Error on deploying SSL certificates
Re: Error on deploying SSL certificates
Does anyone else have any idea what else I could try?
- JDunphy
- Outstanding Member
- Posts: 889
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: Error on deploying SSL certificates
zmcertmgr has a debug option... add it at the end and it will tell you the commands that are being executed.
Here is what I did for my zimbra.sh that I use for the deploy method with acme.sh
/opt/zimbra/bin/zmcertmgr deploycrt comm "$_ccert" "${_cca}.real" --debug 3|| return 1
Can you add that and see what it thinks is happening around the error? We can then compare with a working example that I have here.
Here is what you can expect to see:
Jim
Code: Select all
/opt/zimbra/common/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass Yourpassword 2>&1
DEBUG: run(rc=0) results(#=0)
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
DEBUG: run command: /opt/zimbra/common/bin/openssl pkcs12 -inkey /opt/zimbra/ssl/zimbra/commercial/commercial.key -in /opt/zimbra/ssl/zimbra/commercial/commercial.crt -name jetty -export -out /opt/zimbra/ssl/zimbra/jetty.pkcs12 -passout pass:Yourpassword 2>&1
DEBUG: run(rc=0) results(#=0)
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
DEBUG: run command: /opt/zimbra/common/bin/java -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl/zimbra/jetty.pkcs12 /opt/zimbra/mailboxd/etc/keystore Yourpassword Yourpassword 2>&1
DEBUG: run(rc=0) results(#=2):
Alias 0: jetty
Adding key for alias jetty
...
Re: Error on deploying SSL certificates
Code: Select all
[root@mail ~]# free -m
total used free shared buff/cache available
Mem: 7808 7219 99 425 489 1
Swap: 0 0 0
[root@mail ~]# df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 3.8G 0 3.8G 0% /dev
tmpfs 3.9G 0 3.9G 0% /dev/shm
tmpfs 3.9G 425M 3.4G 11% /run
tmpfs 3.9G 0 3.9G 0% /sys/fs/cgroup
/dev/vda2 75G 38G 37G 51% /
/dev/vda1 110M 6.8M 104M 7% /boot/efi
tmpfs 781M 0 781M 0% /run/user/0
tmpfs 781M 0 781M 0% /run/user/988
[root@mail ~]# su - zimbra
Last login: Wed Jan 12 11:59:09 UTC 2022 on pts/1
[zimbra@mail ~]$ /opt/zimbra/bin/zmcertmgr deploycrt comm "$_ccert" "${_cca}.real" --debug 3|| return 1
DEBUG: CertMgr->Command(deploycrt)
DEBUG: CertMgr->Debug(3)
DEBUG: CertMgr->Type(comm)
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x0000000085e00000, 130023424, 0) failed; error='Not enough space' (errno=12)
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2626, <$fh> line 1.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2627, <$fh> line 1.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2626, <$fh> line 2.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2627, <$fh> line 2.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2626, <$fh> line 3.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2627, <$fh> line 3.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2626, <$fh> line 4.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2627, <$fh> line 4.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2626, <$fh> line 5.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2627, <$fh> line 5.
DEBUG: deploycrt(comm .real)
DEBUG: initSSLDirs
zmcertmgr: ERROR deploycrt(comm .real) failed:
sslFiles: no match for key 'cacerts'
at /opt/zimbra/bin/zmcertmgr line 2238.
CertMgr::sslFiles(CertMgr=HASH(0x5650ff0497a0), "cacerts") called at /opt/zimbra/bin/zmcertmgr line 2133
CertMgr::initSSLDirs(CertMgr=HASH(0x5650ff0497a0)) called at /opt/zimbra/bin/zmcertmgr line 1065
CertMgr::deploycrt(CertMgr=HASH(0x5650ff0497a0), "comm", "", ".real") called at /opt/zimbra/bin/zmcertmgr line 419
eval {...} called at /opt/zimbra/bin/zmcertmgr line 419
-bash: return: can only `return' from a function or sourced script
[zimbra@mail ~]$
Re: Error on deploying SSL certificates
The problem is clear... add swap or upgrade your ram.
- JDunphy
Re: Error on deploying SSL certificates
I showed an example of how I did it with debug. You are not running my deploy script according to an earlier post so your usage would be something like this.
Code: Select all
[zimbra@mail tmp]$ /opt/zimbra/bin/zmcertmgr deploycrt comm mail.XXX.com.cer fullchain.cer --debug 3
If you are running my deploy script then you modify the deploy script and don't run it from the command line with the shell variables. Those would be undefined which zmcertmgr is telling you in addition to swap.
Jim
Re: Error on deploying SSL certificates
Code: Select all
[zimbra@mail tmp]$ /opt/zimbra/bin/zmcertmgr deploycrt comm mail.XXX.com.cer fullchain.cer --debug 3
DEBUG: CertMgr->Type(comm)
DEBUG: CertMgr->Debug(3)
DEBUG: CertMgr->Command(deploycrt)
DEBUG: deploycrt(comm mail.XXX.com.cer fullchain.cer)
DEBUG: initSSLDirs
DEBUG: Checking line endings: mail.XXX.com.cer fullchain.cer
DEBUG: verifycrt(comm /opt/zimbra/ssl/zimbra/commercial/commercial.key mail.XXX.com.cer fullchain.cer)
DEBUG: verifycrtkey(/opt/zimbra/ssl/zimbra/commercial/commercial.key mail.XXX.com.cer)
** Verifying 'mail.XXX.com.cer' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
DEBUG: run command: /opt/zimbra/common/bin/openssl rsa -noout -modulus -in '/opt/zimbra/ssl/zimbra/commercial/commercial.key' | /opt/zimbra/common/bin/openssl sha256
DEBUG: run(rc=0) results(#=1):
(stdin)= c5c5251d38d41aeb4aaf322ff46b3e91b15fcf73f836f9d151ec574b5dc811a3
DEBUG: run command: /opt/zimbra/common/bin/openssl x509 -noout -modulus -in 'mail.XXX.com.cer' | /opt/zimbra/common/bin/openssl sha256
DEBUG: run(rc=0) results(#=1):
(stdin)= c5c5251d38d41aeb4aaf322ff46b3e91b15fcf73f836f9d151ec574b5dc811a3
Certificate 'mail.XXX.com.cer' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
DEBUG: verifycrtchain(fullchain.cer mail.XXX.com.cer)
** Verifying 'mail.XXX.com.cer' against 'fullchain.cer'
DEBUG: run command: /opt/zimbra/common/bin/openssl verify -purpose sslserver -CAfile fullchain.cer mail.XXX.com.cer 2>&1
DEBUG: run(rc=0) results(#=1):
mail.XXX.com.cer: OK
Valid certificate chain: mail.XXX.com.cer: OK
** Copying 'mail.XXX.com.cer' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying 'fullchain.cer' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain 'fullchain.cer' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
DEBUG: addcacert(/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt)
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
DEBUG: run command: /opt/zimbra/common/bin/keytool -delete -alias zcs-user-commercial_ca -keystore /opt/zimbra/common/lib/jvm/java/lib/security/cacerts -storepass changeit 2>&1
DEBUG: run(rc=0) results(#=1):
Warning: use -cacerts option to access cacerts keystore
DEBUG: run command: /opt/zimbra/common/bin/keytool -import -alias zcs-user-commercial_ca -noprompt -file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt -keystore /opt/zimbra/common/lib/jvm/java/lib/security/cacerts -storepass changeit 2>&1
DEBUG: run(rc=0) results(#=2):
Warning: use -cacerts option to access cacerts keystore
Certificate was added to keystore
** NOTE: restart mailboxd to use the imported certificate.
DEBUG: savecrt(comm)
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.XXX.com...DEBUG: run command: /opt/zimbra/bin/zmprov -m -l modifyServer mail.XXX.com zimbraSSLCertificate '-----BEGIN CERTIFICATE-----
MIIFIjCCBAqgAwIBAgISBDS2BIYoS4G3MCGIM4PbaqOIMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
....
-----END RSA PRIVATE KEY-----
'
DEBUG: run(rc=0) results(#=0)
ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
DEBUG: createimapdkeystore(comm)
DEBUG: run command: /opt/zimbra/common/bin/keytool -delete -alias jetty -keystore /opt/zimbra/conf/imapd.keystore -storepass ecMJv6Cn6L 2>&1
DEBUG: run(rc=256) results(#=1):
keytool error: java.security.cert.CertificateParsingException: signed overrun, bytes = 88
ERROR: imapd keytool(-delete -alias jetty) returned non-zero(1):
keytool error: java.security.cert.CertificateParsingException: signed overrun, bytes = 88
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
DEBUG: run command: /opt/zimbra/common/bin/openssl pkcs12 -inkey /opt/zimbra/conf/imapd.key -in /opt/zimbra/conf/imapd.crt -name jetty -export -out /opt/zimbra/ssl/zimbra/jetty.pkcs12 -passout pass:ecMJv6Cn6L 2>&1
DEBUG: run(rc=0) results(#=0)
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
DEBUG: run command: /opt/zimbra/common/bin/java -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl/zimbra/jetty.pkcs12 /opt/zimbra/conf/imapd.keystore ecMJv6Cn6L ecMJv6Cn6L 2>&1
DEBUG: run(rc=256) results(#=9):
Exception in thread "main" java.security.cert.CertificateParsingException: signed overrun, bytes = 88
at java.base/sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1820)
at java.base/sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:188)
at java.base/sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:105)
at java.base/java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:355)
at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:725)
at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
at java.base/java.security.KeyStore.load(KeyStore.java:1472)
at com.zimbra.cert.MyPKCS12Import.main(MyPKCS12Import.java:104)
ERROR: com.zimbra.cert.MyPKCS12Import to '/opt/zimbra/ssl/zimbra/jetty.pkcs12' returned non-zero(1):
Exception in thread "main" java.security.cert.CertificateParsingException: signed overrun, bytes = 88
at java.base/sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1820)
at java.base/sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:188)
at java.base/sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:105)
at java.base/java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:355)
at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:725)
at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
at java.base/java.security.KeyStore.load(KeyStore.java:1472)
at com.zimbra.cert.MyPKCS12Import.main(MyPKCS12Import.java:104)
[zimbra@mail tmp]$
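Added example, not part of the thread and not Zimbra's own tooling: a small filter for `zmcertmgr ... --debug 3` output like the above that masks the keystore passwords and PEM bodies the debug level prints, then lists only the steps whose `run(rc=...)` was non-zero. The function names, the sample log, the password `S3cretPass` and the host `mail.example.com` are constructed for illustration; the line formats are modelled on the output shown in this thread.

```shell
#!/bin/sh
# Added example: triage of `zmcertmgr ... --debug 3` output (hypothetical helper names).

# Mask secrets that debug level 3 prints in clear text: -storepass values,
# -passout pass: values, the two password arguments of MyPKCS12Import,
# and the body of any PEM block embedded in a zmprov command line.
redact_zmcertmgr_log() {
    awk '
    /DEBUG: run command: / {
        gsub(/-storepass [^ ]+/, "-storepass REDACTED")
        gsub(/-passout pass:[^ ]+/, "-passout pass:REDACTED")
        # MyPKCS12Import arguments: <pkcs12> <keystore> <password> <password>
        for (i = 1; i <= NF; i++)
            if ($i ~ /MyPKCS12Import$/) {
                if (i + 3 <= NF) $(i + 3) = "REDACTED"
                if (i + 4 <= NF) $(i + 4) = "REDACTED"
            }
    }
    inpem && /-----END [A-Z ]+-----/ { inpem = 0; print; next }
    inpem { next }
    /-----BEGIN [A-Z ]+-----/ && !/-----END / {
        print; print "[PEM body removed]"; inpem = 1; next
    }
    { print }
    '
}

# Pair every "DEBUG: run command:" with the "DEBUG: run(rc=N)" that follows it
# and print one line per failed step: rc | command | first line of its output.
failed_steps() {
    awk '
    BEGIN { tag = "DEBUG: run command: " }
    want { print "rc=" rc " | " cmd " | " $0; want = 0; cmd = ""; next }
    index($0, tag) { cmd = substr($0, index($0, tag) + length(tag)); next }
    /^DEBUG: run\(rc=[0-9]+\)/ {
        rc = $0; sub(/^DEBUG: run\(rc=/, "", rc); sub(/\).*/, "", rc)
        n = $0;  sub(/.*results\(#=/, "", n);     sub(/\).*/, "", n)
        if (rc + 0 != 0 && cmd != "") {
            if (n + 0 > 0) want = 1
            else { print "rc=" rc " | " cmd " | (no output)"; cmd = "" }
        } else cmd = ""
        next
    }
    '
}

# Constructed sample input, modelled on the debug output in this thread.
sample_debug_log() {
    cat <<'EOF'
DEBUG: createimapdkeystore(comm)
DEBUG: run command: /opt/zimbra/common/bin/keytool -delete -alias jetty -keystore /opt/zimbra/conf/imapd.keystore -storepass S3cretPass 2>&1
DEBUG: run(rc=256) results(#=1):
keytool error: java.security.cert.CertificateParsingException: signed overrun, bytes = 88
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
DEBUG: run command: /opt/zimbra/common/bin/openssl pkcs12 -inkey /opt/zimbra/conf/imapd.key -in /opt/zimbra/conf/imapd.crt -name jetty -export -out /opt/zimbra/ssl/zimbra/jetty.pkcs12 -passout pass:S3cretPass 2>&1
DEBUG: run(rc=0) results(#=0)
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.example.com...DEBUG: run command: /opt/zimbra/bin/zmprov -m -l modifyServer mail.example.com zimbraSSLPrivateKey '-----BEGIN PRIVATE KEY-----
CONSTRUCTED-SAMPLE-NOT-A-REAL-KEY
-----END PRIVATE KEY-----
'
DEBUG: run(rc=0) results(#=0)
DEBUG: run command: /opt/zimbra/common/bin/java -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl/zimbra/jetty.pkcs12 /opt/zimbra/conf/imapd.keystore S3cretPass S3cretPass 2>&1
DEBUG: run(rc=256) results(#=9):
Exception in thread "main" java.security.cert.CertificateParsingException: signed overrun, bytes = 88
    at java.base/sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1820)
EOF
}

# Demo: redact first, then summarise the failed steps.
sample_debug_log | redact_zmcertmgr_log | failed_steps
```

On a real run, pipe the saved debug output through `redact_zmcertmgr_log` before posting it and through `failed_steps` to see which command to retry by hand.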
- JDunphy
Re: Error on deploying SSL certificates
octet wrote:
DEBUG: run(rc=0) results(#=0)
ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
DEBUG: createimapdkeystore(comm)
DEBUG: run command: /opt/zimbra/common/bin/keytool -delete -alias jetty -keystore /opt/zimbra/conf/imapd.keystore -storepass ecMJv6Cn6L 2>&1
DEBUG: run(rc=256) results(#=1):
keytool error: java.security.cert.CertificateParsingException: signed overrun, bytes = 88
Here is what I did on my end. I removed /opt/zimbra/conf/imapd.keystore and then ran this keytool command above. It exited with this:
Code: Select all
# su - zimbra
% cd /opt/zimbra/conf; mv imapd.keystore imapd.keystore-
% /opt/zimbra/common/bin/keytool -delete -alias jetty -keystore /opt/zimbra/conf/imapd.keystore -storepass ecMJv6Cn6L
keytool error: java.lang.Exception: Keystore file does not exist: /opt/zimbra/conf/imapd.keystore
% > /opt/zimbra/conf/imapd.keystore
% /opt/zimbra/common/bin/keytool -delete -alias jetty -keystore /opt/zimbra/conf/imapd.keystore -storepass ecMJv6Cn6L
keytool error: java.lang.Exception: Keystore file exists, but is empty: /opt/zimbra/conf/imapd.keystore
Code: Select all
/opt/zimbra/common/bin/java -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl/zimbra/jetty.pkcs12 /opt/zimbra/conf/imapd.keystore ecMJv6Cn6L ecMJv6Cn6L
You have stated and shown that you can not generate a self-signed certificate which is how this would be created so this could be a challenge.
Option 1: normally this would create that file for you.
Code: Select all
# su - zimbra
% cd /opt/zimbra/conf
% /opt/zimbra/common/bin/java -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl/zimbra/jetty.pkcs12 /opt/zimbra/conf/imapd.keystore ecMJv6Cn6L ecMJv6Cn6L
Code: Select all
# su - zimbra
% ldap start # you need ldap running so do this if it isn't
% /opt/zimbra/bin/zmcertmgr deploycrt comm mail.XXX.com.cer fullchain.cer # assumes you are in same directory as these .cer files
% zmcontrol restart
Code: Select all
# su - zimbra
% cd /opt/zimbra/conf
% mv imapd.keystore imapd.keystore-
% zmcontrol stop
% ldap start
% zmmailboxdctl start
% /opt/zimbra/bin/zmcertmgr createca -new --debug 3
% /opt/zimbra/bin/zmcertmgr deployca -debug 3
% /opt/zimbra/bin/zmcertmgr createcrt -new -days 365 --debug 3
% /opt/zimbra/bin/zmcertmgr deploycrt self --debug 3
% ls -l imapd.keystore
Here is the missing piece that you have not seen before after the last deploycrt step above.
Code: Select all
DEBUG: createimapdkeystore(self)
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
DEBUG: run command: /opt/zimbra/common/bin/openssl pkcs12 -inkey /opt/zimbra/conf/imapd.key -in /opt/zimbra/conf/imapd.crt -name jetty -export -out /opt/zimbra/ssl/zimbra/jetty.pkcs12 -passout pass:ecMJv6Cn6L 2>&1
DEBUG: run(rc=0) results(#=0)
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
DEBUG: run command: /opt/zimbra/common/bin/java -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl/zimbra/jetty.pkcs12 /opt/zimbra/conf/imapd.keystore ecMJv6Cn6L ecMJv6Cn6L 2>&1
DEBUG: run(rc=0) results(#=2):
Alias 0: jetty
Adding key for alias jetty
Re: Error on deploying SSL certificates
That's awesome, it seems it worked:
After that I've deployed the LE certificates:
Web interface still didn't work, so I've run the installation again:
No errors, result! Thanks, Jim!
Web interface still doesn't work, I get this:
Code: Select all
[zimbra@mail tmp]$ cd /opt/zimbra/conf
[zimbra@mail conf]$ /opt/zimbra/common/bin/java -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl/zimbra/jetty.pkcs12 /opt/zimbra/conf/imapd.keystore ecMJv6Cn6L ecMJv6Cn6L
Exception in thread "main" java.security.cert.CertificateParsingException: signed overrun, bytes = 88
at java.base/sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1820)
at java.base/sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:188)
at java.base/sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:105)
at java.base/java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:355)
at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:725)
at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
at java.base/java.security.KeyStore.load(KeyStore.java:1472)
at com.zimbra.cert.MyPKCS12Import.main(MyPKCS12Import.java:104)
[zimbra@mail conf]$ mv imapd.keystore imapd.keystore-
[zimbra@mail conf]$ zmcontrol stop
Host mail.XXX.com
Stopping zmconfigd...Done.
Stopping imapd...Done.
Stopping zimlet webapp...Done.
Stopping zimbraAdmin webapp...Done.
Stopping zimbra webapp...Done.
Stopping service webapp...Done.
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping cbpolicyd...Done.
Stopping archiving...Done.
Stopping opendkim...Done.
Stopping amavis...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping proxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping logger...Done.
Stopping dnscache...Done.
Stopping ldap...Done.
[zimbra@mail conf]$ ldap start
Started slapd: pid 3998674
[zimbra@mail conf]$ zmmailboxdctl start
Starting mailboxd...done.
[zimbra@mail conf]$ /opt/zimbra/bin/zmcertmgr createca -new --debug 3
DEBUG: CertMgr->Debug(3)
DEBUG: CertMgr->New(1)
DEBUG: CertMgr->Command(createca)
DEBUG: createca
DEBUG: initSSLDirs
DEBUG: createConf '/opt/zimbra/ssl/zimbra/ca/zmssl.cnf' altnames: mail.XXX.com
** Recreating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf
DEBUG: createca skipping CA cert
** Using CA private key in '/opt/zimbra/ssl/zimbra/ca/ca.key'
DEBUG: createca skipping Commercial CA cert
DEBUG: docreateca
DEBUG: createCASerial
DEBUG: skipping initSSLDirs
** Creating CA with existing private key /opt/zimbra/ssl/zimbra/ca/ca.key
DEBUG: run command: /opt/zimbra/common/bin/openssl req -batch -nodes -new -sha256 -subj '/O=CA/OU=Zimbra Collaboration Server/CN=mail.XXX.com' -days 1825 -config /opt/zimbra/ssl/zimbra/ca/zmssl.cnf -out /opt/zimbra/ssl/zimbra/ca/ca.pem -key /opt/zimbra/ssl/zimbra/ca/ca.key -extensions v3_ca -x509
DEBUG: run(rc=0) results(#=0)
[zimbra@mail conf]$ /opt/zimbra/bin/zmcertmgr deployca -debug 3
DEBUG: CertMgr->Command(deployca)
DEBUG: CertMgr->Debug(3)
DEBUG: deployca
DEBUG: initSSLDirs
** Saving config key 'zimbraCertAuthorityCertSelfSigned' via zmprov modifyConfig...DEBUG: run command: /opt/zimbra/bin/zmprov -m -l modifyConfig zimbraCertAuthorityCertSelfSigned '-----BEGIN CERTIFICATE-----
......
......
-----END CERTIFICATE-----
'
DEBUG: run(rc=0) results(#=0)
ok
** Saving config key 'zimbraCertAuthorityKeySelfSigned' via zmprov modifyConfig...DEBUG: run command: /opt/zimbra/bin/zmprov -m -l modifyConfig zimbraCertAuthorityKeySelfSigned '-----BEGIN PRIVATE KEY-----
......
......
-----END PRIVATE KEY-----
'
DEBUG: run(rc=0) results(#=0)
ok
DEBUG: addcacert(/opt/zimbra/ssl/zimbra/ca/ca.pem my_ca)
** Importing cert '/opt/zimbra/ssl/zimbra/ca/ca.pem' as 'my_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
DEBUG: run command: /opt/zimbra/common/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/common/lib/jvm/java/lib/security/cacerts -storepass changeit 2>&1
DEBUG: run(rc=0) results(#=1):
Warning: use -cacerts option to access cacerts keystore
DEBUG: run command: /opt/zimbra/common/bin/keytool -import -alias my_ca -noprompt -file /opt/zimbra/ssl/zimbra/ca/ca.pem -keystore /opt/zimbra/common/lib/jvm/java/lib/security/cacerts -storepass changeit 2>&1
DEBUG: run(rc=0) results(#=2):
Warning: use -cacerts option to access cacerts keystore
Certificate was added to keystore
** NOTE: restart mailboxd to use the imported certificate.
DEBUG: installCA
** Cleaning up 9 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/597f220c.0
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/f9c438b7.0
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/8d33f237.0
** Removing /opt/zimbra/conf/ca/commercial_ca_3.crt
** Removing /opt/zimbra/conf/ca/4042bcee.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
DEBUG: run command: /opt/zimbra/common/bin/openssl x509 -hash -noout -in /opt/zimbra/conf/ca/ca.pem 2>&1
DEBUG: run(rc=0) results(#=1):
597f220c
** Creating CA hash symlink '597f220c.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
DEBUG: run command: /opt/zimbra/common/bin/openssl x509 -hash -noout -in /opt/zimbra/conf/ca/commercial_ca_1.crt 2>&1
DEBUG: run(rc=0) results(#=1):
f9c438b7
** Creating CA hash symlink 'f9c438b7.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
DEBUG: run command: /opt/zimbra/common/bin/openssl x509 -hash -noout -in /opt/zimbra/conf/ca/commercial_ca_2.crt 2>&1
DEBUG: run(rc=0) results(#=1):
8d33f237
** Creating CA hash symlink '8d33f237.0' -> 'commercial_ca_2.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_3.crt
DEBUG: run command: /opt/zimbra/common/bin/openssl x509 -hash -noout -in /opt/zimbra/conf/ca/commercial_ca_3.crt 2>&1
DEBUG: run(rc=0) results(#=1):
4042bcee
** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_3.crt'
[zimbra@mail conf]$ /opt/zimbra/bin/zmcertmgr createcrt -new -days 365 --debug 3
DEBUG: CertMgr->New(1)
DEBUG: CertMgr->Debug(3)
DEBUG: CertMgr->Command(createcrt)
DEBUG: CertMgr->Days(365)
DEBUG: createcrt
DEBUG: backupSSLDirs(/opt/zimbra/ssl/zimbra)
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20220113121854
DEBUG: initSSLDirs
DEBUG: createCASerial
DEBUG: skipping initSSLDirs
DEBUG: createConf '/opt/zimbra/conf/zmssl.cnf' altnames: mail.XXX.com
** Recreating /opt/zimbra/conf/zmssl.cnf
DEBUG: createcsr(self)
** Generating a server CSR of type 'self' for download
DEBUG: createConf '/opt/zimbra/conf/zmssl.cnf' altnames: mail.XXX.com
DEBUG: skipping backupSSLDirs
DEBUG: skipping initSSLDirs
DEBUG: createca
DEBUG: skipping initSSLDirs
** Using CA cert in '/opt/zimbra/ssl/zimbra/ca/ca.pem'
** Using CA private key in '/opt/zimbra/ssl/zimbra/ca/ca.key'
** Using Commercial CA cert in '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
DEBUG: createServerCertReq(self)
DEBUG: createConf '/opt/zimbra/conf/zmssl.cnf' altnames: mail.XXX.com
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr with keysize=2048 digest=sha256
DEBUG: run command: /opt/zimbra/common/bin/openssl req -batch -nodes -new -sha256 -subj '/OU=Zimbra Collaboration Server/CN=mail.XXX.com' -config /opt/zimbra/conf/zmssl.cnf -out /opt/zimbra/ssl/zimbra/server/server.csr -newkey rsa:2048 -keyout /opt/zimbra/ssl/zimbra/server/server.key 2>&1
DEBUG: run(rc=0) results(#=5):
Generating a RSA private key
.....+++++
.........................+++++
writing new private key to '/opt/zimbra/ssl/zimbra/server/server.key'
-----
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.XXX.com...DEBUG: run command: /opt/zimbra/bin/zmprov -m -l modifyServer mail.XXX.com zimbraSSLPrivateKey '-----BEGIN PRIVATE KEY-----
......
......
-----END PRIVATE KEY-----
'
DEBUG: run(rc=0) results(#=0)
ok
DEBUG: removing '/opt/zimbra/ssl/zimbra/ca/index.txt.attr'
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr
DEBUG: run command: /opt/zimbra/common/bin/openssl ca -batch -notext -policy policy_anything -days 365 -md sha256 -config /opt/zimbra/conf/zmssl.cnf -in /opt/zimbra/ssl/zimbra/server/server.csr -out /opt/zimbra/ssl/zimbra/server/server.crt -cert /opt/zimbra/ssl/zimbra/ca/ca.pem -keyfile /opt/zimbra/ssl/zimbra/ca/ca.key -extfile /opt/zimbra/conf/zmssl.cnf -extensions v3_req 2>&1
DEBUG: run(rc=0) results(#=22):
Using configuration from /opt/zimbra/conf/zmssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 95597060916 (0x1642076334)
Validity
Not Before: Jan 13 12:18:57 2022 GMT
Not After : Jan 13 12:18:57 2023 GMT
Subject:
organizationalUnitName = Zimbra Collaboration Server
commonName = mail.XXX.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:mail.XXX.com
Certificate is to be certified until Jan 13 12:18:57 2023 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
[zimbra@mail conf]$ /opt/zimbra/bin/zmcertmgr deploycrt self --debug 3
DEBUG: CertMgr->Command(deploycrt)
DEBUG: CertMgr->Debug(3)
DEBUG: CertMgr->Type(self)
DEBUG: deploycrt(self)
DEBUG: initSSLDirs
DEBUG: savecrt(self)
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.XXX.com...DEBUG: run command: /opt/zimbra/bin/zmprov -m -l modifyServer mail.XXX.com zimbraSSLCertificate '-----BEGIN CERTIFICATE-----
......
......
-----END CERTIFICATE-----
'
DEBUG: run(rc=0) results(#=0)
ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.XXX.com...DEBUG: run command: /opt/zimbra/bin/zmprov -m -l modifyServer mail.XXX.com zimbraSSLPrivateKey '-----BEGIN PRIVATE KEY-----
......
......
-----END PRIVATE KEY-----
'
DEBUG: run(rc=0) results(#=0)
ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/server/server.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/server/server.key' to '/opt/zimbra/conf/imapd.key'
DEBUG: createimapdkeystore(self)
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
DEBUG: run command: /opt/zimbra/common/bin/openssl pkcs12 -inkey /opt/zimbra/conf/imapd.key -in /opt/zimbra/conf/imapd.crt -name jetty -export -out /opt/zimbra/ssl/zimbra/jetty.pkcs12 -passout pass:ecMJv6Cn6L 2>&1
DEBUG: run(rc=0) results(#=0)
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
DEBUG: run command: /opt/zimbra/common/bin/java -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl/zimbra/jetty.pkcs12 /opt/zimbra/conf/imapd.keystore ecMJv6Cn6L ecMJv6Cn6L 2>&1
DEBUG: run(rc=0) results(#=2):
Alias 0: jetty
Adding key for alias jetty
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/server/server.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/server/server.key' to '/opt/zimbra/conf/slapd.key'
DEBUG: createkeystore(self)
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
DEBUG: run command: /opt/zimbra/common/bin/openssl pkcs12 -inkey /opt/zimbra/ssl/zimbra/server/server.key -in /opt/zimbra/ssl/zimbra/server/server.crt -name jetty -export -out /opt/zimbra/ssl/zimbra/jetty.pkcs12 -passout pass:ecMJv6Cn6L 2>&1
DEBUG: run(rc=0) results(#=0)
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
DEBUG: run command: /opt/zimbra/common/bin/java -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl/zimbra/jetty.pkcs12 /opt/zimbra/mailboxd/etc/keystore ecMJv6Cn6L ecMJv6Cn6L 2>&1
DEBUG: run(rc=0) results(#=2):
Alias 0: jetty
Adding key for alias jetty
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/server/server.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/server/server.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/server/server.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/server/server.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
DEBUG: installCA
** Cleaning up 9 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/597f220c.0
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/f9c438b7.0
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/8d33f237.0
** Removing /opt/zimbra/conf/ca/commercial_ca_3.crt
** Removing /opt/zimbra/conf/ca/4042bcee.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
DEBUG: run command: /opt/zimbra/common/bin/openssl x509 -hash -noout -in /opt/zimbra/conf/ca/ca.pem 2>&1
DEBUG: run(rc=0) results(#=1):
597f220c
** Creating CA hash symlink '597f220c.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
DEBUG: run command: /opt/zimbra/common/bin/openssl x509 -hash -noout -in /opt/zimbra/conf/ca/commercial_ca_1.crt 2>&1
DEBUG: run(rc=0) results(#=1):
f9c438b7
** Creating CA hash symlink 'f9c438b7.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
DEBUG: run command: /opt/zimbra/common/bin/openssl x509 -hash -noout -in /opt/zimbra/conf/ca/commercial_ca_2.crt 2>&1
DEBUG: run(rc=0) results(#=1):
8d33f237
** Creating CA hash symlink '8d33f237.0' -> 'commercial_ca_2.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_3.crt
DEBUG: run command: /opt/zimbra/common/bin/openssl x509 -hash -noout -in /opt/zimbra/conf/ca/commercial_ca_3.crt 2>&1
DEBUG: run(rc=0) results(#=1):
4042bcee
** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_3.crt'
[zimbra@mail conf]$ ls -l imapd.keystore
-rw-r----- 1 zimbra zimbra 2188 Jan 13 12:19 imapd.keystore
[zimbra@mail conf]$
Code: Select all
[zimbra@mail conf]$ cd /tmp/
[zimbra@mail tmp]$ /opt/zimbra/bin/zmcertmgr deploycrt comm mail.XXX.com.cer fullchain.cer
** Verifying 'mail.XXX.com.cer' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'mail.XXX.com.cer' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'mail.XXX.com.cer' against 'fullchain.cer'
Valid certificate chain: mail.XXX.com.cer: OK
** Copying 'mail.XXX.com.cer' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying 'fullchain.cer' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain 'fullchain.cer' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.XXX.com...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.XXX.com...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 9 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/597f220c.0
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/f9c438b7.0
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/8d33f237.0
** Removing /opt/zimbra/conf/ca/commercial_ca_3.crt
** Removing /opt/zimbra/conf/ca/4042bcee.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink '597f220c.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink 'f9c438b7.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '8d33f237.0' -> 'commercial_ca_2.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_3.crt
** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_3.crt'
[zimbra@mail tmp]$ zmcontrol start
Host mail.XXX.com
Starting zmconfigd...Done.
Starting logger...Done.
Starting mailbox...Done.
Starting memcached...Done.
Starting proxy...Done.
Starting amavis...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting opendkim...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.
Starting service webapp...Done.
Starting zimbra webapp...Done.
Starting zimbraAdmin webapp...Done.
Starting zimlet webapp...Done.
[zimbra@mail tmp]$
Code: Select all
[root@mail ~]# cd /root/zcs-8.8.15_GA_3953.RHEL8_64.20200629025823
[root@mail zcs-8.8.15_GA_3953.RHEL8_64.20200629025823]# clear
[root@mail zcs-8.8.15_GA_3953.RHEL8_64.20200629025823]# ./install.sh
Operations logged to /tmp/install.log.oc3Kg5yb
Checking for existing installation...
zimbra-drive...FOUND zimbra-drive-1.0.13.1576152256-1
zimbra-imapd...FOUND zimbra-imapd-8.8.15_GA_3953
zimbra-patch...FOUND zimbra-patch-8.8.15.1639579168
zimbra-mta-patch...FOUND zimbra-mta-patch-8.8.15.1638533801
zimbra-proxy-patch...FOUND zimbra-proxy-patch-8.8.15.1634196512
zimbra-license-tools...NOT FOUND
zimbra-license-extension...NOT FOUND
zimbra-network-store...NOT FOUND
zimbra-network-modules-ng...NOT FOUND
zimbra-chat...FOUND zimbra-chat-3.0.1.1594306000-1
zimbra-talk...NOT FOUND
zimbra-ldap...FOUND zimbra-ldap-8.8.15_GA_3953
zimbra-logger...FOUND zimbra-logger-8.8.15_GA_3953
zimbra-mta...FOUND zimbra-mta-8.8.15_GA_3953
zimbra-dnscache...NOT FOUND
zimbra-snmp...FOUND zimbra-snmp-8.8.15_GA_3953
zimbra-store...FOUND zimbra-store-8.8.15_GA_3953
zimbra-apache...FOUND zimbra-apache-8.8.15_GA_3953
zimbra-spell...FOUND zimbra-spell-8.8.15_GA_3953
zimbra-convertd...NOT FOUND
zimbra-memcached...FOUND zimbra-memcached-1.6.5-1zimbra8.7b1
zimbra-proxy...FOUND zimbra-proxy-8.8.15_GA_3953
zimbra-archiving...NOT FOUND
zimbra-core...FOUND zimbra-core-8.8.15_GA_3953
ZCS upgrade from 8.8.15 to 8.8.15 will be performed.
Validating ldap configuration
LDAP validation succeeded. Continuing.
----------------------------------------------------------------------
PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE.
SYNACOR, INC. ("SYNACOR") WILL ONLY LICENSE THIS SOFTWARE TO YOU IF YOU
FIRST ACCEPT THE TERMS OF THIS AGREEMENT. BY DOWNLOADING OR INSTALLING
THE SOFTWARE, OR USING THE PRODUCT, YOU ARE CONSENTING TO BE BOUND BY
THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS
AGREEMENT, THEN DO NOT DOWNLOAD, INSTALL OR USE THE PRODUCT.
License Terms for this Zimbra Collaboration Suite Software:
https://www.zimbra.com/license/zimbra-public-eula-2-6.html
----------------------------------------------------------------------
Do you agree with the terms of the software license agreement? [N] y
Checking current number of databases...
Do you want to verify message store database integrity? [Y] n
Use Zimbra's package repository [Y] y
Configuring package repository
Checking for installable packages
Found zimbra-core (local)
Found zimbra-ldap (local)
Found zimbra-logger (local)
Found zimbra-mta (local)
Found zimbra-dnscache (local)
Found zimbra-snmp (local)
Found zimbra-store (local)
Found zimbra-apache (local)
Found zimbra-spell (local)
Found zimbra-memcached (repo)
Found zimbra-proxy (local)
Found zimbra-drive (repo)
Found zimbra-imapd (local)
Found zimbra-patch (repo)
Found zimbra-mta-patch (repo)
Found zimbra-proxy-patch (repo)
The Zimbra Collaboration Server appears to already be installed.
It can be upgraded with no effect on existing accounts,
or the current installation can be completely removed prior
to installation for a clean install.
Do you wish to upgrade? [Y] y
Scanning for any new or additional packages available for installation
Existing packages will be upgraded
Upgrading zimbra-core
Upgrading zimbra-ldap
Upgrading zimbra-logger
Upgrading zimbra-mta
Install zimbra-dnscache [N] n
Upgrading zimbra-snmp
Upgrading zimbra-store
Upgrading zimbra-apache
Upgrading zimbra-spell
Upgrading zimbra-memcached
Upgrading zimbra-proxy
Upgrading zimbra-drive
Upgrading zimbra-imapd
Upgrading zimbra-patch
Upgrading zimbra-mta-patch
Upgrading zimbra-proxy-patch
Upgrading zimbra-chat
Checking required space for zimbra-core
Checking space for zimbra-store
Checking required packages for zimbra-store
zimbra-store package check complete.
Installing:
zimbra-core
zimbra-ldap
zimbra-logger
zimbra-mta
zimbra-snmp
zimbra-store
zimbra-apache
zimbra-spell
zimbra-memcached
zimbra-proxy
zimbra-drive
zimbra-imapd
zimbra-patch
zimbra-mta-patch
zimbra-proxy-patch
zimbra-chat
The system will be modified. Continue? [N] y
Beginning Installation - see /tmp/install.log.oc3Kg5yb for details...
zimbra-core-components will be downloaded and installed.
zimbra-common-core-jar will be installed.
zimbra-common-core-libs will be installed.
zimbra-common-mbox-conf will be installed.
zimbra-common-mbox-conf-attrs will be installed.
zimbra-common-mbox-conf-msgs will be installed.
zimbra-common-mbox-conf-rights will be installed.
zimbra-common-mbox-db will be installed.
zimbra-common-mbox-docs will be installed.
zimbra-common-mbox-native-lib will be installed.
zimbra-timezone-data will be installed.
zimbra-core will be installed.
zimbra-ldap-components will be downloaded and installed.
zimbra-ldap will be installed.
zimbra-logger will be installed.
zimbra-mta-components will be downloaded and installed.
zimbra-mta will be installed.
zimbra-snmp-components will be downloaded and installed.
zimbra-snmp will be installed.
Last metadata expiration check: 0:01:15 ago on Thu 13 Jan 2022 12:28:42 PM UTC.
zimbra-jetty-distribution will be downloaded and installed.
zimbra-store-components will be downloaded and installed.
zimbra-mbox-admin-console-war will be installed.
zimbra-mbox-conf will be installed.
zimbra-mbox-war will be installed.
zimbra-mbox-service will be installed.
zimbra-mbox-store-libs will be installed.
zimbra-mbox-webclient-war will be installed.
zimbra-store will be installed.
zimbra-apache-components will be downloaded and installed.
zimbra-apache will be installed.
zimbra-spell-components will be downloaded and installed.
zimbra-spell will be installed.
Last metadata expiration check: 0:01:23 ago on Thu 13 Jan 2022 12:28:42 PM UTC.
zimbra-memcached will be downloaded and installed.
zimbra-proxy-components will be downloaded and installed.
zimbra-proxy will be installed.
Last metadata expiration check: 0:01:30 ago on Thu 13 Jan 2022 12:28:42 PM UTC.
zimbra-drive will be downloaded and installed (later).
zimbra-imapd will be installed.
Last metadata expiration check: 0:01:32 ago on Thu 13 Jan 2022 12:28:42 PM UTC.
zimbra-patch will be downloaded and installed (later).
Last metadata expiration check: 0:01:33 ago on Thu 13 Jan 2022 12:28:42 PM UTC.
zimbra-mta-patch will be downloaded and installed (later).
Last metadata expiration check: 0:01:35 ago on Thu 13 Jan 2022 12:28:42 PM UTC.
zimbra-proxy-patch will be downloaded and installed (later).
Last metadata expiration check: 0:01:38 ago on Thu 13 Jan 2022 12:28:42 PM UTC.
zimbra-chat will be downloaded and installed (later).
Downloading packages (10):
zimbra-core-components
zimbra-ldap-components
zimbra-mta-components
zimbra-snmp-components
zimbra-jetty-distribution
zimbra-store-components
zimbra-apache-components
zimbra-spell-components
zimbra-memcached
zimbra-proxy-components
...done
Saving existing configuration file to /opt/zimbra/.saveconfig
Shutting down zimbra mail
Backing up the ldap database...done.
Removing existing packages
zimbra-drive...done
zimbra-imapd...done
zimbra-patch...done
zimbra-mta-patch...done
zimbra-proxy-patch...done
zimbra-chat...done
zimbra-ldap...done
zimbra-logger...done
zimbra-mta...done
zimbra-snmp...done
zimbra-store...done
zimbra-spell...done
zimbra-memcached...done
zimbra-core...done
Removing deployed webapp directories
Installing repo packages (10):
zimbra-core-components
zimbra-ldap-components
zimbra-mta-components
zimbra-snmp-components
zimbra-jetty-distribution
zimbra-store-components
zimbra-apache-components
zimbra-spell-components
zimbra-memcached
zimbra-proxy-components
...done
Installing local packages (26):
zimbra-common-core-jar
zimbra-common-core-libs
zimbra-common-mbox-conf
zimbra-common-mbox-conf-attrs
zimbra-common-mbox-conf-msgs
zimbra-common-mbox-conf-rights
zimbra-common-mbox-db
zimbra-common-mbox-docs
zimbra-common-mbox-native-lib
zimbra-timezone-data
zimbra-core
zimbra-ldap
zimbra-logger
zimbra-mta
zimbra-snmp
zimbra-mbox-admin-console-war
zimbra-mbox-conf
zimbra-mbox-war
zimbra-mbox-service
zimbra-mbox-store-libs
zimbra-mbox-webclient-war
zimbra-store
zimbra-apache
zimbra-spell
zimbra-proxy
zimbra-imapd
...done
Installing extra packages (5):
zimbra-drive
zimbra-patch
zimbra-mta-patch
zimbra-proxy-patch
zimbra-chat
...done
Running Post Installation Configuration:
Setting defaults from saved config in /opt/zimbra/.saveconfig/config.save
HOSTNAME=mail.XXX.com
LDAPHOST=mail.XXX.com
LDAPPORT=389
SNMPTRAPHOST=mail.XXX.com
SMTPSOURCE=admin@XXX.com
SMTPDEST=admin@XXX.com
SNMPNOTIFY=yes
SMTPNOTIFY=yes
LDAPROOTPW=*
LDAPZIMBRAPW=*
LDAPPOSTPW=*
LDAPREPPW=*
LDAPAMAVISPW=*
LDAPNGINXPW=*
Restoring existing configuration file from /opt/zimbra/.saveconfig/localconfig.xml...done
Operations logged to /tmp/zmsetup.20220113-123615.log
Adding /opt/zimbra/conf/ca/ca.pem to cacerts
Checking ldap status....not running.
Starting ldap...done.
Setting defaults...done.
Setting defaults from existing config...done.
Checking for port conflicts
Setting defaults from ldap...done.
Saving config in /opt/zimbra/config.4033384...done.
Operations logged to /tmp/zmsetup.20220113-123615.log
Setting local config values...done.
Initializing core config...Setting up CA...done.
Deploying CA to /opt/zimbra/conf/ca ...done.
Setting replication password...done.
Setting Postfix password...done.
Setting amavis password...done.
Setting nginx password...done.
Creating server entry for mail.XXX.com...already exists.
Setting Zimbra IP Mode...done.
Saving CA in ldap...done.
Saving SSL Certificate in ldap...done.
Setting spell check URL...done.
Setting service ports on mail.XXX.com...done.
Setting Keyboard Shortcut Preferences...done.
Setting zimbraFeatureTasksEnabled=TRUE...done.
Setting zimbraFeatureBriefcasesEnabled=TRUE...done.
Updating zimbraLDAPSchemaVersion to version '1571057268'
Setting TimeZone Preference...done.
Initializing mta config...done.
Setting services on mail.XXX.com...done.
Adding mail.XXX.com to zimbraMailHostPool in default COS...done.
Creating user spam.hgmqtrazk@XXX.com...already exists.
Creating user ham.sdzndrvv@XXX.com...already exists.
Creating user virus-quarantine.s1fizgnofz@XXX.com...already exists.
Setting spam training and Anti-virus quarantine accounts...done.
Configuring SNMP...done.
Setting up syslog.conf...done.
Enabling IMAP protocol for zimbra-imapd service...done.
Enabling IMAPS protocol for zimbra-imapd service...done.
Starting servers...done.
Checking for deprecated zimlets...done.
Checking for network zimlets in LDAP...done.
Removing network zimlets...
Finished removing network zimlets.
Installing common zimlets...
com_zimbra_adminversioncheck...done.
com_zimbra_attachcontacts...done.
com_zimbra_attachmail...done.
com_zimbra_bulkprovision...done.
com_zimbra_cert_manager...done.
com_zimbra_clientuploader...done.
com_zimbra_date...done.
com_zimbra_email...done.
com_zimbra_mailarchive...done.
com_zimbra_phone...done.
com_zimbra_proxy_config...done.
com_zimbra_srchhighlighter...done.
com_zimbra_tooltip...done.
com_zimbra_url...done.
com_zimbra_viewmail...done.
com_zimbra_webex...done.
com_zimbra_ymemoticons...done.
com_zextras_drive_open...done.
com_zextras_chat_open...done.
Finished installing common zimlets.
Getting list of all zimlets...done.
Updating non-standard zimlets...
Finished updating non-standard zimlets.
Restarting mailboxd...done.
Skipping creation of default domain GAL sync account - existing install detected.
You have the option of notifying Zimbra of your installation.
This helps us to track the uptake of the Zimbra Collaboration Server.
The only information that will be transmitted is:
The VERSION of zcs installed (8.8.15_GA_3953_RHEL8_64)
The ADMIN EMAIL ADDRESS created (admin@XXX.com)
Notify Zimbra of your installation? [Yes] N
Notification skipped
Checking if the NG started running...done.
Setting up zimbra crontab...done.
Moving /tmp/zmsetup.20220113-123615.log to /opt/zimbra/log
Configuration complete - press return to exit
No errors, result! Thanks, Jim!
Web interface still doesn't work, I get this:
HTTP ERROR 502
Problem accessing ZCS upstream server. Cannot connect to the ZCS upstream server. Connection is refused.
Possible reasons:
upstream server is unreachable
upstream server is currently being upgraded
upstream server is down
Please contact your ZCS administrator to fix the problem.
Powered by Nginx-Zimbra://
Re: Error on deploying SSL certificates
Checking logs:
zimbra.log
nginx.log
mysql-error.log
zimbra.log
Code: Select all
2022-01-13 17:18:12,562 WARN [main] [] misc - Could not establish a connection to the database. Retrying in 5 seconds.
com.zimbra.common.service.ServiceException: system failure: getting database connection
ExceptionId:main:1642094292562:c92db4a2d4cea5cc
Code:service.FAILURE
at com.zimbra.common.service.ServiceException.FAILURE(ServiceException.java:288)
at com.zimbra.cs.db.DbPool.getConnection(DbPool.java:360)
at com.zimbra.cs.db.DbPool.getConnection(DbPool.java:322)
at com.zimbra.cs.db.DbPool.waitForDatabase(DbPool.java:243)
at com.zimbra.cs.db.DbPool.startup(DbPool.java:234)
at com.zimbra.cs.util.Zimbra.startup(Zimbra.java:218)
at com.zimbra.cs.util.Zimbra.startup(Zimbra.java:177)
at com.zimbra.soap.SoapServlet.init(SoapServlet.java:130)
at javax.servlet.GenericServlet.init(GenericServlet.java:244)
at org.eclipse.jetty.servlet.ServletHolder.initServlet(ServletHolder.java:671)
at org.eclipse.jetty.servlet.ServletHolder.initialize(ServletHolder.java:428)
at org.eclipse.jetty.servlet.ServletHandler.lambda$initialize$0(ServletHandler.java:750)
at java.base/java.util.stream.SortedOps$SizedRefSortingSink.end(SortedOps.java:357)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
at java.base/java.util.stream.StreamSpliterators$WrappingSpliterator.forEachRemaining(StreamSpliterators.java:312)
at java.base/java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:735)
at java.base/java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:734)
at java.base/java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:658)
at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:744)
at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:369)
at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1497)
at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1459)
at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:852)
at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:278)
at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:545)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:167)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:119)
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:167)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:119)
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:167)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110)
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:167)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110)
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113)
at org.eclipse.jetty.server.handler.gzip.GzipHandler.doStart(GzipHandler.java:406)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:167)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110)
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113)
at org.eclipse.jetty.server.handler.DebugHandler.doStart(DebugHandler.java:142)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:167)
at org.eclipse.jetty.server.Server.start(Server.java:418)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110)
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113)
at org.eclipse.jetty.server.Server.doStart(Server.java:382)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1572)
at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1512)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:554)
at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1511)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:567)
at org.eclipse.jetty.start.Main.invokeMain(Main.java:220)
at org.eclipse.jetty.start.Main.start(Main.java:490)
at org.eclipse.jetty.start.Main.main(Main.java:77)
Caused by: java.sql.SQLException: Host 'localhost' is not allowed to connect to this MariaDB server
at org.mariadb.jdbc.internal.com.read.ReadInitialHandShakePacket.<init>(ReadInitialHandShakePacket.java:92)
at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.handleConnectionPhases(AbstractConnectProtocol.java:693)
at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connect(AbstractConnectProtocol.java:415)
at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connectWithoutProxy(AbstractConnectProtocol.java:1128)
at org.mariadb.jdbc.internal.util.Utils.retrieveProxy(Utils.java:620)
at org.mariadb.jdbc.MariaDbConnection.newConnection(MariaDbConnection.java:175)
at org.mariadb.jdbc.Driver.connect(Driver.java:92)
at java.sql/java.sql.DriverManager.getConnection(DriverManager.java:677)
at java.sql/java.sql.DriverManager.getConnection(DriverManager.java:189)
at org.apache.commons.dbcp.DriverManagerConnectionFactory.createConnection(DriverManagerConnectionFactory.java:78)
at com.zimbra.cs.db.ZimbraConnectionFactory.createConnection(ZimbraConnectionFactory.java:67)
at org.apache.commons.dbcp.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:582)
at org.apache.commons.pool.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:1188)
at org.apache.commons.dbcp.PoolingDataSource.getConnection(PoolingDataSource.java:106)
at com.zimbra.cs.db.DbPool.getConnection(DbPool.java:341)
... 64 more
[zimbra@mail ~]$ mysql
ERROR 1045 (28000): Access denied for user 'zimbra'@'localhost' (using password: YES)
[zimbra@mail ~]$
Code: Select all
[zimbra@mail ~]$ telnet localhost 7306
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
DHost 'localhost' is not allowed to connect to this MariaDB serverConnection closed by foreign host.
[zimbra@mail ~]$
nginx.log
Code: Select all
[root@mail ~]# tail -f /opt/zimbra/log/nginx.log
2022/01/13 17:31:56 [error] 4031#0: *1545 upstream timed out (110: Connection timed out) while connecting to upstream, client: 86.121.xxx.x, server: mail.XXX.com, request: "PROPFIND /principals/users/sandu.velea%40XXX.com/ HTTP/1.1", upstream: "https://10.70.150.43:8443/principals/users/sandu.velea%40XXX.com/", host: "mail.XXX.com"
2022/01/13 17:31:56 [error] 4031#0: *1545 no live upstreams while connecting to upstream, client: 86.121.xxx.x, server: mail.XXX.com, request: "PROPFIND /principals/users/sandu.velea%40XXX.com/ HTTP/1.1", upstream: "https://zimbra_ssl/principals/users/sandu.velea%40XXX.com/", host: "mail.XXX.com"
2022/01/13 17:32:21 [error] 4031#0: *1545 upstream timed out (110: Connection timed out) while connecting to upstream, client: 86.121.xxx.x, server: mail.XXX.com, request: "PROPFIND / HTTP/1.1", upstream: "https://192.168.168.168:8443/", host: "mail.XXX.com"
2022/01/13 17:32:46 [error] 4031#0: *1545 upstream timed out (110: Connection timed out) while connecting to upstream, client: 86.121.xxx.x, server: mail.XXX.com, request: "PROPFIND / HTTP/1.1", upstream: "https://10.70.150.43:8443/", host: "mail.XXX.com"
2022/01/13 17:32:46 [error] 4031#0: *1545 no live upstreams while connecting to upstream, client: 86.121.xxx.x, server: mail.XXX.com, request: "PROPFIND / HTTP/1.1", upstream: "https://zimbra_login_ssl/", host: "mail.XXX.com"
2022/01/13 17:33:11 [error] 4031#0: *1545 upstream timed out (110: Connection timed out) while connecting to upstream, client: 86.121.xxx.x, server: mail.XXX.com, request: "PROPFIND /principals/ HTTP/1.1", upstream: "https://192.168.168.168:8443/principals/", host: "mail.XXX.com"
2022/01/13 17:33:36 [error] 4031#0: *1545 upstream timed out (110: Connection timed out) while connecting to upstream, client: 86.121.xxx.x, server: mail.XXX.com, request: "PROPFIND /principals/ HTTP/1.1", upstream: "https://10.70.150.43:8443/principals/", host: "mail.XXX.com"
2022/01/13 17:33:36 [error] 4031#0: *1545 no live upstreams while connecting to upstream, client: 86.121.xxx.x, server: mail.XXX.com, request: "PROPFIND /principals/ HTTP/1.1", upstream: "https://zimbra_ssl/principals/", host: "mail.XXX.com"
2022/01/13 17:34:16 [info] 4031#0: *1545 client 86.121.xxx.x closed keepalive connection
2022/01/13 17:38:44 [info] 4030#0: *1576 epoll_wait() reported that client prematurely closed connection, so upstream connection is closed too while connecting to upstream, client: 45.146.165.37, server: mail.XXX.com, request: "GET / HTTP/1.1", upstream: "https://10.70.150.43:8443/", host: "51.158.xx.xx:443"
mysql-error.log
Code: Select all
220113 13:04:30 mysqld_safe Starting mysqld daemon with databases from /opt/zimbra/db/data
2022-01-13 13:04:30 140481834846080 [Note] /opt/zimbra/common/sbin/mysqld (mysqld 10.1.25-MariaDB) starting as process 3592 ...
2022-01-13 13:04:30 140481834846080 [Note] InnoDB: Using mutexes to ref count buffer pool pages
2022-01-13 13:04:30 140481834846080 [Note] InnoDB: The InnoDB memory heap is disabled
2022-01-13 13:04:30 140481834846080 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
2022-01-13 13:04:30 140481834846080 [Note] InnoDB: GCC builtin __atomic_thread_fence() is used for memory barrier
2022-01-13 13:04:30 140481834846080 [Note] InnoDB: Compressed tables use zlib 1.2.3
2022-01-13 13:04:30 140481834846080 [Note] InnoDB: Using Linux native AIO
2022-01-13 13:04:30 140481834846080 [Note] InnoDB: Using SSE crc32 instructions
2022-01-13 13:04:30 140481834846080 [Note] InnoDB: Initializing buffer pool, size = 2.3G
2022-01-13 13:04:30 140481834846080 [Note] InnoDB: Completed initialization of buffer pool
2022-01-13 13:04:30 140481834846080 [Note] InnoDB: Highest supported file format is Barracuda.
2022-01-13 13:04:31 140481834846080 [Note] InnoDB: 128 rollback segment(s) are active.
2022-01-13 13:04:31 140481834846080 [Note] InnoDB: Waiting for purge to start
2022-01-13 13:04:31 140481834846080 [Note] InnoDB: Percona XtraDB (http://www.percona.com) 5.6.36-82.0 started; log sequence number 1600766
2022-01-13 13:04:31 140479046227712 [Note] InnoDB: Dumping buffer pool(s) not yet started
2022-01-13 13:04:31 140481834846080 [Note] Plugin 'FEEDBACK' is disabled.
2022-01-13 13:04:31 140481834846080 [Note] Server socket created on IP: '127.0.0.1'.
2022-01-13 13:04:31 140481834302208 [Warning] InnoDB: Cannot open table mysql/gtid_slave_pos from the internal data dictionary of InnoDB though the .frm file for the table exists. See http://dev.mysql.com/doc/refman/5.6/en/innodb-troubleshooting.html for how you can resolve the problem.
2022-01-13 13:04:31 140481834302208 [Warning] Failed to load slave replication state from table mysql.gtid_slave_pos: 1932: Table 'mysql.gtid_slave_pos' doesn't exist in engine
2022-01-13 13:04:31 140481834846080 [Note] /opt/zimbra/common/sbin/mysqld: ready for connections.
Version: '10.1.25-MariaDB' socket: '/opt/zimbra/data/tmp/mysql/mysql.sock' port: 7306 Zimbra MariaDB binary distribution
- JDunphy
Re: Error on deploying SSL certificates
Glad you are past the SSL certs now. I think I learned quite a bit myself so who doesn't like a good puzzle eh?
That 502... Background. You have an nginx reverse proxy that is listening on ports 80, 443, 993, etc, etc. There is a backend server which is that mailboxd (java) instance and it is listening on a lot of ports (pop3, imap, web, etc). There needs to be some sort of connection so that nginx knows that if you hit port 443 that corresponds to 8443 to mailboxd, etc. They do that with a tool to map the ports and configure the nginx conf files.
Generally you can do it with this if the mapping is messed up. I would hold off on that however until you know more.
Code: Select all
# su -
% /opt/zimbra/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x <http/both> -H `zmhostname`
Ref: https://wiki.zimbra.com/wiki/Zimbra_Pro ... mbra_Proxy (see section on manual configuration)
It makes more sense to look at what ports you have and what the logs are telling you.
Code: Select all
% su -
# grep FATAL /opt/zimbra/log/mailbox.log
# netstat -nalp | grep LISTEN
Some starting points given there are a few places that should be telling you why nginx can't connect to mailboxd. First I would establish if mailboxd is running. Note: if you run a zmmailboxdctl start; zmcontrol status you might be deceived that mailboxd started when it actually aborted a bit later after that zmcontrol status told you it was running. That is why I generally do a quick look with netstat because it is really obvious when it is running given how many ports it is listening on.
Jim
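The check described in the post above (compare what nginx is trying to reach with what is actually listening), as an added example that is not part of the original thread. The function names are hypothetical and the log and netstat lines are constructed; backend ports 8080 and 8443 come from the zmproxyconfig mapping and 7306 from the MariaDB log shown earlier.

```shell
#!/bin/sh
# Added example: triage a proxy 502 by tallying the upstream addresses nginx
# failed to reach and listing expected backend ports with no LISTEN socket.

# Constructed nginx error-log lines in the format seen in the thread.
sample_nginx_log() {
cat <<'EOF'
2022/01/13 17:31:56 [error] 4031#0: *1 upstream timed out (110: Connection timed out) while connecting to upstream, client: 198.51.100.7, server: mail.example.test, request: "PROPFIND / HTTP/1.1", upstream: "https://10.0.0.5:8443/", host: "mail.example.test"
2022/01/13 17:31:56 [error] 4031#0: *1 no live upstreams while connecting to upstream, client: 198.51.100.7, server: mail.example.test, request: "PROPFIND / HTTP/1.1", upstream: "https://zimbra_ssl/", host: "mail.example.test"
2022/01/13 17:32:21 [error] 4031#0: *1 upstream timed out (110: Connection timed out) while connecting to upstream, client: 198.51.100.7, server: mail.example.test, request: "GET / HTTP/1.1", upstream: "https://192.0.2.10:8443/", host: "mail.example.test"
2022/01/13 17:32:46 [error] 4031#0: *1 upstream timed out (110: Connection timed out) while connecting to upstream, client: 198.51.100.7, server: mail.example.test, request: "GET /principals/ HTTP/1.1", upstream: "https://10.0.0.5:8443/principals/", host: "mail.example.test"
2022/01/13 17:34:16 [info] 4031#0: *1 client 198.51.100.7 closed keepalive connection
EOF
}

# Constructed `netstat -nalp` output: proxy and MariaDB are up, mailboxd is not.
sample_netstat() {
cat <<'EOF'
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4030/nginx: master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4030/nginx: master
tcp        0      0 127.0.0.1:7306          0.0.0.0:*               LISTEN      3592/mysqld
tcp6       0      0 :::25                   :::*                    LISTEN      5000/master
tcp        0      0 127.0.0.1:7306          127.0.0.1:51234         ESTABLISHED 3592/mysqld
unix  2      [ ACC ]     STREAM     LISTENING     12345    /opt/zimbra/data/tmp/mysql/mysql.sock
EOF
}

# Read an nginx error log on stdin; print "addr:port count" for each concrete
# upstream address in an [error] line. Named upstream groups (for example
# "zimbra_ssl" in "no live upstreams" lines) carry no address and are skipped.
upstream_failures() {
    sed -n 's|.*\[error\].*while connecting to upstream.*upstream: "[a-z]*://\([0-9.]*:[0-9]*\)/.*|\1|p' |
        sort | uniq -c | awk '{ print $2, $1 }'
}

# Read netstat output on stdin; print the TCP ports in LISTEN state.
# Matching the state column exactly avoids unix sockets in LISTENING state,
# which a plain `grep LISTEN` would also return.
listening_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
        sort -un
}

# Usage: missing_backends PORT... < netstat-output
# Print each expected port that has no TCP listener.
missing_backends() {
    listening=$(listening_ports)
    for port in "$@"; do
        echo "$listening" | grep -qx "$port" || echo "$port"
    done
}

echo "Upstreams nginx could not reach:"
sample_nginx_log | upstream_failures
echo "Expected backend ports with no listener:"
sample_netstat | missing_backends 8080 8443 7306
```

On a live host, feed the functions `/opt/zimbra/log/nginx.log` and the output of `netstat -nalp` in place of the sample functions.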