Unable to create a successful TLS connection to the ldap masters: Difference between revisions
Revision as of 00:08, 31 July 2018
When upgrading to 8.5x, "Unable to create a successful TLS connection to the ldap masters" comes up
Problem
When upgrading from 7.x or 8.0.x to 8.5+, the upgrade stops with the error:
Unable to create a successful TLS connection to the ldap masters. Fix cert configuration prior to upgrading
Solution
To fix this, try any one of the following:
Method 1
Using a commercial certificate
If a valid commercial certificate is available, such as a wildcard certificate, deploying it on all the nodes fixes the error.
Method 2
Deploying a certificate using the LDAP's CA
Step 1
Copy the CA from the LDAP server to the other servers:
rsync -Pa /opt/zimbra/ssl/zimbra/ca/ root@otherserver.example.com:/opt/zimbra/ssl/zimbra/ca/
Step 2
Deploy this CA on the other servers:
/opt/zimbra/bin/zmcertmgr deployca
Step 3
Recreate and redeploy the self-signed certificate on the other servers:
/opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
/opt/zimbra/bin/zmcertmgr deploycrt self
The certificates are now signed by the LDAP server's newly deployed CA, so the LDAP server should recognize them as valid.
This would be the best way to do it if self-signed certificates are used.
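As an added example (not part of the wiki article), a POSIX shell script that checks, before starting the upgrade, whether a node's certificate chains to the CA copied over from the LDAP master and whether the copied CA matches the master's. The paths /opt/zimbra/ssl/zimbra/ca/ca.pem and /opt/zimbra/ssl/zimbra/server/server.crt are assumed Zimbra defaults; the self-test builds throwaway certificates with openssl so it runs on any host.

```shell
#!/bin/sh
# Added example, not part of the wiki article: check that a node's certificate
# chains to the CA copied from the LDAP master before running the upgrade.
# The two default paths are assumed Zimbra defaults; override them via env.
ZIMBRA_CA="${ZIMBRA_CA:-/opt/zimbra/ssl/zimbra/ca/ca.pem}"
ZIMBRA_CRT="${ZIMBRA_CRT:-/opt/zimbra/ssl/zimbra/server/server.crt}"

# check_chain CA_FILE CERT_FILE: succeeds only if CERT_FILE is signed by CA_FILE
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# same_ca FILE_A FILE_B: succeeds if both hold the same CA certificate, i.e. the
# rsync from the LDAP master landed intact (compare against a copy from the master)
same_ca() {
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ "$a" = "$b" ]
}

# selftest: builds throwaway certificates in a temp dir (constructed test data)
# so the checks can be exercised on any host with openssl, not only a Zimbra node
selftest() {
    d=$(mktemp -d) || return 1
    # CA standing in for the LDAP master's CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ldap-ca" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    # leaf signed by that CA: the state after deployca + createcrt + deploycrt
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mbox.example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.crt" >/dev/null 2>&1
    # unrelated self-signed cert: the state that triggers the upgrade error
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=stale" \
        -keyout "$d/stale.key" -out "$d/stale.crt" >/dev/null 2>&1
    check_chain "$d/ca.pem" "$d/leaf.crt" &&
        ! check_chain "$d/ca.pem" "$d/stale.crt" &&
        same_ca "$d/ca.pem" "$d/ca.pem" &&
        ! same_ca "$d/ca.pem" "$d/stale.crt"
    rc=$?
    rm -rf "$d"
    return $rc
}

case "${1:-}" in
    --selftest) selftest && echo "selftest: ok" ;;
    --check) check_chain "$ZIMBRA_CA" "$ZIMBRA_CRT" && echo "$ZIMBRA_CRT chains to $ZIMBRA_CA" ;;
esac
```

Run with --check on each mailbox/proxy node after Step 3; a failure means the node's server.crt was not issued by the deployed CA and the upgrade check will still trip.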
Method 3
Disabling all TLS connections
Run this on the LDAP and proxy servers before the upgrade:
su - zimbra
zmlocalconfig -e ssl_allow_untrusted_certs=true
zmlocalconfig -e ldap_starttls_supported=0
zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_common_require_tls=0
zmcontrol restart
After the upgrade is done, deploy a new self-signed CA and certificate across the environment, then re-enable TLS by reverting the values above; until they are reverted, LDAP connections run without STARTTLS and untrusted certificates are accepted.
Submitted by: Shashank Tewari