Difference between revisions of "Unable to create a successful TLS connection to the ldap masters"


Latest revision as of 14:07, 31 August 2018

When upgrading to 8.5x, "Unable to create a successful TLS connection to the ldap masters" comes up


KB 23366. Last updated on 2018-08-31






Problem

When upgrading from 7.x or 8.0.x to 8.5+, the upgrade stops with the error:

Unable to create a successful TLS connection to the ldap masters.
Fix cert configuration prior to upgrading


Solution

To fix this, any one of the following can be tried:

Method 1: Using a commercial certificate

If a valid commercial certificate is available, such as a wildcard certificate, deploying it on all the nodes will fix the error.


Method 2: Deploying a certificate using the LDAP's CA
  • Copy the CA from the LDAP server to the other servers:
    rsync -Pa /opt/zimbra/ssl/zimbra/ca/ root@otherserver.example.com:/opt/zimbra/ssl/zimbra/ca/
  • Deploy this CA on the other servers:
    /opt/zimbra/bin/zmcertmgr deployca
  • Recreate and redeploy the self-signed cert on the other servers:
    /opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
    /opt/zimbra/bin/zmcertmgr deploycrt self

The certificates on those servers are now created using the LDAP server's newly deployed CA, so the LDAP server should recognize them as valid.
This is the best approach when self-signed certificates are used.
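The upgrade stops because a node's server certificate does not chain to the CA the LDAP master trusts; Method 2 fixes that by distributing the LDAP CA and re-issuing each node's certificate. The script below is an added example and not part of the original article: it shows how to confirm the condition before (and after) the fix with `openssl verify`, and how to check a live LDAP master over StartTLS. To run offline it builds a constructed fixture in a temporary directory: a CA, a leaf signed by that CA (the post-fix state), and an unrelated self-signed leaf (the pre-fix state). The file names ca.pem and server/server.crt under /opt/zimbra/ssl/zimbra/ are assumptions; only the ca/ directory is named in the article.

```shell
#!/bin/sh
# Added example, not part of the Zimbra wiki article. Pre-upgrade check:
# does a node's server certificate chain to the CA the LDAP master trusts?
# That is the condition behind "Unable to create a successful TLS connection
# to the ldap masters". Requires the openssl CLI.
#
# Assumed paths (only /opt/zimbra/ssl/zimbra/ca/ is named in the article):
#   CA bundle:      /opt/zimbra/ssl/zimbra/ca/ca.pem
#   node leaf cert: /opt/zimbra/ssl/zimbra/server/server.crt

# Offline check: exit 0 if CERT_FILE ($2) verifies against CA_FILE ($1),
# non-zero otherwise.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same check, but returns openssl's last output line so the reason is visible
# (a node still using its own CA shows up as a self-signed certificate error).
cert_verify_message() {
    openssl verify -CAfile "$1" "$2" 2>&1 | tail -n 1
}

# Live check against a running LDAP master over StartTLS (not exercised by the
# fixture below because it needs a network peer). Exit 0 only if the chain
# presented by HOST:PORT verifies against CA_FILE.
ldap_starttls_chain_ok() {
    host="$1"; port="$2"; ca_file="$3"
    openssl s_client -starttls ldap -connect "$host:$port" -CAfile "$ca_file" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Constructed fixture: a CA, a leaf signed by that CA (what a node has after
# "deployca" + "createcrt"), and an unrelated self-signed leaf (the pre-fix
# state). Prints the temp directory; the caller removes it.
make_fixture() {
    dir=$(mktemp -d)
    # CA key and self-signed CA certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=ldap-master-ca.example.test" >/dev/null 2>&1
    # leaf issued by that CA
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/good.key" -out "$dir/good.csr" \
        -subj "/CN=mailbox.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$dir/good.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 3650 -out "$dir/good.crt" >/dev/null 2>&1
    # stand-alone self-signed leaf with no relation to the CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/bad.key" -out "$dir/bad.crt" \
        -subj "/CN=mailbox.example.test" >/dev/null 2>&1
    printf '%s\n' "$dir"
}

# Stand-alone demo: sh check.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(make_fixture)
    for crt in good.crt bad.crt; do
        printf '%s: %s\n' "$crt" "$(cert_verify_message "$d/ca.pem" "$d/$crt")"
    done
    rm -rf "$d"
fi
```

On a real deployment, run `cert_chains_to_ca` on each node with the LDAP master's ca.pem (the file copied by the rsync step) and that node's leaf certificate; a node that fails before Method 2 and passes after `createcrt` and `deploycrt self` is in the state the upgrade precheck expects. The `ldap_starttls_chain_ok` function gives the same answer from the network side, which is closer to what the upgrade actually tests.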


Method 3: Disabling all TLS connections

Run this on the LDAP and proxy servers before the upgrade:

su - zimbra
zmlocalconfig -e ssl_allow_untrusted_certs=true
zmlocalconfig -e ldap_starttls_supported=0
zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_common_require_tls=0
zmcontrol restart

While these settings are in effect, certificate validation is off and LDAP traffic between the nodes is no longer protected by StartTLS. After the upgrade is done, a new self-signed CA and certificate can be deployed across the environment, and TLS can then be re-enabled by reverting the four zmlocalconfig settings above to their previous values.


Submitted by: Shashank Shekhar Tewari
Verified Against: ZCS 8.8, 8.7, 8.6, 8.5
Date Created: 2018-08-17
Article ID: https://wiki.zimbra.com/index.php?title=Unable_to_create_a_successful_TLS_connection_to_the_ldap_masters
Date Modified: 2018-08-31


