Cannot login via the proxy

tupoar
Posts: 2
Joined: Mon Jun 11, 2018 2:11 pm

Cannot login via the proxy

Post by tupoar »

Please excuse me if this is in the wrong section,

Last week I upgraded our office server from v8.7.6 to 8.8.8 as part of our plans to make the server PCI compliant. I also followed some guides to harden the server. At some point, the web interface stopped working.

I can get the login page, I can enter my login details, and once I click 'log in' nothing happens; it just sits there 'waiting for server'. I have searched the nginx logs but they show nothing out of the ordinary. I have compared the config files to my home installation (which I upgraded beforehand as a test) and nothing is different. I'm at a loss.

I must point out that I CAN log in via port 8443, so I believe it is the proxy side of things.

Can anyone point me in the right direction on where to look or how to fix this? I can provide logs etc if needed.

Thanks in advance

T
tupoar
Posts: 2
Joined: Mon Jun 11, 2018 2:11 pm

Re: Cannot login via the proxy

Post by tupoar »

Days later, I've fixed it.

I set up a test server and discovered things stopped working when I made changes to mailboxd_java_options.

After adding '-Djavax.net.debug=ssl,handshake,data' to the options and tailing /opt/zimbra/log/zmmailboxd.out I got the following

qtp1684106402-147, fatal error: 40: Client requested protocol TLSv1 not enabled or not supported
javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
qtp1684106402-147, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
qtp1684106402-147, WRITE: TLSv1.2 Alert, length = 2
qtp1684106402-147, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported

Further searching led me to the following file

/opt/zimbra/jetty_base/start.d/setuid.ini

and the line

zimbraMailboxdSSLProtocols=SSLv2Hello TLSv1.1 TLSv1.2

Adding 'TLSv1' to that line and performing a 'zmcontrol restart' fixed it.
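
The diagnosis in the post above, as an added example that is not part of the original posts: a POSIX shell script that extracts the refused protocol from the `javax.net.debug` output and checks it against the `zimbraMailboxdSSLProtocols=` line. The function names are hypothetical, and the sample input reuses the log lines and setting quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original posts); function names are hypothetical.

# Print each distinct protocol that a client requested and mailboxd refused.
# $1: a log such as /opt/zimbra/log/zmmailboxd.out with javax.net.debug enabled
rejected_protocols() {
    sed -n 's/.*Client requested protocol \([^ ]*\) not enabled or not supported.*/\1/p' "$1" | sort -u
}

# Print the protocols on the zimbraMailboxdSSLProtocols= line, one per line.
# $1: a file such as /opt/zimbra/jetty_base/start.d/setuid.ini
enabled_protocols() {
    sed -n 's/^[[:space:]]*zimbraMailboxdSSLProtocols=//p' "$1" | tr -s '[:space:]' '\n' | sed '/^$/d'
}

# Report every refused protocol that is absent from the enabled list.
# Returns 0 when at least one mismatch is found, 1 otherwise.
protocol_mismatch() {
    mm_found=1
    for mm_proto in $(rejected_protocols "$1"); do
        # -x -F: whole-line literal match, so "TLSv1" does not match "TLSv1.1"
        if ! enabled_protocols "$2" | grep -qxF -- "$mm_proto"; then
            echo "refused and not enabled: $mm_proto"
            mm_found=0
        fi
    done
    return "$mm_found"
}

# Sample run on input reusing the log lines and setting quoted in the post.
demo() {
    demo_dir=$(mktemp -d) || return 1
    cat > "$demo_dir/zmmailboxd.out" <<'EOF'
qtp1684106402-147, fatal error: 40: Client requested protocol TLSv1 not enabled or not supported
javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
qtp1684106402-147, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
EOF
    printf 'zimbraMailboxdSSLProtocols=SSLv2Hello TLSv1.1 TLSv1.2\n' > "$demo_dir/setuid.ini"
    protocol_mismatch "$demo_dir/zmmailboxd.out" "$demo_dir/setuid.ini"
    demo_rc=$?
    rm -rf "$demo_dir"
    return "$demo_rc"
}

demo
```

The reported protocol is the one the connecting client offered, so the output shows which version the two sides failed to agree on.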