Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

Post by jorgedlcruz »

Hi guys,

We are still talking about this topic. I will write a Wiki article with help in these days, with all the possible options, including the Proxy one, livepoolfcfan.



I will return with the Wiki article.



Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
kocarb
Posts: 1
Joined: Fri Jan 09, 2015 12:36 pm

Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

Post by kocarb »

try with ./install.sh --skip-upgrade-check
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

Post by jorgedlcruz »

This solution was provided before in this thread, but it is not the recommended one. In the next upgrade, from 8.6 to 8.7, etc., you will have the same error; the best thing is to try to fix the problem with the SSL certificate now.



Best regards.
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
faulumpy
Posts: 48
Joined: Fri Sep 12, 2014 10:39 pm
ZCS/ZD Version: Release 8.6.0.GA.1153.UBUNTU14.64 U

Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

Post by faulumpy »

I assume you have split DNS set up. Would it be feasible to change the A name for your DMZ zone to "zimbra.<MYDOMAIN>.de", introduce a CNAME of "zimbra.dmz.<MYDOMAIN>.de", and also change /etc/hosts on your Zimbra server to contain zimbra.<MYDOMAIN>.de?
Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.6.0_P6.
j2b
Advanced member
Posts: 187
Joined: Fri Sep 12, 2014 11:45 pm
ZCS/ZD Version: Release 8.6.0.GA.1153.UBUNTU12.64 U

Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

Post by j2b »

I have a slightly different ZCS layout, but the problem is the same. In a multi-server OSE installation, I was upgrading from 8.0.7 to 8.6. All servers that had Zimbra-created self-signed SSL certificates updated well; a couple remained that had commercial certs. Main differences:



* LDAP is not on ldaps - it's on 389 (internal networks)

* Initially, ZCS was installed with its own self-signed certs, and afterwards, for several years, commercial certs were deployed with the CLI, as the Admin UI never worked, and there were no problems with this until now

* all of my ZCS servers' hostnames are the same ones used across the whole ZCS stack, including public-facing servers, where the SSL CN contains the same hostname as it is in the SSL certificate and on the server

* we use split DNS, and resolutions are fine



My assumption is that there's a difference between SSL and TLS (https://community.thawte.com/blog-posts ... sl-and-tls). Due to the error that is given, the problem is in the TLS connection, not SSL, as the commercial one has to have a public key available to do encryption, whereas TLS should not (please correct me if I'm wrong).



In such a case, even if ldaps is launched, other servers do not get auth access to it, as they were reaching LDAP over the regular port. Would it be enough just to change zmlocalconfig? I think that keys should be populated into the LDAP database to build a communication, but just changing ldap to ldaps would not populate these keys, or does it?



Upgrading without verification would result in other issues on the next upgrades, so I'd prefer to avoid it, but I cannot find any info on how to move forward from this point. The ZCS servers that do not upgrade to 8.6 are the Proxy and MTA servers (each on a separate machine).



Thank you for an update on this information.
sub1
Posts: 5
Joined: Mon Dec 22, 2014 4:37 am

Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

Post by sub1 »

Hi j2b,



For my case, I was able to update after modifying bin/zmValidateLdap.pl in the source folder.



66 if ($ldapp = Net::LDAP->new($master) ) {
67     $mesgp = $ldapp->start_tls(
68         verify => 'verify',
69         capath => "/opt/zimbra/conf/ca",
70     );

line 68 was

68         verify => 'require',



But I was not in a Multi-server installation.
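As an added example (not code from the thread or from Zimbra), the check that zmValidateLdap.pl performs with verify => 'require' redone in the Python standard library, so an admin can reproduce the "certificate verify failed" against the LDAP master and read the exact reason before re-running the upgrade; the host and port are assumed arguments, the capath /opt/zimbra/conf/ca is the one from the snippet above, and the BER helpers are hand-written to keep the script dependency-free.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV, with short or long definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def build_starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }"""
    ext = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + ext)  # assumes msg_id < 128

def _read_tlv(buf: bytes, pos: int):
    """Decode one TLV at pos; return (tag, body, position after it)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                               # long form: next k bytes hold the length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def parse_extended_response(buf: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse."""
    _, msg, _ = _read_tlv(buf, 0)               # outer LDAPMessage SEQUENCE
    _, mid, p = _read_tlv(msg, 0)               # messageID INTEGER
    tag, op, _ = _read_tlv(msg, p)              # protocolOp
    if tag != 0x78:                             # [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse, tag 0x%02x" % tag)
    _, code, p = _read_tlv(op, 0)               # resultCode ENUMERATED, 0 = success
    _, _dn, p = _read_tlv(op, p)                # matchedDN
    _, diag, _ = _read_tlv(op, p)               # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()

def check_ldap_master(host: str, port: int = 389, capath: str = "/opt/zimbra/conf/ca"):
    """StartTLS, then verify chain + hostname against capath as verify => 'require' does.
    Returns the peer certificate dict or raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context(capath=capath)  # CERT_REQUIRED and check_hostname
    with socket.create_connection((host, port), timeout=10) as raw:
        raw.sendall(build_starttls_request(1))
        _, code, diag = parse_extended_response(raw.recv(4096))
        if code != 0:
            raise RuntimeError("StartTLS refused (result %d): %s" % (code, diag))
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()
```

Net::LDAP documents only none, optional and require as verify modes, so the 'verify' value in the workaround above is not a documented mode and should be read as dropping the chain check rather than satisfying it; this script keeps the check and tells you which certificate in the chain the CA store in capath cannot validate.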
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

Post by jorgedlcruz »

Hi sub1,

It was better to run the ./install.sh script with --skip-upgrade-check, I think, wasn't it, sub1?



I will take a look with the rest of the team.



Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
j2b
Advanced member
Posts: 187
Joined: Fri Sep 12, 2014 11:45 pm
ZCS/ZD Version: Release 8.6.0.GA.1153.UBUNTU12.64 U

Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

Post by j2b »

Hi, sub1!



OK, that's what I've understood from this long discussion. But to my understanding, it's actually the same as going with ./install.sh --skip-upgrade-check; you just found a place in the script where to solve this. Isn't it so?



--skip-upgrade-check: I actually did that once on the proxy. The update process finished very fast (too fast to acknowledge that it was actually updated), and there were errors in the outcome of it. Yet zmcontrol -v did display the updated ZCS version. I was not sure if it actually did upgrade, and decided to revert back.



Still trying to understand the core of the problem, to solve it. Here in this thread and on IRC, I got confirmation that there's an issue in 8.6 when commercial and self-signed certs are used together, but for now I do not have any resolution on this. As well, I think it's kind of strange why Zimbra would like to enforce commercial certs on every node of a multi-server installation. It's kind of not their business, nor does it actually enforce real security, especially if people use ZCS in internal networks. As a minimum, it raises server load and complexity. :)
j2b
Advanced member
Posts: 187
Joined: Fri Sep 12, 2014 11:45 pm
ZCS/ZD Version: Release 8.6.0.GA.1153.UBUNTU12.64 U

Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

Post by j2b »

Hi, guys, again!



Just re-ran the upgrade with --skip-upgrade-check: 46 seconds after answering all the wizard's default questions, and the result is:



Upgrading from 8.0.7_GA_6020 to 8.6.0_GA_1153
Stopping zimbra services...done.
This appears to be 8.0.7_GA
Unable to start TLS: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed when connecting to ldap master.
UPGRADE FAILED - exiting.

~$ zmcontrol -v
Release 8.6.0.GA.1153.UBUNTU12.64 UBUNTU12_64 FOSS edition.



So, apparently, there's a bug in the upgrade script, or the zmcontrol -v variable is just changed. How to find out whether the upgrade is really done, just without creating the connection?



The SSL (commercial) certificate was visible before in the Admin UI for that particular server. Just did it on the Proxy... (reverting back)...
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

Post by jorgedlcruz »

Hi j2b,

The problem is not being forced to move to commercial certificates; the problem is having different CAs in the same mailbox. This is the real issue, and it is not well supported.

So you can use self-signed or commercial, but not both mixed. Well, you can do the next trick if you choose commercial only:

1.- Put all the hostnames inside your infrastructure as SAN domains, for example: zmb01.domain.com, zmb02.domain.com, zmmta01.domain.com, etc. Also you can protect other domains that you have, like client1.domain1.com, client2.domain2.net, etc. The same applies if you are using non-TLD domains, like zmb01.domain.chicagolocal, zmb02.chicagolocal, etc. And then deploy the commercial SSL certificate on all of your hosts.

2.- If you have a valid TLD external domain like *.example.com, for example: zmb01.domain.com, zmb02.domain.com, zmmta01.domain.com, etc., just buy a wildcard SSL certificate and protect all the hosts with the same SSL certificate.

3.- I didn't try this last one, but: have all the commercial SSL certificates per domain on the Proxy, and a self-signed SSL certificate for the rest of the environment. Maybe on the Proxy you need to run the skip check flag, I'm not 100% sure.



If you run the skip check, Zimbra will continue and will install without problem, but it is always good to fix the cert issue, because maybe in the future there will not be the skip check flag, who knows.



Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
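As an added example (not from the post or from Zimbra), a small planning check for options 1 and 2 above: given the SAN entries a certificate would carry and the inventory of Zimbra hostnames, it reports which hosts would be left uncovered, so you can see where an explicit SAN list is needed and where a wildcard suffices. The hostnames are constructed from the names in the post; the wildcard rule is the RFC 6125 one (a wildcard only as the whole left-most label, matching exactly one label).

```python
def san_matches(pattern: str, hostname: str) -> bool:
    """True if one SAN dNSName entry covers hostname. A wildcard is accepted only as
    the entire left-most label and matches exactly one label, so *.domain.com covers
    zmb01.domain.com but not domain.com, a.b.domain.com or zmb01.domain.chicagolocal."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or "*" in plabels[1:]:
        return False  # partial wildcards (z*.domain.com) and inner wildcards are rejected
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def uncovered_hosts(san_names, hostnames):
    """Hosts in the inventory that no SAN entry matches (these would fail peer checks)."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in san_names)]


# Constructed inventory in the spirit of the post: public names plus an internal-only one.
ZIMBRA_HOSTS = [
    "zmb01.domain.com", "zmb02.domain.com", "zmmta01.domain.com",
    "zmb01.domain.chicagolocal", "client1.domain1.com",
]
WILDCARD_ONLY = ["*.domain.com"]                       # option 2
SAN_LIST = ["zmb01.domain.com", "zmb02.domain.com",    # option 1
            "zmmta01.domain.com", "zmb01.domain.chicagolocal",
            "client1.domain1.com"]

if __name__ == "__main__":
    print("wildcard leaves uncovered:", uncovered_hosts(WILDCARD_ONLY, ZIMBRA_HOSTS))
    print("SAN list leaves uncovered:", uncovered_hosts(SAN_LIST, ZIMBRA_HOSTS))
```

Note that publicly trusted CAs no longer issue certificates for internal-only names such as the .chicagolocal ones, so hosts with such names end up on the self-signed or private-CA side regardless of which option is chosen for the public names.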