
<br />
If the database is very big, it is best to clean it manually the first time.<br />
The commands below delete all data in three tables (mta, amavis, raw_logs). If you need this data, do not execute them!<br />
$zmlogswatchctl stop (don't execute "zmloggerctl stop" this also stops logger mysqld)<br />
$logmysql -D zimbra_logger<br />
mysql> delete from amavis;<br />
mysql> optimize table amavis;<br />
mysql> delete from mta;<br />
mysql> optimize table mta;<br />
mysql> delete from raw_logs;<br />
mysql> optimize table raw_logs;<br />
mysql> quit<br />
$zmlogswatchctl start<br />
Be patient; each delete query may take a long time!<br />
<br />
Here is a script for cleaning the database. Run it under the zimbra account. If the database is big and the script runs for a long time, run zmlogswatchctl stop first to prevent Zimbra from accessing the database, and don't forget to run zmlogswatchctl start after the script.<br />
#!/bin/bash<br />
<br />
AMAVIS=10 #keep last 10 days<br />
MTA=30 #keep last 30 days<br />
RAW=2 #keep last 2 days<br />
<br />
/opt/zimbra/bin/logmysql -D zimbra_logger << EOF<br />
delete from amavis where arrive_time < adddate(curdate(),interval -$AMAVIS day);<br />
optimize table amavis;<br />
select count(*) AS amavis_rec_left from amavis;<br />
delete from mta where (arrive_time > "2000-01-01" and arrive_time < adddate(curdate(),interval -$MTA day)) or <br />
(leave_time > "2000-01-01" and leave_time < adddate(curdate(),interval -$MTA day));<br />
optimize table mta;<br />
select count(*) AS MTA_rec_left from mta;<br />
delete from raw_logs where log_date < adddate(curdate(),interval -$RAW day);<br />
optimize table raw_logs;<br />
select count(*) AS raw_rec_left from raw_logs;<br />
quit<br />
EOF<br />
<br />
[[Category:Logger]]</div>BrianPhttps://wiki.zimbra.com/index.php?title=Problem_with_Certificate_can_cause_MTA_Failure&diff=7963Problem with Certificate can cause MTA Failure2008-02-13T20:51:03Z<p>BrianP: </p>
<hr />
<div>'''Issue:'''<br />
<br />
Problem with Certificate can cause MTA Failure <br />
<br />
'''Symptom:'''<br />
<br />
When the MTA starts up, the following messages appear in the /var/log/zimbra.log file:<br />
<br />
'''Error:'''<br />
postfix/trivial-rewrite[6172]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem<br />
postfix/trivial-rewrite[19377]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem<br />
postfix/trivial-rewrite[19378]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error<br />
<br />
<br />
Then the MTA (postfix) will stop functioning resulting in mail delivery failure (via lmtp and smtp).<br />
<br />
'''Common Cause:'''<br />
<br />
The CA chain can be appended in reverse order, creating an invalid certificate [ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ]<br />
<br />
The above error may also be seen when you are hitting [ http://bugzilla.zimbra.com/show_bug.cgi?id=22468 ]. In that case, the following workaround will not work.<br />
<br />
<br />
'''Workaround [5.0.1_GA or later]'''<br />
<br />
----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''For Single-server and Multi-server ldap masters'''<br />
<br />
(a) Run as root: /opt/zimbra/bin/zmcertmgr createca -new<br />
(b) Run as root: /opt/zimbra/bin/zmcertmgr deployca<br />
(c) Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self -new<br />
(d) Run as root: su - zimbra zmcontrol stop; su - zimbra zmcontrol start<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''For Multi-Server: Run this on all other systems in the multi-server setup'''<br />
<br />
After doing the steps listed above on the ldap master, log into each of the other systems running postfix:<br />
<br />
(a) Run as root: su - zimbra zmcontrol stop<br />
(b) Run as root: /opt/zimbra/bin/zmcertmgr deployca <br />
(c) Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self -new<br />
(d) Run as root: su - zimbra zmcontrol start<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
<br />
'''Workaround [5.0.0_GA]'''<br />
<br />
Read this post: http://www.zimbra.com/forums/administrators/13927-if-you-have-trouble-zimbra-5-0-read.html<br />
<br />
Alternate: http://www.zimbra.com/forums/installation/13898-argh-commercial-certificates-after-4-10-5-0-foss-upgrade.html<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''Steps:'''<br />
(a) Run as root: cd /opt/zimbra/ssl; mkdir /tmp/ssl.bak; mv * /tmp/ssl.bak<br />
(a1) Run as root: cd /opt/zimbra/conf/ca; mkdir /tmp/ca.bak; mv * /tmp/ca.bak<br />
(b) Run this as zimbra:<br />
(b1) To get the password: zmlocalconfig -s zimbra_ldap_password<br />
(b2) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W<br />
'''Code:'''<br />
dn: cn=config,cn=zimbra<br />
changetype:modify<br />
delete: zimbraCertAuthorityCertSelfSigned [Hit Enter Twice here]<br />
^D<br />
(b3) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W<br />
'''Code:'''<br />
dn: cn=config,cn=zimbra<br />
changetype:modify<br />
delete: zimbraCertAuthorityKeySelfSigned [Hit Enter Twice here]<br />
^D<br />
(c) as root: run /opt/zimbra/bin/zmcertmgr createca<br />
(d) as root: run /opt/zimbra/bin/zmcertmgr deployca<br />
(e) as root: run /opt/zimbra/bin/zmcertmgr install self -new<br />
(f) as root: su - zimbra zmcontrol stop; su - zimbra zmcontrol start<br />
^D is Control-D<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''For Multi-Server MTA: Run this on the systems which are running postfix'''<br />
<br />
After doing the steps listed above on the ldap master, log into each of the other systems running postfix:<br />
<br />
(a) Run as root: su - zimbra zmcontrol stop<br />
(b) Run as root: cd /opt/zimbra/ssl; mkdir /tmp/ssl.bak; mv * /tmp/ssl.bak<br />
(c) Run as root: cd /opt/zimbra/conf/ca; mkdir /tmp/ca.bak; mv * /tmp/ca.bak<br />
(d) Run as root: run /opt/zimbra/bin/zmcertmgr createca<br />
(This will download the new CA from the LDAP server)<br />
(e) Run as root: run /opt/zimbra/bin/zmcertmgr deployca <br />
(f) Run as root: su - zimbra zmcontrol start<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''For LDAP replicas: Run this on the systems that are LDAP replicas'''<br />
<br />
After doing the steps listed above on the ldap master, log into any different systems running postfix:<br />
<br />
(a) Run as root: su - zimbra zmcontrol stop<br />
(b) Run as root: cd /opt/zimbra/ssl; mkdir /tmp/ssl.bak; mv * /tmp/ssl.bak<br />
(c) Run as root: cd /opt/zimbra/conf/ca; mkdir /tmp/ca.bak; mv * /tmp/ca.bak<br />
(d) Run as root: run /opt/zimbra/bin/zmcertmgr createca<br />
(This will download the new CA from the LDAP server)<br />
(e) Run as root: /opt/zimbra/bin/zmcertmgr deployca<br />
(f) Run as root: /opt/zimbra/bin/zmcertmgr install self -new<br />
(g) Run as root: su - zimbra; zmcontrol start<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''References:'''<br />
<br />
http://www.zimbra.com/forums/installation/13762-solved-expired-cert-5-0ga-can-cause-mail-delivery-failure.html<br />
<br />
[ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ] - an expired CA cert will block mail delivery after upgrading to 5.0.0<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''Issue:'''<br />
<br />
Cannot install a Commercial Certificate in Zimbra 5.0 [Bug 23294]<br />
<br />
'''Symptom:'''<br />
<br />
User is unable to install a commercial certificate in Zimbra 5.0<br />
<br />
'''Common Cause:'''<br />
<br />
Related to Bug [ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ]<br />
<br />
'''Workaround:'''<br />
<br />
Installing Cert via Command Line: [ http://bugzilla.zimbra.com/show_bug.cgi?id=23294 ] - commercial certs fail to install<br />
<br />
'''References:'''<br />
<br />
Bug [ http://bugzilla.zimbra.com/show_bug.cgi?id=23294 ] - commercial certs fail to install<br />
Argh Commercial Certificates after a 4.10 -> 5.0 FOSS upgrade!<br />
<br />
http://www.zimbra.com/forums/installation/13898-argh-commercial-certificates-after-4-10-5-0-foss-upgrade.html<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
{{Article Footer|Zimbra Collaboration Suite 5.0|01/02/2008}}<br />
[[Category:Troubleshooting]]<br />
[[Category: Certificates]]</div>BrianPhttps://wiki.zimbra.com/index.php?title=Recreating_a_Self-Signed_SSL_Certificate_in_ZCS_4.5_%26_5.0&diff=7960Recreating a Self-Signed SSL Certificate in ZCS 4.5 & 5.02008-02-13T20:48:52Z<p>BrianP: </p>
<hr />
<div>== Self Signed Certificate Instructions ==<br />
<br />
===WARNINGS===<br />
<br />
- ''If you're working with a commercial certificate, do *NOT* use this page - go to [[Commercial Certificates]] instead''<br />
<br />
- Please read all instructions and pay attention to the specific 4.5 (and prior) vs 5.0 sections & notes.<br />
<br />
- V5.0 will include a certificates area in the Tools section of the admin interface, so you might try using that first.<br />
<br />
To clean up SSL certificates and recreate a new self-signed cert:<br />
<br />
=== Why recreate my certificates ===<br />
<br />
If you're seeing an error like this when you run zmprov:<br />
<br />
[] ERROR: java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 08 00:38:45 EDT 2006<br />
ERROR: zclient.IO_ERROR (invoke java.security.cert.CertificateException: Untrusted Server Certificate Chain, server: localhost) <br />
(cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Untrusted Server Certificate Chain)<br />
<br />
your certs have expired and need to be recreated.<br />
<br />
===Back up existing certificates===<br />
<br />
* This backs up the default certificates created by zmcreateca and zmcreatecert:<br />
tar cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/<br />
<br />
* This backs up the server's working certificate files:<br />
cd /opt/zimbra/<br />
tar cf /tmp/zimbra-certs.tar conf/ca/ conf/*.crt conf/*.key conf/*.pem tomcat/conf/keystore java/jre/lib/security/cacerts<br />
<br />
===Delete and re-create SSL Directory (as root)===<br />
su -<br />
rm -rf /opt/zimbra/ssl<br />
mkdir /opt/zimbra/ssl<br />
chown zimbra:zimbra /opt/zimbra/ssl<br />
<br />
===Give the zimbra user write access to the cacerts keystore===<br />
* On linux the java cacerts file is a part of the ZCS installation.<br />
chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts<br />
chmod 644 /opt/zimbra/java/jre/lib/security/cacerts<br />
* On Mac OS X the java cacerts file is a part of the system's java installation. Either run the "keytool -delete ..." command in the next section as root or give write access to the zimbra user.<br />
chown zimbra:zimbra /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts<br />
chmod u+w /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts<br />
<br />
===Remove the self-signed root certificate from the cacerts keystore (as zimbra)===<br />
* Mac OS X<br />
keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit<br />
* Linux<br />
keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit<br />
<br />
===Delete the server cert from the mailboxd keystore (as zimbra)===<br />
<br />
* For ZCS up to 4.5.x (tomcat)<br />
su - zimbra<br />
keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra<br />
<br />
* For ZCS 5.0+ (mailboxd/jetty)<br />
su - zimbra<br />
keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass zimbra<br />
<br />
* Storepass is normally stored in localconfig<br />
su - zimbra<br />
zmlocalconfig -s -m nokey tomcat_keystore_password<br />
<br />
or for 5.0 (jetty)<br />
su - zimbra<br />
zmlocalconfig -s -m nokey mailboxd_keystore_password<br />
<br />
===Perform optional configuration===<br />
* If you want to change the duration of the certificate from the default (365 days), modify the "default_days" entry in the file /opt/zimbra/conf/zmssl.cnf.in<br />
<br />
''Workaround: zmssl.cnf.in default_days is ignored. Currently you will need to edit zmcreateca and zmcreatecert:'' Bug is http://bugzilla.zimbra.com/show_bug.cgi?id=12228<br />
<br />
* If you want the common name to show up in the CA as your hostname rather than 'Zimbra Collaboration Suite' because you have several Zimbra servers, edit the template as follows. Please Note: I probably have unnecessary steps in this section here, but this is what I did to get it working for me.<br />
vi /opt/zimbra/conf/zmssl.cnf.in<br />
[change section to appear as below]<br />
0.organizationName = Zimbra<br />
0.organizationName_default = Zimbra<br />
# we can do this but it is not needed normally :-)<br />
#1.organizationName = Second Organization Name (eg, company)<br />
#1.organizationName_default = World Wide Web Pty Ltd<br />
organizationalUnitName = Zimbra<br />
organizationalUnitName_default = Zimbra<br />
commonName = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work><br />
commonName_max = 64<br />
commonName_default = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work><br />
<br />
===Create the CA certificate (as zimbra)===<br />
zmcreateca<br />
<br />
* (OPTIONAL) If you did the Optional step to make the CN the hostname for the CA, the output should be like the following:<br />
...<br />
Signature ok<br />
subject=/C=US/ST=N/A/L=N/A/O=Zimbra/OU=Zimbra/CN=<your hostname><br />
Getting Private key<br />
unable to write 'random state'<br />
<br />
===Install server ca files===<br />
* After creating the ca, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so do it manually (as zimbra):<br />
cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key<br />
cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem<br />
<br />
===Create the server certificate (as zimbra)===<br />
zmcreatecert<br />
<br />
If you wish to have several names on the certificate, supply them as arguments:<br />
<br />
zmcreatecert mail.mydomain.com webmail.mydomain.com webmail.yourdomain.com<br />
<br />
===Install the server certificate files (as zimbra)===<br />
* For Tomcat (ZCS up to 4.5.x)<br />
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt<br />
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key<br />
<br />
* For Mailboxd (ZCS 5.0+)<br />
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/mailboxd.crt<br />
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key<br />
<br />
* To update CA cert stored in LDAP (as zimbra):<br />
''zmprov -l mcf zimbraCertAuthorityKeySelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.key`"''<br />
''zmprov -l mcf zimbraCertAuthorityCertSelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.pem`"''<br />
<br />
* You can now see your updated certs in LDAP and compare them to the contents of /opt/zimbra/ssl/ssl/ca (as zimbra)<br />
zmprov -l gcf zimbraCertAuthorityKeySelfSigned <br />
zmprov -l gcf zimbraCertAuthorityCertSelfSigned<br />
<br />
===Restart zimbra services===<br />
* It may be necessary to restart the Zimbra servers for the changes to take effect (as zimbra).<br />
zmcontrol stop<br />
zmcontrol start<br />
<br />
==Other Possible Issues==<br />
<br />
'''Note about 'unable to write random state':'''<br />
<br />
This is a "harmless" warning that openssl has no random number seed file. The [http://www.openssl.org/support/faq.html#USER1 full] [http://www.openssl.org/support/faq.html#USER2 story] is available from openssl.org.<br />
<br />
'''Permission denied (publickey,gssapi-with-mic)'''<br />
<br />
http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/ssh/openssh_3.8.html<br />
<br />
[[Category:SSL/TLS]]<br />
[[Category:Troubleshooting]]<br />
[[Category: Certificates]]<br />
[[Category:Pending Certification]]</div>BrianPhttps://wiki.zimbra.com/index.php?title=5.x_Commercial_Certificates_Guide&diff=76395.x Commercial Certificates Guide2008-01-24T23:50:22Z<p>BrianP: </p>
<hr />
<div><br />
<br />
[5.0.1_GA and later]<br />
<br />
Obtain your commercial cert from your provider. You will also need the root CA and any intermediate CA certificates that the provider uses, in PEM format.<br />
Concatenate the root and intermediate files into a single file for use with zmcertmgr.<br />
<br />
(a) sudo zmcertmgr deploycrt comm <cert file> <ca_chain file><br />
(b) zmcontrol stop ; zmcontrol start<br />
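An added pre-flight check, not part of the original guide: before the deploycrt step, verify that the concatenated chain file is contiguous in conventional order (each certificate followed by the one that issued it, root last) and that nothing in it has expired, the two chain problems this page's "Problem with Certificate can cause MTA Failure" article ties to bug 23253. The script is example shell using the openssl CLI; the throwaway CA it generates, the file names, and the assumption that zmcertmgr wants this order are mine, not the wiki's.<br />

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki): sanity-check a concatenated PEM
# chain before handing it to "zmcertmgr deploycrt comm <cert> <ca_chain>".
# It catches a chain concatenated in the wrong order and an expired CA cert.
# Requires the openssl CLI. The issued-cert-before-issuer, root-last order is
# the conventional one and is an assumption about what zmcertmgr expects.

# Number of certificates in a PEM bundle.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Print the n-th certificate (1-based) of a PEM bundle.
pem_cert_nth() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----/ { seen++ }
        seen == want { print }
        /^-----END CERTIFICATE-----/ && seen == want { exit }
    ' "$1"
}

# Returns 0 when every certificate in the bundle is followed by the
# certificate that issued it (issuer of cert i == subject of cert i+1),
# which is exactly what a reversed concatenation breaks.
chain_order_ok() {
    bundle=$1
    n=$(pem_cert_count "$bundle") || return 1
    i=1
    while [ "$i" -lt "$n" ]; do
        next=$((i + 1))
        issuer=$(pem_cert_nth "$bundle" "$i" | openssl x509 -noout -issuer)
        subject=$(pem_cert_nth "$bundle" "$next" | openssl x509 -noout -subject)
        # openssl prints "issuer=..." and "subject=..." in the same Name
        # format, so stripping the label makes the two directly comparable.
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
        i=$next
    done
    return 0
}

# Returns 0 when every certificate in the bundle is still valid for at
# least $2 seconds from now (default 0: simply "not expired yet").
chain_not_expired() {
    bundle=$1
    secs=${2:-0}
    n=$(pem_cert_count "$bundle") || return 1
    i=1
    while [ "$i" -le "$n" ]; do
        pem_cert_nth "$bundle" "$i" \
            | openssl x509 -noout -checkend "$secs" >/dev/null || return 1
        i=$((i + 1))
    done
    return 0
}

# Build a constructed throwaway CA and server certificate in $1 so the checks
# can be exercised offline. Produces chain-good.pem (server, then CA) and
# chain-reversed.pem (CA, then server), the shape that bug 23253 describes.
make_demo_chain() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example Lab/CN=Example Lab Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Example Lab/CN=mail.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 30 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" >/dev/null 2>&1 || return 1
    cat "$dir/server.crt" "$dir/ca.pem" > "$dir/chain-good.pem"
    cat "$dir/ca.pem" "$dir/server.crt" > "$dir/chain-reversed.pem"
}

# Demonstration on the constructed chains. On a real server you would run
# the same two checks against the <ca_chain file> before deploycrt.
demo_dir=$(mktemp -d) && make_demo_chain "$demo_dir" && {
    for f in chain-good.pem chain-reversed.pem; do
        if chain_order_ok "$demo_dir/$f" && chain_not_expired "$demo_dir/$f"; then
            echo "$f: OK"
        else
            echo "$f: REJECT (wrong order or expired certificate)"
        fi
    done
    rm -rf "$demo_dir"
}
```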
<br />
<br />
[5.0.0_GA]<br />
<br />
<pre><br />
(a) Copy the certificate file(s) to /opt/zimbra/ssl/zimbra/commercial/ while naming it commercial.crt<br />
If you have more than one cert file, please concatenate them into one file<br />
(b) Copy the private key to /opt/zimbra/ssl/zimbra/commercial/ while naming it commercial.key<br />
(c) Copy /opt/zimbra/ssl/zimbra/commercial/commercial.crt to /opt/zimbra/jetty/webapps/zimbraAdmin/tmp/current.crt<br />
current.crt should be owned by zimbra:zimbra<br />
(d) Run this command /opt/zimbra/bin/zmcertmgr install comm<br />
</pre><br />
<br />
If there are any errors from the above command, please send them to us (support@zimbra.com)</div>BrianPhttps://wiki.zimbra.com/index.php?title=5.x_Commercial_Certificates_Guide&diff=76385.x Commercial Certificates Guide2008-01-24T23:48:13Z<p>BrianP: </p>
<hr />
<div>Please make sure the commercial certificate files are in the correct directories and run "zmcertmgr install comm" AS ROOT<br />
<br />
[5.0.1_GA and later]<br />
<br />
Obtain your commercial cert from your provider. You will also need the root CA and any intermediate CA certificates that the provider uses, in PEM format.<br />
Concatenate the root and intermediate files into a single file for use with zmcertmgr.<br />
<br />
(a) sudo zmcertmgr deploycrt comm <cert file> <ca_chain file><br />
(b) zmcontrol stop ; zmcontrol start<br />
<br />
<br />
[5.0.0_GA]<br />
<br />
<pre><br />
(a) Copy the certificate file(s) to /opt/zimbra/ssl/zimbra/commercial/ while naming it commercial.crt<br />
If you have more than one cert file, please concatenate them into one file<br />
(b) Copy the private key to /opt/zimbra/ssl/zimbra/commercial/ while naming it commercial.key<br />
(c) Copy /opt/zimbra/ssl/zimbra/commercial/commercial.crt to /opt/zimbra/jetty/webapps/zimbraAdmin/tmp/current.crt<br />
current.crt should be owned by zimbra:zimbra<br />
(d) Run this command /opt/zimbra/bin/zmcertmgr install comm<br />
</pre><br />
<br />
If there are any errors from the above command, please send them to us (support@zimbra.com)</div>BrianPhttps://wiki.zimbra.com/index.php?title=Problem_with_Certificate_can_cause_MTA_Failure&diff=7637Problem with Certificate can cause MTA Failure2008-01-24T21:10:28Z<p>BrianP: </p>
<hr />
<div>'''Issue:'''<br />
<br />
Problem with Certificate can cause MTA Failure <br />
<br />
'''Symptom:'''<br />
<br />
When the MTA starts up, the following messages appear in the /var/log/zimbra.log file:<br />
<br />
'''Error:'''<br />
postfix/trivial-rewrite[6172]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem<br />
postfix/trivial-rewrite[19377]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem<br />
postfix/trivial-rewrite[19378]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error<br />
<br />
<br />
Then the MTA (postfix) will stop functioning, resulting in mail delivery failure (via LMTP and SMTP).<br />
<br />
'''Common Cause:'''<br />
<br />
The CA chain can be appended in reverse order, creating an invalid certificate [ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ]<br />
<br />
The above error may also be seen when you are hitting [ http://bugzilla.zimbra.com/show_bug.cgi?id=22468 ]. In that case, the workaround below will not work.<br />
<br />
<br />
'''Workaround [5.0.1_GA or later]'''<br />
<br />
----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''For Single-server and Multi-server ldap masters'''<br />
<br />
(a) Run as root: /opt/zimbra/bin/zmcertmgr createca -new<br />
(b) Run as root: /opt/zimbra/bin/zmcertmgr deployca<br />
(c) Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self -new<br />
(d) Run as root: su - zimbra zmcontrol stop; su - zimbra zmcontrol start<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''For Multi-Server: Run this on all other systems in the multi-server setup'''<br />
<br />
After doing the steps listed above on the ldap master, log into any different systems running postfix:<br />
<br />
(a) Run as root: su - zimbra zmcontrol stop<br />
(b) Run as root: /opt/zimbra/bin/zmcertmgr deployca <br />
(c) Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self -new<br />
(d) Run as root: su - zimbra zmcontrol start<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
<br />
'''Workaround [5.0.0_GA]'''<br />
<br />
Read this post: http://www.zimbra.com/forums/administrators/13927-if-you-have-trouble-zimbra-5-0-read.html<br />
<br />
Alternate: http://www.zimbra.com/forums/installation/13898-argh-commercial-certificates-after-4-10-5-0-foss-upgrade.html<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''Steps:'''<br />
(a) Run as root: cd /opt/zimbra/ssl; mkdir /tmp/ssl.bak; mv * /tmp/ssl.bak<br />
(a1) Run as root: cd /opt/zimbra/conf/ca; mkdir /tmp/ca.bak; mv * /tmp/ca.bak<br />
(b) Run this as zimbra:<br />
(b1) To get the password: zmlocalconfig -s zimbra_ldap_password<br />
(b2) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W<br />
'''Code:'''<br />
dn: cn=config,cn=zimbra<br />
changetype:modify<br />
delete: zimbraCertAuthorityCertSelfSigned [Hit Enter Twice here]<br />
^D<br />
(b3) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W<br />
'''Code:'''<br />
dn: cn=config,cn=zimbra<br />
changetype:modify<br />
delete: zimbraCertAuthorityKeySelfSigned [Hit Enter Twice here]<br />
^D<br />
(c) as root: run /opt/zimbra/bin/zmcertmgr createca<br />
(d) as root: run /opt/zimbra/bin/zmcertmgr deployca<br />
(e) as root: run /opt/zimbra/bin/zmcertmgr install self -new<br />
(f) as root: su - zimbra zmcontrol stop; su - zimbra zmcontrol start<br />
^D is Control-D<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''For Multi-Server MTA: Run this on the systems which are running postfix'''<br />
<br />
After doing the steps listed above on the ldap master, log into any different systems running postfix:<br />
<br />
(a) Run as root: su - zimbra zmcontrol stop<br />
(b) Run as root: cd /opt/zimbra/ssl; mkdir /tmp/ssl.bak; mv * /tmp/ssl.bak<br />
(c) Run as root: cd /opt/zimbra/conf/ca; mkdir /tmp/ca.bak; mv * /tmp/ca.bak<br />
(d) Run as root: run /opt/zimbra/bin/zmcertmgr createca<br />
(This will download the new CA from the LDAP server)<br />
(e) Run as root: run /opt/zimbra/bin/zmcertmgr deployca <br />
(f) Run as root: su - zimbra zmcontrol start<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''For LDAP replicas: Run this on the systems that are LDAP replicas'''<br />
<br />
After doing the steps listed above on the ldap master, log into any different systems running postfix:<br />
<br />
(a) Run as root: su - zimbra zmcontrol stop<br />
(b) Run as root: cd /opt/zimbra/ssl; mkdir /tmp/ssl.bak; mv * /tmp/ssl.bak<br />
(c) Run as root: cd /opt/zimbra/conf/ca; mkdir /tmp/ca.bak; mv * /tmp/ca.bak<br />
(d) Run as root: run /opt/zimbra/bin/zmcertmgr createca<br />
(This will download the new CA from the LDAP server)<br />
(e) Run as root: /opt/zimbra/bin/zmcertmgr deployca<br />
(f) Run as root: /opt/zimbra/bin/zmcertmgr install self -new<br />
(g) Run as root: su - zimbra; zmcontrol start<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''References:'''<br />
<br />
http://www.zimbra.com/forums/installation/13762-solved-expired-cert-5-0ga-can-cause-mail-delivery-failure.html<br />
<br />
[ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ] - an expired CA cert will block mail delivery after upgrading to 5.0.0<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''Issue:'''<br />
<br />
Cannot install a Commercial Certificate in Zimbra 5.0 [Bug 23294]<br />
<br />
'''Symptom:'''<br />
<br />
User is unable to install a commercial certificate in Zimbra 5.0<br />
<br />
'''Common Cause:'''<br />
<br />
Related to Bug [ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ]<br />
<br />
'''Workaround:'''<br />
<br />
Installing Cert via Command Line: [ http://bugzilla.zimbra.com/show_bug.cgi?id=23294 ] - commercial certs fail to install<br />
<br />
'''References:'''<br />
<br />
Bug [ http://bugzilla.zimbra.com/show_bug.cgi?id=23294 ] - commercial certs fail to install<br />
Argh Commercial Certificates after a 4.10 -> 5.0 FOSS upgrade!<br />
<br />
http://www.zimbra.com/forums/installation/13898-argh-commercial-certificates-after-4-10-5-0-foss-upgrade.html<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
{{Article Footer|Zimbra Collaboration Suite 5.0|01/02/2008}}<br />
[[Category:Troubleshooting]]</div>BrianPhttps://wiki.zimbra.com/index.php?title=Problem_with_Certificate_can_cause_MTA_Failure&diff=7636Problem with Certificate can cause MTA Failure2008-01-24T21:10:15Z<p>BrianP: </p>
<hr />
<div>'''Issue:'''<br />
<br />
Problem with Certificate can cause MTA Failure <br />
<br />
'''Symptom:'''<br />
<br />
When the MTA starts up, the following messages appear in the /var/log/zimbra.log file:<br />
<br />
'''Error:'''<br />
postfix/trivial-rewrite[6172]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem<br />
postfix/trivial-rewrite[19377]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem<br />
postfix/trivial-rewrite[19378]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error<br />
<br />
<br />
Then the MTA (postfix) will stop functioning, resulting in mail delivery failure (via LMTP and SMTP).<br />
<br />
'''Common Cause:'''<br />
<br />
The CA chain can be appended in reverse order, creating an invalid certificate [ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ]<br />
<br />
The above error may also be seen when you are hitting [ http://bugzilla.zimbra.com/show_bug.cgi?id=22468 ]. In that case, the workaround below will not work.<br />
<br />
<br />
'''Workaround for [5.0.1_GA or later]'''<br />
<br />
----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''For Single-server and Multi-server ldap masters'''<br />
<br />
(a) Run as root: /opt/zimbra/bin/zmcertmgr createca -new<br />
(b) Run as root: /opt/zimbra/bin/zmcertmgr deployca<br />
(c) Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self -new<br />
(d) Run as root: su - zimbra zmcontrol stop; su - zimbra zmcontrol start<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''For Multi-Server: Run this on all other systems in the multi-server setup'''<br />
<br />
After doing the steps listed above on the ldap master, log into any different systems running postfix:<br />
<br />
(a) Run as root: su - zimbra zmcontrol stop<br />
(b) Run as root: /opt/zimbra/bin/zmcertmgr deployca <br />
(c) Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self -new<br />
(d) Run as root: su - zimbra zmcontrol start<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
<br />
'''Workaround [5.0.0_GA]'''<br />
<br />
Read this post: http://www.zimbra.com/forums/administrators/13927-if-you-have-trouble-zimbra-5-0-read.html<br />
<br />
Alternate: http://www.zimbra.com/forums/installation/13898-argh-commercial-certificates-after-4-10-5-0-foss-upgrade.html<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''Steps:'''<br />
(a) Run as root: cd /opt/zimbra/ssl; mkdir /tmp/ssl.bak; mv * /tmp/ssl.bak<br />
(a1) Run as root: cd /opt/zimbra/conf/ca; mkdir /tmp/ca.bak; mv * /tmp/ca.bak<br />
(b) Run this as zimbra:<br />
(b1) To get the password: zmlocalconfig -s zimbra_ldap_password<br />
(b2) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W<br />
'''Code:'''<br />
dn: cn=config,cn=zimbra<br />
changetype:modify<br />
delete: zimbraCertAuthorityCertSelfSigned [Hit Enter Twice here]<br />
^D<br />
(b3) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W<br />
'''Code:'''<br />
dn: cn=config,cn=zimbra<br />
changetype:modify<br />
delete: zimbraCertAuthorityKeySelfSigned [Hit Enter Twice here]<br />
^D<br />
(c) as root: run /opt/zimbra/bin/zmcertmgr createca<br />
(d) as root: run /opt/zimbra/bin/zmcertmgr deployca<br />
(e) as root: run /opt/zimbra/bin/zmcertmgr install self -new<br />
(f) as root: su - zimbra zmcontrol stop; su - zimbra zmcontrol start<br />
^D is Control-D<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''For Multi-Server MTA: Run this on the systems which are running postfix'''<br />
<br />
After doing the steps listed above on the ldap master, log into any different systems running postfix:<br />
<br />
(a) Run as root: su - zimbra zmcontrol stop<br />
(b) Run as root: cd /opt/zimbra/ssl; mkdir /tmp/ssl.bak; mv * /tmp/ssl.bak<br />
(c) Run as root: cd /opt/zimbra/conf/ca; mkdir /tmp/ca.bak; mv * /tmp/ca.bak<br />
(d) Run as root: run /opt/zimbra/bin/zmcertmgr createca<br />
(This will download the new CA from the LDAP server)<br />
(e) Run as root: run /opt/zimbra/bin/zmcertmgr deployca <br />
(f) Run as root: su - zimbra zmcontrol start<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''For LDAP replicas: Run this on the systems that are LDAP replicas'''<br />
<br />
After doing the steps listed above on the ldap master, log into any different systems running postfix:<br />
<br />
(a) Run as root: su - zimbra zmcontrol stop<br />
(b) Run as root: cd /opt/zimbra/ssl; mkdir /tmp/ssl.bak; mv * /tmp/ssl.bak<br />
(c) Run as root: cd /opt/zimbra/conf/ca; mkdir /tmp/ca.bak; mv * /tmp/ca.bak<br />
(d) Run as root: run /opt/zimbra/bin/zmcertmgr createca<br />
(This will download the new CA from the LDAP server)<br />
(e) Run as root: /opt/zimbra/bin/zmcertmgr deployca<br />
(f) Run as root: /opt/zimbra/bin/zmcertmgr install self -new<br />
(g) Run as root: su - zimbra; zmcontrol start<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''References:'''<br />
<br />
http://www.zimbra.com/forums/installation/13762-solved-expired-cert-5-0ga-can-cause-mail-delivery-failure.html<br />
<br />
[ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ] - an expired CA cert will block mail delivery after upgrading to 5.0.0<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''Issue:'''<br />
<br />
Cannot install a Commercial Certificate in Zimbra 5.0 [Bug 23294]<br />
<br />
'''Symptom:'''<br />
<br />
User is unable to install a commercial certificate in Zimbra 5.0<br />
<br />
'''Common Cause:'''<br />
<br />
Related to Bug [ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ]<br />
<br />
'''Workaround:'''<br />
<br />
Installing Cert via Command Line: [ http://bugzilla.zimbra.com/show_bug.cgi?id=23294 ] - commercial certs fail to install<br />
<br />
'''References:'''<br />
<br />
Bug [ http://bugzilla.zimbra.com/show_bug.cgi?id=23294 ] - commercial certs fail to install<br />
Argh Commercial Certificates after a 4.10 -> 5.0 FOSS upgrade!<br />
<br />
http://www.zimbra.com/forums/installation/13898-argh-commercial-certificates-after-4-10-5-0-foss-upgrade.html<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
{{Article Footer|Zimbra Collaboration Suite 5.0|01/02/2008}}<br />
[[Category:Troubleshooting]]</div>BrianPhttps://wiki.zimbra.com/index.php?title=Problem_with_Certificate_can_cause_MTA_Failure&diff=7635Problem with Certificate can cause MTA Failure2008-01-24T21:07:46Z<p>BrianP: </p>
<hr />
<div>'''Issue:'''<br />
<br />
Problem with Certificate can cause MTA Failure <br />
<br />
'''Symptom:'''<br />
<br />
When the MTA starts up, the following messages appear in the /var/log/zimbra.log file:<br />
<br />
'''Error:'''<br />
postfix/trivial-rewrite[6172]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem<br />
postfix/trivial-rewrite[19377]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem<br />
postfix/trivial-rewrite[19378]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error<br />
<br />
<br />
Then the MTA (postfix) will stop functioning, resulting in mail delivery failure (via LMTP and SMTP).<br />
<br />
'''Common Cause:'''<br />
<br />
The CA chain can be appended in reverse order, creating an invalid certificate [ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ]<br />
<br />
The above error may also be seen when you are hitting [ http://bugzilla.zimbra.com/show_bug.cgi?id=22468 ]. In that case, the workaround below will not work.<br />
<br />
<br />
'''Workaround for [5.0.1_GA or later]'''<br />
<br />
----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''For Single-server and Multi-server ldap masters'''<br />
(a) Run as root: su - zimbra zmcontrol stop<br />
(b) Run as root: /opt/zimbra/bin/zmcertmgr createca -new<br />
(c) Run as root: /opt/zimbra/bin/zmcertmgr deployca<br />
(d) Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self -new<br />
(e) Run as root: su - zimbra zmcontrol stop; su - zimbra zmcontrol start<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''For Multi-Server: Run this on all other systems in the multi-server setup'''<br />
<br />
After doing the steps listed above on the ldap master, log into any different systems running postfix:<br />
<br />
(a) Run as root: su - zimbra zmcontrol stop<br />
(b) Run as root: /opt/zimbra/bin/zmcertmgr deployca <br />
(c) Run as root: /opt/zimbra/bin/zmcertmgr deploycrt self -new<br />
(d) Run as root: su - zimbra zmcontrol start<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
<br />
'''Workaround [5.0.0_GA]'''<br />
<br />
Read this post: http://www.zimbra.com/forums/administrators/13927-if-you-have-trouble-zimbra-5-0-read.html<br />
<br />
Alternate: http://www.zimbra.com/forums/installation/13898-argh-commercial-certificates-after-4-10-5-0-foss-upgrade.html<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''Steps:'''<br />
(a) Run as root: cd /opt/zimbra/ssl; mkdir /tmp/ssl.bak; mv * /tmp/ssl.bak<br />
(a1) Run as root: cd /opt/zimbra/conf/ca; mkdir /tmp/ca.bak; mv * /tmp/ca.bak<br />
(b) Run this as zimbra:<br />
(b1) To get the password: zmlocalconfig -s zimbra_ldap_password<br />
(b2) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W<br />
'''Code:'''<br />
dn: cn=config,cn=zimbra<br />
changetype:modify<br />
delete: zimbraCertAuthorityCertSelfSigned [Hit Enter Twice here]<br />
^D<br />
(b3) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W<br />
'''Code:'''<br />
dn: cn=config,cn=zimbra<br />
changetype:modify<br />
delete: zimbraCertAuthorityKeySelfSigned [Hit Enter Twice here]<br />
^D<br />
(c) as root: run /opt/zimbra/bin/zmcertmgr createca<br />
(d) as root: run /opt/zimbra/bin/zmcertmgr deployca<br />
(e) as root: run /opt/zimbra/bin/zmcertmgr install self -new<br />
(f) as root: su - zimbra zmcontrol stop; su - zimbra zmcontrol start<br />
^D is Control-D<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''For Multi-Server MTA: Run this on the systems which are running postfix'''<br />
<br />
After doing the steps listed above on the LDAP master, log in to each of the other systems running postfix:<br />
<br />
(a) Run as root: su - zimbra zmcontrol stop<br />
(b) Run as root: cd /opt/zimbra/ssl; mkdir /tmp/ssl.bak; mv * /tmp/ssl.bak<br />
(c) Run as root: cd /opt/zimbra/conf/ca; mkdir /tmp/ca.bak; mv * /tmp/ca.bak<br />
(d) Run as root: run /opt/zimbra/bin/zmcertmgr createca<br />
(This will download the new CA from the LDAP server)<br />
(e) Run as root: run /opt/zimbra/bin/zmcertmgr deployca <br />
(f) Run as root: su - zimbra zmcontrol start<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''For LDAP replicas: Run this on the systems that are LDAP replicas'''<br />
<br />
After doing the steps listed above on the LDAP master, log in to each of the LDAP replica systems:<br />
<br />
(a) Run as root: su - zimbra zmcontrol stop<br />
(b) Run as root: cd /opt/zimbra/ssl; mkdir /tmp/ssl.bak; mv * /tmp/ssl.bak<br />
(c) Run as root: cd /opt/zimbra/conf/ca; mkdir /tmp/ca.bak; mv * /tmp/ca.bak<br />
(d) Run as root: run /opt/zimbra/bin/zmcertmgr createca<br />
(This will download the new CA from the LDAP server)<br />
(e) Run as root: /opt/zimbra/bin/zmcertmgr deployca<br />
(f) Run as root: /opt/zimbra/bin/zmcertmgr install self -new<br />
(g) Run as root: su - zimbra; zmcontrol start<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''References:'''<br />
<br />
http://www.zimbra.com/forums/installation/13762-solved-expired-cert-5-0ga-can-cause-mail-delivery-failure.html<br />
<br />
[ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ] - an expired CA cert will block mail delivery after upgrading to 5.0.0<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
'''Issue:'''<br />
<br />
Cannot install a Commercial Certificate in Zimbra 5.0 [Bug 23294]<br />
'''Symptom:'''<br />
<br />
User is unable to install a commercial certificate in Zimbra 5.0<br />
'''Common Cause:'''<br />
<br />
Related to Bug [ http://bugzilla.zimbra.com/show_bug.cgi?id=23253 ]<br />
<br />
'''Workaround:'''<br />
<br />
Installing Cert via Command Line: [ http://bugzilla.zimbra.com/show_bug.cgi?id=23294 ] - commercial certs fail to install<br />
<br />
'''References:'''<br />
<br />
Bug [ http://bugzilla.zimbra.com/show_bug.cgi?id=23294 ] - commercial certs fail to install<br />
Argh Commercial Certificates after a 4.10 -> 5.0 FOSS upgrade!<br />
<br />
http://www.zimbra.com/forums/installation/13898-argh-commercial-certificates-after-4-10-5-0-foss-upgrade.html<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------<br />
<br />
{{Article Footer|Zimbra Collaboration Suite 5.0|01/02/2008}}<br />
[[Category:Troubleshooting]]</div>BrianPhttps://wiki.zimbra.com/index.php?title=Recreating_a_Self-Signed_SSL_Certificate_in_ZCS_4.5_%26_5.0&diff=6683Recreating a Self-Signed SSL Certificate in ZCS 4.5 & 5.02007-09-05T20:31:32Z<p>BrianP: /* Delete the server cert from the mailboxd keystore (as zimbra) */</p>
<hr />
<div>== Self Signed Certificate Instructions ==<br />
<br />
''If you're working with a commercial certificate, do *NOT* use this page - go [[Commercial Certificates|here]] instead''<br />
<br />
* To clean up the SSL certificates and create a new self-signed certificate, follow these steps.<br />
<br />
=== Why recreate my certificates ===<br />
<br />
If you're seeing an error like this when you run zmprov:<br />
<br />
[] ERROR: java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 08 00:38:45 EDT 2006<br />
ERROR: zclient.IO_ERROR (invoke java.security.cert.CertificateException: Untrusted Server Certificate Chain, server: localhost) <br />
(cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Untrusted Server Certificate Chain)<br />
<br />
your certificates have expired and need to be recreated.<br />
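Added example, not from the wiki: a stdlib-only Python classifier that recognises the two failure signatures this feed's articles quote, the zmprov output above and the postfix "Unable to set STARTTLS" / "table lookup problem" lines from the MTA-failure article, so they can be picked out of /var/log/zimbra.log or a CLI transcript. The syslog timestamp/host prefix and the extra smtpd warning line in the sample are constructed, and the function and finding names are my own.

```python
"""Classify ZCS certificate-failure signatures in log/CLI output (added example, not from the wiki)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: the three postfix lines quoted in the MTA-failure article (bare, as the
# wiki shows them) plus one harmless smtpd warning with an assumed syslog prefix.
SAMPLE_MTA_LOG = """\
postfix/trivial-rewrite[6172]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
postfix/trivial-rewrite[19377]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
postfix/trivial-rewrite[19378]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
Jan 24 21:06:48 mail postfix/smtpd[19400]: warning: hostname unknown does not resolve
"""

# Constructed sample: the zmprov output quoted in the section above.
SAMPLE_ZMPROV_OUTPUT = """\
[] ERROR: java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 08 00:38:45 EDT 2006
ERROR: zclient.IO_ERROR (invoke java.security.cert.CertificateException: Untrusted Server Certificate Chain, server: localhost)
(cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Untrusted Server Certificate Chain)
"""

# The syslog "Mon DD hh:mm:ss host " prefix is optional so bare lines match too.
POSTFIX_RE = re.compile(
    r"^(?:\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ )?"
    r"(?P<prog>postfix/[\w-]+)\[(?P<pid>\d+)\]: (?P<level>fatal|error|warning): (?P<msg>.*)$"
)
LDAP_MAP_RE = re.compile(r"^ldap:(?P<map>/\S+?\.cf)\(.*\): table lookup problem$")
STARTTLS_RE = re.compile(r"^dict_ldap_connect: Unable to set STARTTLS: (?P<code>-?\d+): (?P<reason>.*)$")
EXPIRED_RE = re.compile(r"CertificateExpiredException: NotAfter: (?P<not_after>[^)]+?)\s*$")
UNTRUSTED_RE = re.compile(r"Untrusted Server Certificate Chain")


@dataclass
class Finding:
    kind: str              # ldap_table_lookup_failed | ldap_starttls_failed | cert_expired | untrusted_chain
    source: str            # "postfix" or "zmprov"
    detail: str            # LDAP map path, STARTTLS error, or the NotAfter date
    pid: Optional[int] = None


def classify_line(line: str) -> Optional[Finding]:
    """Return a Finding for a known certificate-failure signature, else None."""
    line = line.rstrip()
    m = POSTFIX_RE.match(line)
    if m:
        pid, msg = int(m.group("pid")), m.group("msg")
        t = LDAP_MAP_RE.match(msg)
        if t:
            return Finding("ldap_table_lookup_failed", "postfix", t.group("map"), pid)
        s = STARTTLS_RE.match(msg)
        if s:
            return Finding("ldap_starttls_failed", "postfix", f"{s.group('code')}: {s.group('reason')}", pid)
        return None  # some other postfix diagnostic, not a certificate signature
    e = EXPIRED_RE.search(line)
    if e:
        return Finding("cert_expired", "zmprov", e.group("not_after"))
    if UNTRUSTED_RE.search(line):
        return Finding("untrusted_chain", "zmprov", "Untrusted Server Certificate Chain")
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Classify every line and keep only the recognised signatures."""
    return [f for f in (classify_line(l) for l in lines) if f is not None]


def diagnose(findings: List[Finding]) -> Optional[str]:
    """Correlate individual findings into the condition the wiki articles describe."""
    kinds = {f.kind for f in findings}
    if "ldap_starttls_failed" in kinds and "ldap_table_lookup_failed" in kinds:
        # postfix's LDAP maps fail because STARTTLS to LDAP never completes; the MTA-failure
        # article traces that to an invalid CA certificate (expired, or chain appended in reverse).
        return "mta_ldap_tls_failure"
    if "cert_expired" in kinds or "untrusted_chain" in kinds:
        return "expired_or_untrusted_certificate"
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_MTA_LOG, SAMPLE_ZMPROV_OUTPUT):
        found = scan(sample.splitlines())
        for f in found:
            print(f"{f.source:8} {f.kind:26} pid={f.pid} {f.detail}")
        print("verdict:", diagnose(found))
```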
<br />
===Back up existing certificates===<br />
<br />
* This backs up the default certificates created by zmcreateca and zmcreatecert:<br />
tar cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/<br />
<br />
* This backs up the server's working certificate files:<br />
cd /opt/zimbra/<br />
tar cf /tmp/zimbra-certs.tar conf/ca/ conf/*.crt conf/*.key conf/*.pem tomcat/conf/keystore java/jre/lib/security/cacerts<br />
<br />
===Delete and re-create SSL Directory (as root)===<br />
su -<br />
rm -rf /opt/zimbra/ssl<br />
mkdir /opt/zimbra/ssl<br />
chown zimbra:zimbra /opt/zimbra/ssl<br />
<br />
===Give the zimbra user write access to the cacerts keystore===<br />
* On Linux the Java cacerts file is part of the ZCS installation.<br />
chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts<br />
chmod 644 /opt/zimbra/java/jre/lib/security/cacerts<br />
* On Mac OS X the Java cacerts file is part of the system's Java installation. Either run the "keytool -delete ..." command in the next section as root or give write access to the zimbra user.<br />
chown zimbra:zimbra /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts<br />
chmod u+w /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts<br />
<br />
===Remove the self-signed root certificate from the cacerts keystore (as zimbra)===<br />
* Mac OS X<br />
keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit<br />
* Linux<br />
keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit<br />
<br />
===Delete the server cert from the mailboxd keystore (as zimbra)===<br />
<br />
* For ZCS up to 4.5.x (tomcat)<br />
su - zimbra<br />
keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra<br />
<br />
* For ZCS 5.0+ (mailboxd/jetty)<br />
su - zimbra<br />
keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass zimbra<br />
<br />
* Storepass is normally stored in localconfig<br />
su - zimbra<br />
zmlocalconfig -s -m nokey tomcat_keystore_password<br />
<br />
===Perform optional configuration===<br />
* If you want to change the duration of the certificate from the default (365 days), modify the "default_days" entry in the file /opt/zimbra/conf/zmssl.cnf.in<br />
<br />
''Workaround: zmssl.cnf.in default_days is ignored. Currently you will need to edit zmcreateca and zmcreatecert:'' The bug is http://bugzilla.zimbra.com/show_bug.cgi?id=12228<br />
<br />
* If you want a different common name to show up in the CA rather than 'Zimbra Collaboration Suite' because you have several Zimbra servers, edit the following section. Please note: I probably have unnecessary steps in this section here, but this is what I did to get it working for me.<br />
vi /opt/zimbra/conf/zmssl.cnf.in<br />
[change section to appear as below]<br />
0.organizationName = Zimbra<br />
0.organizationName_default = Zimbra<br />
# we can do this but it is not needed normally :-)<br />
#1.organizationName = Second Organization Name (eg, company)<br />
#1.organizationName_default = World Wide Web Pty Ltd<br />
organizationalUnitName = Zimbra<br />
organizationalUnitName_default = Zimbra<br />
commonName = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work><br />
commonName_max = 64<br />
commonName_default = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work><br />
<br />
===Create the CA certificate (as zimbra)===<br />
zmcreateca<br />
<br />
* (OPTIONAL) If you did the Optional step to make the CN the hostname for the CA, the output should be like the following:<br />
...<br />
Signature ok<br />
subject=/C=US/ST=N/A/L=N/A/O=Zimbra/OU=Zimbra/CN=<your hostname><br />
Getting Private key<br />
unable to write 'random state'<br />
<br />
===Install server ca files===<br />
* After creating the CA, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so copy them manually (as zimbra):<br />
cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key<br />
cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem<br />
<br />
===Create the server certificate (as zimbra)===<br />
zmcreatecert<br />
<br />
If you wish to have several names on the certificate, supply them as arguments:<br />
<br />
zmcreatecert mail.mydomain.com webmail.mydomain.com webmail.yourdomain.com<br />
<br />
===Install the server certificate files (as zimbra)===<br />
* For Tomcat (ZCS up to 4.5.x)<br />
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt<br />
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key<br />
<br />
* For Mailboxd (ZCS 5.0+)<br />
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/mailboxd.crt<br />
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key<br />
<br />
* To update the CA cert stored in LDAP (as zimbra):<br />
''zmprov -l mcf zimbraCertAuthorityKeySelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.key`"''<br />
''zmprov -l mcf zimbraCertAuthorityCertSelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.pem`"''<br />
<br />
* You can now see your updated certs in LDAP and compare them to the contents of /opt/zimbra/ssl/ssl/ca (as zimbra):<br />
zmprov -l gcf zimbraCertAuthorityKeySelfSigned <br />
zmprov -l gcf zimbraCertAuthorityCertSelfSigned<br />
<br />
===Restart zimbra services===<br />
* It may be necessary to restart the Zimbra servers for the changes to take effect (as zimbra).<br />
zmcontrol stop<br />
zmcontrol start<br />
<br />
==Other Possible Issues==<br />
<br />
'''Note about 'unable to write random state':'''<br />
<br />
This is a "harmless" warning that openssl has no random number seed file. The [http://www.openssl.org/support/faq.html#USER1 full] [http://www.openssl.org/support/faq.html#USER2 story] is available from openssl.org.<br />
<br />
'''Permission denied (publickey,gssapi-with-mic)'''<br />
<br />
http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/ssh/openssh_3.8.html<br />
<br />
[[Category:SSL/TLS]]<br />
[[Category:Troubleshooting]]<br />
[[Category:Pending Certification]]</div>BrianPhttps://wiki.zimbra.com/index.php?title=Recreating_a_Self-Signed_SSL_Certificate_in_ZCS_4.5_%26_5.0&diff=6587Recreating a Self-Signed SSL Certificate in ZCS 4.5 & 5.02007-08-17T15:29:29Z<p>BrianP: /* Delete the server cert from the mailboxd keystore (as zimbra) */</p>
<hr />
<div>== Self Signed Certificate Instructions ==<br />
<br />
''If you're working with a commercial certificate, do *NOT* use this page; go [[Commercial Certificates|here]] instead.''<br />
<br />
* To clean up SSL certificates and recreate a self-signed cert, try this.<br />
<br />
=== Why recreate my certificates ===<br />
<br />
If you're seeing an error like this when you run zmprov:<br />
<br />
[] ERROR: java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 08 00:38:45 EDT 2006<br />
ERROR: zclient.IO_ERROR (invoke java.security.cert.CertificateException: Untrusted Server Certificate Chain, server: localhost) <br />
(cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Untrusted Server Certificate Chain)<br />
<br />
your certs have expired and need to be recreated.<br />
<br />
===Back up existing certificates===<br />
<br />
* This backs up the default certificates created by zmcreateca and zmcreatecert:<br />
tar cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/<br />
<br />
* This backs up the server's working certificate files:<br />
cd /opt/zimbra/<br />
tar cf /tmp/zimbra-certs.tar conf/ca/ conf/*.crt conf/*.key conf/*.pem tomcat/conf/keystore java/jre/lib/security/cacerts<br />
<br />
===Delete and re-create SSL Directory (as root)===<br />
su -<br />
rm -rf /opt/zimbra/ssl<br />
mkdir /opt/zimbra/ssl<br />
chown zimbra:zimbra /opt/zimbra/ssl<br />
<br />
===Give the zimbra user write access to the cacerts keystore===<br />
* On Linux the Java cacerts file is part of the ZCS installation.<br />
chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts<br />
chmod 644 /opt/zimbra/java/jre/lib/security/cacerts<br />
* On Mac OS X the Java cacerts file is part of the system's Java installation. Either run the "keytool -delete ..." command in the next section as root or give write access to the zimbra user.<br />
chown zimbra:zimbra /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts<br />
chmod u+w /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts<br />
<br />
===Remove the self-signed root certificate from the cacerts keystore (as zimbra)===<br />
* Mac OS X<br />
keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit<br />
* Linux<br />
keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit<br />
<br />
===Delete the server cert from the mailboxd keystore (as zimbra)===<br />
<br />
* For ZCS up to 4.5.x (tomcat)<br />
su - zimbra<br />
keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra<br />
<br />
* For ZCS 5.0+ (mailboxd/jetty)<br />
su - zimbra<br />
keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass zimbra<br />
<br />
===Perform optional configuration===<br />
* If you want to change the duration of the certificate from the default (365 days), modify the "default_days" entry in the file /opt/zimbra/conf/zmssl.cnf.in<br />
<br />
''Workaround: the default_days setting in zmssl.cnf.in is ignored. Currently you will need to edit zmcreateca and zmcreatecert directly.'' The bug is tracked at http://bugzilla.zimbra.com/show_bug.cgi?id=12228<br />
<br />
* If you want the common name to show up in the CA rather than 'Zimbra Collaboration Suite' because you have several Zimbra servers, edit the config as follows. Please note: I probably have unnecessary steps in this section here, but this is what I did to get it working for me.<br />
vi /opt/zimbra/conf/zmssl.cnf.in<br />
[change section to appear as below]<br />
0.organizationName = Zimbra<br />
0.organizationName_default = Zimbra<br />
# we can do this but it is not needed normally :-)<br />
#1.organizationName = Second Organization Name (eg, company)<br />
#1.organizationName_default = World Wide Web Pty Ltd<br />
organizationalUnitName = Zimbra<br />
organizationalUnitName_default = Zimbra<br />
commonName = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work><br />
commonName_max = 64<br />
commonName_default = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work><br />
<br />
===Create the CA certificate (as zimbra)===<br />
zmcreateca<br />
<br />
* (OPTIONAL) If you did the optional step to make the CN the hostname for the CA, the output should look like the following:<br />
...<br />
Signature ok<br />
subject=/C=US/ST=N/A/L=N/A/O=Zimbra/OU=Zimbra/CN=<your hostname><br />
Getting Private key<br />
unable to write 'random state'<br />
<br />
===Install server CA files===<br />
* After creating the CA, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so copy them manually (as zimbra):<br />
cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key<br />
cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem<br />
<br />
===Create the server certificate (as zimbra)===<br />
zmcreatecert<br />
<br />
If you wish to have several names on the certificate, supply them as arguments:<br />
<br />
zmcreatecert mail.mydomain.com webmail.mydomain.com webmail.yourdomain.com<br />
<br />
===Install the server certificate files (as zimbra)===<br />
* For Tomcat (ZCS up to 4.5.x)<br />
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt<br />
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key<br />
<br />
* For Mailboxd (ZCS 5.0+)<br />
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/mailboxd.crt<br />
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key<br />
<br />
* To update the CA cert stored in LDAP (as zimbra):<br />
''zmprov -l mcf zimbraCertAuthorityKeySelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.key`"''<br />
''zmprov -l mcf zimbraCertAuthorityCertSelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.pem`"''<br />
<br />
* You can now see your updated certs in LDAP and compare them to the contents of /opt/zimbra/ssl/ssl/ca (as zimbra):<br />
zmprov -l gcf zimbraCertAuthorityKeySelfSigned <br />
zmprov -l gcf zimbraCertAuthorityCertSelfSigned<br />
<br />
===Restart zimbra services===<br />
* It may be necessary to restart the Zimbra servers for the changes to take effect (as zimbra).<br />
zmcontrol stop<br />
zmcontrol start<br />
<br />
==Other Possible Issues==<br />
<br />
'''Note about 'unable to write random state':'''<br />
<br />
This is a "harmless" warning that openssl has no random number seed file. The [http://www.openssl.org/support/faq.html#USER1 full] [http://www.openssl.org/support/faq.html#USER2 story] is available from openssl.org.<br />
<br />
'''Permission denied (publickey,gssapi-with-mic)'''<br />
<br />
http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/ssh/openssh_3.8.html<br />
<br />
[[Category:SSL/TLS]]<br />
[[Category:Troubleshooting]]</div>BrianPhttps://wiki.zimbra.com/index.php?title=Recreating_a_Self-Signed_SSL_Certificate_in_ZCS_4.5_%26_5.0&diff=6586Recreating a Self-Signed SSL Certificate in ZCS 4.5 & 5.02007-08-17T15:28:30Z<p>BrianP: /* Install the server certificate files (as zimbra) */</p>
<hr />
<div>== Self Signed Certificate Instructions ==<br />
<br />
''If you're working with a commercial certificate, do *NOT* use this page; go [[Commercial Certificates|here]] instead.''<br />
<br />
* To clean up SSL certificates and recreate a self-signed cert, try this.<br />
<br />
=== Why recreate my certificates ===<br />
<br />
If you're seeing an error like this when you run zmprov:<br />
<br />
[] ERROR: java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 08 00:38:45 EDT 2006<br />
ERROR: zclient.IO_ERROR (invoke java.security.cert.CertificateException: Untrusted Server Certificate Chain, server: localhost) <br />
(cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Untrusted Server Certificate Chain)<br />
<br />
your certs have expired and need to be recreated.<br />
<br />
===Back up existing certificates===<br />
<br />
* This backs up the default certificates created by zmcreateca and zmcreatecert:<br />
tar cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/<br />
<br />
* This backs up the server's working certificate files:<br />
cd /opt/zimbra/<br />
tar cf /tmp/zimbra-certs.tar conf/ca/ conf/*.crt conf/*.key conf/*.pem tomcat/conf/keystore java/jre/lib/security/cacerts<br />
<br />
===Delete and re-create SSL Directory (as root)===<br />
su -<br />
rm -rf /opt/zimbra/ssl<br />
mkdir /opt/zimbra/ssl<br />
chown zimbra:zimbra /opt/zimbra/ssl<br />
<br />
===Give the zimbra user write access to the cacerts keystore===<br />
* On Linux the Java cacerts file is part of the ZCS installation.<br />
chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts<br />
chmod 644 /opt/zimbra/java/jre/lib/security/cacerts<br />
* On Mac OS X the Java cacerts file is part of the system's Java installation. Either run the "keytool -delete ..." command in the next section as root or give write access to the zimbra user.<br />
chown zimbra:zimbra /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts<br />
chmod u+w /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts<br />
<br />
===Remove the self-signed root certificate from the cacerts keystore (as zimbra)===<br />
* Mac OS X<br />
keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit<br />
* Linux<br />
keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit<br />
<br />
===Delete the server cert from the mailboxd keystore (as zimbra)===<br />
<br />
For Tomcat<br />
su - zimbra<br />
keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra<br />
<br />
For Jetty<br />
su - zimbra<br />
keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass zimbra<br />
<br />
===Perform optional configuration===<br />
* If you want to change the duration of the certificate from the default (365 days), modify the "default_days" entry in the file /opt/zimbra/conf/zmssl.cnf.in<br />
<br />
''Workaround: the default_days setting in zmssl.cnf.in is ignored. Currently you will need to edit zmcreateca and zmcreatecert directly.'' The bug is tracked at http://bugzilla.zimbra.com/show_bug.cgi?id=12228<br />
<br />
* If you want the common name to show up in the CA rather than 'Zimbra Collaboration Suite' because you have several Zimbra servers, edit the config as follows. Please note: I probably have unnecessary steps in this section here, but this is what I did to get it working for me.<br />
vi /opt/zimbra/conf/zmssl.cnf.in<br />
[change section to appear as below]<br />
0.organizationName = Zimbra<br />
0.organizationName_default = Zimbra<br />
# we can do this but it is not needed normally :-)<br />
#1.organizationName = Second Organization Name (eg, company)<br />
#1.organizationName_default = World Wide Web Pty Ltd<br />
organizationalUnitName = Zimbra<br />
organizationalUnitName_default = Zimbra<br />
commonName = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work><br />
commonName_max = 64<br />
commonName_default = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work><br />
<br />
===Create the CA certificate (as zimbra)===<br />
zmcreateca<br />
<br />
* (OPTIONAL) If you did the optional step to make the CN the hostname for the CA, the output should look like the following:<br />
...<br />
Signature ok<br />
subject=/C=US/ST=N/A/L=N/A/O=Zimbra/OU=Zimbra/CN=<your hostname><br />
Getting Private key<br />
unable to write 'random state'<br />
<br />
===Install server CA files===<br />
* After creating the CA, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so copy them manually (as zimbra):<br />
cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key<br />
cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem<br />
<br />
===Create the server certificate (as zimbra)===<br />
zmcreatecert<br />
<br />
If you wish to have several names on the certificate, supply them as arguments:<br />
<br />
zmcreatecert mail.mydomain.com webmail.mydomain.com webmail.yourdomain.com<br />
<br />
===Install the server certificate files (as zimbra)===<br />
* For Tomcat (ZCS up to 4.5.x)<br />
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt<br />
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key<br />
<br />
* For Mailboxd (ZCS 5.0+)<br />
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/mailboxd.crt<br />
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key<br />
<br />
* To update the CA cert stored in LDAP (as zimbra):<br />
''zmprov -l mcf zimbraCertAuthorityKeySelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.key`"''<br />
''zmprov -l mcf zimbraCertAuthorityCertSelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.pem`"''<br />
<br />
* You can now see your updated certs in LDAP and compare them to the contents of /opt/zimbra/ssl/ssl/ca (as zimbra):<br />
zmprov -l gcf zimbraCertAuthorityKeySelfSigned <br />
zmprov -l gcf zimbraCertAuthorityCertSelfSigned<br />
<br />
===Restart zimbra services===<br />
* It may be necessary to restart the Zimbra servers for the changes to take effect (as zimbra).<br />
zmcontrol stop<br />
zmcontrol start<br />
<br />
==Other Possible Issues==<br />
<br />
'''Note about 'unable to write random state':'''<br />
<br />
This is a "harmless" warning that openssl has no random number seed file. The [http://www.openssl.org/support/faq.html#USER1 full] [http://www.openssl.org/support/faq.html#USER2 story] is available from openssl.org.<br />
<br />
'''Permission denied (publickey,gssapi-with-mic)'''<br />
<br />
http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/ssh/openssh_3.8.html<br />
<br />
[[Category:SSL/TLS]]<br />
[[Category:Troubleshooting]]</div>BrianPhttps://wiki.zimbra.com/index.php?title=Recreating_a_Self-Signed_SSL_Certificate_in_ZCS_4.5_%26_5.0&diff=6585Recreating a Self-Signed SSL Certificate in ZCS 4.5 & 5.02007-08-17T15:25:01Z<p>BrianP: /* Delete the server cert from the mailboxd keystore (as zimbra) */</p>
<hr />
<div>== Self Signed Certificate Instructions ==<br />
<br />
''If you're working with a commercial certificate, do *NOT* use this page; go [[Commercial Certificates|here]] instead.''<br />
<br />
* To clean up SSL certificates and recreate a self-signed cert, try this.<br />
<br />
=== Why recreate my certificates ===<br />
<br />
If you're seeing an error like this when you run zmprov:<br />
<br />
[] ERROR: java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 08 00:38:45 EDT 2006<br />
ERROR: zclient.IO_ERROR (invoke java.security.cert.CertificateException: Untrusted Server Certificate Chain, server: localhost) <br />
(cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Untrusted Server Certificate Chain)<br />
<br />
your certs have expired and need to be recreated.<br />
<br />
===Back up existing certificates===<br />
<br />
* This backs up the default certificates created by zmcreateca and zmcreatecert:<br />
tar cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/<br />
<br />
* This backs up the server's working certificate files:<br />
cd /opt/zimbra/<br />
tar cf /tmp/zimbra-certs.tar conf/ca/ conf/*.crt conf/*.key conf/*.pem tomcat/conf/keystore java/jre/lib/security/cacerts<br />
<br />
===Delete and re-create SSL Directory (as root)===<br />
su -<br />
rm -rf /opt/zimbra/ssl<br />
mkdir /opt/zimbra/ssl<br />
chown zimbra:zimbra /opt/zimbra/ssl<br />
<br />
===Give the zimbra user write access to the cacerts keystore===<br />
* On Linux the Java cacerts file is part of the ZCS installation.<br />
chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts<br />
chmod 644 /opt/zimbra/java/jre/lib/security/cacerts<br />
* On Mac OS X the Java cacerts file is part of the system's Java installation. Either run the "keytool -delete ..." command in the next section as root or give write access to the zimbra user.<br />
chown zimbra:zimbra /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts<br />
chmod u+w /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts<br />
<br />
===Remove the self-signed root certificate from the cacerts keystore (as zimbra)===<br />
* Mac OS X<br />
keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit<br />
* Linux<br />
keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit<br />
<br />
===Delete the server cert from the mailboxd keystore (as zimbra)===<br />
<br />
For Tomcat<br />
su - zimbra<br />
keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra<br />
<br />
For Jetty<br />
su - zimbra<br />
keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass zimbra<br />
<br />
===Perform optional configuration===<br />
* If you want to change the duration of the certificate from the default (365 days), modify the "default_days" entry in the file /opt/zimbra/conf/zmssl.cnf.in<br />
<br />
''Workaround: the default_days setting in zmssl.cnf.in is ignored. Currently you will need to edit zmcreateca and zmcreatecert directly.'' The bug is tracked at http://bugzilla.zimbra.com/show_bug.cgi?id=12228<br />
<br />
* If you want the common name to show up in the CA rather than 'Zimbra Collaboration Suite' because you have several Zimbra servers, edit the config as follows. Please note: I probably have unnecessary steps in this section here, but this is what I did to get it working for me.<br />
vi /opt/zimbra/conf/zmssl.cnf.in<br />
[change section to appear as below]<br />
0.organizationName = Zimbra<br />
0.organizationName_default = Zimbra<br />
# we can do this but it is not needed normally :-)<br />
#1.organizationName = Second Organization Name (eg, company)<br />
#1.organizationName_default = World Wide Web Pty Ltd<br />
organizationalUnitName = Zimbra<br />
organizationalUnitName_default = Zimbra<br />
commonName = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work><br />
commonName_max = 64<br />
commonName_default = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work><br />
<br />
===Create the CA certificate (as zimbra)===<br />
zmcreateca<br />
<br />
* (OPTIONAL) If you did the optional step to make the CN the hostname for the CA, the output should look like the following:<br />
...<br />
Signature ok<br />
subject=/C=US/ST=N/A/L=N/A/O=Zimbra/OU=Zimbra/CN=<your hostname><br />
Getting Private key<br />
unable to write 'random state'<br />
<br />
===Install server CA files===<br />
* After creating the CA, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so copy them manually (as zimbra):<br />
cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key<br />
cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem<br />
<br />
===Create the server certificate (as zimbra)===<br />
zmcreatecert<br />
<br />
If you wish to have several names on the certificate, supply them as arguments:<br />
<br />
zmcreatecert mail.mydomain.com webmail.mydomain.com webmail.yourdomain.com<br />
<br />
===Install the server certificate files (as zimbra)===<br />
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt<br />
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key<br />
<br />
* To update the CA cert stored in LDAP (as zimbra):<br />
''zmprov -l mcf zimbraCertAuthorityKeySelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.key`"''<br />
''zmprov -l mcf zimbraCertAuthorityCertSelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.pem`"''<br />
<br />
* You can now see your updated certs in LDAP and compare them to the contents of /opt/zimbra/ssl/ssl/ca (as zimbra):<br />
zmprov -l gcf zimbraCertAuthorityKeySelfSigned <br />
zmprov -l gcf zimbraCertAuthorityCertSelfSigned<br />
<br />
===Restart zimbra services===<br />
* It may be necessary to restart the Zimbra servers for the changes to take effect (as zimbra).<br />
zmcontrol stop<br />
zmcontrol start<br />
<br />
==Other Possible Issues==<br />
<br />
'''Note about 'unable to write random state':'''<br />
<br />
This is a "harmless" warning that openssl has no random number seed file. The [http://www.openssl.org/support/faq.html#USER1 full] [http://www.openssl.org/support/faq.html#USER2 story] is available from openssl.org.<br />
<br />
'''Permission denied (publickey,gssapi-with-mic)'''<br />
<br />
http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/ssh/openssh_3.8.html<br />
<br />
[[Category:SSL/TLS]]<br />
[[Category:Troubleshooting]]</div>BrianPhttps://wiki.zimbra.com/index.php?title=Recreating_a_Self-Signed_SSL_Certificate_in_ZCS_4.5_%26_5.0&diff=6584Recreating a Self-Signed SSL Certificate in ZCS 4.5 & 5.02007-08-17T15:24:32Z<p>BrianP: /* Delete the server cert from the tomcat keystore (as zimbra) */</p>
<hr />
<div>== Self Signed Certificate Instructions ==<br />
<br />
''If you're working with a commercial certificate, do *NOT* use this page; go [[Commercial Certificates|here]] instead.''<br />
<br />
* To clean up SSL certificates and recreate a self-signed cert, try this.<br />
<br />
=== Why recreate my certificates ===<br />
<br />
If you're seeing an error like this when you run zmprov:<br />
<br />
[] ERROR: java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 08 00:38:45 EDT 2006<br />
ERROR: zclient.IO_ERROR (invoke java.security.cert.CertificateException: Untrusted Server Certificate Chain, server: localhost) <br />
(cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Untrusted Server Certificate Chain)<br />
<br />
your certs have expired and need to be recreated.<br />
<br />
===Back up existing certificates===<br />
<br />
* This backs up the default certificates created by zmcreateca and zmcreatecert:<br />
tar cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/<br />
<br />
* This backs up the server's working certificate files:<br />
cd /opt/zimbra/<br />
tar cf /tmp/zimbra-certs.tar conf/ca/ conf/*.crt conf/*.key conf/*.pem tomcat/conf/keystore java/jre/lib/security/cacerts<br />
<br />
===Delete and re-create SSL Directory (as root)===<br />
su -<br />
rm -rf /opt/zimbra/ssl<br />
mkdir /opt/zimbra/ssl<br />
chown zimbra:zimbra /opt/zimbra/ssl<br />
<br />
===Give the zimbra user write access to the cacerts keystore===<br />
* On Linux the Java cacerts file is part of the ZCS installation.<br />
chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts<br />
chmod 644 /opt/zimbra/java/jre/lib/security/cacerts<br />
* On Mac OS X the Java cacerts file is part of the system's Java installation. Either run the "keytool -delete ..." command in the next section as root or give write access to the zimbra user.<br />
chown zimbra:zimbra /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts<br />
chmod u+w /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts<br />
<br />
===Remove the self-signed root certificate from the cacerts keystore (as zimbra)===<br />
* Mac OS X<br />
keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit<br />
* Linux<br />
keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit<br />
<br />
===Delete the server cert from the mailboxd keystore (as zimbra)===<br />
<br />
For Tomcat<br />
su - zimbra<br />
keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra<br />
<br />
For Jetty<br />
su - zimbra<br />
keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass zimbra<br />
<br />
===Perform optional configuration===<br />
* If you want to change the duration of the certificate from the default (365 days), modify the "default_days" entry in the file /opt/zimbra/conf/zmssl.cnf.in<br />
<br />
''Workaround: the default_days setting in zmssl.cnf.in is ignored. Currently you will need to edit zmcreateca and zmcreatecert directly.'' The bug is tracked at http://bugzilla.zimbra.com/show_bug.cgi?id=12228<br />
<br />
* If you want the common name to show up in the CA rather than 'Zimbra Collaboration Suite' because you have several Zimbra servers, edit the config as follows. Please note: I probably have unnecessary steps in this section here, but this is what I did to get it working for me.<br />
vi /opt/zimbra/conf/zmssl.cnf.in<br />
[change section to appear as below]<br />
0.organizationName = Zimbra<br />
0.organizationName_default = Zimbra<br />
# we can do this but it is not needed normally :-)<br />
#1.organizationName = Second Organization Name (eg, company)<br />
#1.organizationName_default = World Wide Web Pty Ltd<br />
organizationalUnitName = Zimbra<br />
organizationalUnitName_default = Zimbra<br />
commonName = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work><br />
commonName_max = 64<br />
commonName_default = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work><br />
<br />
===Create the CA certificate (as zimbra)===<br />
zmcreateca<br />
<br />
* (OPTIONAL) If you did the optional step to make the CN the hostname for the CA, the output should look like the following:<br />
...<br />
Signature ok<br />
subject=/C=US/ST=N/A/L=N/A/O=Zimbra/OU=Zimbra/CN=<your hostname><br />
Getting Private key<br />
unable to write 'random state'<br />
<br />
===Install server CA files===<br />
* After creating the CA, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so copy them manually (as zimbra):<br />
cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key<br />
cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem<br />
<br />
===Create the server certificate (as zimbra)===<br />
zmcreatecert<br />
<br />
If you wish to have several names on the certificate, supply them as arguments:<br />
<br />
zmcreatecert mail.mydomain.com webmail.mydomain.com webmail.yourdomain.com<br />
<br />
===Install the server certificate files (as zimbra)===<br />
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt<br />
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key<br />
<br />
* To update the CA cert stored in LDAP (as zimbra):<br />
''zmprov -l mcf zimbraCertAuthorityKeySelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.key`"''<br />
''zmprov -l mcf zimbraCertAuthorityCertSelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.pem`"''<br />
<br />
* You can now see your updated certs in LDAP and compare them to the contents of /opt/zimbra/ssl/ssl/ca (as zimbra):<br />
zmprov -l gcf zimbraCertAuthorityKeySelfSigned <br />
zmprov -l gcf zimbraCertAuthorityCertSelfSigned<br />
<br />
===Restart zimbra services===<br />
* It may be necessary to restart the Zimbra servers for the changes to take effect (as zimbra).<br />
zmcontrol stop<br />
zmcontrol start<br />
<br />
==Other Possible Issues==<br />
<br />
'''Note about 'unable to write random state':'''<br />
<br />
This is a "harmless" warning that openssl has no random number seed file. The [http://www.openssl.org/support/faq.html#USER1 full] [http://www.openssl.org/support/faq.html#USER2 story] is available from openssl.org.<br />
<br />
'''Permission denied (publickey,gssapi-with-mic)'''<br />
<br />
http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/ssh/openssh_3.8.html<br />
<br />
[[Category:SSL/TLS]]<br />
[[Category:Troubleshooting]]</div>BrianP