Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters


Post by quanah »

This answer to use ldaps is completely wrong. There's never been a requirement to use ldaps, and there never will be, as it is a deprecated method that was never even a standard.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/

Post by quanah »

If you are going to mix self signed certs and commercial certs, then the CA chains for all of them must be present for validation.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/

Post by jorgedlcruz »

Hi guys, could you please update this thread with your results?

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/

Post by sub1 »

Hi Jorge,

I don't understand quanah's suggested answer. My certificate and CA chains are valid.
My server hostname does not match the CN on certificate but this configuration was valid before 8.6.0.

I can't renew my certificates and add subjectaltnames for a private DNS domain.

I think that the only option for me in this thread is to rename my zimbra server (and I'm not sure that it will work with a wildcard cert without subjectaltnames). It's quite a big change and I can't afford to apply it without testing.

Regards.

Post by t.goetten »

Hi Jorge,

I talked to Namecheap about PositiveSSL Multi-Domain. They said that their certificates cannot be used to secure internal domain names. If I tried to set SubjectAltNames within the CSR it would get ignored.

So this is not an option :-(

Anything else you suggest? What about migrating to a self signed certificate prior to the upgrade and then reinstalling the commercial one afterwards?

Thomas

Post by cppetrie »

Another option if you know your certs are valid is to just skip the upgrade check at the beginning using:
./install.sh --skip-upgrade-check
This will just skip the check that is causing the issue. It still presents the option to check mailbox integrity if you want that option.

Post by t.goetten »

Thank you, cppetrie.
I was finally able to install the Update. Everything went very well!

Post by jorgedlcruz »

Good feedback,

So you can confirm that you are in 8.6 with the same SSL certificate?

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/

Post by t.goetten »

Yes, I do! Everything works as before.

Thanks again

Post by liverpoolfcfan »

I have exactly the same situation. My zimbra server has an internal hostname while my Commercial Certificate is in the name of the externally addressable URL. I would see this as a normal configuration - yet the install tool for 8.6 is not allowing it.

Consider the situation of a multi-server install - you can have only one certificate on the proxy with the external URL. Yet you could have 2 or more servers behind with non-public hostnames. Potentially, you could have more than one LDAP server configured with the need to be able to promote any of them to being the master at any time. How can you accommodate this and still pass this new test?

Is it a case that a self-signed certificate should be used for LDAP only, while the Commercial Certificate should be used for securing all external connections? And, if this is the case, how could you go about deploying a self-signed certificate to just the LDAP part?

I am keen to upgrade to 8.6 - knowing that my commercial certificate install is good - but wary of using the --skip-upgrade-check option in case something breaks down the line.
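
The mismatch sub1 and liverpoolfcfan describe (an internal LDAP hostname checked against a certificate issued for the external name) can be reproduced offline with the following added example, which is not part of the thread and is not Zimbra's upgrade check. It assumes common RFC 6125-style matching (DNS subjectAltNames first, subject CN only when none exist, a wildcard only as the whole left-most label); the hostnames and certificate dictionaries are constructed.

```python
# Added example: name matching only; CA chain validation is a separate step.
# Input uses the dict layout returned by ssl.SSLSocket.getpeercert().

def _label_match(pattern: str, host: str) -> bool:
    """Compare one certificate name with a hostname, case-insensitively.
    A wildcard is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # "*.example.com" covers exactly one label, never a bare domain
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def names_in_cert(cert: dict) -> list:
    """DNS subjectAltNames if any exist, otherwise the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def check_hosts(cert: dict, hosts: list) -> dict:
    """Map each hostname a client would dial to True (match) or False."""
    names = names_in_cert(cert)
    return {h: any(_label_match(n, h) for n in names) for h in hosts}

# Constructed sample data (assumed names, not taken from the thread).
COMMERCIAL = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"),),
}
WILDCARD_CN_ONLY = {"subject": ((("commonName", "*.example.com"),),)}
LDAP_HOSTS = ["mail.example.com", "ldap1.corp.local", "ldap2.corp.local"]

if __name__ == "__main__":
    for label, cert in (("commercial", COMMERCIAL),
                        ("wildcard", WILDCARD_CN_ONLY)):
        for host, ok in check_hosts(cert, LDAP_HOSTS).items():
            print(f"{label:10} {host:20} {'match' if ok else 'MISMATCH'}")
```

On a live server the same dictionary comes from `getpeercert()` after a verified handshake, so every LDAP master name can be checked against the deployed certificate before the upgrade is started.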