Solved: After installing commercial cert Host name verification failed when connecting to ldap master

pennybristow
Posts: 19
Joined: Thu Sep 10, 2020 4:45 pm

Solved: After installing commercial cert Host name verification failed when connecting to ldap master

Post by pennybristow »

Steps to import the new commercial cert into the server via the CLI. I am looking at this document and am confused. First of all, I am using 9, not 8.7 or below. https://wiki.zimbra.com/wiki/Installing ... ng_the_CLI If you look at note 2, it states for ZCS 8.7 or higher to run as the zimbra user, but then on step 6 it states to run as the root user. So which is correct?

I followed these earlier and used the zimbra user; now, due to another issue with the SANs not being picked up in the CSR for the reissue of my cert, none of the services will stay started. I also tried, as the zimbra user, to go back to a self-signed cert to bail out, but that still gives me the same "Unable to start TLS: hostname verification failed when connecting to ldap master".

I was trying to follow a previous solved issue in this forum: viewtopic.php?t=60965

I ran the debug as well for ldap and got this (note that the domain is nothing I ever entered, so I am not sure where it's coming from):

Last login: Wed Sep 16 22:16:14 2020
penny@sdzimbra:~$ sudo /opt/zimbra/libexec/zmslapd -l LOCAL0 -u zimbra -h 'ldap://zimbra1.corp.domain.com ldapi:///' -F /opt/zimbra/data/ldap/config -d4
[sudo] password for penny:
5f62ab6a @(#) $OpenLDAP: slapd 2.4.49 (Jun 9 2020 11:25:24) $
openldap
5f62ab6a daemon_init: ldap://zimbra1.corp.domain.com ldapi:///
5f62ab6a daemon: bind(7) failed errno=99 (Cannot assign requested address)
5f62ab6a slapd stopped.
5f62ab6a connections_destroy: nothing to destroy.


My hosts file shows the internal IP of the host of the zimbra server, not the IP of the external MX record, 209.135.219.122 (note that mail.blabla.net is my Exchange server in the lab):

192.168.168.26 sdzimbra.blababa.dev sdzimbra
127.0.0.1 localhost
127.0.1.1 sdzimbra
192.168.168.11 mail.blababa.net

What I am unclear on is this:
My zimbra host name is sdzimbra.blabla.dev internally, but the MX record was created as mail.blabla.dev. The CSR I created had the name as mail.blablabla.dev and the SAN of sdzimbra.blabla.dev. Is that a problem?

How do I get back to at least getting things started again? At this point, before I messed with the cert, all was working; after the first cert, which missed the SAN, and the replacement of the self-signed cert, I haven't made much progress.
Attachment: MXrecord.png
pennybristow
Posts: 19
Joined: Thu Sep 10, 2020 4:45 pm

Re: After installing commercial cert Host name verification failed when connecting to ldap master

Post by pennybristow »

Before someone asks, here are my ldap settings. The ldap master URL looks correct; that is the name of the server.
ldap_accesslog_envflags = writemap nometasync
ldap_accesslog_maxsize = 85899345920
ldap_amavis_password = *
ldap_bes_searcher_password = *
ldap_bind_url =
ldap_cache_account_maxage = 15
ldap_cache_account_maxsize = 20000
ldap_cache_alwaysoncluster_maxage = 15
ldap_cache_alwaysoncluster_maxsize = 100
ldap_cache_cos_maxage = 15
ldap_cache_cos_maxsize = 100
ldap_cache_custom_dynamic_group_membership_maxage_ms = 600000
ldap_cache_domain_maxage = 15
ldap_cache_domain_maxsize = 500
ldap_cache_external_domain_maxage = 15
ldap_cache_external_domain_maxsize = 10000
ldap_cache_group_maxage = 15
ldap_cache_group_maxsize = 2000
ldap_cache_mime_maxage = 15
ldap_cache_reverseproxylookup_domain_maxage = 15
ldap_cache_reverseproxylookup_domain_maxsize = 100
ldap_cache_reverseproxylookup_server_maxage = 15
ldap_cache_reverseproxylookup_server_maxsize = 100
ldap_cache_right_maxage = 15
ldap_cache_right_maxsize = 100
ldap_cache_server_maxage = 15
ldap_cache_server_maxsize = 100
ldap_cache_share_locator_maxage = 15
ldap_cache_share_locator_maxsize = 5000
ldap_cache_timezone_maxsize = 100
ldap_cache_ucservice_maxage = 15
ldap_cache_ucservice_maxsize = 100
ldap_cache_xmppcomponent_maxage = 15
ldap_cache_xmppcomponent_maxsize = 100
ldap_cache_zimlet_maxage = 15
ldap_cache_zimlet_maxsize = 100
ldap_common_loglevel = 49152
ldap_common_require_tls = 0
ldap_common_threads = 8
ldap_common_tlsciphersuite = MEDIUM:HIGH
ldap_common_tlsprotocolmin = 3.1
ldap_common_toolthreads = 2
ldap_common_writetimeout = 360
ldap_connect_pool_debug = false
ldap_connect_pool_health_check_background_interval_millis = 30000
ldap_connect_pool_health_check_max_response_time_millis = 30000
ldap_connect_pool_health_check_on_checkout_enabled = false
ldap_connect_pool_initsize = 1
ldap_connect_pool_master = false
ldap_connect_pool_maxsize = 50
ldap_connect_pool_prefsize = 0
ldap_connect_pool_timeout = 120000
ldap_connect_timeout = 30000
ldap_db_envflags = writemap nometasync
ldap_db_maxsize = 85899345920
ldap_db_rtxnsize = 0
ldap_deref_aliases = always
ldap_dit_base_dn_admin =
ldap_dit_base_dn_alwaysoncluster =
ldap_dit_base_dn_appadmin =
ldap_dit_base_dn_config =
ldap_dit_base_dn_cos =
ldap_dit_base_dn_domain =
ldap_dit_base_dn_global_dynamicgroup =
ldap_dit_base_dn_mail =
ldap_dit_base_dn_mime =
ldap_dit_base_dn_server =
ldap_dit_base_dn_share_locator =
ldap_dit_base_dn_ucservice =
ldap_dit_base_dn_xmppcomponent =
ldap_dit_base_dn_zimlet =
ldap_dit_naming_rdn_attr_cos =
ldap_dit_naming_rdn_attr_dynamicgroup =
ldap_dit_naming_rdn_attr_globalconfig =
ldap_dit_naming_rdn_attr_globalgrant =
ldap_dit_naming_rdn_attr_mime =
ldap_dit_naming_rdn_attr_server =
ldap_dit_naming_rdn_attr_share_locator =
ldap_dit_naming_rdn_attr_ucservice =
ldap_dit_naming_rdn_attr_user =
ldap_dit_naming_rdn_attr_xmppcomponent =
ldap_dit_naming_rdn_attr_zimlet =
ldap_host = sdzimbra.syncdog.dev
ldap_is_master = true
ldap_ldapi_socket_file = ${zimbra_home}/data/ldap/state/run/ldapi
ldap_master_url = ldap://sdzimbra.syncdog.dev:389
ldap_monitor_alert_only = true
ldap_monitor_critical = 90
ldap_monitor_growth = 25
ldap_monitor_mdb = true
ldap_monitor_warning = 80
ldap_nginx_password = *
ldap_overlay_accesslog_logpurge = 01+00:00 00+04:00
ldap_overlay_syncprov_checkpoint = 20 10
ldap_overlay_syncprov_sessionlog = 10000000
ldap_port = 389
ldap_postfix_password = *
ldap_read_timeout = 300000
ldap_replication_password = *
ldap_root_password = *
ldap_starttls_required = true
ldap_starttls_supported = 1
ldap_url = ldap://sdzimbra.syncdog.dev:389
fs.schmidt
Outstanding Member
Posts: 278
Joined: Sat Sep 13, 2014 3:37 am
Location: Brazil

Re: After installing commercial cert Host name verification failed when connecting to ldap master

Post by fs.schmidt »

Hello,

I see that you use an internal domain name on your server: "ldap://sdzimbra.syncdog.dev:389"

Your certificate contains only your public domain, right?
Best regards.
Fabio S. Schmidt
http://www.bktech.com.br
Brasília - Brazil
pennybristow
Posts: 19
Joined: Thu Sep 10, 2020 4:45 pm

Re: After installing commercial cert Host name verification failed when connecting to ldap master

Post by pennybristow »

Thanks for replying, FsSchmidt. Correct, the one I ordered had dropped the SAN names that were in the CSR I had created, and I just realized that. I have reordered and am ready to install the new one; the common name is the public name and the SAN includes the private, public and just the domain itself. I also found a way to temporarily get everything back up so I could just use the MMC to create a new CSR, by disabling the ldap starttls config items. My question is now: after I install the new cert (via CLI), will I need to update these two entries in my config before restarting the services?

zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_starttls_supported=0
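The root cause in this thread is a certificate whose names do not cover the value of ldap_host, which is what the LDAP client verifies on STARTTLS. The following is an added check, not code from the thread or from Zimbra, that answers "does this cert cover ldap_host?" before ldap_starttls_required is set back to true. It takes certificates in the dict shape that Python's ssl.SSLSocket.getpeercert() returns; the two sample certificates and the blabla.dev names are constructed from the thread's description.

```python
"""Check whether an X.509 certificate covers the Zimbra ldap_host name.

Certificates use the dict shape returned by ssl.SSLSocket.getpeercert(),
so a live peer certificate can be passed in unchanged.
"""


def match_name(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or '*' as the whole leftmost label only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the entire leftmost label, the label counts must
    # agree (no multi-label matching), and *.tld-style patterns are rejected.
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """DNS names the certificate is valid for. If any subjectAltName DNS entry
    exists, commonName is ignored, which is how OpenSSL-based verifiers behave."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def covers_host(cert: dict, hostname: str) -> bool:
    """True if ldap_host would pass hostname verification against this cert."""
    return any(match_name(n, hostname) for n in cert_names(cert))


# Constructed: the first commercial cert, issued without the SAN from the CSR.
FIRST_CERT = {"subject": ((("commonName", "mail.blabla.dev"),),)}
# Constructed: the reissued cert with public, private and bare domain in the SAN.
REISSUED_CERT = {
    "subject": ((("commonName", "mail.blabla.dev"),),),
    "subjectAltName": (("DNS", "mail.blabla.dev"),
                       ("DNS", "sdzimbra.blabla.dev"),
                       ("DNS", "blabla.dev")),
}
LDAP_HOST = "sdzimbra.blabla.dev"  # the zmlocalconfig ldap_host value (constructed)

if __name__ == "__main__":
    for label, cert in (("first", FIRST_CERT), ("reissued", REISSUED_CERT)):
        print(f"{label} cert covers {LDAP_HOST}: {covers_host(cert, LDAP_HOST)}")
```

Run the same check against the certificate that zmcertmgr actually deployed; only when it returns True for ldap_host does re-enabling ldap_starttls_required make the LDAP master reachable over TLS.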
fs.schmidt
Outstanding Member
Posts: 278
Joined: Sat Sep 13, 2014 3:37 am
Location: Brazil

Re: After installing commercial cert Host name verification failed when connecting to ldap master

Post by fs.schmidt »

Yes, in this case you need to disable the TLS for ldap.

You can see the full documentation here: https://wiki.zimbra.com/wiki/TLS/STARTT ... fig_Values
Best regards.
Fabio S. Schmidt
http://www.bktech.com.br
Brasília - Brazil
pennybristow
Posts: 19
Joined: Thu Sep 10, 2020 4:45 pm

Re: After installing commercial cert Host name verification failed when connecting to ldap master

Post by pennybristow »

Thank you again. The main purpose was to be able to use mobile (ActiveSync) without any SSL errors. Leaving the values set disabled will not interfere with any processes on this box? It's a single installation box, and there are no users on it yet that I need to worry about other than my own acct.

Just to clarify, I should leave them as false and 0 vs the original settings of true and 1, correct?
fs.schmidt
Outstanding Member
Posts: 278
Joined: Sat Sep 13, 2014 3:37 am
Location: Brazil

Re: After installing commercial cert Host name verification failed when connecting to ldap master

Post by fs.schmidt »

pennybristow wrote: Thank you again. The main purpose was to be able to use mobile (ActiveSync) without any SSL errors. Leaving the values set disabled will not interfere with any processes on this box? It's a single installation box, and there are no users on it yet that I need to worry about other than my own acct. Just to clarify, I should leave them as false and 0 vs the original settings of true and 1, correct?

It won't affect the ActiveSync. Yes, you need to set the parameters to "0" or "false".
Best regards.
Fabio S. Schmidt
http://www.bktech.com.br
Brasília - Brazil
pennybristow
Posts: 19
Joined: Thu Sep 10, 2020 4:45 pm

Re: Solved: After installing commercial cert Host name verification failed when connecting to ldap master

Post by pennybristow »

That did the trick. On a side note, all the relay data I had previously entered and my COS for mobile have vaporized! I re-entered the relay data, but now I see nothing to set for mobile or policies in the COS... I cannot figure out how that went missing.