Zimbra 7->8.5 upgrade ssl failure
I have one master and one replica. LDAP Replication Installation.
$ zmlocalconfig -s ldap_host
ldap_host = alfa-ldap01.my.domain
--
Bartek
Zimbra 7->8.5 upgrade ssl failure
What is the output of this command?
/opt/zimbra/bin/zmcertmgr viewdeployedcrt
Run this as root.
Zimbra 7->8.5 upgrade ssl failure
[root@alfa-ldap01 ca]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
::service mta::
notBefore=Sep 3 08:45:10 2014 GMT
notAfter=Sep 3 08:45:10 2015 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-zmbox01.my.domain
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-ldap01.my.domain
SubjectAltName=
::service proxy::
notBefore=Sep 3 08:45:10 2014 GMT
notAfter=Sep 3 08:45:10 2015 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-zmbox01.my.domain
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-ldap01.my.domain
SubjectAltName=
::service ldap::
notBefore=Sep 3 08:45:10 2014 GMT
notAfter=Sep 3 08:45:10 2015 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-zmbox01.my.domain
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-ldap01.my.domain
SubjectAltName=
Zimbra 7->8.5 upgrade ssl failure
Hi,
When you created the new self-signed certificate, what common name did you select?
Try to follow the instructions at
http://wiki.zimbra.com/wiki/Administrat ... cate_Tools
in the section
Multi-Node Self-Signed Certificate
and try to use *.my.domain as the common name.
--
Laragio
Zimbra 7->8.5 upgrade ssl failure
Thank you very much for your support Laragio. This may be the solution. I will be able to check it next week.
Zimbra 7->8.5 upgrade ssl failure
I managed to check it today. Unfortunately, problem still exists. What I did:
[root@alfa-ldap01 ~]# /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/alfa-ldap01.my.domain.pkcs12...done.
** Creating keystore file /opt/zimbra/conf/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
[root@alfa-ldap01 ~]# /opt/zimbra/bin/zmcertmgr createca -new
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
[root@alfa-ldap01 ~]# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving global config key zimbraCertAuthorityCertSelfSigned...done.
** Saving global config key zimbraCertAuthorityKeySelfSigned...done.
** Copying CA to /opt/zimbra/conf/ca...done.
[root@alfa-ldap01 ~]# /opt/zimbra/bin/zmcertmgr createcrt -new -days 1825 -subjectAltNames "alfa-ldap01.my.domain,alfa-ldap02.my.domain ,alfa-zmbox01.my.domain,alfa-zmbox02.my.domain,alfa-mta01.my.domain,alfa-mta02.my.domain,alfa-proxy01.my.domain"
Validation days: 1825
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20141031072717
** Generating a server csr for download self -new -keysize 2048 -digest sha256
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20141031072717
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
[root@alfa-ldap01 ~]# /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/alfa-ldap01.my.domain.pkcs12...done.
** Creating keystore file /opt/zimbra/conf/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
Now deploy certs to all servers
[root@alfa-ldap01 ~]# /opt/zimbra/bin/zmcertmgr deploycrt self -allserver
** Saving global config key zimbraSSLCertificate...done.
** Saving global config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/alfa-ldap01.my.domain.pkcs12...done.
** Creating keystore file /opt/zimbra/conf/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
STARTCMD: alfa-ldap02.my.domain sudo /opt/zimbra/bin/zmcertmgr getcrt self -allserver
** Retrieving global config key zimbraSSLCertificate...done.
** Retrieving global config key zimbraSSLPrivateKey...done.
ENDCMD: alfa-ldap02.my.domain sudo /opt/zimbra/bin/zmcertmgr getcrt self -allserver
STARTCMD: alfa-ldap02.my.domain sudo /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/alfa-ldap02.my.domain.pkcs12...done.
** Creating keystore file /opt/zimbra/conf/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
ENDCMD: alfa-ldap02.my.domain sudo /opt/zimbra/bin/zmcertmgr deploycrt self
Warning: Permanently added 'alfa-mta01.my.domain,172.20.1.21' (RSA) to the list of known hosts.
STARTCMD: alfa-mta01.my.domain sudo /opt/zimbra/bin/zmcertmgr getcrt self -allserver
** Retrieving global config key zimbraSSLCertificate...done.
** Retrieving global config key zimbraSSLPrivateKey...done.
ENDCMD: alfa-mta01.my.domain sudo /opt/zimbra/bin/zmcertmgr getcrt self -allserver
STARTCMD: alfa-mta01.my.domain sudo /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/alfa-mta01.my.domain.pkcs12...done.
** Creating keystore file /opt/zimbra/conf/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
ENDCMD: alfa-mta01.my.domain sudo /opt/zimbra/bin/zmcertmgr deploycrt self
Warning: Permanently added 'alfa-mta02.my.domain,172.20.1.22' (RSA) to the list of known hosts.
STARTCMD: alfa-mta02.my.domain sudo /opt/zimbra/bin/zmcertmgr getcrt self -allserver
** Retrieving global config key zimbraSSLCertificate...done.
** Retrieving global config key zimbraSSLPrivateKey...done.
ENDCMD: alfa-mta02.my.domain sudo /opt/zimbra/bin/zmcertmgr getcrt self -allserver
STARTCMD: alfa-mta02.my.domain sudo /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/alfa-mta02.my.domain.pkcs12...done.
** Creating keystore file /opt/zimbra/conf/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
ENDCMD: alfa-mta02.my.domain sudo /opt/zimbra/bin/zmcertmgr deploycrt self
Warning: Permanently added 'alfa-proxy01.my.domain,172.20.1.20' (RSA) to the list of known hosts.
STARTCMD: alfa-proxy01.my.domain sudo /opt/zimbra/bin/zmcertmgr getcrt self -allserver
** Retrieving global config key zimbraSSLCertificate...done.
** Retrieving global config key zimbraSSLPrivateKey...done.
ENDCMD: alfa-proxy01.my.domain sudo /opt/zimbra/bin/zmcertmgr getcrt self -allserver
STARTCMD: alfa-proxy01.my.domain sudo /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/alfa-proxy01.my.domain.pkcs12...done.
** Creating keystore file /opt/zimbra/conf/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
ENDCMD: alfa-proxy01.my.domain sudo /opt/zimbra/bin/zmcertmgr deploycrt self
STARTCMD: alfa-zmbox01.my.domain sudo /opt/zimbra/bin/zmcertmgr getcrt self -allserver
** Retrieving global config key zimbraSSLCertificate...done.
** Retrieving global config key zimbraSSLPrivateKey...done.
ENDCMD: alfa-zmbox01.my.domain sudo /opt/zimbra/bin/zmcertmgr getcrt self -allserver
STARTCMD: alfa-zmbox01.my.domain sudo /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
ENDCMD: alfa-zmbox01.my.domain sudo /opt/zimbra/bin/zmcertmgr deploycrt self
STARTCMD: alfa-zmbox02.my.domain sudo /opt/zimbra/bin/zmcertmgr getcrt self -allserver
** Retrieving global config key zimbraSSLCertificate...done.
** Retrieving global config key zimbraSSLPrivateKey...done.
ENDCMD: alfa-zmbox02.my.domain sudo /opt/zimbra/bin/zmcertmgr getcrt self -allserver
STARTCMD: alfa-zmbox02.my.domain sudo /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
ENDCMD: alfa-zmbox02.my.domain sudo /opt/zimbra/bin/zmcertmgr deploycrt self
Just in case:
[root@alfa-ldap01 ~]# /etc/init.d/zimbra restart
And now verify the certificate was deployed.
[root@alfa-ldap01 ~]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
::service mta::
notBefore=Oct 31 06:27:22 2014 GMT
notAfter=Oct 30 06:27:22 2019 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-ldap01.my.domain
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-ldap01.my.domain
SubjectAltName= alfa-ldap01.my.domain, alfa-ldap02.my.domain, alfa-mta01.my.domain, alfa-mta02.my.domain, alfa-proxy01.my.domain, alfa-zmbox01.my.domain, alfa-zmbox02.my.domain
::service proxy::
notBefore=Oct 31 06:27:22 2014 GMT
notAfter=Oct 30 06:27:22 2019 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-ldap01.my.domain
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-ldap01.my.domain
SubjectAltName= alfa-ldap01.my.domain, alfa-ldap02.my.domain, alfa-mta01.my.domain, alfa-mta02.my.domain, alfa-proxy01.my.domain, alfa-zmbox01.my.domain, alfa-zmbox02.my.domain
::service ldap::
notBefore=Oct 31 06:27:22 2014 GMT
notAfter=Oct 30 06:27:22 2019 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-ldap01.my.domain
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-ldap01.my.domain
SubjectAltName= alfa-ldap01.my.domain, alfa-ldap02.my.domain, alfa-mta01.my.domain, alfa-mta02.my.domain, alfa-proxy01.my.domain, alfa-zmbox01.my.domain, alfa-zmbox02.my.domain
And verification on MTA server
[root@alfa-mta01 ~]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
::service mta::
notBefore=Oct 31 06:27:22 2014 GMT
notAfter=Oct 30 06:27:22 2019 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-ldap01.my.domain
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-ldap01.my.domain
SubjectAltName= alfa-ldap01.my.domain, alfa-ldap02.my.domain, alfa-mta01.my.domain, alfa-mta02.my.domain, alfa-proxy01.my.domain, alfa-zmbox01.my.domain, alfa-zmbox02.my.domain
::service proxy::
notBefore=Oct 31 06:27:22 2014 GMT
notAfter=Oct 30 06:27:22 2019 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-ldap01.my.domain
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-ldap01.my.domain
SubjectAltName= alfa-ldap01.my.domain, alfa-ldap02.my.domain, alfa-mta01.my.domain, alfa-mta02.my.domain, alfa-proxy01.my.domain, alfa-zmbox01.my.domain, alfa-zmbox02.my.domain
::service ldap::
notBefore=Oct 31 06:27:22 2014 GMT
notAfter=Oct 30 06:27:22 2019 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-ldap01.my.domain
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-ldap01.my.domain
SubjectAltName= alfa-ldap01.my.domain, alfa-ldap02.my.domain, alfa-mta01.my.domain, alfa-mta02.my.domain, alfa-proxy01.my.domain, alfa-zmbox01.my.domain, alfa-zmbox02.my.domain
[root@alfa-mta01 zcs-8.5.0_GA_3042.RHEL6_64.20140828192005]# ./install.sh
...
...
This appears to be 8.0.7_GA
Unable to start TLS: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed when connecting to ldap master.
UPGRADE FAILED - exiting.
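A check to run against the `viewdeployedcrt` output shown in this thread, as an added example that is not part of any post or of Zimbra's tooling: it parses each `::service::` stanza and reports whether the host a client connects to is covered by the SAN list (or by the CN when no SAN is present, an assumption about the verifier's fallback) and whether the certificate is inside its validity window. The function names are hypothetical; the sample stanzas are copied from the outputs above.

```python
import re
from datetime import datetime, timezone

# Stanzas copied from the thread's `viewdeployedcrt` output on alfa-ldap01.
BEFORE = """\
::service mta::
notBefore=Sep 3 08:45:10 2014 GMT
notAfter=Sep 3 08:45:10 2015 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-zmbox01.my.domain
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-ldap01.my.domain
SubjectAltName=
::service ldap::
notBefore=Sep 3 08:45:10 2014 GMT
notAfter=Sep 3 08:45:10 2015 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-zmbox01.my.domain
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-ldap01.my.domain
SubjectAltName=
"""
AFTER = """\
::service ldap::
notBefore=Oct 31 06:27:22 2014 GMT
notAfter=Oct 30 06:27:22 2019 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-ldap01.my.domain
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=alfa-ldap01.my.domain
SubjectAltName= alfa-ldap01.my.domain, alfa-ldap02.my.domain, alfa-mta01.my.domain, alfa-mta02.my.domain, alfa-proxy01.my.domain, alfa-zmbox01.my.domain, alfa-zmbox02.my.domain
"""

DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # date layout used in the output above


def _when(value):
    """Parse a notBefore/notAfter value into an aware UTC datetime."""
    if not value:
        return None
    return datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)


def parse_viewdeployedcrt(text):
    """Return {service: {"cn", "sans", "not_before", "not_after"}}."""
    raw, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        header = re.fullmatch(r"::service (\S+)::", line)
        if header:
            current = raw.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    certs = {}
    for service, f in raw.items():
        cn = re.search(r"/CN=([^/]+)", f.get("subject", ""))
        sans = f.get("SubjectAltName", "").split(",")
        certs[service] = {
            "cn": cn.group(1) if cn else None,
            "sans": [s.strip() for s in sans if s.strip()],
            "not_before": _when(f.get("notBefore")),
            "not_after": _when(f.get("notAfter")),
        }
    return certs


def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        label, _, rest = h.partition(".")
        return bool(label) and rest == p[2:]
    return p == h


def audit(text, connect_host, now):
    """List (service, problem) pairs for a client connecting to connect_host."""
    findings = []
    for service, cert in parse_viewdeployedcrt(text).items():
        # SAN entries take precedence; the CN is consulted only when there are none.
        names = cert["sans"] or [n for n in [cert["cn"]] if n]
        if not any(name_matches(n, connect_host) for n in names):
            findings.append((service, "hostname-mismatch"))
        if cert["not_before"] and now < cert["not_before"]:
            findings.append((service, "not-yet-valid"))
        if cert["not_after"] and now > cert["not_after"]:
            findings.append((service, "expired"))
    return findings


if __name__ == "__main__":
    now = datetime(2014, 10, 31, 12, 0, tzinfo=timezone.utc)
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(sample, "alfa-ldap01.my.domain", now))
```

An empty list for the regenerated certificate covers names and dates only; this output says nothing about whether the connecting node trusts the issuing CA, which is what `openssl verify -CAfile` checks.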
Zimbra 7->8.5 upgrade ssl failure
Hi,
did you test using this command
/opt/zimbra/bin/zmcertmgr createcrt -new -days 1825 -subjectAltNames "*.example.com"
replacing example.com with your domain?
After that I don't know what the problem is. A solution is to buy a commercial certificate.
--
Laragio
Zimbra 7->8.5 upgrade ssl failure
Finally we decided to reinstall the whole Zimbra environment using 8.0.9 and wait for a more stable 8.5.x version. We also gave up on separate servers for LDAP and proxy.
--
Bartek
Zimbra 7->8.5 upgrade ssl failure
I had the same _annoying_ problem (I wish this can be overridden..)
Your proxy certs need to match the LDAP cert.
This is what I did. I have a root certificate from Entrust.net which is *.example.com
Copy the cert to your LDAP server and do this:
cp commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
cp commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial.crt
cp commercial_ca.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
/opt/zimbra/openssl/bin/openssl verify -CAfile commercial_ca.crt commercial.crt
/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
su - zimbra
zmcontrol stop
zmcontrol start
Then on your Proxy servers, do the same thing:
cp commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
cp commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial.crt
cp commercial_ca.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
/opt/zimbra/openssl/bin/openssl verify -CAfile commercial_ca.crt commercial.crt
/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
su - zimbra
zmcontrol stop
zmcontrol start
Then run through the Proxy upgrade again and it will work.
I tried ALL the methods you mention such as
/opt/zimbra/bin/zmcertmgr deploycrt self
and
/opt/zimbra/bin/zmcertmgr deploycrt self -allserver
They did not work for me, but the method I used worked with no issues in my Dev, Staging and Production environment every time.
I hope it helps.
Re: Zimbra 7->8.5 upgrade ssl failure
I'm facing issues with the LDAP installation.
First it was giving:
Unable to start TLS: hostname verification failed when connecting to ldap master.
Then I manually changed the URL and now services won't start:
zimbra@unreal:~/conf/nginx/includes$ zmcontrol status
Size error: Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
Host unreal.cafe
amavis Running
antispam Running
antivirus Running
ldap Running
logger Stopped
zmlogswatchctl is not running
mailbox Stopped
zmmailboxdctl is not running.
memcached Running
mta Running
opendkim Running
proxy Running
service webapp Stopped
zmmailboxdctl is not running.
snmp Running
spell Running
stats Running
zimbra webapp Stopped
zmmailboxdctl is not running.
zimbraAdmin webapp Stopped
zmmailboxdctl is not running.
zimlet webapp Stopped
zmmailboxdctl is not running.
zmconfigd Stopped
zmconfigd is not running.