Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

Posted: Mon Dec 22, 2014 5:02 am
by sub1
Hello,

I'm trying to upgrade Zimbra 8.5.0 to latest 8.6.0 on CentOS 6.5. System is up to date. I'm using a commercial cert for mailbox and it is valid.
[root@ZIMBRA zcs-8.6.0_GA_1153.RHEL6_64.20141215151155]# ./install.sh

Operations logged to /tmp/install.log.22738
Checking for existing installation...
    zimbra-ldap...FOUND zimbra-ldap-8.5.0_GA_3042
    zimbra-logger...FOUND zimbra-logger-8.5.0_GA_3042
    zimbra-mta...FOUND zimbra-mta-8.5.0_GA_3042
    zimbra-dnscache...FOUND zimbra-dnscache-8.5.0_GA_3042
    zimbra-snmp...FOUND zimbra-snmp-8.5.0_GA_3042
    zimbra-store...FOUND zimbra-store-8.5.0_GA_3042
    zimbra-apache...FOUND zimbra-apache-8.5.0_GA_3042
    zimbra-spell...FOUND zimbra-spell-8.5.0_GA_3042
    zimbra-convertd...NOT FOUND
    zimbra-memcached...FOUND zimbra-memcached-8.5.0_GA_3042
    zimbra-proxy...NOT FOUND
    zimbra-archiving...NOT FOUND
    zimbra-core...FOUND zimbra-core-8.5.0_GA_3042
ZCS upgrade from 8.5.0 to 8.6.0 will be performed.
Validating ldap configuration
Error: Unable to create a successful TLS connection to the ldap masters.
       Fix cert configuration prior to upgrading.
I tried to debug a little:
[root@ZIMBRA zcs-8.6.0_GA_1153.RHEL6_64.20141215151155]# bin/zmValidateLdap.pl -l --vmajor 8 --vminor 5
ERROR: Unable to connect via startTLS to master: ldap://zimbra.domain.intra:389


[root@ZIMBRA zcs-8.6.0_GA_1153.RHEL6_64.20141215151155]# /opt/zimbra/bin/zmlocalconfig | grep ldap | grep tls
ldap_common_require_tls = 0
ldap_starttls_required = true
ldap_starttls_supported = 1
[root@ZIMBRA zcs-8.6.0_GA_1153.RHEL6_64.20141215151155]# /opt/zimbra/bin/zmlocalconfig | grep ldap_master
ldap_master_url = ldap://zimbra.domain.intra:389
Can anyone help me solve this problem?
Regards

Posted: Mon Dec 22, 2014 10:45 am
by jorgedlcruz
Hi sub1,

I saw this error before, let me take a look into my notes and chat with the rest of the team.



Best regards

Posted: Mon Dec 22, 2014 2:31 pm
by dslauter
I also have the same issue on Ubuntu 14.04, let me know if you need anything.

Posted: Mon Dec 22, 2014 10:30 pm
by dlbewley
Is this a multi-server install? What's the CN on the cert? Is your zmlocalconfig `ldap_url` different from `ldap_master_url`?



See if this is relevant https://bugzilla.zimbra.com/show_bug.cgi?id=95420

Posted: Tue Dec 23, 2014 3:35 am
by sub1
Hi,



In my case, it's a mono-server installation.

[root@ZIMBRA zcs-8.6.0_GA_1153.RHEL6_64.20141215151155]# "/opt/zimbra/bin/zmlocalconfig" | grep ldap | grep url
ldap_bind_url =
ldap_master_url = ldap://zimbra.domain.intra:389
ldap_url = ldap://zimbra.domain.intra:389

CN on cert is "*.domain.com" and my server is named "zimbra.domain.intra".

Concerning bug id 95420, if I replace in "bin/zmValidateLdap.pl"

$mesgp = $ldapp->start_tls(
    verify => 'require',                 # fail unless the LDAP server cert verifies
    capath => "/opt/zimbra/conf/ca",
);

by

$mesgp = $ldapp->start_tls(
    verify => 'none',                    # skip certificate verification entirely
    capath => "/opt/zimbra/conf/ca",
);

validation is OK.

It seems that I can no longer have a commercial cert with a DN not matching the hostname. This configuration was valid before 8.6.

Any ideas on the best way to solve this issue?

Regards.

Posted: Tue Dec 23, 2014 9:32 am
by adilm
I have the same issue upgrading from 8.5.1 to 8.6.0. Mono-server install. Exactly the same output in the validation commands.

Posted: Thu Dec 25, 2014 4:44 am
by t.goetten
I have (supposedly) the same issue too.

- commercial certificate (not expired!)
- Zimbra 8.5.1_GA_3056 (build 20141103151510)
- single server

Validating ldap configuration
Error: Unable to create a successful TLS connection to the ldap masters.
       Fix cert configuration prior to upgrading.

Any suggestions?

Posted: Thu Dec 25, 2014 5:28 am
by jorgedlcruz
Hi guys,
I'm taking a deeper look with the rest of the Zimbra Team. Could you please run this command as root:
root@zimbra-sn-u14-01:/home/oper# /opt/zimbra/bin/zmcertmgr viewdeployedcrt

and tell us whether the hostname of your single server is included in the CN (I guess not, because the CN holds the FQDN), or whether the hostname of your single server is at least included in the SubjectAltName?
Best regards

Posted: Thu Dec 25, 2014 5:52 am
by t.goetten
Hi Jorge,

Thanks for looking into our issue. Your assumption is right. Running zmcertmgr reveals that the hostname is NOT included. Both CN and SubjectAltName carry the official FQDN and are identical.

Do you need the output?

Best regards

Thomas

Posted: Thu Dec 25, 2014 6:00 am
by jorgedlcruz
Hi t.goetten,
No, no, that is enough.
Some SSL certificates can be updated if they are still valid. Could you please try to regenerate the SSL again with the following command, with your country etc.? Please pay special attention to the CN and the subjectAltNames:
/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=GB/ST=London/L=London/O=Zimbra/OU=Zimbra IT/CN=FQDN" -subjectAltNames "FQDN,HOSTNAME"
Then reissue the SSL, apply it to Zimbra, run the viewdeployedcrt command again, and if the hostname is correctly present in the subjectAltNames, try the upgrade again.
We are looking into this problem.
Best regards
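The thread turns on one check: whether any name on the deployed certificate covers the host named in ldap_master_url. sub1's CN of *.domain.com cannot cover zimbra.domain.intra, and the fix jorgedlcruz proposes is to reissue with the hostname in the subjectAltNames. As an added example that is not the thread's code nor Zimbra's zmValidateLdap.pl, the following Python implements that hostname matching under the RFC 6125 wildcard rules and reports the check over constructed values; the function names are assumptions of this example.

```python
# Added example, not code from the thread or from Zimbra's zmValidateLdap.pl.
# It answers the question a verifying start_tls (verify => 'require') asks:
# does any name on the deployed certificate (CN or DNS subjectAltName) cover the
# host in ldap_master_url?  Matching follows RFC 6125: case-insensitive labels,
# and a wildcard only as the entire leftmost label, standing for exactly one label.
from urllib.parse import urlsplit


def hostname_matches(name, hostname):
    """True if one certificate name (CN or DNS SAN entry) covers hostname."""
    name = name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in name:
        return name == hostname
    pattern = name.split(".")
    labels = hostname.split(".")
    # Only a lone '*' in the leftmost position is a wildcard: 'zim*.x' and
    # 'a.*.x' are rejected, and '*.intra' is refused so '*' cannot cover a TLD.
    if pattern[0] != "*" or "*" in name[1:] or len(pattern) < 3:
        return False
    # '*' matches exactly one label, so '*.domain.intra' covers
    # 'zimbra.domain.intra' but neither 'domain.intra' nor 'a.b.domain.intra'.
    return len(pattern) == len(labels) and pattern[1:] == labels[1:]


def cert_covers_ldap_master(ldap_master_url, cn, sans):
    """Check the CN and every DNS SAN entry against the host in ldap_master_url.

    Returns the host that was checked, the names that matched and an 'ok' flag.
    Which of CN/SAN a verifier consults differs by library, so the safe fix is
    the one in the thread: put the LDAP host in the subjectAltNames.
    """
    host = urlsplit(ldap_master_url).hostname or ""
    names = [cn] + list(sans)
    matched = [n for n in names if hostname_matches(n, host)]
    return {"host": host, "matched": matched, "ok": bool(matched)}


if __name__ == "__main__":
    # Constructed values mirroring the thread: a wildcard commercial cert for
    # *.domain.com on a server whose ldap_master_url names zimbra.domain.intra.
    url = "ldap://zimbra.domain.intra:389"
    print(cert_covers_ldap_master(url, "*.domain.com", []))
    # After reissuing with the hostname in the subjectAltNames (the proposed fix):
    print(cert_covers_ldap_master(url, "*.domain.com",
                                  ["*.domain.com", "zimbra.domain.intra"]))
```

Feed it the CN and SAN entries shown by zmcertmgr viewdeployedcrt and the ldap_master_url from zmlocalconfig to see before the upgrade whether the name check can pass.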