https://wiki.zimbra.com/api.php?action=feedcontributions&user=Sam4wiki&feedformat=atomZimbra :: Tech Center - User contributions [en]2024-03-29T02:26:13ZUser contributionsMediaWiki 1.39.0https://wiki.zimbra.com/index.php?title=Steps_To_Migrating_CBPolicyd_SQLite3_Database&diff=68722Steps To Migrating CBPolicyd SQLite3 Database2022-01-19T07:10:49Z<p>Sam4wiki: </p>
<hr />
<div>{{BC|Community Sandbox}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
=Restoring the CBPolicyd database from the existing server to the new server=<br />
<hr><br />
{{KB|{{WIP}}|{{ZCS 9.0}}|{{ZCS 8.8}}|}}<br />
<hr><br />
<br />
====Problem====<br />
Some clients actively use CBPolicyd on MTA server/s. There may be a need to migrate the CBPolicyd database from one server to another. <br />
<br />
====Solution====<br />
PolicyD uses SQLite <br />
<br />
<br />
{{SubmittedBy|Samrat Sarkar}}<br />
<br />
{{Article Footer|ZCS 8.8 ZCS 9.0|2022-01-19|2022-01-19}}</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=Steps_To_Migrating_CBPolicyd_SQLite3_Database&diff=68721Steps To Migrating CBPolicyd SQLite3 Database2022-01-19T07:03:09Z<p>Sam4wiki: Created page with "{{BC|Community Sandbox}} __FORCETOC__ <div class="col-md-12 ibox-content"> =Restoring the CBPolicyd database from the existing server to the new server= <hr> {{KB|{{WIP}}|{{ZC..."</p>
<hr />
<div>{{BC|Community Sandbox}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
=Restoring the CBPolicyd database from the existing server to the new server=<br />
<hr><br />
{{KB|{{WIP}}|{{ZCS 9.0}}|{{ZCS 8.8}}|}}<br />
<hr><br />
<br />
====Problem====<br />
Some clients actively use CBPolicyd on MTA server/s. There may be a need to migrate the CBPolicyd database from one server to another. <br />
<br />
====Solution====</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=External_eMail_Warnings&diff=68412External eMail Warnings2021-09-15T05:12:22Z<p>Sam4wiki: /* Step 2 */</p>
<hr />
<div>=Customizing Amavis To Add Warning Messages To External Emails= <br />
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 9.0}}|}}<br />
{{WIP}} <br />
<br />
'''Note:''' This is a customization and not supported officially. Try this on your staging environment before implementing on production server. This will not survive any upgrade.<br />
<br />
====Requirement====<br />
How can we add a banner in the mail header for all emails from external domains?<br />
<br />
====Solution====<br />
We have to customize Amavis to achieve this.<br />
<br />
=====Step 1=====<br />
*Create external_disclaimer.conf file<br />
su - zimbra<br />
vi /opt/zimbra/conf/external_disclaimer.conf<br />
*Edit with the below contents<br />
use strict;<br />
<br />
$altermime='/opt/zimbra/common/bin/altermime';<br />
@altermime_args_disclaimer = qw(--verbose --pretext=/opt/zimbra/data/altermime/_OPTION_.txt --pretext-html=/opt/zimbra/data/altermime/_OPTION_.html --force-for-bad-html);<br />
$defang_maps_by_ccat{+CC_CATCHALL} = ['disclaimer'];<br />
$allow_disclaimers = 1;<br />
@local_domains_maps = (["."]);<br />
@disclaimer_options_bysender_maps = ({<br />
'.' => 'external_domains',<br />
},);<br />
<br />
1;<br />
*Create external_domains.html and external_domains.txt files and edit with your desired message<br />
vi /opt/zimbra/data/altermime/external_domains.txt <br />
CAUTION: This email originated from an external domain, click links or open attachments once you recognize the sender and know the content is safe.<br />
<br />
vi /opt/zimbra/data/altermime/external_domains.html<br />
<div style="background-color: #40E0D0; width: 100%; padding: 2pt; font-size: 10pt; line-height: 12pt; font-family: 'Calibri'; color: black; text-align: left; border: 1pt solid #9C6500;"><span style="color: #DE3163;">CAUTION:</span> This email originated from an external domain, click links or open attachments once you recognize the sender and know the content is safe.</div><br />
<br />
'''Note:''' Refer to this link for HTML color codes: [https://htmlcolorcodes.com/ htmlcolorcodes]<br />
<br />
=====Step 2===== <br />
<br />
Next, we have to configure Amavis to include the external_disclaimer.conf file so that it is applied to each email.<br />
<br />
*Open file amavisd.conf.in<br />
vi /opt/zimbra/conf/amavisd.conf.in<br />
*Add the following line at the end of the file, just above the line "1; # insure a defined return value"<br />
include_config_files('/opt/zimbra/conf/external_disclaimer.conf');<br />
<br />
1; # insure a defined return value<br />
*Save and restart Amavis<br />
zmamavisdctl restart<br />
{{SubmittedBy|Samrat Sarkar}}<br />
<br />
{{Article Footer|ZCS 8.8.15 ZCS 9.0||2021-09-15}}</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=External_eMail_Warnings&diff=68411External eMail Warnings2021-09-15T05:08:12Z<p>Sam4wiki: </p>
<hr />
<div>=Customizing Amavis To Add Warning Messages To External Emails= <br />
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 9.0}}|}}<br />
{{WIP}} <br />
<br />
'''Note:''' This is a customization and not supported officially. Try this on your staging environment before implementing on production server. This will not survive any upgrade.<br />
<br />
====Requirement====<br />
How can we add a banner in the mail header for all emails from external domains?<br />
<br />
====Solution====<br />
We have to customize Amavis to achieve this.<br />
<br />
=====Step 1=====<br />
*Create external_disclaimer.conf file<br />
su - zimbra<br />
vi /opt/zimbra/conf/external_disclaimer.conf<br />
*Edit with the below contents<br />
use strict;<br />
<br />
$altermime='/opt/zimbra/common/bin/altermime';<br />
@altermime_args_disclaimer = qw(--verbose --pretext=/opt/zimbra/data/altermime/_OPTION_.txt --pretext-html=/opt/zimbra/data/altermime/_OPTION_.html --force-for-bad-html);<br />
$defang_maps_by_ccat{+CC_CATCHALL} = ['disclaimer'];<br />
$allow_disclaimers = 1;<br />
@local_domains_maps = (["."]);<br />
@disclaimer_options_bysender_maps = ({<br />
'.' => 'external_domains',<br />
},);<br />
<br />
1;<br />
*Create external_domains.html and external_domains.txt files and edit with your desired message<br />
vi /opt/zimbra/data/altermime/external_domains.txt <br />
CAUTION: This email originated from an external domain, click links or open attachments once you recognize the sender and know the content is safe.<br />
<br />
vi /opt/zimbra/data/altermime/external_domains.html<br />
<div style="background-color: #40E0D0; width: 100%; padding: 2pt; font-size: 10pt; line-height: 12pt; font-family: 'Calibri'; color: black; text-align: left; border: 1pt solid #9C6500;"><span style="color: #DE3163;">CAUTION:</span> This email originated from an external domain, click links or open attachments once you recognize the sender and know the content is safe.</div><br />
<br />
'''Note:''' Refer to this link for HTML color codes: [https://htmlcolorcodes.com/ htmlcolorcodes]<br />
<br />
=====Step 2===== <br />
<br />
Next, we have to configure Amavis to include the external_disclaimer.conf file so that it is applied to each email.<br />
<br />
*Open file amavisd.conf.in<br />
vi /opt/zimbra/conf/amavisd.conf.in<br />
*Add the following line at the end of the file<br />
include_config_files('/opt/zimbra/conf/external_disclaimer.conf');<br />
*Save and restart Amavis<br />
zmamavisdctl restart<br />
{{SubmittedBy|Samrat Sarkar}}<br />
<br />
{{Article Footer|ZCS 8.8.15 ZCS 9.0||2021-09-15}}</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=External_eMail_Warnings&diff=68410External eMail Warnings2021-09-15T05:05:17Z<p>Sam4wiki: Created page with "=Customizing Amavis To Add Warning Messages To External Emails= {{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 9.0}}|}} {{WIP}} '''Note:''' This is a customization and not supported offic..."</p>
<hr />
<div>=Customizing Amavis To Add Warning Messages To External Emails= <br />
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 9.0}}|}}<br />
{{WIP}} <br />
<br />
'''Note:''' This is a customization and not supported officially. Try this on your staging environment before implementing on production server. This will not survive any upgrade.<br />
<br />
====Requirement====<br />
How can we add a banner in the mail header for all emails from external domains?<br />
<br />
====Solution====<br />
We have to customize Amavis to achieve this.<br />
<br />
=====Step 1=====<br />
*Create external_disclaimer.conf file<br />
su - zimbra<br />
vi /opt/zimbra/conf/external_disclaimer.conf<br />
*Edit with the below contents<br />
use strict;<br />
<br />
$altermime='/opt/zimbra/common/bin/altermime';<br />
@altermime_args_disclaimer = qw(--verbose --pretext=/opt/zimbra/data/altermime/_OPTION_.txt --pretext-html=/opt/zimbra/data/altermime/_OPTION_.html --force-for-bad-html);<br />
$defang_maps_by_ccat{+CC_CATCHALL} = ['disclaimer'];<br />
$allow_disclaimers = 1;<br />
@local_domains_maps = (["."]);<br />
@disclaimer_options_bysender_maps = ({<br />
'.' => 'external_domains',<br />
},);<br />
<br />
1;<br />
*Create external_domains.html and external_domains.txt files and edit with your desired message<br />
vi /opt/zimbra/data/altermime/external_domains.txt <br />
CAUTION: This email originated from an external domain, click links or open attachments once you recognize the sender and know the content is safe.<br />
<br />
vi /opt/zimbra/data/altermime/external_domains.html<br />
<div style="background-color: #40E0D0; width: 100%; padding: 2pt; font-size: 10pt; line-height: 12pt; font-family: 'Calibri'; color: black; text-align: left; border: 1pt solid #9C6500;"><span style="color: #DE3163;">CAUTION:</span> This email originated from an external domain, click links or open attachments once you recognize the sender and know the content is safe.</div><br />
<br />
'''Note:''' Refer to this link for HTML color codes: [https://htmlcolorcodes.com/ htmlcolorcodes]<br />
<br />
=====Step 2===== <br />
<br />
Now we have to configure Amavis to include the external_disclaimer.conf file so that it is applied to each email.<br />
<br />
*Open file amavisd.conf.in<br />
vi /opt/zimbra/conf/amavisd.conf.in<br />
*Add the following line at the end of the file<br />
include_config_files('/opt/zimbra/conf/external_disclaimer.conf');<br />
*Save and restart Amavis<br />
zmamavisdctl restart<br />
{{SubmittedBy|Samrat Sarkar}}<br />
<br />
{{Article Footer|ZCS 8.8.15 ZCS 9.0||2021-09-15}}</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=Root_CA_certificate_has_expired&diff=67295Root CA certificate has expired2020-06-01T17:39:25Z<p>Sam4wiki: </p>
<hr />
<div>{{BC|Certified}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
=Root CA certificate has expired=<br />
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 9.0}}|}}<br />
{{WIP}}<br />
<br />
==Problem==<br />
<br />
LDAP servers are unable to communicate with other servers in the ZCS environment <br />
<br />
We get the below error when checking the LDAP status<br />
<br />
zmcontrol status<br />
Unable to start TLS: SSL connect attempt failed error:14090086:SSL<br />
<br />
'''OR'''<br />
<br />
ldap status<br />
Unable to start TLS: SSL connect attempt failed error:14090086:SSL<br />
<br />
==How to verify if the Root CA or any intermediate CA has expired==<br />
<br />
su - zimbra<br />
cd /opt/zimbra/ssl/zimbra/commercial/<br />
[zimbra@mail commercial]$ /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt<br />
** Verifying 'commercial.crt' against 'commercial.key'<br />
Certificate 'commercial.crt' and private key 'commercial.key' match.<br />
** Verifying 'commercial.crt' against 'commercial_ca.crt'<br />
ERROR: Unable to validate certificate chain: commercial.crt: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root<br />
error 10 at 3 depth lookup:certificate has expired<br />
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority<br />
error 10 at 2 depth lookup:certificate has expired<br />
OK<br />
<br />
== Description ==<br />
<br />
1. '''commercial.key''' is your private key used to generate the Certificate Signing Request (CSR)<br />
<br />
2. '''commercial_ca.crt''' is the certificate chain created by bundling the intermediate and root CA<br />
<br />
3. '''commercial.crt''' is the SSL certificate.<br />
<br />
==Solution==<br />
<br />
This issue occurs because the '''Sectigo (Comodo) Root certificate''' named '''AddTrust External CA Root''' expired on '''May 30, 2020'''. The successor of this root certificate is named the '''Comodo RSA Certification authority Root''', and will expire in '''2038'''. To fix the issue, download the new Comodo RSA Certification authority Root and re-deploy the SSL certificate.<br />
<br />
The new Comodo RSA Certification authority Root can be downloaded from here [https://support.comodo.com/index.php?/Knowledgebase/Article/View/969/108/root-comodo-rsa-certification-authority-sha-2 link]<br />
<br />
==Steps to re-deploy the certs==<br />
<br />
1. Download and save the root CA. (e.g. /tmp/ca.crt) <br />
<br />
2. Download any intermediary CAs from your provider to a temporary file. (e.g. /tmp/ca_intermediary.crt)<br />
<br />
3. Combine root and intermediary CAs into a temporary file.<br />
<br />
cat /tmp/ca_intermediary.crt /tmp/ca.crt > /tmp/ca_chain.crt<br />
<br />
4. Move the old certs and recreate the necessary folders<br />
<br />
mv /opt/zimbra/ssl/zimbra/ /opt/zimbra/ssl/zimbra.old<br />
mkdir /opt/zimbra/ssl/zimbra/<br />
mkdir -p /opt/zimbra/ssl/zimbra/{ca,commercial,server}<br />
mv /opt/zimbra/ssl/zimbra.old/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
chmod 750 /opt/zimbra/ssl/zimbra<br />
chmod 750 /opt/zimbra/ssl/zimbra/*<br />
<br />
<br />
5. Verify your commercial certificate.<br />
<br />
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt<br />
**Verifying /tmp/commercial.crt against<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/tmp/commercial.crt) and private key<br />
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /tmp/commercial.crt: OK<br />
<br />
6. Deploy your commercial certificate.<br />
<br />
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt<br />
** Verifying /tmp/commercial.crt against<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/tmp/commercial.crt) and private key<br />
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /tmp/commercial.crt: OK<br />
**Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
**Appending CA chain /tmp/ca_chain.crt to<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
**Saving server config key zimbraSSLCertificate…done.<br />
**Saving server config key zimbraSSLPrivateKey…done.<br />
**Installing mta certificate and key…done.<br />
**Installing slapd certificate and key…done.<br />
**Installing proxy certificate and key…done.<br />
**Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.<br />
**Creating keystore file /opt/zimbra/mailbox/etc/keystore…done.<br />
**Installing CA to /opt/zimbra/conf/ca…done.<br />
<br />
7. To finish, verify the certificate was deployed.<br />
<br />
/opt/zimbra/bin/zmcertmgr viewdeployedcrt<br />
<br />
==A quick Fix till the root CA is installed==<br />
<br />
Disable TLS on the LDAP server as a temporary workaround until the certificates are re-deployed. While it is disabled, LDAP traffic between the servers is not encrypted.<br />
<br />
Execute the below commands on the LDAP servers<br />
<br />
zmlocalconfig -e ldap_starttls_required=false<br />
zmlocalconfig -e ldap_starttls_supported=0<br />
zmcontrol restart<br />
<br />
Once the certificates are re-deployed, enable TLS on the LDAP server again. <br />
<br />
zmlocalconfig -e ldap_starttls_required=true<br />
zmlocalconfig -e ldap_starttls_supported=1<br />
zmcontrol restart<br />
<br />
{| class="wikitable" style="background-color:#d0f0c0;" cellpadding="10"<br />
|'''Submitted by''': Samrat Sarkar<br />
|}<br />
<br />
{{Article Footer|ZCS 8.8.x, 9.0|2020-06-01}}</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=Root_CA_certificate_has_expired&diff=67286Root CA certificate has expired2020-06-01T14:03:41Z<p>Sam4wiki: </p>
<hr />
<div>{{BC|Certified}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
=Root CA certificate has expired=<br />
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 9.0}}|}}<br />
{{WIP}}<br />
<br />
==Problem==<br />
<br />
LDAP servers are unable to communicate with other servers in the ZCS environment <br />
<br />
We get the below error when checking the LDAP status<br />
<br />
zmcontrol status<br />
Unable to start TLS: SSL connect attempt failed error:14090086:SSL<br />
<br />
OR<br />
<br />
ldap status<br />
Unable to start TLS: SSL connect attempt failed error:14090086:SSL<br />
<br />
==How to verify if the Root CA or any intermediate CA has expired==<br />
<br />
su - zimbra<br />
cd /opt/zimbra/ssl/zimbra/commercial/<br />
[zimbra@mail commercial]$ /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt<br />
** Verifying 'commercial.crt' against 'commercial.key'<br />
Certificate 'commercial.crt' and private key 'commercial.key' match.<br />
** Verifying 'commercial.crt' against 'commercial_ca.crt'<br />
ERROR: Unable to validate certificate chain: commercial.crt: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root<br />
error 10 at 3 depth lookup:certificate has expired<br />
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority<br />
error 10 at 2 depth lookup:certificate has expired<br />
OK<br />
<br />
==Solution==<br />
<br />
This issue occurs because the '''Sectigo (Comodo) Root certificate''' named '''AddTrust External CA Root''' expired on '''May 30, 2020'''. The successor of this root certificate is named the '''Comodo RSA Certification authority Root''', and will expire in '''2038'''. We need to download the new Comodo RSA Certification authority Root and re-deploy the SSL certificate.<br />
<br />
The new Comodo RSA Certification authority Root can be downloaded from here [https://support.comodo.com/index.php?/Knowledgebase/Article/View/969/108/root-comodo-rsa-certification-authority-sha-2 link]<br />
<br />
==Steps to re-deploy the certs==<br />
<br />
1. Download and save the root CA. (e.g. /tmp/ca.crt) <br />
<br />
2. Download any intermediary CAs from your provider to a temporary file. (e.g. /tmp/ca_intermediary.crt)<br />
<br />
3. Combine root and intermediary CAs into a temporary file.<br />
<br />
cat /tmp/ca_intermediary.crt /tmp/ca.crt > /tmp/ca_chain.crt<br />
<br />
4. Move the old certs and recreate the necessary folders<br />
<br />
mv /opt/zimbra/ssl/zimbra/ /opt/zimbra/ssl/zimbra.old<br />
mkdir /opt/zimbra/ssl/zimbra/<br />
mkdir -p /opt/zimbra/ssl/zimbra/{ca,commercial,server}<br />
mv /opt/zimbra/ssl/zimbra.old/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
chmod 750 /opt/zimbra/ssl/zimbra<br />
chmod 750 /opt/zimbra/ssl/zimbra/*<br />
<br />
<br />
5. Verify your commercial certificate.<br />
<br />
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt<br />
**Verifying /tmp/commercial.crt against<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/tmp/commercial.crt) and private key<br />
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /tmp/commercial.crt: OK<br />
<br />
6. Deploy your commercial certificate.<br />
<br />
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt<br />
** Verifying /tmp/commercial.crt against<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/tmp/commercial.crt) and private key<br />
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /tmp/commercial.crt: OK<br />
**Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
**Appending CA chain /tmp/ca_chain.crt to<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
**Saving server config key zimbraSSLCertificate…done.<br />
**Saving server config key zimbraSSLPrivateKey…done.<br />
**Installing mta certificate and key…done.<br />
**Installing slapd certificate and key…done.<br />
**Installing proxy certificate and key…done.<br />
**Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.<br />
**Creating keystore file /opt/zimbra/mailbox/etc/keystore…done.<br />
**Installing CA to /opt/zimbra/conf/ca…done.<br />
<br />
7. To finish, verify the certificate was deployed.<br />
<br />
/opt/zimbra/bin/zmcertmgr viewdeployedcrt<br />
<br />
==A quick Fix till the root CA is installed==<br />
<br />
We can disable TLS on the LDAP server temporarily until the certificates are re-deployed.<br />
<br />
Please execute the below commands on the LDAP servers<br />
<br />
zmlocalconfig -e ldap_starttls_required=false<br />
zmlocalconfig -e ldap_starttls_supported=0<br />
zmcontrol restart<br />
<br />
<br />
{| class="wikitable" style="background-color:#d0f0c0;" cellpadding="10"<br />
|'''Submitted by''': Samrat Sarkar<br />
|}<br />
<br />
{{Article Footer|ZCS 8.8.x, 9.0|2020-06-01}}</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=CA_root_certificate_has_expired&diff=67282CA root certificate has expired2020-06-01T11:22:22Z<p>Sam4wiki: Sam4wiki moved page CA root certificate has expired to Root CA certificate has expired: More appropriate Subject</p>
<hr />
<div>#REDIRECT [[Root CA certificate has expired]]</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=Root_CA_certificate_has_expired&diff=67281Root CA certificate has expired2020-06-01T11:22:22Z<p>Sam4wiki: Sam4wiki moved page CA root certificate has expired to Root CA certificate has expired: More appropriate Subject</p>
<hr />
<div>{{BC|Certified}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
=Root CA certificate has expired=<br />
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 9.0}}|}}<br />
{{WIP}}<br />
<br />
==Problem==<br />
<br />
LDAP servers are unable to communicate with other servers in the ZCS environment <br />
<br />
We get the below error when checking the LDAP status<br />
<br />
zmcontrol status<br />
Unable to start TLS: SSL connect attempt failed error:14090086:SSL<br />
<br />
OR<br />
<br />
ldap status<br />
Unable to start TLS: SSL connect attempt failed error:14090086:SSL<br />
<br />
==How to verify if the Root CA or any intermediate CA has expired==<br />
<br />
su - zimbra<br />
cd /opt/zimbra/ssl/zimbra/commercial/<br />
[zimbra@mail commercial]$ /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt<br />
** Verifying 'commercial.crt' against 'commercial.key'<br />
Certificate 'commercial.crt' and private key 'commercial.key' match.<br />
** Verifying 'commercial.crt' against 'commercial_ca.crt'<br />
ERROR: Unable to validate certificate chain: commercial.crt: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root<br />
error 10 at 3 depth lookup:certificate has expired<br />
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority<br />
error 10 at 2 depth lookup:certificate has expired<br />
OK<br />
<br />
==Solution==<br />
<br />
This issue occurs because the '''Sectigo (Comodo) Root certificate''' named '''AddTrust External CA Root''' expired on '''May 30, 2020'''. The successor of this root certificate is named the '''Comodo RSA Certification authority Root''', and will expire in '''2038'''. We need to download the new Comodo RSA Certification authority Root and re-deploy the SSL certificate.<br />
<br />
The new Comodo RSA Certification authority Root can be downloaded from here [https://support.comodo.com/index.php?/Knowledgebase/Article/View/969/108/root-comodo-rsa-certification-authority-sha-2 link]<br />
<br />
==Steps to re-deploy the certs==<br />
<br />
1. Download and save the root CA. (e.g. /tmp/ca.crt) <br />
2. Download any intermediary CAs from your provider to a temporary file. (e.g. /tmp/ca_intermediary.crt)<br />
3. Combine root and intermediary CAs into a temporary file.<br />
<br />
cat /tmp/ca_intermediary.crt /tmp/ca.crt > /tmp/ca_chain.crt<br />
<br />
4. Move the old certs and recreate the necessary folders<br />
<br />
mv /opt/zimbra/ssl/zimbra/ /opt/zimbra/ssl/zimbra.old<br />
mkdir /opt/zimbra/ssl/zimbra/<br />
mkdir -p /opt/zimbra/ssl/zimbra/{ca,commercial,server}<br />
mv /opt/zimbra/ssl/zimbra.old/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
chmod 750 /opt/zimbra/ssl/zimbra<br />
chmod 750 /opt/zimbra/ssl/zimbra/*<br />
<br />
<br />
5. Verify your commercial certificate.<br />
<br />
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt<br />
**Verifying /tmp/commercial.crt against<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/tmp/commercial.crt) and private key<br />
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /tmp/commercial.crt: OK<br />
<br />
6. Deploy your commercial certificate.<br />
<br />
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt<br />
** Verifying /tmp/commercial.crt against<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/tmp/commercial.crt) and private key<br />
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /tmp/commercial.crt: OK<br />
**Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
**Appending CA chain /tmp/ca_chain.crt to<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
**Saving server config key zimbraSSLCertificate…done.<br />
**Saving server config key zimbraSSLPrivateKey…done.<br />
**Installing mta certificate and key…done.<br />
**Installing slapd certificate and key…done.<br />
**Installing proxy certificate and key…done.<br />
**Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.<br />
**Creating keystore file /opt/zimbra/mailbox/etc/keystore…done.<br />
**Installing CA to /opt/zimbra/conf/ca…done.<br />
<br />
7. To finish, verify the certificate was deployed.<br />
<br />
/opt/zimbra/bin/zmcertmgr viewdeployedcrt<br />
<br />
==A quick Fix till the root CA is installed==<br />
<br />
We can disable TLS on the LDAP server temporarily until the certificates are re-deployed.<br />
<br />
Please execute the below commands on the LDAP servers<br />
<br />
zmlocalconfig -e ldap_starttls_required=false<br />
zmlocalconfig -e ldap_starttls_supported=0<br />
zmcontrol restart<br />
<br />
<br />
{| class="wikitable" style="background-color:#d0f0c0;" cellpadding="10"<br />
|'''Submitted by''': Samrat Sarkar<br />
|}<br />
<br />
{{Article Footer|ZCS 8.8.x, 9.0|2020-06-01}}</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=Root_CA_certificate_has_expired&diff=67280Root CA certificate has expired2020-06-01T11:21:50Z<p>Sam4wiki: </p>
<hr />
<div>{{BC|Certified}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
=Root CA certificate has expired=<br />
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 9.0}}|}}<br />
{{WIP}}<br />
<br />
==Problem==<br />
<br />
LDAP servers are unable to communicate with other servers in the ZCS environment <br />
<br />
We get the below error when checking the LDAP status<br />
<br />
zmcontrol status<br />
Unable to start TLS: SSL connect attempt failed error:14090086:SSL<br />
<br />
OR<br />
<br />
ldap status<br />
Unable to start TLS: SSL connect attempt failed error:14090086:SSL<br />
<br />
==How to verify if the Root CA or any intermediate CA has expired==<br />
<br />
su - zimbra<br />
cd /opt/zimbra/ssl/zimbra/commercial/<br />
[zimbra@mail commercial]$ /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt<br />
** Verifying 'commercial.crt' against 'commercial.key'<br />
Certificate 'commercial.crt' and private key 'commercial.key' match.<br />
** Verifying 'commercial.crt' against 'commercial_ca.crt'<br />
ERROR: Unable to validate certificate chain: commercial.crt: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root<br />
error 10 at 3 depth lookup:certificate has expired<br />
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority<br />
error 10 at 2 depth lookup:certificate has expired<br />
OK<br />
<br />
==Solution==<br />
<br />
This issue occurs because the '''Sectigo (Comodo) Root certificate''' named '''AddTrust External CA Root''' expired on '''May 30, 2020'''. The successor of this root certificate is named the '''Comodo RSA Certification authority Root''', and will expire in '''2038'''. We need to download the new Comodo RSA Certification authority Root and re-deploy the SSL certificate.<br />
<br />
The new Comodo RSA Certification authority Root can be downloaded from here [https://support.comodo.com/index.php?/Knowledgebase/Article/View/969/108/root-comodo-rsa-certification-authority-sha-2 link]<br />
<br />
==Steps to re-deploy the certs==<br />
<br />
1. Download and save the root CA. (e.g. /tmp/ca.crt) <br />
2. Download any intermediary CAs from your provider to a temporary file. (e.g. /tmp/ca_intermediary.crt)<br />
3. Combine root and intermediary CAs into a temporary file.<br />
<br />
cat /tmp/ca_intermediary.crt /tmp/ca.crt > /tmp/ca_chain.crt<br />
<br />
4. Move the old certs and recreate the necessary folders<br />
<br />
mv /opt/zimbra/ssl/zimbra/ /opt/zimbra/ssl/zimbra.old<br />
mkdir /opt/zimbra/ssl/zimbra/<br />
mkdir -p /opt/zimbra/ssl/zimbra/{ca,commercial,server}<br />
mv /opt/zimbra/ssl/zimbra.old/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
chmod 750 /opt/zimbra/ssl/zimbra<br />
chmod 750 /opt/zimbra/ssl/zimbra/*<br />
<br />
<br />
5. Verify your commercial certificate.<br />
<br />
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt<br />
**Verifying /tmp/commercial.crt against<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/tmp/commercial.crt) and private key<br />
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /tmp/commercial.crt: OK<br />
<br />
6. Deploy your commercial certificate.<br />
<br />
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt<br />
** Verifying /tmp/commercial.crt against<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/tmp/commercial.crt) and private key<br />
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /tmp/commercial.crt: OK<br />
**Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
**Appending CA chain /tmp/ca_chain.crt to<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
**Saving server config key zimbraSSLCertificate…done.<br />
**Saving server config key zimbraSSLPrivateKey…done.<br />
**Installing mta certificate and key…done.<br />
**Installing slapd certificate and key…done.<br />
**Installing proxy certificate and key…done.<br />
**Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.<br />
**Creating keystore file /opt/zimbra/mailbox/etc/keystore…done.<br />
**Installing CA to /opt/zimbra/conf/ca…done.<br />
<br />
7. To finish, verify the certificate was deployed.<br />
<br />
/opt/zimbra/bin/zmcertmgr viewdeployedcrt<br />
<br />
==A quick Fix till the root CA is installed==<br />
<br />
We can disable TLS on the LDAP server temporarily until the certificates are re-deployed.<br />
<br />
Please execute the below commands on the LDAP servers<br />
<br />
zmlocalconfig -e ldap_starttls_required=false<br />
zmlocalconfig -e ldap_starttls_supported=0<br />
zmcontrol restart<br />
<br />
<br />
{| class="wikitable" style="background-color:#d0f0c0;" cellpadding="10"<br />
|'''Submitted by''': Samrat Sarkar<br />
|}<br />
<br />
{{Article Footer|ZCS 8.8.x, 9.0|2020-06-01}}</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=Root_CA_certificate_has_expired&diff=67279Root CA certificate has expired2020-06-01T10:40:39Z<p>Sam4wiki: </p>
<hr />
<div>{{BC|Certified}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
=CA_root_certificate_has_expired=<br />
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 9.0}}|}}<br />
{{WIP}}<br />
<br />
==Problem==<br />
<br />
LDAP servers are unable to communicate with other servers in the ZCS environment.<br />
<br />
We get the following error when checking the LDAP status:<br />
<br />
zmcontrol status<br />
Unable to start TLS: SSL connect attempt failed error:14090086:SSL<br />
<br />
OR<br />
<br />
ldap status<br />
Unable to start TLS: SSL connect attempt failed error:14090086:SSL<br />
<br />
==How to verify the Root CA has expired==<br />
<br />
su - zimbra<br />
cd /opt/zimbra/ssl/zimbra/commercial/<br />
[zimbra@mail commercial]$ /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt<br />
** Verifying 'commercial.crt' against 'commercial.key'<br />
Certificate 'commercial.crt' and private key 'commercial.key' match.<br />
** Verifying 'commercial.crt' against 'commercial_ca.crt'<br />
ERROR: Unable to validate certificate chain: commercial.crt: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root<br />
error 10 at 3 depth lookup:certificate has expired<br />
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority<br />
error 10 at 2 depth lookup:certificate has expired<br />
OK<br />
<br />
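An added example (not part of the original article or of Zimbra's tooling): a small Python parser for the chain-verification output above that reports which certificate in the chain failed and at what depth, so an expired CA (replace the chain file) can be told apart from an expired server certificate. The function names and the labels returned by <code>diagnose</code> are assumptions made for this illustration.<br />

```python
import re
from typing import List, NamedTuple

# Verification output as shown in this article (openssl verify format).
SAMPLE_OUTPUT = """\
** Verifying 'commercial.crt' against 'commercial.key'
Certificate 'commercial.crt' and private key 'commercial.key' match.
** Verifying 'commercial.crt' against 'commercial_ca.crt'
ERROR: Unable to validate certificate chain: commercial.crt: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
error 10 at 3 depth lookup:certificate has expired
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
error 10 at 2 depth lookup:certificate has expired
OK
"""

# OpenSSL verify error code for "certificate has expired".
X509_V_ERR_CERT_HAS_EXPIRED = 10

ERROR_LINE = re.compile(r"^error (\d+) at (\d+) depth lookup:\s*(.*)$")
# First "KEY = value" token marks where the subject DN starts on a line.
DN_START = re.compile(r"\b[A-Za-z][A-Za-z0-9.]* = ")
COMMON_NAME = re.compile(r"\bCN\s*=\s*([^,]+)")


class ChainError(NamedTuple):
    depth: int        # 0 = server certificate, >0 = CA certificates
    code: int         # OpenSSL verify error number
    reason: str
    subject: str
    common_name: str


def parse_verify_errors(output: str) -> List[ChainError]:
    """Pair each 'error N at D depth lookup' line with the subject line before it."""
    findings = []
    previous = ""
    for raw in output.splitlines():
        line = raw.strip()
        match = ERROR_LINE.match(line)
        if match:
            # The subject may be prefixed by "ERROR: ...: file:"; skip to the DN.
            dn = DN_START.search(previous)
            subject = previous[dn.start():] if dn else previous
            cn = COMMON_NAME.search(subject)
            findings.append(ChainError(
                depth=int(match.group(2)),
                code=int(match.group(1)),
                reason=match.group(3).strip(),
                subject=subject,
                common_name=cn.group(1).strip() if cn else "",
            ))
        previous = line
    return findings


def diagnose(findings: List[ChainError]) -> str:
    """Return a label (hypothetical, for this example) describing what to replace."""
    if not findings:
        return "ok"
    expired = [f for f in findings if f.code == X509_V_ERR_CERT_HAS_EXPIRED]
    if not expired:
        return "other-verification-error"
    if any(f.depth == 0 for f in expired):
        return "renew-server-certificate"
    return "replace-ca-chain"


if __name__ == "__main__":
    results = parse_verify_errors(SAMPLE_OUTPUT)
    for item in results:
        print(f"depth {item.depth}: {item.common_name}: {item.reason}")
    print("action:", diagnose(results))
```

For the output shown in this article, both failures are at depth 2 and 3, so the server certificate and key are kept and only the CA chain file needs replacing.<br />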
==Solution==<br />
<br />
This issue occurs because the '''Sectigo (Comodo) root certificate''', namely '''AddTrust External CA Root''', expired on '''May 30, 2020'''. Its successor is the '''Comodo RSA Certification Authority Root''', which will expire in '''2038'''. We need to download the new Comodo RSA Certification Authority Root and redeploy the SSL certificate.<br />
<br />
The new Comodo RSA Certification Authority Root can be downloaded from this [https://support.comodo.com/index.php?/Knowledgebase/Article/View/969/108/root-comodo-rsa-certification-authority-sha-2 link].<br />
<br />
==Steps to redeploy the certs==<br />
<br />
1. Download and save the root CA. (e.g. /tmp/ca.crt) <br />
<br />
2. Download any intermediary CAs from your provider to a temporary file. (e.g. /tmp/ca_intermediary.crt)<br />
<br />
3. Combine root and intermediary CAs into a temporary file.<br />
<br />
cat /tmp/ca_intermediary.crt /tmp/ca.crt > /tmp/ca_chain.crt<br />
<br />
4. Move the old certs and recreate the necessary folders<br />
<br />
mv /opt/zimbra/ssl/zimbra/ /opt/zimbra/ssl/zimbra.old<br />
mkdir /opt/zimbra/ssl/zimbra/<br />
mkdir -p /opt/zimbra/ssl/zimbra/{ca,commercial,server}<br />
mv /opt/zimbra/ssl/zimbra.old/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
chmod 750 /opt/zimbra/ssl/zimbra<br />
chmod 750 /opt/zimbra/ssl/zimbra/*<br />
<br />
<br />
5. Verify your commercial certificate.<br />
<br />
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt<br />
**Verifying /tmp/commercial.crt against<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/tmp/commercial.crt) and private key<br />
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /tmp/commercial.crt: OK<br />
<br />
6. Deploy your commercial certificate.<br />
<br />
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt<br />
** Verifying /tmp/commercial.crt against<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/tmp/commercial.crt) and private key<br />
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /tmp/commercial.crt: OK<br />
**Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
**Appending CA chain /tmp/ca_chain.crt to<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
**Saving server config key zimbraSSLCertificate…done.<br />
**Saving server config key zimbraSSLPrivateKey…done.<br />
**Installing mta certificate and key…done.<br />
**Installing slapd certificate and key…done.<br />
**Installing proxy certificate and key…done.<br />
**Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.<br />
**Creating keystore file /opt/zimbra/mailbox/etc/keystore…done.<br />
**Installing CA to /opt/zimbra/conf/ca…done.<br />
<br />
7. To finish, verify the certificate was deployed.<br />
<br />
/opt/zimbra/bin/zmcertmgr viewdeployedcrt<br />
<br />
==A quick Fix till the root CA is installed==<br />
<br />
Until the certificates are redeployed, we can temporarily disable STARTTLS on the LDAP server, so LDAP connections are made without STARTTLS while these settings are in place.<br />
<br />
Run the following commands on the LDAP servers:<br />
<br />
zmlocalconfig -e ldap_starttls_required=false<br />
zmlocalconfig -e ldap_starttls_supported=0<br />
zmcontrol restart<br />
<br />
<br />
{| class="wikitable" style="background-color:#d0f0c0;" cellpadding="10"<br />
|'''Submitted by''': Samrat Sarkar<br />
|}<br />
<br />
{{Article Footer|ZCS 8.8.x, 9.0|2020-06-01}}</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=Root_CA_certificate_has_expired&diff=67278Root CA certificate has expired2020-06-01T10:39:09Z<p>Sam4wiki: </p>
<hr />
<div>{{BC|Certified}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
=CA_root_certificate_has_expired=<br />
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 9.0}}|}}<br />
{{WIP}}<br />
<br />
==Problem==<br />
<br />
LDAP servers are unable to communicate with other servers in the ZCS environment.<br />
<br />
We get the following error when checking the LDAP status:<br />
<br />
zmcontrol status<br />
Unable to start TLS: SSL connect attempt failed error:14090086:SSL<br />
<br />
OR<br />
<br />
ldap status<br />
Unable to start TLS: SSL connect attempt failed error:14090086:SSL<br />
<br />
==How to verify the Root CA has expired==<br />
<br />
su - zimbra<br />
cd /opt/zimbra/ssl/zimbra/commercial/<br />
[zimbra@mail commercial]$ /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt<br />
** Verifying 'commercial.crt' against 'commercial.key'<br />
Certificate 'commercial.crt' and private key 'commercial.key' match.<br />
** Verifying 'commercial.crt' against 'commercial_ca.crt'<br />
ERROR: Unable to validate certificate chain: commercial.crt: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root<br />
error 10 at 3 depth lookup:certificate has expired<br />
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority<br />
error 10 at 2 depth lookup:certificate has expired<br />
OK<br />
<br />
==Solution==<br />
<br />
This issue occurs because the '''Sectigo (Comodo) root certificate''', namely '''AddTrust External CA Root''', expired on '''May 30, 2020'''. Its successor is the '''Comodo RSA Certification Authority Root''', which will expire in '''2038'''. We need to download the new Comodo RSA Certification Authority Root and redeploy the SSL certificate.<br />
<br />
The new Comodo RSA Certification Authority Root can be downloaded from this [https://support.comodo.com/index.php?/Knowledgebase/Article/View/969/108/root-comodo-rsa-certification-authority-sha-2 link].<br />
<br />
==Steps to redeploy the certs==<br />
<br />
1. Download and save the root CA. (e.g. /tmp/ca.crt) <br />
2. Download any intermediary CAs from your provider to a temporary file. (e.g. /tmp/ca_intermediary.crt)<br />
3. Combine root and intermediary CAs into a temporary file.<br />
<br />
cat /tmp/ca_intermediary.crt /tmp/ca.crt > /tmp/ca_chain.crt<br />
<br />
4. Move the old certs and recreate the necessary folders<br />
<br />
mv /opt/zimbra/ssl/zimbra/ /opt/zimbra/ssl/zimbra.old<br />
mkdir /opt/zimbra/ssl/zimbra/<br />
mkdir -p /opt/zimbra/ssl/zimbra/{ca,commercial,server}<br />
mv /opt/zimbra/ssl/zimbra.old/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
chmod 750 /opt/zimbra/ssl/zimbra<br />
chmod 750 /opt/zimbra/ssl/zimbra/*<br />
<br />
5. Verify your commercial certificate.<br />
<br />
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt<br />
**Verifying /tmp/commercial.crt against<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/tmp/commercial.crt) and private key<br />
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /tmp/commercial.crt: OK<br />
<br />
6. Deploy your commercial certificate.<br />
<br />
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt<br />
** Verifying /tmp/commercial.crt against<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/tmp/commercial.crt) and private key<br />
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /tmp/commercial.crt: OK<br />
**Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
**Appending CA chain /tmp/ca_chain.crt to<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
**Saving server config key zimbraSSLCertificate…done.<br />
**Saving server config key zimbraSSLPrivateKey…done.<br />
**Installing mta certificate and key…done.<br />
**Installing slapd certificate and key…done.<br />
**Installing proxy certificate and key…done.<br />
**Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.<br />
**Creating keystore file /opt/zimbra/mailbox/etc/keystore…done.<br />
**Installing CA to /opt/zimbra/conf/ca…done.<br />
<br />
7. To finish, verify the certificate was deployed.<br />
<br />
/opt/zimbra/bin/zmcertmgr viewdeployedcrt<br />
<br />
==A quick Fix till the root CA is installed==<br />
<br />
Until the certificates are redeployed, we can temporarily disable STARTTLS on the LDAP server, so LDAP connections are made without STARTTLS while these settings are in place.<br />
<br />
Run the following commands on the LDAP servers:<br />
<br />
zmlocalconfig -e ldap_starttls_required=false<br />
zmlocalconfig -e ldap_starttls_supported=0<br />
zmcontrol restart<br />
<br />
<br />
{| class="wikitable" style="background-color:#d0f0c0;" cellpadding="10"<br />
|'''Submitted by''': Samrat Sarkar<br />
|}<br />
<br />
{{Article Footer|ZCS 8.8.x, 9.0|2020-06-01}}</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=Root_CA_certificate_has_expired&diff=67277Root CA certificate has expired2020-06-01T10:38:50Z<p>Sam4wiki: </p>
<hr />
<div>{{BC|Certified}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
=CA_root_certificate_has_expired=<br />
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 9.0}}|}}<br />
{{WIP}}<br />
<br />
==Problem==<br />
<br />
LDAP servers are unable to communicate with other servers in the ZCS environment.<br />
<br />
We get the following error when checking the LDAP status:<br />
<br />
zmcontrol status<br />
Unable to start TLS: SSL connect attempt failed error:14090086:SSL<br />
<br />
OR<br />
<br />
ldap status<br />
Unable to start TLS: SSL connect attempt failed error:14090086:SSL<br />
<br />
==How to verify the Root CA has expired==<br />
<br />
su - zimbra<br />
cd /opt/zimbra/ssl/zimbra/commercial/<br />
[zimbra@mail commercial]$ /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt<br />
** Verifying 'commercial.crt' against 'commercial.key'<br />
Certificate 'commercial.crt' and private key 'commercial.key' match.<br />
** Verifying 'commercial.crt' against 'commercial_ca.crt'<br />
ERROR: Unable to validate certificate chain: commercial.crt: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root<br />
error 10 at 3 depth lookup:certificate has expired<br />
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority<br />
error 10 at 2 depth lookup:certificate has expired<br />
OK<br />
<br />
==Solution==<br />
<br />
This issue occurs because the '''Sectigo (Comodo) root certificate''', namely '''AddTrust External CA Root''', expired on '''May 30, 2020'''. Its successor is the '''Comodo RSA Certification Authority Root''', which will expire in '''2038'''. We need to download the new Comodo RSA Certification Authority Root and redeploy the SSL certificate.<br />
<br />
The new Comodo RSA Certification Authority Root can be downloaded from this [https://support.comodo.com/index.php?/Knowledgebase/Article/View/969/108/root-comodo-rsa-certification-authority-sha-2 link].<br />
<br />
==Steps to redeploy the certs==<br />
<br />
1. Download and save the root CA. (e.g. /tmp/ca.crt) <br />
<br />
2. Download any intermediary CAs from your provider to a temporary file. (e.g. /tmp/ca_intermediary.crt)<br />
<br />
3. Combine root and intermediary CAs into a temporary file.<br />
<br />
cat /tmp/ca_intermediary.crt /tmp/ca.crt > /tmp/ca_chain.crt<br />
<br />
4. Move the old certs and recreate the necessary folders<br />
<br />
mv /opt/zimbra/ssl/zimbra/ /opt/zimbra/ssl/zimbra.old<br />
mkdir /opt/zimbra/ssl/zimbra/<br />
mkdir -p /opt/zimbra/ssl/zimbra/{ca,commercial,server}<br />
mv /opt/zimbra/ssl/zimbra.old/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
chmod 750 /opt/zimbra/ssl/zimbra<br />
chmod 750 /opt/zimbra/ssl/zimbra/*<br />
<br />
<br />
5. Verify your commercial certificate.<br />
<br />
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt<br />
**Verifying /tmp/commercial.crt against<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/tmp/commercial.crt) and private key<br />
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /tmp/commercial.crt: OK<br />
<br />
6. Deploy your commercial certificate.<br />
<br />
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt<br />
** Verifying /tmp/commercial.crt against<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/tmp/commercial.crt) and private key<br />
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /tmp/commercial.crt: OK<br />
**Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
**Appending CA chain /tmp/ca_chain.crt to<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
**Saving server config key zimbraSSLCertificate…done.<br />
**Saving server config key zimbraSSLPrivateKey…done.<br />
**Installing mta certificate and key…done.<br />
**Installing slapd certificate and key…done.<br />
**Installing proxy certificate and key…done.<br />
**Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.<br />
**Creating keystore file /opt/zimbra/mailbox/etc/keystore…done.<br />
**Installing CA to /opt/zimbra/conf/ca…done.<br />
<br />
7. To finish, verify the certificate was deployed.<br />
<br />
/opt/zimbra/bin/zmcertmgr viewdeployedcrt<br />
<br />
==A quick Fix till the root CA is installed==<br />
<br />
Until the certificates are redeployed, we can temporarily disable STARTTLS on the LDAP server, so LDAP connections are made without STARTTLS while these settings are in place.<br />
<br />
Run the following commands on the LDAP servers:<br />
<br />
zmlocalconfig -e ldap_starttls_required=false<br />
zmlocalconfig -e ldap_starttls_supported=0<br />
zmcontrol restart<br />
<br />
<br />
{| class="wikitable" style="background-color:#d0f0c0;" cellpadding="10"<br />
|'''Submitted by''': Samrat Sarkar<br />
|}<br />
<br />
{{Article Footer|ZCS 8.8.x, 9.0|2020-06-01}}</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=Root_CA_certificate_has_expired&diff=67276Root CA certificate has expired2020-06-01T10:37:15Z<p>Sam4wiki: </p>
<hr />
<div>{{BC|Certified}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
=CA_root_certificate_has_expired=<br />
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 9.0}}|}}<br />
{{WIP}}<br />
<br />
==Problem==<br />
<br />
LDAP servers are unable to communicate with other servers in the ZCS environment.<br />
<br />
We get the following error when checking the LDAP status:<br />
<br />
zmcontrol status<br />
Unable to start TLS: SSL connect attempt failed error:14090086:SSL<br />
<br />
OR<br />
<br />
ldap status<br />
Unable to start TLS: SSL connect attempt failed error:14090086:SSL<br />
<br />
==How to verify the Root CA has expired==<br />
<br />
su - zimbra<br />
cd /opt/zimbra/ssl/zimbra/commercial/<br />
[zimbra@mail commercial]$ /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt<br />
** Verifying 'commercial.crt' against 'commercial.key'<br />
Certificate 'commercial.crt' and private key 'commercial.key' match.<br />
** Verifying 'commercial.crt' against 'commercial_ca.crt'<br />
ERROR: Unable to validate certificate chain: commercial.crt: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root<br />
error 10 at 3 depth lookup:certificate has expired<br />
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority<br />
error 10 at 2 depth lookup:certificate has expired<br />
OK<br />
<br />
==Solution==<br />
<br />
This issue occurs because the '''Sectigo (Comodo) root certificate''', namely '''AddTrust External CA Root''', expired on '''May 30, 2020'''. Its successor is the '''Comodo RSA Certification Authority Root''', which will expire in '''2038'''. We need to download the new Comodo RSA Certification Authority Root and redeploy the SSL certificate.<br />
<br />
The new Comodo RSA Certification Authority Root can be downloaded from this [https://support.comodo.com/index.php?/Knowledgebase/Article/View/969/108/root-comodo-rsa-certification-authority-sha-2 link].<br />
<br />
==Steps to redeploy the certs==<br />
<br />
1. Download and save the root CA. (e.g. /tmp/ca.crt) <br />
2. Download any intermediary CAs from your provider to a temporary file. (e.g. /tmp/ca_intermediary.crt)<br />
3. Combine root and intermediary CAs into a temporary file.<br />
<br />
cat /tmp/ca_intermediary.crt /tmp/ca.crt > /tmp/ca_chain.crt<br />
<br />
4. Move the old certs and recreate the necessary folders<br />
<br />
mv /opt/zimbra/ssl/zimbra/ /opt/zimbra/ssl/zimbra.old<br />
mkdir /opt/zimbra/ssl/zimbra/<br />
mkdir -p /opt/zimbra/ssl/zimbra/{ca,commercial,server}<br />
mv /opt/zimbra/ssl/zimbra.old/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
chmod 750 /opt/zimbra/ssl/zimbra<br />
chmod 750 /opt/zimbra/ssl/zimbra/*<br />
<br />
5. Verify your commercial certificate.<br />
<br />
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt<br />
**Verifying /tmp/commercial.crt against<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/tmp/commercial.crt) and private key<br />
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /tmp/commercial.crt: OK<br />
<br />
6. Deploy your commercial certificate.<br />
<br />
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt<br />
** Verifying /tmp/commercial.crt against<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/tmp/commercial.crt) and private key<br />
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /tmp/commercial.crt: OK<br />
**Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
**Appending CA chain /tmp/ca_chain.crt to<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
**Saving server config key zimbraSSLCertificate…done.<br />
**Saving server config key zimbraSSLPrivateKey…done.<br />
**Installing mta certificate and key…done.<br />
**Installing slapd certificate and key…done.<br />
**Installing proxy certificate and key…done.<br />
**Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.<br />
**Creating keystore file /opt/zimbra/mailbox/etc/keystore…done.<br />
**Installing CA to /opt/zimbra/conf/ca…done.<br />
<br />
7. To finish, verify the certificate was deployed.<br />
<br />
/opt/zimbra/bin/zmcertmgr viewdeployedcrt<br />
<br />
==A quick Fix till the root CA is installed==<br />
<br />
Until the certificates are redeployed, we can temporarily disable STARTTLS on the LDAP server, so LDAP connections are made without STARTTLS while these settings are in place.<br />
<br />
Run the following commands on the LDAP servers:<br />
<br />
zmlocalconfig -e ldap_starttls_required=false<br />
zmlocalconfig -e ldap_starttls_supported=0<br />
zmcontrol restart<br />
<br />
<br />
{| class="wikitable" style="background-color:#d0f0c0;" cellpadding="10"<br />
|'''Submitted by''': Samrat Sarkar<br />
|}<br />
<br />
{{Article Footer|ZCS 8.8.x, 9.0|2020-06-01}}</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=Root_CA_certificate_has_expired&diff=67275Root CA certificate has expired2020-06-01T10:36:17Z<p>Sam4wiki: </p>
<hr />
<div>{{BC|Certified}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
=CA_root_certificate_has_expired=<br />
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 9.0}}|}}<br />
{{WIP}}<br />
<br />
==Problem==<br />
<br />
LDAP servers are unable to communicate with other servers in the ZCS environment.<br />
<br />
We get the following error when checking the LDAP status:<br />
<br />
zmcontrol status<br />
Unable to start TLS: SSL connect attempt failed error:14090086:SSL<br />
<br />
OR<br />
<br />
ldap status<br />
Unable to start TLS: SSL connect attempt failed error:14090086:SSL<br />
<br />
==How to verify the Root CA has expired==<br />
<br />
su - zimbra<br />
cd /opt/zimbra/ssl/zimbra/commercial/<br />
[zimbra@mail commercial]$ /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt<br />
** Verifying 'commercial.crt' against 'commercial.key'<br />
Certificate 'commercial.crt' and private key 'commercial.key' match.<br />
** Verifying 'commercial.crt' against 'commercial_ca.crt'<br />
ERROR: Unable to validate certificate chain: commercial.crt: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root<br />
error 10 at 3 depth lookup:certificate has expired<br />
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority<br />
error 10 at 2 depth lookup:certificate has expired<br />
OK<br />
<br />
==Solution==<br />
<br />
This issue occurs because the '''Sectigo (Comodo) root certificate''', namely '''AddTrust External CA Root''', expired on '''May 30, 2020'''. Its successor is the '''Comodo RSA Certification Authority Root''', which will expire in '''2038'''. We need to download the new Comodo RSA Certification Authority Root and redeploy the SSL certificate.<br />
<br />
The new Comodo RSA Certification Authority Root can be downloaded from this [https://support.comodo.com/index.php?/Knowledgebase/Article/View/969/108/root-comodo-rsa-certification-authority-sha-2 link].<br />
<br />
==Steps to redeploy the certs==<br />
<br />
1. Download and save the root CA. (e.g. /tmp/ca.crt) <br />
2. Download any intermediary CAs from your provider to a temporary file. (e.g. /tmp/ca_intermediary.crt)<br />
3. Combine root and intermediary CAs into a temporary file.<br />
<br />
cat /tmp/ca_intermediary.crt /tmp/ca.crt > /tmp/ca_chain.crt<br />
<br />
4. Move the old certs and recreate the necessary folders<br />
<br />
mv /opt/zimbra/ssl/zimbra/ /opt/zimbra/ssl/zimbra.old<br />
mkdir /opt/zimbra/ssl/zimbra/<br />
mkdir -p /opt/zimbra/ssl/zimbra/{ca,commercial,server}<br />
mv /opt/zimbra/ssl/zimbra.old/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
chmod 750 /opt/zimbra/ssl/zimbra<br />
chmod 750 /opt/zimbra/ssl/zimbra/*<br />
<br />
<br />
5. Verify your commercial certificate.<br />
<br />
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt<br />
**Verifying /tmp/commercial.crt against<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/tmp/commercial.crt) and private key<br />
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /tmp/commercial.crt: OK<br />
<br />
6. Deploy your commercial certificate.<br />
<br />
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt<br />
** Verifying /tmp/commercial.crt against<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/tmp/commercial.crt) and private key<br />
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /tmp/commercial.crt: OK<br />
**Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
**Appending CA chain /tmp/ca_chain.crt to<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
**Saving server config key zimbraSSLCertificate…done.<br />
**Saving server config key zimbraSSLPrivateKey…done.<br />
**Installing mta certificate and key…done.<br />
**Installing slapd certificate and key…done.<br />
**Installing proxy certificate and key…done.<br />
**Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.<br />
**Creating keystore file /opt/zimbra/mailbox/etc/keystore…done.<br />
**Installing CA to /opt/zimbra/conf/ca…done.<br />
<br />
7. To finish, verify the certificate was deployed.<br />
<br />
/opt/zimbra/bin/zmcertmgr viewdeployedcrt<br />
<br />
==A quick Fix till the root CA is installed==<br />
<br />
Until the certificates are redeployed, we can temporarily disable STARTTLS on the LDAP server, so LDAP connections are made without STARTTLS while these settings are in place.<br />
<br />
Run the following commands on the LDAP servers:<br />
<br />
zmlocalconfig -e ldap_starttls_required=false<br />
zmlocalconfig -e ldap_starttls_supported=0<br />
zmcontrol restart<br />
<br />
<br />
{| class="wikitable" style="background-color:#d0f0c0;" cellpadding="10"<br />
|'''Submitted by''': Samrat Sarkar<br />
|}<br />
<br />
{{Article Footer|ZCS 8.8.x, 9.0|2020-06-01}}</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=Root_CA_certificate_has_expired&diff=67274Root CA certificate has expired2020-06-01T10:18:33Z<p>Sam4wiki: /* CA_root_certificate_has_expired */</p>
<hr />
<div>{{BC|Certified}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
=CA_root_certificate_has_expired=<br />
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 9.0}}|}}<br />
{{WIP}}<br />
<br />
==Problem==<br />
<br />
LDAP servers are unable to communicate with other servers in the ZCS environment.<br />
<br />
We get the following error when checking the LDAP status:<br />
<br />
zmcontrol status<br />
Unable to start TLS: SSL connect attempt failed error:14090086:SSL<br />
<br />
OR<br />
<br />
ldap status<br />
Unable to start TLS: SSL connect attempt failed error:14090086:SSL<br />
<br />
==How to verify the Root CA has expired==<br />
<br />
su - zimbra<br />
cd /opt/zimbra/ssl/zimbra/commercial/<br />
[zimbra@mail commercial]$ /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt<br />
** Verifying 'commercial.crt' against 'commercial.key'<br />
Certificate 'commercial.crt' and private key 'commercial.key' match.<br />
** Verifying 'commercial.crt' against 'commercial_ca.crt'<br />
ERROR: Unable to validate certificate chain: commercial.crt: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root<br />
error 10 at 3 depth lookup:certificate has expired<br />
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority<br />
error 10 at 2 depth lookup:certificate has expired<br />
OK<br />
<br />
==Solution==<br />
<br />
This issue occurs because the '''Sectigo (Comodo) root certificate''', namely '''AddTrust External CA Root''', expired on '''May 30, 2020'''. Its successor is the '''Comodo RSA Certification Authority Root''', which will expire in '''2038'''. We need to download the new Comodo RSA Certification Authority Root and redeploy the SSL certificate.<br />
<br />
The new Comodo RSA Certification Authority Root can be downloaded from this [https://support.comodo.com/index.php?/Knowledgebase/Article/View/969/108/root-comodo-rsa-certification-authority-sha-2 link].<br />
<br />
==Steps to redeploy the certs==<br />
<br />
1. Download and save the root CA. (e.g. /tmp/ca.crt) <br />
2. Download any intermediary CAs from your provider to a temporary file. (e.g. /tmp/ca_intermediary.crt)<br />
3. Combine root and intermediary CAs into a temporary file.<br />
<br />
cat /tmp/ca_intermediary.crt /tmp/ca.crt > /tmp/ca_chain.crt<br />
<br />
4. Move the old certs and recreate the necessary folders<br />
<br />
mv /opt/zimbra/ssl/zimbra/ /opt/zimbra/ssl/zimbra.old<br />
mkdir /opt/zimbra/ssl/zimbra/<br />
mkdir -p /opt/zimbra/ssl/zimbra/{ca,commercial,server}<br />
mv /opt/zimbra/ssl/zimbra.old/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
chmod 750 /opt/zimbra/ssl/zimbra<br />
chmod 750 /opt/zimbra/ssl/zimbra/*<br />
<br />
<br />
5. Verify your commercial certificate.<br />
<br />
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt<br />
**Verifying /tmp/commercial.crt against<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/tmp/commercial.crt) and private key<br />
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /tmp/commercial.crt: OK<br />
<br />
6. Deploy your commercial certificate.<br />
<br />
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt<br />
** Verifying /tmp/commercial.crt against<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/tmp/commercial.crt) and private key<br />
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /tmp/commercial.crt: OK<br />
**Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
**Appending CA chain /tmp/ca_chain.crt to<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
**Saving server config key zimbraSSLCertificate…done.<br />
**Saving server config key zimbraSSLPrivateKey…done.<br />
**Installing mta certificate and key…done.<br />
**Installing slapd certificate and key…done.<br />
**Installing proxy certificate and key…done.<br />
**Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.<br />
**Creating keystore file /opt/zimbra/mailbox/etc/keystore…done.<br />
**Installing CA to /opt/zimbra/conf/ca…done.<br />
<br />
7. To finish, verify the certificate was deployed.<br />
<br />
/opt/zimbra/bin/zmcertmgr viewdeployedcrt<br />
<br />
{| class="wikitable" style="background-color:#d0f0c0;" cellpadding="10"<br />
|'''Submitted by''': Samrat Sarkar<br />
|}<br />
<br />
{{Article Footer|ZCS 8.8.x, 9.0|2020-06-01}}</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=Root_CA_certificate_has_expired&diff=67273Root CA certificate has expired2020-06-01T10:14:15Z<p>Sam4wiki: Created page with "{{BC|Certified}} __FORCETOC__ <div class="col-md-12 ibox-content"> =CA_root_certificate_has_expired= {{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 9.0}}|}} {{WIP}} ==Problem== Ldap servers..."</p>
<hr />
<div>{{BC|Certified}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
=CA_root_certificate_has_expired=<br />
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 9.0}}|}}<br />
{{WIP}}<br />
<br />
==Problem==<br />
<br />
LDAP servers are unable to communicate with other servers in the ZCS environment.<br />
<br />
The following error appears when checking the LDAP status:<br />
<br />
zmcontrol status or ldap status<br />
Unable to start TLS: SSL connect attempt failed error:14090086:SSL<br />
<br />
==How to verify the Root CA has expired==<br />
<br />
su - zimbra<br />
cd /opt/zimbra/ssl/zimbra/commercial/<br />
 [zimbra@mail commercial]$ /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt<br />
** Verifying 'commercial.crt' against 'commercial.key'<br />
Certificate 'commercial.crt' and private key 'commercial.key' match.<br />
** Verifying 'commercial.crt' against 'commercial_ca.crt'<br />
ERROR: Unable to validate certificate chain: commercial.crt: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root<br />
error 10 at 3 depth lookup:certificate has expired<br />
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority<br />
error 10 at 2 depth lookup:certificate has expired<br />
OK<br />
<br />
==Solution==<br />
<br />
This issue occurs because the Sectigo (Comodo) root certificate, namely AddTrust External CA Root, expired on May 30, 2020. The successor of this root certificate is named the Comodo RSA Certification Authority Root, and will expire in 2038. We need to download the new Comodo RSA Certification Authority Root and redeploy the SSL certificate.<br />
<br />
The new Comodo RSA Certification authority Root can be downloaded from here [https://support.comodo.com/index.php?/Knowledgebase/Article/View/969/108/root-comodo-rsa-certification-authority-sha-2 link]<br />
<br />
==Steps to redeploy the certs==<br />
<br />
1. Download and save the root CA. (e.g. /tmp/ca.crt) <br />
2. Download any intermediary CAs from your provider to a temporary file. (e.g. /tmp/ca_intermediary.crt)<br />
3. Combine root and intermediary CAs into a temporary file.<br />
<br />
cat /tmp/ca_intermediary.crt /tmp/ca.crt > /tmp/ca_chain.crt<br />
<br />
4. Move the old certs and recreate the necessary folders<br />
<br />
mv /opt/zimbra/ssl/zimbra/ /opt/zimbra/ssl/zimbra.old<br />
mkdir /opt/zimbra/ssl/zimbra/<br />
mkdir -p /opt/zimbra/ssl/zimbra/{ca,commercial,server}<br />
mv /opt/zimbra/ssl/zimbra.old/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
chmod 750 /opt/zimbra/ssl/zimbra<br />
chmod 750 /opt/zimbra/ssl/zimbra/*<br />
<br />
<br />
5. Verify your commercial certificate.<br />
<br />
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt<br />
**Verifying /tmp/commercial.crt against<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/tmp/commercial.crt) and private key<br />
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /tmp/commercial.crt: OK<br />
<br />
7. Deploy your commercial certificate.<br />
<br />
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt<br />
** Verifying /tmp/commercial.crt against<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/tmp/commercial.crt) and private key<br />
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
 Valid Certificate: /tmp/commercial.crt: OK<br />
**Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
**Appending CA chain /tmp/ca_chain.crt to<br />
/opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
 **Saving server config key zimbraSSLCertificate…done.<br />
**Saving server config key zimbraSSLPrivateKey…done.<br />
**Installing mta certificate and key…done.<br />
**Installing slapd certificate and key…done.<br />
**Installing proxy certificate and key…done.<br />
**Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.<br />
**Creating keystore file /opt/zimbra/mailbox/etc/keystore…done.<br />
**Installing CA to /opt/zimbra/conf/ca…done.<br />
<br />
8. To finish, verify the certificate was deployed.<br />
<br />
/opt/zimbra/bin/zmcertmgr viewdeployedcrt<br />
<br />
{| class="wikitable" style="background-color:#d0f0c0;" cellpadding="10"<br />
|'''Submitted by''': Samrat Sarkar<br />
|}<br />
<br />
{{Article Footer|ZCS 8.8.x, 9.0|2020-06-01}}</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=Issue_with_ZCO_after_doing_NG_Migration&diff=67264Issue with ZCO after doing NG Migration2020-05-29T07:53:09Z<p>Sam4wiki: /* ZCO, IMAP, POP not re syncing after NG Migration */</p>
<hr />
<div>{{BC|Certified}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
{{BC|Certified}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
=ZCO, IMAP, POP not re syncing after NG Migration= <br />
<hr><br />
{{KB|{{ZC}}|{{ZCS 9.0}}|{{ZCS 8.8}}|{{ZCS 8.7}}|{{ZCS 8.6}}|}}<br />
{{WIP}} <br />
<br />
<br />
===Problem===<br />
After migrating ZCS using the NG Migration method, accounts configured with the MAPI, IMAP, POP protocols stop syncing with the existing profile.<br />
<br />
===Analysis===<br />
NG export/import is designed so that it deals only with user data and not with server-side data, namely tokens. Tokens act as an index between the server and the MUA. When the index is broken, the existing profile does not know where to start the sync from, and as a result the sync fails.<br />
<br />
====User-Side Data====<br />
*Emails and Attachments<br />
*Folders (local and shared)<br />
*Calendars<br />
*Documents (for 6.x exports)<br />
*Briefcases<br />
*Tasks<br />
*User Preferences<br />
<br />
<br />
====Server-side Data====<br />
*COSs<br />
*LDAP user Configs (such as External Auth)<br />
*Domain Settings<br />
<br />
====Error Logs==== <br />
The following log pattern appears in mailbox.log when a sync request comes from a migrated existing ZCO profile:<br />
2020-04-23 06:10:46,621 WARN [qtp1225197672-10057://example.com/service/soap/WaitSetRequest] [name=user@domain.com;mid=30;ip=192.168.0.1;port=60872;ua=Zimbra-ZCO/8.8.15.1867 (10.0.18363 en-US) P2440 T4bd0 R17;soapId=264f7b68;] SoapEngine - handler exceptioncom.zimbra.common.service.ServiceException: permission denied: can not access account 7a9bef11-558a-4bdf-b3e7-d25577438541<br />
<br />
The following log pattern appears in mailbox.log when a sync request comes from a migrated existing ZDesktop profile:<br />
2020-04-23 06:23:52,915 INFO [qtp1225197672-10084://pudge.ursolutions.ph/service/soap/AuthRequest] [ip=172.104.101.223;port=50522;ua=Zimbra Desktop/7.3.1_13063_Windows;soapId=264f7b9e;] SoapEngine - handler exception: authentication failed for [7a9bef11-558a-4bdf-b3e7-d25577438541], account not found<br />
<br />
===Solution===<br />
The only solution for this is to recreate the profiles.<br />
<br />
=====To avoid this, we recommend using the Rsync method of migration, which avoids recreating profiles after migration. This [https://wiki.zimbra.com/wiki/Steps_To_Rebuild_ZCS_Server wiki] contains more information.=====<br />
<br />
<br />
{{SubmittedBy|Samrat Sarkar}}<br />
<br />
{{Article Footer|ZCS 9.0, ZCS 8.8.x|2020-05-29}}</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=Issue_with_ZCO_after_doing_NG_Migration&diff=67263Issue with ZCO after doing NG Migration2020-05-29T07:39:52Z<p>Sam4wiki: Created page with "{{BC|Certified}} __FORCETOC__ <div class="col-md-12 ibox-content"> =ZCO, IMAP, POP not re syncing after NG Migration= <hr> {{KB|{{ZC}}|{{ZCS 9.0}}|{{ZCS 8.8.x}}}} {{WIP}}..."</p>
<hr />
<div>{{BC|Certified}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
=ZCO, IMAP, POP not re syncing after NG Migration= <br />
<hr><br />
{{KB|{{ZC}}|{{ZCS 9.0}}|{{ZCS 8.8.x}}}}<br />
{{WIP}} <br />
<br />
<br />
===Problem===<br />
After migrating ZCS using the NG Migration method, accounts configured with the MAPI, IMAP, POP protocols stop syncing with the existing profile.<br />
<br />
===Analysis===<br />
NG export/import is designed so that it deals only with user data and not with server-side data, namely tokens. Tokens act as an index between the server and the MUA. When the index is broken, the existing profile does not know where to start the sync from, and as a result the sync fails.<br />
<br />
====User-Side Data====<br />
*Emails and Attachments<br />
*Folders (local and shared)<br />
*Calendars<br />
*Documents (for 6.x exports)<br />
*Briefcases<br />
*Tasks<br />
*User Preferences<br />
<br />
<br />
====Server-side Data====<br />
*COSs<br />
*LDAP user Configs (such as External Auth)<br />
*Domain Settings<br />
<br />
====Error Logs==== <br />
The following log pattern appears in mailbox.log when a sync request comes from a migrated existing ZCO profile:<br />
2020-04-23 06:10:46,621 WARN [qtp1225197672-10057://example.com/service/soap/WaitSetRequest] [name=user@domain.com;mid=30;ip=192.168.0.1;port=60872;ua=Zimbra-ZCO/8.8.15.1867 (10.0.18363 en-US) P2440 T4bd0 R17;soapId=264f7b68;] SoapEngine - handler exceptioncom.zimbra.common.service.ServiceException: permission denied: can not access account 7a9bef11-558a-4bdf-b3e7-d25577438541<br />
<br />
The following log pattern appears in mailbox.log when a sync request comes from a migrated existing ZDesktop profile:<br />
2020-04-23 06:23:52,915 INFO [qtp1225197672-10084://pudge.ursolutions.ph/service/soap/AuthRequest] [ip=172.104.101.223;port=50522;ua=Zimbra Desktop/7.3.1_13063_Windows;soapId=264f7b9e;] SoapEngine - handler exception: authentication failed for [7a9bef11-558a-4bdf-b3e7-d25577438541], account not found<br />
<br />
===Solution===<br />
The only solution for this is to recreate the profiles.<br />
<br />
=====To avoid this, we recommend using the Rsync method of migration, which avoids recreating profiles after migration. This [https://wiki.zimbra.com/wiki/Steps_To_Rebuild_ZCS_Server wiki] contains more information.=====<br />
<br />
<br />
{{SubmittedBy|Samrat Sarkar}}<br />
<br />
{{Article Footer|ZCS 9.0, ZCS 8.8.x|2020-05-29}}</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=Full_backups_failing_with_error_Missing_Account_List&diff=67218Full backups failing with error Missing Account List2020-05-11T06:48:32Z<p>Sam4wiki: </p>
<hr />
<div>{{BC|Certified}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
=Error : "Missing account list" while running Legacy full backup=<br />
<hr><br />
{{KB|{{ZC}}|{{ZCS 8.7}}||||}} <br />
<br />
<br />
====Problem: ====<br />
<br />
The following error appears when a full backup is executed:<br />
 /opt/zimbra/bin/zmbackup -f - all <br />
 Error occurred: invalid request: Missing account list<br />
<br />
The following error is observed in the /opt/zimbra/log/mailbox.log file:<br />
Error occurred: invalid request: Missing account list<br />
class=com.zimbra.common.soap.SoapFaultException<br />
message=invalid request: Missing account list<br />
isReceiversFault=false<br />
mIsLocal=false<br />
 mDetail=<soap:Detail><Error xmlns="urn:zimbra"><Code>service.INVALID_REQUEST</Code><Trace>qtp509886383-7512:https://127.0.0.1:7071/service/admin/soap/BackupRequest:1440585474466:7971caa86fd4f1d9</Trace></Error></soap:Detail><br />
 mFault=<soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>invalid request: Missing account list</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>service.INVALID_REQUEST</Code><Trace>qtp509886383-7512:https://127.0.0.1:7071/service/admin/soap/BackupRequest:1440585474466:7971caa86fd4f1d9</Trace></Error></soap:Detail></soap:Fault><br />
<br />
====Solution====<br />
This issue is seen when the /opt/zimbra/backup/accounts.xml file is missing or corrupt, which makes the new backup unable to read the previous backup entry.<br />
To resolve it, move the old sessions directory and the corrupt accounts.xml file aside using the following steps:<br />
<br />
su - zimbra <br />
cd /opt/zimbra/backup <br />
mv sessions sessions.OLD <br />
mv accounts.xml accounts.xml.OLD<br />
<br />
Verify the solution by taking a full backup again:<br />
<br />
/opt/zimbra/bin/zmbackup -f -a all<br />
<br />
====Suggestion====<br />
zmbackup is replaced by NG backup from ZCS 8.8.x onwards. The current LTS version is ZCS 8.8.15.<br />
<br />
{{SubmittedBy| Sourabh Bhushan}}<br />
<br />
<br />
{{Article Footer|ZCS 8.7|2020-04-13}}</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=Location_where_and_how_zimbra_stores_user_session_information_-_Eg:_IP,_browser&diff=67216Location where and how zimbra stores user session information - Eg: IP, browser2020-05-10T16:19:15Z<p>Sam4wiki: </p>
<hr />
<div>{{BC|Certified}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
=Location where (and how) zimbra stores user session information - Eg: IP, browser= <br />
<hr><br />
{{KB|{{ZC}}|{{ZCS 9.0}}|{{ZCS 8.8}}|{{ZCS 8.7}}|{{ZCS 8.6}}|{{ZCS 8.5}}|}} <br />
<br />
<br />
====Query====<br />
<br />
How can we locate where (and how) Zimbra stores user session information, e.g. IP, browser, etc.?<br />
<br />
====Info for ZCS 8.8.x and Older====<br />
<br />
This information is logged in mailbox.log, as follows:<br />
<br />
2015-05-19 09:18:14,671 INFO [qtp662845511-6940538:http://117.114.5.44:80/service/upload?fmt=extended,raw] [name=user@example.com;mid=2429;ip=137.194.52.34;oip=157.119.49.4;ua=Mozilla/5.0 (Windows NT 6.1;; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36;] FileUploadServlet - Received plain: Upload: { accountId=xxxxxxx-xxxx-xxxx-xxxx-dxxxxxxexa, time=Tue May 19 09:18:14 IST 2015, size=6522832, uploadId=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx:xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx, name=testfile.pdf, path=/opt/zimbra/data/tmp/upload/upload_fxxxxxx_xxxxxxxxx__8000_0123456.tmp }<br />
<br />
Where,<br />
<br />
http://117.114.5.44:80/service/upload?fmt=extended,raw<br />
is the service being accessed on the mailbox server; it also shows the protocol being used.<br />
<br />
name=user@example.com<br />
is the user name.<br />
<br />
oip=157.119.49.4<br />
is the IP of the user accessing the server.<br />
<br />
ua=Mozilla/5.0 (Windows NT 6.1;; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36<br />
is the user agent being used. The user is using the Chrome browser.<br />
<br />
<br />
====Info for ZCS 9.0 Modern UI====<br />
<br />
This information is logged in mailbox.log, as follows:<br />
<br />
2020-05-10 11:52:24,437 INFO [qtp366590980-371:https://ssarkar3.zimbrasupportlab.com/service/soap/BatchRequest] [name=samrat@pune.in;mid=4;ip=10.137.26.170;port=59890;ua=ZimbraXWebClient - FF76 (Windows)/9.0.0_GA_3935;soapId=70f87d96;] soap - (batch) SearchRequest elapsed=26<br />
<br />
Where,<br />
<br />
2020-05-10 11:52:24,437 INFO <br />
is self-explanatory.<br />
<br />
 [qtp366590980-371:https://ssarkar3.zimbrasupportlab.com/service/soap/BatchRequest]<br />
This shows which SOAP request is being served.<br />
<br />
name=samrat@pune.in<br />
The user which is being authenticated<br />
<br />
 ip=10.137.26.170<br />
The client IP<br />
<br />
ua=ZimbraXWebClient - FF76 (Windows)/9.0.0_GA_3935<br />
The user agent. zclient means the Zimbra modern web client; if accessed from ZCO, it will be ua=zco<br />
<br />
soapId=70f87d96;] soap - (batch) SearchRequest<br />
The SOAP ID and the SOAP request<br />
<br />
 elapsed=26<br />
The time in seconds that elapsed since the SOAP request was initiated.<br />
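<br />
Added example (not part of Zimbra or of the original article): a Python parser for the mailbox.log entries described above, returning the user, client IP and user agent of each entry. It assumes that a doubled semicolon (;;) inside a value is an escaped literal semicolon, as the "Windows NT 6.1;; WOW64" user agent in the sample suggests, and that oip is preferred over ip when both are present; all function names are hypothetical.

```python
import re

# Layout of a mailbox.log entry as it appears in the samples on this page:
# timestamp LEVEL [thread:url] [key=value;key=value;] category - message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+"
    r"\[(?P<thread>[^\]]*)\]\s+"
    r"\[(?P<ctx>.*?)\]\s+"
    r"(?P<category>\S+) - (?P<message>.*)$"
)


def split_context(ctx):
    """Turn 'k=v;k=v;' into a dict. Assumption: ';;' is an escaped ';'."""
    fields, buf = {}, []

    def flush():
        key, sep, value = "".join(buf).partition("=")
        buf.clear()
        if sep:
            fields[key.strip()] = value

    i = 0
    while i < len(ctx):
        if ctx[i] != ";":
            buf.append(ctx[i])
            i += 1
        elif ctx[i + 1:i + 2] == ";":   # doubled: keep one literal ';'
            buf.append(";")
            i += 2
        else:                            # single: end of this key=value pair
            flush()
            i += 1
    flush()
    return fields


def parse_line(line):
    """Return the parsed entry as a dict, or None if the line does not match
    (stack-trace continuation lines, truncated lines)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    thread, _, url = m.group("thread").partition(":")
    return {
        "ts": m.group("ts"), "level": m.group("level"),
        "thread": thread, "url": url,
        "fields": split_context(m.group("ctx")),
        "category": m.group("category"), "message": m.group("message"),
    }


def client_ip(fields):
    """Assumption: oip is the original client when present, otherwise ip."""
    return fields.get("oip") or fields.get("ip") or ""


def sessions(lines):
    """Unique (user, client IP, user agent) tuples seen in the given lines."""
    seen = set()
    for line in lines:
        rec = parse_line(line)
        if rec and "name" in rec["fields"]:
            f = rec["fields"]
            seen.add((f["name"], client_ip(f), f.get("ua", "")))
    return sorted(seen)


# The two sample entries from this page (first message shortened), plus one
# constructed continuation line that must be skipped.
SAMPLE_LINES = [
    ("2015-05-19 09:18:14,671 INFO [qtp662845511-6940538:http://117.114.5.44:80"
     "/service/upload?fmt=extended,raw] [name=user@example.com;mid=2429;"
     "ip=137.194.52.34;oip=157.119.49.4;ua=Mozilla/5.0 (Windows NT 6.1;; WOW64) "
     "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36;] "
     "FileUploadServlet - Received plain: Upload: { name=testfile.pdf }"),
    ("2020-05-10 11:52:24,437 INFO [qtp366590980-371:https://ssarkar3."
     "zimbrasupportlab.com/service/soap/BatchRequest] [name=samrat@pune.in;mid=4;"
     "ip=10.137.26.170;port=59890;ua=ZimbraXWebClient - FF76 (Windows)"
     "/9.0.0_GA_3935;soapId=70f87d96;] soap - (batch) SearchRequest elapsed=26"),
    "\tat com.zimbra.example.Constructed.frame(Constructed.java:1)",
]

if __name__ == "__main__":
    for user, ip, ua in sessions(SAMPLE_LINES):
        print(user, ip, ua, sep=" | ")
```

A naive split on every semicolon would cut the first user agent in two at "Windows NT 6.1", which is why the context block is scanned character by character.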
<br />
<br />
{{Article Footer|ZCS 9.0, 8.8, 8.7, 8.6|2018-08-13}}</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=Steps_to_fix_zmdailyreport_where_mutliple_MTAs_are_present&diff=67215Steps to fix zmdailyreport where mutliple MTAs are present2020-05-10T15:44:15Z<p>Sam4wiki: </p>
<hr />
<div>{{BC|Certified}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
=Fix "zmdailyreport" where multiple MTAs are present=<br />
<hr><br />
{{KB|{{ZC}}|{{ZCS 9.0}}|{{ZCS 8.8}}|{{ZCS 8.7}}|{{ZCS 8.6}}|{{ZCS 8.5}}|}} <br />
<br />
<br />
====Problem====<br />
* "zmdailyreport" does not support SMTP fail-over. <br />
* "zmdailyreport" sometimes does not work if more than one MTA is present in the ZCS environment. <br />
<br />
<br />
====Solution For ZCS 8.8.x and Older====<br />
If multiple MTAs are configured in the ZCS setup, the SMTP hosts sometimes fail to load in the dailyreport script.<br />
As a workaround, define a single SMTP host name in the script instead of the variable.<br />
<br />
<br />
=====Workaround 1:-=====<br />
To do this, edit "''/opt/zimbra/libexec/zmdailyreport''" as the root user and make the following changes. <br />
<br />
'''Before Changes:- '''<br />
$ENV{MAILADDRESS} = $from_address;<br />
my $mailer = Mail::Mailer->new( "smtp", Server => $smtphost, Port => $smtpport );<br />
$mailer->open(<br />
<br />
'''After Changes:- '''<br />
$ENV{MAILADDRESS} = $from_address;<br />
my $mailer = Mail::Mailer->new( "smtp", Server => "zimbra-smtp1.example.com", Port => $smtpport );<br />
$mailer->open(<br />
<br />
<br />
<br />
=====Workaround 2:-=====<br />
Edit "''/opt/zimbra/libexec/zmdailyreport''", comment out the "''smtphost''" entry, and define the SMTP server directly, as in the example below. <br />
 #my $smtphost = getLdapConfigValue("zimbraSmtpHostname") || "localhost";<br />
 my $smtphost = "zimbra-smtp1.example.com"; <br />
<br />
<br />
<br />
====Solution For ZCS 9.0====<br />
If multiple MTAs are configured in the ZCS setup, the SMTP hosts sometimes fail to load in the dailyreport script.<br />
As a workaround, define a single SMTP host name in the script instead of the variable.<br />
<br />
<br />
=====Workaround =====<br />
To do this, edit "''/opt/zimbra/libexec/zmdailyreport''" as the root user and make the following changes. <br />
<br />
'''Before Changes:- '''<br />
$ENV{MAILADDRESS} = $from_address;<br />
my $mailer = Mail::Mailer->new( "smtp", Server => $smtphost, Port => $smtpport );<br />
$mailer->open(<br />
<br />
'''After Changes:- '''<br />
$ENV{MAILADDRESS} = $from_address;<br />
my $mailer = Mail::Mailer->new( "smtp", Server => "zimbra-smtp1.example.com", Port => $smtpport );<br />
$mailer->open(<br />
<br />
<br />
Here are two bugs reported for this issue:- <br />
https://bugzilla.zimbra.com/show_bug.cgi?id=85161<br />
https://bugzilla.zimbra.com/show_bug.cgi?id=97024<br />
<br />
<br />
{| class="wikitable" style="background-color:#d0f0c0;" cellpadding="10"<br />
|'''Submitted by''': Heera Singh Koranga<br />
|}<br />
<br />
{{Article Footer|ZCS 9.0, 8.8, 8.7, 8.6|2017-08-23}}</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=End-User_Distribution_List_Management&diff=67214End-User Distribution List Management2020-05-10T15:22:55Z<p>Sam4wiki: </p>
<hr />
<div>{{BC|Certified}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
=End-User Distribution List Management=<br />
{{KB|{{ZC}}|{{ZCS 9.0}}|{{ZCS 8.8}}|{{ZCS 8.7}}|{{ZCS 8.6}}|}}<br />
<br />
==Problem ==<br />
How to enable End-User Distribution List Management<br />
<br />
==Solution==<br />
We can enable End-User Distribution List Management by giving the following grants to the user:<br />
<br />
zmprov grantRight domain domain.com usr user@domain.com createDistList<br />
zmprov fc -a account user@domain.com <br />
<br />
This is an ACL that will allow the user to create distribution lists.<br />
<br />
The user can then create and control DLs from the web interface itself.<br />
<br />
To do so, <br />
# Log in to the user account<br />
# Click on the 'Contacts' tab<br />
# Click on the drop down menu arrow on the 'New Contact' button and select 'Distribution List'.<br />The user can now create a new DL, add members to it, and can change the properties as needed.<br />
<br />
{| class="wikitable" style="background-color:#d0f0c0;" cellpadding="10"<br />
|'''Submitted by''': Sourabh Bhushan<br />
|}<br />
<br />
{{Article Footer|ZCS 9.0 Classic UI, 8.8, 8.7, 8.6, 8.0|8/8/2017}}<br />
{{NeedSME|Sourabh|SME2|Copyeditor}}<br />
[[Category:Troubleshooting MTA]]</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=Steps_to_fix_NULL_disclaimer_on_outgoing_emails&diff=67213Steps to fix NULL disclaimer on outgoing emails2020-05-10T13:54:58Z<p>Sam4wiki: </p>
<hr />
<div>{{BC|Certified}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
=How to fix NULL disclaimer on outgoing emails=<br />
<hr><br />
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 8.7}}|{{ZCS 8.6}}|{{ZCS 8.5}}|}} <br />
<br />
<hr><br />
<br />
<br />
====Problem====<br />
Outgoing emails from domains that are not configured with a domain disclaimer contain NULL at the end of each outgoing email.<br />
<br />
<br />
====Solution====<br />
<br />
Configuring ''zimbraDomainMandatoryMailSignatureEnabled=TRUE'' at global config enables disclaimer for all domains and adds NULL as the disclaimer where ''zimbraAmavisDomainDisclaimerHTML'' and ''zimbraAmavisDomainDisclaimerText'' are still not configured. <br />
<br />
As a workaround to prevent NULL from being added to other domains' outgoing emails, configure a blank disclaimer. <br />
<br />
With the steps below, three empty disclaimer files (.b64, .html, .txt) are generated in the path "/opt/zimbra/data/altermime/" :<br />
<br />
=====Step 1=====<br />
zmprov md <OTHER-DOMAIN> zimbraAmavisDomainDisclaimerHTML ""<br />
<br />
=====Step 2=====<br />
zmprov md <OTHER-DOMAIN> zimbraAmavisDomainDisclaimerText ""<br />
<br />
=====Step 3=====<br />
./libexec/zmaltermimeconfig -e <OTHER-DOMAIN> <br />
<br />
=====Step 4=====<br />
For setups with multiple Zimbra MTAs, make sure to run the zmaltermimeconfig command (no options) on the other Zimbra MTAs after enabling or disabling a domain disclaimer.<br> <br />
./libexec/zmaltermimeconfig<br />
<br />
<br />
Related bug - https://bugzilla.zimbra.com/show_bug.cgi?id=101069<br />
<br />
<br />
<br />
{| class="wikitable" style="background-color:#d0f0c0;" cellpadding="10"<br />
|'''Submitted by''': Heera Singh Koranga<br />
|}<br />
<br />
{{Article Footer|ZCS 9.0, 8.8, 8.7, 8.6, 8.5|2017-08-23}}</div>Sam4wikihttps://wiki.zimbra.com/index.php?title=Full_backups_failing_with_error_Missing_Account_List&diff=67212Full backups failing with error Missing Account List2020-05-10T13:05:01Z<p>Sam4wiki: </p>
<hr />
<div>{{BC|Certified}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
=Error : "Missing account list" while running Legacy full backup=<br />
<hr><br />
{{KB|{{ZC}}|{{ZCS 8.7}}||||}} <br />
<br />
<br />
====Problem: ====<br />
<br />
The following error appears when a full backup is executed:<br />
 /opt/zimbra/bin/zmbackup -f - all <br />
 Error occurred: invalid request: Missing account list<br />
<br />
The following error is observed in the /opt/zimbra/log/mailbox.log file:<br />
Error occurred: invalid request: Missing account list<br />
class=com.zimbra.common.soap.SoapFaultException<br />
message=invalid request: Missing account list<br />
isReceiversFault=false<br />
mIsLocal=false<br />
 mDetail=<soap:Detail><Error xmlns="urn:zimbra"><Code>service.INVALID_REQUEST</Code><Trace>qtp509886383-7512:https://127.0.0.1:7071/service/admin/soap/BackupRequest:1440585474466:7971caa86fd4f1d9</Trace></Error></soap:Detail><br />
 mFault=<soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>invalid request: Missing account list</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>service.INVALID_REQUEST</Code><Trace>qtp509886383-7512:https://127.0.0.1:7071/service/admin/soap/BackupRequest:1440585474466:7971caa86fd4f1d9</Trace></Error></soap:Detail></soap:Fault><br />
<br />
====Solution====<br />
This issue is seen when the /opt/zimbra/backup/accounts.xml file is missing or corrupt, which makes the new backup unable to read the previous backup entry.<br />
To resolve it, move the old sessions directory and the corrupt accounts.xml file aside using the following steps:<br />
<br />
su - zimbra <br />
cd /opt/zimbra/backup <br />
mv sessions sessions.OLD <br />
mv accounts.xml accounts.xml.OLD<br />
<br />
Verify the solution by taking a full backup again:<br />
<br />
/opt/zimbra/bin/zmbackup -f -a all<br />
<br />
====Suggestion====<br />
<br />
Legacy Backup is deprecated; we recommend using NG Backup.<br />
<br />
{{SubmittedBy| Sourabh Bhushan}}<br />
<br />
<br />
{{Article Footer|ZCS 8.8|2020-04-13}}</div>Sam4wiki