Error on deploying SSL certificates

octet
Posts: 23
Joined: Thu Jan 06, 2022 2:35 pm

Re: Error on deploying SSL certificates

Post by octet »

Does anyone else have any idea what else I could try? :?
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Error on deploying SSL certificates

Post by JDunphy »

zmcertmgr has a debug option... add it at the end and it will tell you the commands that are being executed.

Here is what I did for my zimbra.sh that I use for the deploy method with acme.sh

/opt/zimbra/bin/zmcertmgr deploycrt comm "$_ccert" "${_cca}.real" --debug 3|| return 1

Can you add that and see, around the error, what it thinks is happening? We can then compare with a working example that I have here.

Here is what you can expect to see:

Code:

/opt/zimbra/common/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass Yourpassword 2>&1
DEBUG: run(rc=0) results(#=0)
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
DEBUG: run command: /opt/zimbra/common/bin/openssl pkcs12 -inkey /opt/zimbra/ssl/zimbra/commercial/commercial.key -in /opt/zimbra/ssl/zimbra/commercial/commercial.crt -name jetty -export -out /opt/zimbra/ssl/zimbra/jetty.pkcs12 -passout pass:Yourpassword 2>&1
DEBUG: run(rc=0) results(#=0)
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
DEBUG: run command: /opt/zimbra/common/bin/java -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl/zimbra/jetty.pkcs12 /opt/zimbra/mailboxd/etc/keystore Yourpassword Yourpassword 2>&1
DEBUG: run(rc=0) results(#=2):
Alias 0: jetty
 Adding key for alias jetty
...
Jim
octet
Posts: 23
Joined: Thu Jan 06, 2022 2:35 pm

Re: Error on deploying SSL certificates

Post by octet »

Code:

[root@mail ~]# free -m
              total        used        free      shared  buff/cache   available
Mem:           7808        7219          99         425         489           1
Swap:             0           0           0
[root@mail ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        3.8G     0  3.8G   0% /dev
tmpfs           3.9G     0  3.9G   0% /dev/shm
tmpfs           3.9G  425M  3.4G  11% /run
tmpfs           3.9G     0  3.9G   0% /sys/fs/cgroup
/dev/vda2        75G   38G   37G  51% /
/dev/vda1       110M  6.8M  104M   7% /boot/efi
tmpfs           781M     0  781M   0% /run/user/0
tmpfs           781M     0  781M   0% /run/user/988
[root@mail ~]# su - zimbra
Last login: Wed Jan 12 11:59:09 UTC 2022 on pts/1
[zimbra@mail ~]$ /opt/zimbra/bin/zmcertmgr deploycrt comm "$_ccert" "${_cca}.real" --debug 3|| return 1
DEBUG: CertMgr->Command(deploycrt)
DEBUG: CertMgr->Debug(3)
DEBUG: CertMgr->Type(comm)
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x0000000085e00000, 130023424, 0) failed; error='Not enough space' (errno=12)
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2626, <$fh> line 1.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2627, <$fh> line 1.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2626, <$fh> line 2.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2627, <$fh> line 2.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2626, <$fh> line 3.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2627, <$fh> line 3.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2626, <$fh> line 4.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2627, <$fh> line 4.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2626, <$fh> line 5.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2627, <$fh> line 5.
DEBUG: deploycrt(comm  .real)
DEBUG: initSSLDirs
zmcertmgr: ERROR deploycrt(comm  .real) failed:
 sslFiles: no match for key 'cacerts'
 at /opt/zimbra/bin/zmcertmgr line 2238.
	CertMgr::sslFiles(CertMgr=HASH(0x5650ff0497a0), "cacerts") called at /opt/zimbra/bin/zmcertmgr line 2133
	CertMgr::initSSLDirs(CertMgr=HASH(0x5650ff0497a0)) called at /opt/zimbra/bin/zmcertmgr line 1065
	CertMgr::deploycrt(CertMgr=HASH(0x5650ff0497a0), "comm", "", ".real") called at /opt/zimbra/bin/zmcertmgr line 419
	eval {...} called at /opt/zimbra/bin/zmcertmgr line 419
-bash: return: can only `return' from a function or sourced script
[zimbra@mail ~]$ 

mgarbin
Posts: 35
Joined: Wed Jun 26, 2019 11:00 am

Re: Error on deploying SSL certificates

Post by mgarbin »

octet wrote:

Code:

[root@mail ~]# free -m
              total        used        free      shared  buff/cache   available
Mem:           7808        7219          99         425         489           1
Swap:             0           0           0
[root@mail ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        3.8G     0  3.8G   0% /dev
tmpfs           3.9G     0  3.9G   0% /dev/shm
tmpfs           3.9G  425M  3.4G  11% /run
tmpfs           3.9G     0  3.9G   0% /sys/fs/cgroup
/dev/vda2        75G   38G   37G  51% /
/dev/vda1       110M  6.8M  104M   7% /boot/efi
tmpfs           781M     0  781M   0% /run/user/0
tmpfs           781M     0  781M   0% /run/user/988
[root@mail ~]# su - zimbra
Last login: Wed Jan 12 11:59:09 UTC 2022 on pts/1
[zimbra@mail ~]$ /opt/zimbra/bin/zmcertmgr deploycrt comm "$_ccert" "${_cca}.real" --debug 3|| return 1
DEBUG: CertMgr->Command(deploycrt)
DEBUG: CertMgr->Debug(3)
DEBUG: CertMgr->Type(comm)
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x0000000085e00000, 130023424, 0) failed; error='Not enough space' (errno=12)
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2626, <$fh> line 1.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2627, <$fh> line 1.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2626, <$fh> line 2.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2627, <$fh> line 2.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2626, <$fh> line 3.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2627, <$fh> line 3.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2626, <$fh> line 4.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2627, <$fh> line 4.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2626, <$fh> line 5.
Use of uninitialized value $val in substitution (s///) at /opt/zimbra/bin/zmcertmgr line 2627, <$fh> line 5.
DEBUG: deploycrt(comm  .real)
DEBUG: initSSLDirs
zmcertmgr: ERROR deploycrt(comm  .real) failed:
 sslFiles: no match for key 'cacerts'
 at /opt/zimbra/bin/zmcertmgr line 2238.
	CertMgr::sslFiles(CertMgr=HASH(0x5650ff0497a0), "cacerts") called at /opt/zimbra/bin/zmcertmgr line 2133
	CertMgr::initSSLDirs(CertMgr=HASH(0x5650ff0497a0)) called at /opt/zimbra/bin/zmcertmgr line 1065
	CertMgr::deploycrt(CertMgr=HASH(0x5650ff0497a0), "comm", "", ".real") called at /opt/zimbra/bin/zmcertmgr line 419
	eval {...} called at /opt/zimbra/bin/zmcertmgr line 419
-bash: return: can only `return' from a function or sourced script
[zimbra@mail ~]$ 

The problem is clear... add swap or upgrade your RAM.
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Error on deploying SSL certificates

Post by JDunphy »

I showed an example of how I did it with debug. You are not running my deploy script according to an earlier post so your usage would be something like this.

Code:

[zimbra@mail tmp]$ /opt/zimbra/bin/zmcertmgr deploycrt comm mail.XXX.com.cer fullchain.cer --debug 3
If you are running my deploy script then you modify the deploy script and don't run it from the command line with the shell variables. Those would be undefined which zmcertmgr is telling you in addition to swap.

Jim
octet
Posts: 23
Joined: Thu Jan 06, 2022 2:35 pm

Re: Error on deploying SSL certificates

Post by octet »

JDunphy wrote:I showed an example of how I did it with debug. You are not running my deploy script according to an earlier post so your usage would be something like this.

Code:

[zimbra@mail tmp]$ /opt/zimbra/bin/zmcertmgr deploycrt comm mail.XXX.com.cer fullchain.cer --debug 3
If you are running my deploy script then you modify the deploy script and don't run it from the command line with the shell variables. Those would be undefined which zmcertmgr is telling you in addition to swap.

Jim

Code:

[zimbra@mail tmp]$ /opt/zimbra/bin/zmcertmgr deploycrt comm mail.XXX.com.cer fullchain.cer --debug 3
DEBUG: CertMgr->Type(comm)
DEBUG: CertMgr->Debug(3)
DEBUG: CertMgr->Command(deploycrt)
DEBUG: deploycrt(comm mail.XXX.com.cer fullchain.cer)
DEBUG: initSSLDirs
DEBUG: Checking line endings: mail.XXX.com.cer fullchain.cer
DEBUG: verifycrt(comm /opt/zimbra/ssl/zimbra/commercial/commercial.key mail.XXX.com.cer fullchain.cer)
DEBUG: verifycrtkey(/opt/zimbra/ssl/zimbra/commercial/commercial.key mail.XXX.com.cer)
** Verifying 'mail.XXX.com.cer' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
DEBUG: run command: /opt/zimbra/common/bin/openssl rsa -noout -modulus -in '/opt/zimbra/ssl/zimbra/commercial/commercial.key' | /opt/zimbra/common/bin/openssl sha256
DEBUG: run(rc=0) results(#=1):
(stdin)= c5c5251d38d41aeb4aaf322ff46b3e91b15fcf73f836f9d151ec574b5dc811a3

DEBUG: run command: /opt/zimbra/common/bin/openssl x509 -noout -modulus -in 'mail.XXX.com.cer' | /opt/zimbra/common/bin/openssl sha256
DEBUG: run(rc=0) results(#=1):
(stdin)= c5c5251d38d41aeb4aaf322ff46b3e91b15fcf73f836f9d151ec574b5dc811a3

Certificate 'mail.XXX.com.cer' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
DEBUG: verifycrtchain(fullchain.cer mail.XXX.com.cer)
** Verifying 'mail.XXX.com.cer' against 'fullchain.cer'
DEBUG: run command: /opt/zimbra/common/bin/openssl verify -purpose sslserver -CAfile fullchain.cer mail.XXX.com.cer 2>&1
DEBUG: run(rc=0) results(#=1):
mail.XXX.com.cer: OK

Valid certificate chain: mail.XXX.com.cer: OK
** Copying 'mail.XXX.com.cer' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying 'fullchain.cer' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain 'fullchain.cer' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
DEBUG: addcacert(/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt)
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
DEBUG: run command: /opt/zimbra/common/bin/keytool -delete -alias zcs-user-commercial_ca -keystore /opt/zimbra/common/lib/jvm/java/lib/security/cacerts -storepass changeit 2>&1
DEBUG: run(rc=0) results(#=1):
Warning: use -cacerts option to access cacerts keystore

DEBUG: run command: /opt/zimbra/common/bin/keytool -import -alias zcs-user-commercial_ca -noprompt -file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt -keystore /opt/zimbra/common/lib/jvm/java/lib/security/cacerts -storepass changeit 2>&1
DEBUG: run(rc=0) results(#=2):
Warning: use -cacerts option to access cacerts keystore
 Certificate was added to keystore

** NOTE: restart mailboxd to use the imported certificate.
DEBUG: savecrt(comm)
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.XXX.com...DEBUG: run command: /opt/zimbra/bin/zmprov -m -l modifyServer mail.XXX.com zimbraSSLCertificate '-----BEGIN CERTIFICATE-----
MIIFIjCCBAqgAwIBAgISBDS2BIYoS4G3MCGIM4PbaqOIMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD

....

-----END RSA PRIVATE KEY-----


'
DEBUG: run(rc=0) results(#=0)
ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
DEBUG: createimapdkeystore(comm)
DEBUG: run command: /opt/zimbra/common/bin/keytool -delete -alias jetty -keystore /opt/zimbra/conf/imapd.keystore -storepass ecMJv6Cn6L 2>&1
DEBUG: run(rc=256) results(#=1):
keytool error: java.security.cert.CertificateParsingException: signed overrun, bytes = 88

ERROR: imapd keytool(-delete -alias jetty) returned non-zero(1):
keytool error: java.security.cert.CertificateParsingException: signed overrun, bytes = 88
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
DEBUG: run command: /opt/zimbra/common/bin/openssl pkcs12 -inkey /opt/zimbra/conf/imapd.key -in /opt/zimbra/conf/imapd.crt -name jetty -export -out /opt/zimbra/ssl/zimbra/jetty.pkcs12 -passout pass:ecMJv6Cn6L 2>&1
DEBUG: run(rc=0) results(#=0)
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
DEBUG: run command: /opt/zimbra/common/bin/java -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl/zimbra/jetty.pkcs12 /opt/zimbra/conf/imapd.keystore ecMJv6Cn6L ecMJv6Cn6L 2>&1
DEBUG: run(rc=256) results(#=9):
Exception in thread "main" java.security.cert.CertificateParsingException: signed overrun, bytes = 88
 	at java.base/sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1820)
 	at java.base/sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:188)
 	at java.base/sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:105)
 	at java.base/java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:355)
 	at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:725)
 	at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
 	at java.base/java.security.KeyStore.load(KeyStore.java:1472)
 	at com.zimbra.cert.MyPKCS12Import.main(MyPKCS12Import.java:104)

ERROR: com.zimbra.cert.MyPKCS12Import to '/opt/zimbra/ssl/zimbra/jetty.pkcs12' returned non-zero(1):
Exception in thread "main" java.security.cert.CertificateParsingException: signed overrun, bytes = 88
	at java.base/sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1820)
	at java.base/sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:188)
	at java.base/sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:105)
	at java.base/java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:355)
	at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:725)
	at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
	at java.base/java.security.KeyStore.load(KeyStore.java:1472)
	at com.zimbra.cert.MyPKCS12Import.main(MyPKCS12Import.java:104)
[zimbra@mail tmp]$ 
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Error on deploying SSL certificates

Post by JDunphy »

octet wrote: DEBUG: run(rc=0) results(#=0)
ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
DEBUG: createimapdkeystore(comm)
DEBUG: run command: /opt/zimbra/common/bin/keytool -delete -alias jetty -keystore /opt/zimbra/conf/imapd.keystore -storepass ecMJv6Cn6L 2>&1
DEBUG: run(rc=256) results(#=1):
keytool error: java.security.cert.CertificateParsingException: signed overrun, bytes = 88
Here is what I did on my end. I removed /opt/zimbra/conf/imapd.keystore and then ran this keytool command above. It exited with this:

Code:

# su - zimbra
% cd /opt/zimbra/conf; mv imapd.keystore imapd.keystore-
% /opt/zimbra/common/bin/keytool -delete -alias jetty -keystore /opt/zimbra/conf/imapd.keystore -storepass ecMJv6Cn6L
keytool error: java.lang.Exception: Keystore file does not exist: /opt/zimbra/conf/imapd.keystore
% > /opt/zimbra/conf/imapd.keystore
% /opt/zimbra/common/bin/keytool -delete -alias jetty -keystore /opt/zimbra/conf/imapd.keystore -storepass ecMJv6Cn6L
keytool error: java.lang.Exception: Keystore file exists, but is empty: /opt/zimbra/conf/imapd.keystore
It seems that the goal of running this keytool command is to delete an entry from the keystore. That means that keystore exists previously. How? Most likely because on initial install of the software they generated a self-signed certificate. The other question is how did it get removed in the first place? Who deleted it? I have determined that the command below can generate it under certain circumstances.

Code:

/opt/zimbra/common/bin/java -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl/zimbra/jetty.pkcs12 /opt/zimbra/conf/imapd.keystore ecMJv6Cn6L ecMJv6Cn6L
So what does one do since it appears to be a chicken and egg problem?

You have stated and shown that you can not generate a self-signed certificate which is how this would be created so this could be a challenge.

Option 1: normally this would create that file for you.

Code:

# su - zimbra
% cd /opt/zimbra/conf
% /opt/zimbra/common/bin/java -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl/zimbra/jetty.pkcs12 /opt/zimbra/conf/imapd.keystore ecMJv6Cn6L ecMJv6Cn6L
I suspect after running this by itself, it will error out, but if you see an imapd.keystore then you can do this

Code:

# su - zimbra
% ldap start  # you need ldap running so do this if it isn't
% /opt/zimbra/bin/zmcertmgr deploycrt comm mail.XXX.com.cer fullchain.cer  # assumes you are in same directory as these .cer files
% zmcontrol restart
Option 2: If that didn't work, I played around in my test environment and came up with something I think might work for you with self signed to get you back.

Code:

# su - zimbra
% cd /opt/zimbra/conf
% mv imapd.keystore imapd.keystore-
% zmcontrol stop
% ldap start
% zmmailboxdctl start
% /opt/zimbra/bin/zmcertmgr createca -new --debug 3
% /opt/zimbra/bin/zmcertmgr deployca -debug 3
% /opt/zimbra/bin/zmcertmgr createcrt -new -days 365 --debug 3
% /opt/zimbra/bin/zmcertmgr deploycrt self --debug 3
% ls -l imapd.keystore
At this point you should be able to deploy your letsencrypt certificates.

Here is the missing piece that you have not seen before after the last deploycrt step above.

Code:

DEBUG: createimapdkeystore(self)
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
DEBUG: run command: /opt/zimbra/common/bin/openssl pkcs12 -inkey /opt/zimbra/conf/imapd.key -in /opt/zimbra/conf/imapd.crt -name jetty -export -out /opt/zimbra/ssl/zimbra/jetty.pkcs12 -passout pass:ecMJv6Cn6L 2>&1
DEBUG: run(rc=0) results(#=0)
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
DEBUG: run command: /opt/zimbra/common/bin/java -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl/zimbra/jetty.pkcs12 /opt/zimbra/conf/imapd.keystore  ecMJv6Cn6L ecMJv6Cn6L 2>&1
DEBUG: run(rc=0) results(#=2):
Alias 0: jetty
 Adding key for alias jetty
 
Jim
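The three failure causes worked through in this thread (empty shell variables passed to deploycrt, too little memory for the JVM, and a missing or unreadable imapd.keystore that makes the keytool -delete step fail) can all be caught before zmcertmgr is run. The following pre-flight script is an added example written for this thread; it is not part of zmcertmgr, acme.sh or Jim's deploy script. The function names, the 512 MiB memory threshold and the STOREPASS argument are assumptions; the openssl and keytool invocations mirror the ones zmcertmgr printed in the debug output above, and the paths are the ones from the thread.

```sh
#!/bin/sh
# Pre-flight checks before 'zmcertmgr deploycrt comm CERT CHAIN'.
# Added example, not code from zmcertmgr, acme.sh or the deploy script
# discussed in this thread. Function names and the memory threshold are
# assumptions; paths and commands mirror the thread's debug output.

# Empty arguments are what turned the call into "deploycrt(comm  .real)":
# $_ccert and $_cca only exist inside the acme.sh deploy hook.
check_args() {
    cert=$1
    chain=$2
    if [ -z "$cert" ] || [ -z "$chain" ]; then
        echo "deploycrt: empty certificate or chain argument" >&2
        return 1
    fi
    if [ ! -r "$cert" ] || [ ! -r "$chain" ]; then
        echo "deploycrt: cannot read '$cert' or '$chain'" >&2
        return 1
    fi
    return 0
}

# The JVM's commit_memory errno=12 came from 1 MiB available and no swap.
# Reads 'free -m' output on stdin so captured text can be checked as well.
check_memory() {
    min_mib=$1
    avail=$(awk '/^Mem:/ { print $7 }')
    if [ -z "$avail" ]; then
        echo "check_memory: could not parse 'free -m' output" >&2
        return 1
    fi
    if [ "$avail" -lt "$min_mib" ]; then
        echo "check_memory: ${avail}M available, ${min_mib}M needed; add swap or RAM" >&2
        return 1
    fi
    return 0
}

# Same test zmcertmgr's verifycrtkey runs: SHA-256 of the RSA modulus of
# the key and of the certificate must be identical.
check_pair() {
    key=$1
    cert=$2
    kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null | openssl sha256 | awk '{ print $NF }')
    cmod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null | openssl sha256 | awk '{ print $NF }')
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Same verification zmcertmgr's verifycrtchain runs.
check_chain() {
    chain=$1
    cert=$2
    openssl verify -purpose sslserver -CAfile "$chain" "$cert" >/dev/null 2>&1
}

# createimapdkeystore starts with 'keytool -delete -alias jetty', which needs
# an existing, loadable imapd.keystore; a missing or corrupt one is the
# chicken-and-egg case. A non-zero return means: rebuild it with a
# self-signed deploycrt first (Option 2 above), then retry.
check_keystore() {
    ks=$1
    pass=$2
    keytool=${KEYTOOL:-/opt/zimbra/common/bin/keytool}
    if [ ! -s "$ks" ]; then
        echo "check_keystore: '$ks' missing or empty; run a self-signed deploycrt first" >&2
        return 1
    fi
    "$keytool" -list -keystore "$ks" -storepass "$pass" >/dev/null 2>&1
}

# Run all checks. STOREPASS is the keystore password zmcertmgr passed to
# keytool in the debug output (assumed to be supplied by the caller).
preflight() {
    cert=$1
    chain=$2
    storepass=$3
    check_args "$cert" "$chain" || return 1
    free -m | check_memory 512 || return 1
    check_pair /opt/zimbra/ssl/zimbra/commercial/commercial.key "$cert" || return 1
    check_chain "$chain" "$cert" || return 1
    check_keystore /opt/zimbra/conf/imapd.keystore "$storepass"
}
```

Source the file as the zimbra user from the directory holding the .cer files and run `preflight mail.XXX.com.cer fullchain.cer "$storepass"` before the deploycrt step; each function prints the reason for its failure, so a non-zero return tells you which of the thread's three problems you have without wading through `--debug 3` output.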
octet
Posts: 23
Joined: Thu Jan 06, 2022 2:35 pm

Re: Error on deploying SSL certificates

Post by octet »

That's awesome, it seems it worked:

Code:

[zimbra@mail tmp]$ cd /opt/zimbra/conf
[zimbra@mail conf]$ /opt/zimbra/common/bin/java -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl/zimbra/jetty.pkcs12 /opt/zimbra/conf/imapd.keystore ecMJv6Cn6L ecMJv6Cn6L
Exception in thread "main" java.security.cert.CertificateParsingException: signed overrun, bytes = 88
	at java.base/sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1820)
	at java.base/sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:188)
	at java.base/sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:105)
	at java.base/java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:355)
	at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:725)
	at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
	at java.base/java.security.KeyStore.load(KeyStore.java:1472)
	at com.zimbra.cert.MyPKCS12Import.main(MyPKCS12Import.java:104)
[zimbra@mail conf]$ mv imapd.keystore imapd.keystore-
[zimbra@mail conf]$ zmcontrol stop
Host mail.XXX.com
	Stopping zmconfigd...Done.
	Stopping imapd...Done.
	Stopping zimlet webapp...Done.
	Stopping zimbraAdmin webapp...Done.
	Stopping zimbra webapp...Done.
	Stopping service webapp...Done.
	Stopping stats...Done.
	Stopping mta...Done.
	Stopping spell...Done.
	Stopping snmp...Done.
	Stopping cbpolicyd...Done.
	Stopping archiving...Done.
	Stopping opendkim...Done.
	Stopping amavis...Done.
	Stopping antivirus...Done.
	Stopping antispam...Done.
	Stopping proxy...Done.
	Stopping memcached...Done.
	Stopping mailbox...Done.
	Stopping logger...Done.
	Stopping dnscache...Done.
	Stopping ldap...Done.
[zimbra@mail conf]$ ldap start
Started slapd: pid 3998674
[zimbra@mail conf]$  zmmailboxdctl start
Starting mailboxd...done.
[zimbra@mail conf]$  /opt/zimbra/bin/zmcertmgr createca -new --debug 3
DEBUG: CertMgr->Debug(3)
DEBUG: CertMgr->New(1)
DEBUG: CertMgr->Command(createca)
DEBUG: createca
DEBUG: initSSLDirs
DEBUG: createConf '/opt/zimbra/ssl/zimbra/ca/zmssl.cnf' altnames: mail.XXX.com
** Recreating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf
DEBUG: createca skipping CA cert
** Using CA private key in '/opt/zimbra/ssl/zimbra/ca/ca.key'
DEBUG: createca skipping Commercial CA cert
DEBUG: docreateca
DEBUG: createCASerial
DEBUG: skipping initSSLDirs
** Creating CA with existing private key /opt/zimbra/ssl/zimbra/ca/ca.key
DEBUG: run command: /opt/zimbra/common/bin/openssl req -batch -nodes -new -sha256 -subj '/O=CA/OU=Zimbra Collaboration Server/CN=mail.XXX.com' -days 1825 -config /opt/zimbra/ssl/zimbra/ca/zmssl.cnf -out /opt/zimbra/ssl/zimbra/ca/ca.pem -key /opt/zimbra/ssl/zimbra/ca/ca.key -extensions v3_ca -x509
DEBUG: run(rc=0) results(#=0)
[zimbra@mail conf]$ /opt/zimbra/bin/zmcertmgr deployca -debug 3
DEBUG: CertMgr->Command(deployca)
DEBUG: CertMgr->Debug(3)
DEBUG: deployca
DEBUG: initSSLDirs
** Saving config key 'zimbraCertAuthorityCertSelfSigned' via zmprov modifyConfig...DEBUG: run command: /opt/zimbra/bin/zmprov -m -l modifyConfig zimbraCertAuthorityCertSelfSigned '-----BEGIN CERTIFICATE-----
......
......
-----END CERTIFICATE-----
'
DEBUG: run(rc=0) results(#=0)
ok
** Saving config key 'zimbraCertAuthorityKeySelfSigned' via zmprov modifyConfig...DEBUG: run command: /opt/zimbra/bin/zmprov -m -l modifyConfig zimbraCertAuthorityKeySelfSigned '-----BEGIN PRIVATE KEY-----
......
......
-----END PRIVATE KEY-----
'
DEBUG: run(rc=0) results(#=0)
ok
DEBUG: addcacert(/opt/zimbra/ssl/zimbra/ca/ca.pem my_ca)
** Importing cert '/opt/zimbra/ssl/zimbra/ca/ca.pem' as 'my_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
DEBUG: run command: /opt/zimbra/common/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/common/lib/jvm/java/lib/security/cacerts -storepass changeit 2>&1
DEBUG: run(rc=0) results(#=1):
Warning: use -cacerts option to access cacerts keystore

DEBUG: run command: /opt/zimbra/common/bin/keytool -import -alias my_ca -noprompt -file /opt/zimbra/ssl/zimbra/ca/ca.pem -keystore /opt/zimbra/common/lib/jvm/java/lib/security/cacerts -storepass changeit 2>&1
DEBUG: run(rc=0) results(#=2):
Warning: use -cacerts option to access cacerts keystore
 Certificate was added to keystore

** NOTE: restart mailboxd to use the imported certificate.
DEBUG: installCA
** Cleaning up 9 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/597f220c.0
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/f9c438b7.0
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/8d33f237.0
** Removing /opt/zimbra/conf/ca/commercial_ca_3.crt
** Removing /opt/zimbra/conf/ca/4042bcee.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
DEBUG: run command: /opt/zimbra/common/bin/openssl x509 -hash -noout -in /opt/zimbra/conf/ca/ca.pem 2>&1
DEBUG: run(rc=0) results(#=1):
597f220c

** Creating CA hash symlink '597f220c.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
DEBUG: run command: /opt/zimbra/common/bin/openssl x509 -hash -noout -in /opt/zimbra/conf/ca/commercial_ca_1.crt 2>&1
DEBUG: run(rc=0) results(#=1):
f9c438b7

** Creating CA hash symlink 'f9c438b7.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
DEBUG: run command: /opt/zimbra/common/bin/openssl x509 -hash -noout -in /opt/zimbra/conf/ca/commercial_ca_2.crt 2>&1
DEBUG: run(rc=0) results(#=1):
8d33f237

** Creating CA hash symlink '8d33f237.0' -> 'commercial_ca_2.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_3.crt
DEBUG: run command: /opt/zimbra/common/bin/openssl x509 -hash -noout -in /opt/zimbra/conf/ca/commercial_ca_3.crt 2>&1
DEBUG: run(rc=0) results(#=1):
4042bcee

** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_3.crt'
[zimbra@mail conf]$ /opt/zimbra/bin/zmcertmgr createcrt -new -days 365 --debug 3
DEBUG: CertMgr->New(1)
DEBUG: CertMgr->Debug(3)
DEBUG: CertMgr->Command(createcrt)
DEBUG: CertMgr->Days(365)
DEBUG: createcrt
DEBUG: backupSSLDirs(/opt/zimbra/ssl/zimbra)
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20220113121854
DEBUG: initSSLDirs
DEBUG: createCASerial
DEBUG: skipping initSSLDirs
DEBUG: createConf '/opt/zimbra/conf/zmssl.cnf' altnames: mail.XXX.com
** Recreating /opt/zimbra/conf/zmssl.cnf
DEBUG: createcsr(self)
** Generating a server CSR of type 'self' for download
DEBUG: createConf '/opt/zimbra/conf/zmssl.cnf' altnames: mail.XXX.com
DEBUG: skipping backupSSLDirs
DEBUG: skipping initSSLDirs
DEBUG: createca
DEBUG: skipping initSSLDirs
** Using CA cert in '/opt/zimbra/ssl/zimbra/ca/ca.pem'
** Using CA private key in '/opt/zimbra/ssl/zimbra/ca/ca.key'
** Using Commercial CA cert in '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
DEBUG: createServerCertReq(self)
DEBUG: createConf '/opt/zimbra/conf/zmssl.cnf' altnames: mail.XXX.com
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr with keysize=2048 digest=sha256
DEBUG: run command: /opt/zimbra/common/bin/openssl req -batch -nodes -new -sha256 -subj '/OU=Zimbra Collaboration Server/CN=mail.XXX.com' -config /opt/zimbra/conf/zmssl.cnf -out /opt/zimbra/ssl/zimbra/server/server.csr -newkey rsa:2048 -keyout /opt/zimbra/ssl/zimbra/server/server.key 2>&1
DEBUG: run(rc=0) results(#=5):
Generating a RSA private key
 .....+++++
 .........................+++++
 writing new private key to '/opt/zimbra/ssl/zimbra/server/server.key'
 -----

** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.XXX.com...DEBUG: run command: /opt/zimbra/bin/zmprov -m -l modifyServer mail.XXX.com zimbraSSLPrivateKey '-----BEGIN PRIVATE KEY-----
......
......
-----END PRIVATE KEY-----
'
DEBUG: run(rc=0) results(#=0)
ok
DEBUG: removing '/opt/zimbra/ssl/zimbra/ca/index.txt.attr'
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr
DEBUG: run command: /opt/zimbra/common/bin/openssl ca -batch -notext -policy policy_anything -days 365 -md sha256 -config /opt/zimbra/conf/zmssl.cnf -in /opt/zimbra/ssl/zimbra/server/server.csr -out /opt/zimbra/ssl/zimbra/server/server.crt -cert /opt/zimbra/ssl/zimbra/ca/ca.pem -keyfile /opt/zimbra/ssl/zimbra/ca/ca.key -extfile /opt/zimbra/conf/zmssl.cnf -extensions v3_req 2>&1
DEBUG: run(rc=0) results(#=22):
Using configuration from /opt/zimbra/conf/zmssl.cnf
 Check that the request matches the signature
 Signature ok
 Certificate Details:
         Serial Number: 95597060916 (0x1642076334)
         Validity
             Not Before: Jan 13 12:18:57 2022 GMT
             Not After : Jan 13 12:18:57 2023 GMT
         Subject:
             organizationalUnitName    = Zimbra Collaboration Server
             commonName                = mail.XXX.com
         X509v3 extensions:
             X509v3 Basic Constraints: 
                 CA:FALSE
             X509v3 Key Usage: 
                 Digital Signature, Non Repudiation, Key Encipherment
             X509v3 Subject Alternative Name: 
                 DNS:mail.XXX.com
 Certificate is to be certified until Jan 13 12:18:57 2023 GMT (365 days)
 
 Write out database with 1 new entries
 Data Base Updated

[zimbra@mail conf]$ /opt/zimbra/bin/zmcertmgr deploycrt self --debug 3
DEBUG: CertMgr->Command(deploycrt)
DEBUG: CertMgr->Debug(3)
DEBUG: CertMgr->Type(self)
DEBUG: deploycrt(self)
DEBUG: initSSLDirs
DEBUG: savecrt(self)
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.XXX.com...DEBUG: run command: /opt/zimbra/bin/zmprov -m -l modifyServer mail.XXX.com zimbraSSLCertificate '-----BEGIN CERTIFICATE-----
......
......
-----END CERTIFICATE-----
'
DEBUG: run(rc=0) results(#=0)
ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.XXX.com...DEBUG: run command: /opt/zimbra/bin/zmprov -m -l modifyServer mail.XXX.com zimbraSSLPrivateKey '-----BEGIN PRIVATE KEY-----
......
......
-----END PRIVATE KEY-----
'
DEBUG: run(rc=0) results(#=0)
ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/server/server.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/server/server.key' to '/opt/zimbra/conf/imapd.key'
DEBUG: createimapdkeystore(self)
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
DEBUG: run command: /opt/zimbra/common/bin/openssl pkcs12 -inkey /opt/zimbra/conf/imapd.key -in /opt/zimbra/conf/imapd.crt -name jetty -export -out /opt/zimbra/ssl/zimbra/jetty.pkcs12 -passout pass:ecMJv6Cn6L 2>&1
DEBUG: run(rc=0) results(#=0)
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
DEBUG: run command: /opt/zimbra/common/bin/java -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl/zimbra/jetty.pkcs12 /opt/zimbra/conf/imapd.keystore ecMJv6Cn6L ecMJv6Cn6L 2>&1
DEBUG: run(rc=0) results(#=2):
Alias 0: jetty
 Adding key for alias jetty

** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/server/server.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/server/server.key' to '/opt/zimbra/conf/slapd.key'
DEBUG: createkeystore(self)
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
DEBUG: run command: /opt/zimbra/common/bin/openssl pkcs12 -inkey /opt/zimbra/ssl/zimbra/server/server.key -in /opt/zimbra/ssl/zimbra/server/server.crt -name jetty -export -out /opt/zimbra/ssl/zimbra/jetty.pkcs12 -passout pass:ecMJv6Cn6L 2>&1
DEBUG: run(rc=0) results(#=0)
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
DEBUG: run command: /opt/zimbra/common/bin/java -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl/zimbra/jetty.pkcs12 /opt/zimbra/mailboxd/etc/keystore ecMJv6Cn6L ecMJv6Cn6L 2>&1
DEBUG: run(rc=0) results(#=2):
Alias 0: jetty
 Adding key for alias jetty

** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/server/server.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/server/server.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/server/server.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/server/server.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
DEBUG: installCA
** Cleaning up 9 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/597f220c.0
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/f9c438b7.0
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/8d33f237.0
** Removing /opt/zimbra/conf/ca/commercial_ca_3.crt
** Removing /opt/zimbra/conf/ca/4042bcee.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
DEBUG: run command: /opt/zimbra/common/bin/openssl x509 -hash -noout -in /opt/zimbra/conf/ca/ca.pem 2>&1
DEBUG: run(rc=0) results(#=1):
597f220c

** Creating CA hash symlink '597f220c.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
DEBUG: run command: /opt/zimbra/common/bin/openssl x509 -hash -noout -in /opt/zimbra/conf/ca/commercial_ca_1.crt 2>&1
DEBUG: run(rc=0) results(#=1):
f9c438b7

** Creating CA hash symlink 'f9c438b7.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
DEBUG: run command: /opt/zimbra/common/bin/openssl x509 -hash -noout -in /opt/zimbra/conf/ca/commercial_ca_2.crt 2>&1
DEBUG: run(rc=0) results(#=1):
8d33f237

** Creating CA hash symlink '8d33f237.0' -> 'commercial_ca_2.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_3.crt
DEBUG: run command: /opt/zimbra/common/bin/openssl x509 -hash -noout -in /opt/zimbra/conf/ca/commercial_ca_3.crt 2>&1
DEBUG: run(rc=0) results(#=1):
4042bcee

** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_3.crt'
[zimbra@mail conf]$ ls -l imapd.keystore
-rw-r----- 1 zimbra zimbra 2188 Jan 13 12:19 imapd.keystore
[zimbra@mail conf]$ 

After that I've deployed the LE certificates:

[zimbra@mail conf]$ cd /tmp/
[zimbra@mail tmp]$ /opt/zimbra/bin/zmcertmgr deploycrt comm mail.XXX.com.cer fullchain.cer
** Verifying 'mail.XXX.com.cer' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'mail.XXX.com.cer' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'mail.XXX.com.cer' against 'fullchain.cer'
Valid certificate chain: mail.XXX.com.cer: OK
** Copying 'mail.XXX.com.cer' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying 'fullchain.cer' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain 'fullchain.cer' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.XXX.com...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.XXX.com...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 9 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/597f220c.0
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/f9c438b7.0
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/8d33f237.0
** Removing /opt/zimbra/conf/ca/commercial_ca_3.crt
** Removing /opt/zimbra/conf/ca/4042bcee.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink '597f220c.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink 'f9c438b7.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '8d33f237.0' -> 'commercial_ca_2.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_3.crt
** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_3.crt'
[zimbra@mail tmp]$ zmcontrol start
Host mail.XXX.com
	Starting zmconfigd...Done.
	Starting logger...Done.
	Starting mailbox...Done.
	Starting memcached...Done.
	Starting proxy...Done.
	Starting amavis...Done.
	Starting antispam...Done.
	Starting antivirus...Done.
	Starting opendkim...Done.
	Starting snmp...Done.
	Starting spell...Done.
	Starting mta...Done.
	Starting stats...Done.
	Starting service webapp...Done.
	Starting zimbra webapp...Done.
	Starting zimbraAdmin webapp...Done.
	Starting zimlet webapp...Done.
[zimbra@mail tmp]$
Web interface still didn't work, so I ran the installation again:

[root@mail ~]# cd /root/zcs-8.8.15_GA_3953.RHEL8_64.20200629025823
[root@mail zcs-8.8.15_GA_3953.RHEL8_64.20200629025823]# clear

[root@mail zcs-8.8.15_GA_3953.RHEL8_64.20200629025823]# ./install.sh 

Operations logged to /tmp/install.log.oc3Kg5yb
Checking for existing installation...
    zimbra-drive...FOUND zimbra-drive-1.0.13.1576152256-1
    zimbra-imapd...FOUND zimbra-imapd-8.8.15_GA_3953
    zimbra-patch...FOUND zimbra-patch-8.8.15.1639579168
    zimbra-mta-patch...FOUND zimbra-mta-patch-8.8.15.1638533801
    zimbra-proxy-patch...FOUND zimbra-proxy-patch-8.8.15.1634196512
    zimbra-license-tools...NOT FOUND
    zimbra-license-extension...NOT FOUND
    zimbra-network-store...NOT FOUND
    zimbra-network-modules-ng...NOT FOUND
    zimbra-chat...FOUND zimbra-chat-3.0.1.1594306000-1
    zimbra-talk...NOT FOUND
    zimbra-ldap...FOUND zimbra-ldap-8.8.15_GA_3953
    zimbra-logger...FOUND zimbra-logger-8.8.15_GA_3953
    zimbra-mta...FOUND zimbra-mta-8.8.15_GA_3953
    zimbra-dnscache...NOT FOUND
    zimbra-snmp...FOUND zimbra-snmp-8.8.15_GA_3953
    zimbra-store...FOUND zimbra-store-8.8.15_GA_3953
    zimbra-apache...FOUND zimbra-apache-8.8.15_GA_3953
    zimbra-spell...FOUND zimbra-spell-8.8.15_GA_3953
    zimbra-convertd...NOT FOUND
    zimbra-memcached...FOUND zimbra-memcached-1.6.5-1zimbra8.7b1
    zimbra-proxy...FOUND zimbra-proxy-8.8.15_GA_3953
    zimbra-archiving...NOT FOUND
    zimbra-core...FOUND zimbra-core-8.8.15_GA_3953
ZCS upgrade from 8.8.15 to 8.8.15 will be performed.
Validating ldap configuration
LDAP validation succeeded.  Continuing.


----------------------------------------------------------------------
PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE.
SYNACOR, INC. ("SYNACOR") WILL ONLY LICENSE THIS SOFTWARE TO YOU IF YOU
FIRST ACCEPT THE TERMS OF THIS AGREEMENT. BY DOWNLOADING OR INSTALLING
THE SOFTWARE, OR USING THE PRODUCT, YOU ARE CONSENTING TO BE BOUND BY
THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS
AGREEMENT, THEN DO NOT DOWNLOAD, INSTALL OR USE THE PRODUCT.

License Terms for this Zimbra Collaboration Suite Software:
https://www.zimbra.com/license/zimbra-public-eula-2-6.html
----------------------------------------------------------------------



Do you agree with the terms of the software license agreement? [N] y



Checking current number of databases...

Do you want to verify message store database integrity? [Y] n


Use Zimbra's package repository [Y] y


Configuring package repository

Checking for installable packages

Found zimbra-core (local)
Found zimbra-ldap (local)
Found zimbra-logger (local)
Found zimbra-mta (local)
Found zimbra-dnscache (local)
Found zimbra-snmp (local)
Found zimbra-store (local)
Found zimbra-apache (local)
Found zimbra-spell (local)
Found zimbra-memcached (repo)
Found zimbra-proxy (local)
Found zimbra-drive (repo)
Found zimbra-imapd (local)
Found zimbra-patch (repo)
Found zimbra-mta-patch (repo)
Found zimbra-proxy-patch (repo)


The Zimbra Collaboration Server appears to already be installed.
It can be upgraded with no effect on existing accounts,
or the current installation can be completely removed prior
to installation for a clean install.

Do you wish to upgrade? [Y] y

Scanning for any new or additional packages available for installation
Existing packages will be upgraded
    Upgrading zimbra-core
    Upgrading zimbra-ldap
    Upgrading zimbra-logger
    Upgrading zimbra-mta

Install zimbra-dnscache [N] n
    Upgrading zimbra-snmp
    Upgrading zimbra-store
    Upgrading zimbra-apache
    Upgrading zimbra-spell
    Upgrading zimbra-memcached
    Upgrading zimbra-proxy
    Upgrading zimbra-drive
    Upgrading zimbra-imapd
    Upgrading zimbra-patch
    Upgrading zimbra-mta-patch
    Upgrading zimbra-proxy-patch
    Upgrading zimbra-chat
Checking required space for zimbra-core
Checking space for zimbra-store
Checking required packages for zimbra-store
zimbra-store package check complete.

Installing:
    zimbra-core
    zimbra-ldap
    zimbra-logger
    zimbra-mta
    zimbra-snmp
    zimbra-store
    zimbra-apache
    zimbra-spell
    zimbra-memcached
    zimbra-proxy
    zimbra-drive
    zimbra-imapd
    zimbra-patch
    zimbra-mta-patch
    zimbra-proxy-patch
    zimbra-chat

The system will be modified.  Continue? [N] y
Beginning Installation - see /tmp/install.log.oc3Kg5yb for details...

                          zimbra-core-components will be downloaded and installed.
                          zimbra-common-core-jar will be installed.
                         zimbra-common-core-libs will be installed.
                         zimbra-common-mbox-conf will be installed.
                   zimbra-common-mbox-conf-attrs will be installed.
                    zimbra-common-mbox-conf-msgs will be installed.
                  zimbra-common-mbox-conf-rights will be installed.
                           zimbra-common-mbox-db will be installed.
                         zimbra-common-mbox-docs will be installed.
                   zimbra-common-mbox-native-lib will be installed.
                            zimbra-timezone-data will be installed.
                                     zimbra-core will be installed.
                          zimbra-ldap-components will be downloaded and installed.
                                     zimbra-ldap will be installed.
                                   zimbra-logger will be installed.
                           zimbra-mta-components will be downloaded and installed.
                                      zimbra-mta will be installed.
                          zimbra-snmp-components will be downloaded and installed.
                                     zimbra-snmp will be installed.
Last metadata expiration check: 0:01:15 ago on Thu 13 Jan 2022 12:28:42 PM UTC.
                       zimbra-jetty-distribution will be downloaded and installed.
                         zimbra-store-components will be downloaded and installed.
                   zimbra-mbox-admin-console-war will be installed.
                                zimbra-mbox-conf will be installed.
                                 zimbra-mbox-war will be installed.
                             zimbra-mbox-service will be installed.
                          zimbra-mbox-store-libs will be installed.
                       zimbra-mbox-webclient-war will be installed.
                                    zimbra-store will be installed.
                        zimbra-apache-components will be downloaded and installed.
                                   zimbra-apache will be installed.
                         zimbra-spell-components will be downloaded and installed.
                                    zimbra-spell will be installed.
Last metadata expiration check: 0:01:23 ago on Thu 13 Jan 2022 12:28:42 PM UTC.
                                zimbra-memcached will be downloaded and installed.
                         zimbra-proxy-components will be downloaded and installed.
                                    zimbra-proxy will be installed.
Last metadata expiration check: 0:01:30 ago on Thu 13 Jan 2022 12:28:42 PM UTC.
                                    zimbra-drive will be downloaded and installed (later).
                                    zimbra-imapd will be installed.
Last metadata expiration check: 0:01:32 ago on Thu 13 Jan 2022 12:28:42 PM UTC.
                                    zimbra-patch will be downloaded and installed (later).
Last metadata expiration check: 0:01:33 ago on Thu 13 Jan 2022 12:28:42 PM UTC.
                                zimbra-mta-patch will be downloaded and installed (later).
Last metadata expiration check: 0:01:35 ago on Thu 13 Jan 2022 12:28:42 PM UTC.
                              zimbra-proxy-patch will be downloaded and installed (later).
Last metadata expiration check: 0:01:38 ago on Thu 13 Jan 2022 12:28:42 PM UTC.
                                     zimbra-chat will be downloaded and installed (later).

Downloading packages (10):
   zimbra-core-components
   zimbra-ldap-components
   zimbra-mta-components
   zimbra-snmp-components
   zimbra-jetty-distribution
   zimbra-store-components
   zimbra-apache-components
   zimbra-spell-components
   zimbra-memcached
   zimbra-proxy-components
      ...done

Saving existing configuration file to /opt/zimbra/.saveconfig

Shutting down zimbra mail
Backing up the ldap database...done.

Removing existing packages

   zimbra-drive...done
   zimbra-imapd...done
   zimbra-patch...done
   zimbra-mta-patch...done
   zimbra-proxy-patch...done
   zimbra-chat...done
   zimbra-ldap...done
   zimbra-logger...done
   zimbra-mta...done
   zimbra-snmp...done
   zimbra-store...done
   zimbra-spell...done
   zimbra-memcached...done
   zimbra-core...done

Removing deployed webapp directories

Installing repo packages (10):
   zimbra-core-components
   zimbra-ldap-components
   zimbra-mta-components
   zimbra-snmp-components
   zimbra-jetty-distribution
   zimbra-store-components
   zimbra-apache-components
   zimbra-spell-components
   zimbra-memcached
   zimbra-proxy-components
      ...done

Installing local packages (26):
   zimbra-common-core-jar
   zimbra-common-core-libs
   zimbra-common-mbox-conf
   zimbra-common-mbox-conf-attrs
   zimbra-common-mbox-conf-msgs
   zimbra-common-mbox-conf-rights
   zimbra-common-mbox-db
   zimbra-common-mbox-docs
   zimbra-common-mbox-native-lib
   zimbra-timezone-data
   zimbra-core
   zimbra-ldap
   zimbra-logger
   zimbra-mta
   zimbra-snmp
   zimbra-mbox-admin-console-war
   zimbra-mbox-conf
   zimbra-mbox-war
   zimbra-mbox-service
   zimbra-mbox-store-libs
   zimbra-mbox-webclient-war
   zimbra-store
   zimbra-apache
   zimbra-spell
   zimbra-proxy
   zimbra-imapd
      ...done

Installing extra packages (5):
   zimbra-drive
   zimbra-patch
   zimbra-mta-patch
   zimbra-proxy-patch
   zimbra-chat
      ...done

Running Post Installation Configuration:

Setting defaults from saved config in /opt/zimbra/.saveconfig/config.save
   HOSTNAME=mail.XXX.com
   LDAPHOST=mail.XXX.com
   LDAPPORT=389
   SNMPTRAPHOST=mail.XXX.com
   SMTPSOURCE=admin@XXX.com
   SMTPDEST=admin@XXX.com
   SNMPNOTIFY=yes
   SMTPNOTIFY=yes
   LDAPROOTPW=*
   LDAPZIMBRAPW=*
   LDAPPOSTPW=*
   LDAPREPPW=*
   LDAPAMAVISPW=*
   LDAPNGINXPW=*
Restoring existing configuration file from /opt/zimbra/.saveconfig/localconfig.xml...done
Operations logged to /tmp/zmsetup.20220113-123615.log
Adding /opt/zimbra/conf/ca/ca.pem to cacerts
Checking ldap status....not running.
Starting ldap...done.
Setting defaults...done.
Setting defaults from existing config...done.
Checking for port conflicts
Setting defaults from ldap...done.
Saving config in /opt/zimbra/config.4033384...done.
Operations logged to /tmp/zmsetup.20220113-123615.log
Setting local config values...done.
Initializing core config...Setting up CA...done.
Deploying CA to /opt/zimbra/conf/ca ...done.
Setting replication password...done.
Setting Postfix password...done.
Setting amavis password...done.
Setting nginx password...done.
Creating server entry for mail.XXX.com...already exists.
Setting Zimbra IP Mode...done.
Saving CA in ldap...done.
Saving SSL Certificate in ldap...done.
Setting spell check URL...done.
Setting service ports on mail.XXX.com...done.
Setting Keyboard Shortcut Preferences...done.
Setting zimbraFeatureTasksEnabled=TRUE...done.
Setting zimbraFeatureBriefcasesEnabled=TRUE...done.
Updating zimbraLDAPSchemaVersion to version '1571057268'
Setting TimeZone Preference...done.
Initializing mta config...done.
Setting services on mail.XXX.com...done.
Adding mail.XXX.com to zimbraMailHostPool in default COS...done.
Creating user spam.hgmqtrazk@XXX.com...already exists.
Creating user ham.sdzndrvv@XXX.com...already exists.
Creating user virus-quarantine.s1fizgnofz@XXX.com...already exists.
Setting spam training and Anti-virus quarantine accounts...done.
Configuring SNMP...done.
Setting up syslog.conf...done.
Enabling IMAP protocol for zimbra-imapd service...done.
Enabling IMAPS protocol for zimbra-imapd service...done.
Starting servers...done.
Checking for deprecated zimlets...done.
Checking for network zimlets in LDAP...done.
Removing network zimlets...
Finished removing network zimlets.
Installing common zimlets...
    com_zimbra_adminversioncheck...done.
    com_zimbra_attachcontacts...done.
    com_zimbra_attachmail...done.
    com_zimbra_bulkprovision...done.
    com_zimbra_cert_manager...done.
    com_zimbra_clientuploader...done.
    com_zimbra_date...done.
    com_zimbra_email...done.
    com_zimbra_mailarchive...done.
    com_zimbra_phone...done.
    com_zimbra_proxy_config...done.
    com_zimbra_srchhighlighter...done.
    com_zimbra_tooltip...done.
    com_zimbra_url...done.
    com_zimbra_viewmail...done.
    com_zimbra_webex...done.
    com_zimbra_ymemoticons...done.
    com_zextras_drive_open...done.
    com_zextras_chat_open...done.
Finished installing common zimlets.
Getting list of all zimlets...done.
Updating non-standard zimlets...
Finished updating non-standard zimlets.
Restarting mailboxd...done.
Skipping creation of default domain GAL sync account - existing install detected.

You have the option of notifying Zimbra of your installation.
This helps us to track the uptake of the Zimbra Collaboration Server.
The only information that will be transmitted is:
    The VERSION of zcs installed (8.8.15_GA_3953_RHEL8_64)
    The ADMIN EMAIL ADDRESS created (admin@XXX.com)

Notify Zimbra of your installation? [Yes] N
Notification skipped
Checking if the NG started running...done. 
Setting up zimbra crontab...done.


Moving /tmp/zmsetup.20220113-123615.log to /opt/zimbra/log


Configuration complete - press return to exit 

No errors, result! 8-) Thanks, Jim!


Web interface still doesn't work, I get this:
HTTP ERROR 502

Problem accessing ZCS upstream server. Cannot connect to the ZCS upstream server. Connection is refused.
Possible reasons:

upstream server is unreachable
upstream server is currently being upgraded
upstream server is down
Please contact your ZCS administrator to fix the problem.

Powered by Nginx-Zimbra://
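The checks that zmcertmgr deploycrt runs above (key against cert, cert against chain, building the jetty PKCS#12), as an added shell example that is neither zmcertmgr's code nor something posted in this thread. It builds a throwaway CA in a temp directory, uses the placeholder host mail.example.test, and reads the PKCS#12 password from a 0600 file instead of passing it as -passout pass:... on the command line, which is where the --debug transcript above shows it (and where ps, shell history and a pasted log will record it). The served_fingerprint function needs network access and is not run in the demo; it is the post-restart check that each service port is presenting the certificate you deployed.

```shell
#!/bin/sh
# Added example (not zmcertmgr's code, not from this thread): reproduce the checks
# "zmcertmgr deploycrt" performs, build the jetty PKCS#12 without the password on
# the command line, and check what a service port actually serves afterwards.
# A throwaway CA is generated in a temp dir; mail.example.test is a placeholder.
set -eu

# 1. Key/cert match, the "Verifying 'X.cer' against commercial.key" step:
#    compare the SubjectPublicKeyInfo in the cert with the one derived from the key.
cert_key_match() {         # cert_key_match cert.pem key.pem -> match|mismatch
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  if [ "$c" = "$k" ]; then echo match; else echo mismatch; fi
}

# 2. Chain check, the "Verifying 'X.cer' against 'fullchain.cer'" step.
#    Roots go in -CAfile; add "-untrusted intermediates.pem" when there are any.
chain_ok() {               # chain_ok cert.pem cafile.pem -> ok|fail
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# 3. Build the PKCS#12 the way the debug log shows, but take the store password
#    from a file (-passout file:) so it never appears in ps output or a transcript.
build_pkcs12() {           # build_pkcs12 cert.pem key.pem pwfile out.p12
  openssl pkcs12 -export -name jetty -in "$1" -inkey "$2" \
    -passout "file:$3" -out "$4"
}

# List the friendlyName (alias) entries in a PKCS#12, again without echoing the password.
p12_aliases() {            # p12_aliases store.p12 pwfile
  openssl pkcs12 -in "$1" -nokeys -passin "file:$2" 2>/dev/null \
    | sed -n 's/^ *friendlyName: *//p' | sort -u
}

file_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# 4. Post-restart check (needs network, not run here; assumes coreutils "timeout"):
#    fingerprint of the leaf a service presents. Run it for 443, 993, 995, 465 and
#    with a STARTTLS protocol for 25/587 (smtp), 143 (imap), 389 (ldap), and compare
#    every result with file_fingerprint of the certificate you deployed.
served_fingerprint() {     # served_fingerprint host port [smtp|imap|pop3|ldap]
  extra=""
  if [ -n "${3:-}" ]; then extra="-starttls $3"; fi
  timeout 10 openssl s_client -connect "$1:$2" -servername "$1" $extra </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# Throwaway PKI for the demo: a self-signed root and one leaf it signs.
make_test_pki() {          # prints the directory it created
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Test-Root \
    -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj /CN=mail.example.test \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/leaf.crt" >/dev/null 2>&1
  ( umask 077; openssl rand -base64 24 > "$d/storepw" )   # 0600 password file
  echo "$d"
}

# Demo run against the throwaway PKI.
D=$(make_test_pki)
echo "key/cert:   $(cert_key_match "$D/leaf.crt" "$D/leaf.key")"
echo "chain:      $(chain_ok "$D/leaf.crt" "$D/ca.pem")"
build_pkcs12 "$D/leaf.crt" "$D/leaf.key" "$D/storepw" "$D/jetty.pkcs12"
echo "aliases:    $(p12_aliases "$D/jetty.pkcs12" "$D/storepw")"
echo "deployed:   $(file_fingerprint "$D/leaf.crt")"
# Live check, once services are restarted (network):
#   served_fingerprint mail.example.test 443
#   served_fingerprint mail.example.test 25 smtp
```

Run it as the zimbra user so the generated key file stays readable only by that account. The live check is the one that catches the case this thread started with: zmcertmgr can report a clean deploy while a service that was not restarted, or that reads a different keystore, keeps serving the old certificate.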
octet
Posts: 23
Joined: Thu Jan 06, 2022 2:35 pm

Re: Error on deploying SSL certificates

Post by octet »

Checking logs:

zimbra.log

2022-01-13 17:18:12,562 WARN  [main] [] misc - Could not establish a connection to the database.  Retrying in 5 seconds.
com.zimbra.common.service.ServiceException: system failure: getting database connection
ExceptionId:main:1642094292562:c92db4a2d4cea5cc
Code:service.FAILURE
	at com.zimbra.common.service.ServiceException.FAILURE(ServiceException.java:288)
	at com.zimbra.cs.db.DbPool.getConnection(DbPool.java:360)
	at com.zimbra.cs.db.DbPool.getConnection(DbPool.java:322)
	at com.zimbra.cs.db.DbPool.waitForDatabase(DbPool.java:243)
	at com.zimbra.cs.db.DbPool.startup(DbPool.java:234)
	at com.zimbra.cs.util.Zimbra.startup(Zimbra.java:218)
	at com.zimbra.cs.util.Zimbra.startup(Zimbra.java:177)
	at com.zimbra.soap.SoapServlet.init(SoapServlet.java:130)
	at javax.servlet.GenericServlet.init(GenericServlet.java:244)
	at org.eclipse.jetty.servlet.ServletHolder.initServlet(ServletHolder.java:671)
	at org.eclipse.jetty.servlet.ServletHolder.initialize(ServletHolder.java:428)
	at org.eclipse.jetty.servlet.ServletHandler.lambda$initialize$0(ServletHandler.java:750)
	at java.base/java.util.stream.SortedOps$SizedRefSortingSink.end(SortedOps.java:357)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
	at java.base/java.util.stream.StreamSpliterators$WrappingSpliterator.forEachRemaining(StreamSpliterators.java:312)
	at java.base/java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:735)
	at java.base/java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:734)
	at java.base/java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:658)
	at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:744)
	at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:369)
	at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1497)
	at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1459)
	at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:852)
	at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:278)
	at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:545)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:167)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:119)
	at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:167)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:119)
	at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:167)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110)
	at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:167)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110)
	at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113)
	at org.eclipse.jetty.server.handler.gzip.GzipHandler.doStart(GzipHandler.java:406)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:167)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110)
	at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113)
	at org.eclipse.jetty.server.handler.DebugHandler.doStart(DebugHandler.java:142)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:167)
	at org.eclipse.jetty.server.Server.start(Server.java:418)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110)
	at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113)
	at org.eclipse.jetty.server.Server.doStart(Server.java:382)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
	at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1572)
	at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1512)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:554)
	at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1511)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:567)
	at org.eclipse.jetty.start.Main.invokeMain(Main.java:220)
	at org.eclipse.jetty.start.Main.start(Main.java:490)
	at org.eclipse.jetty.start.Main.main(Main.java:77)
Caused by: java.sql.SQLException: Host 'localhost' is not allowed to connect to this MariaDB server
	at org.mariadb.jdbc.internal.com.read.ReadInitialHandShakePacket.<init>(ReadInitialHandShakePacket.java:92)
	at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.handleConnectionPhases(AbstractConnectProtocol.java:693)
	at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connect(AbstractConnectProtocol.java:415)
	at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connectWithoutProxy(AbstractConnectProtocol.java:1128)
	at org.mariadb.jdbc.internal.util.Utils.retrieveProxy(Utils.java:620)
	at org.mariadb.jdbc.MariaDbConnection.newConnection(MariaDbConnection.java:175)
	at org.mariadb.jdbc.Driver.connect(Driver.java:92)
	at java.sql/java.sql.DriverManager.getConnection(DriverManager.java:677)
	at java.sql/java.sql.DriverManager.getConnection(DriverManager.java:189)
	at org.apache.commons.dbcp.DriverManagerConnectionFactory.createConnection(DriverManagerConnectionFactory.java:78)
	at com.zimbra.cs.db.ZimbraConnectionFactory.createConnection(ZimbraConnectionFactory.java:67)
	at org.apache.commons.dbcp.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:582)
	at org.apache.commons.pool.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:1188)
	at org.apache.commons.dbcp.PoolingDataSource.getConnection(PoolingDataSource.java:106)
	at com.zimbra.cs.db.DbPool.getConnection(DbPool.java:341)
	... 64 more
[zimbra@mail ~]$ mysql
ERROR 1045 (28000): Access denied for user 'zimbra'@'localhost' (using password: YES)
[zimbra@mail ~]$ 

[zimbra@mail ~]$ telnet localhost 7306
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
DHost 'localhost' is not allowed to connect to this MariaDB serverConnection closed by foreign host.
[zimbra@mail ~]$ 
nginx.log

[root@mail ~]# tail -f /opt/zimbra/log/nginx.log
2022/01/13 17:31:56 [error] 4031#0: *1545 upstream timed out (110: Connection timed out) while connecting to upstream, client: 86.121.xxx.x, server: mail.XXX.com, request: "PROPFIND /principals/users/sandu.velea%40XXX.com/ HTTP/1.1", upstream: "https://10.70.150.43:8443/principals/users/sandu.velea%40XXX.com/", host: "mail.XXX.com"
2022/01/13 17:31:56 [error] 4031#0: *1545 no live upstreams while connecting to upstream, client: 86.121.xxx.x, server: mail.XXX.com, request: "PROPFIND /principals/users/sandu.velea%40XXX.com/ HTTP/1.1", upstream: "https://zimbra_ssl/principals/users/sandu.velea%40XXX.com/", host: "mail.XXX.com"
2022/01/13 17:32:21 [error] 4031#0: *1545 upstream timed out (110: Connection timed out) while connecting to upstream, client: 86.121.xxx.x, server: mail.XXX.com, request: "PROPFIND / HTTP/1.1", upstream: "https://192.168.168.168:8443/", host: "mail.XXX.com"
2022/01/13 17:32:46 [error] 4031#0: *1545 upstream timed out (110: Connection timed out) while connecting to upstream, client: 86.121.xxx.x, server: mail.XXX.com, request: "PROPFIND / HTTP/1.1", upstream: "https://10.70.150.43:8443/", host: "mail.XXX.com"
2022/01/13 17:32:46 [error] 4031#0: *1545 no live upstreams while connecting to upstream, client: 86.121.xxx.x, server: mail.XXX.com, request: "PROPFIND / HTTP/1.1", upstream: "https://zimbra_login_ssl/", host: "mail.XXX.com"
2022/01/13 17:33:11 [error] 4031#0: *1545 upstream timed out (110: Connection timed out) while connecting to upstream, client: 86.121.xxx.x, server: mail.XXX.com, request: "PROPFIND /principals/ HTTP/1.1", upstream: "https://192.168.168.168:8443/principals/", host: "mail.XXX.com"
2022/01/13 17:33:36 [error] 4031#0: *1545 upstream timed out (110: Connection timed out) while connecting to upstream, client: 86.121.xxx.x, server: mail.XXX.com, request: "PROPFIND /principals/ HTTP/1.1", upstream: "https://10.70.150.43:8443/principals/", host: "mail.XXX.com"
2022/01/13 17:33:36 [error] 4031#0: *1545 no live upstreams while connecting to upstream, client: 86.121.xxx.x, server: mail.XXX.com, request: "PROPFIND /principals/ HTTP/1.1", upstream: "https://zimbra_ssl/principals/", host: "mail.XXX.com"
2022/01/13 17:34:16 [info] 4031#0: *1545 client 86.121.xxx.x closed keepalive connection
2022/01/13 17:38:44 [info] 4030#0: *1576 epoll_wait() reported that client prematurely closed connection, so upstream connection is closed too while connecting to upstream, client: 45.146.165.37, server: mail.XXX.com, request: "GET / HTTP/1.1", upstream: "https://10.70.150.43:8443/", host: "51.158.xx.xx:443"
mysql-error.log

220113 13:04:30 mysqld_safe Starting mysqld daemon with databases from /opt/zimbra/db/data
2022-01-13 13:04:30 140481834846080 [Note] /opt/zimbra/common/sbin/mysqld (mysqld 10.1.25-MariaDB) starting as process 3592 ...
2022-01-13 13:04:30 140481834846080 [Note] InnoDB: Using mutexes to ref count buffer pool pages
2022-01-13 13:04:30 140481834846080 [Note] InnoDB: The InnoDB memory heap is disabled
2022-01-13 13:04:30 140481834846080 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
2022-01-13 13:04:30 140481834846080 [Note] InnoDB: GCC builtin __atomic_thread_fence() is used for memory barrier
2022-01-13 13:04:30 140481834846080 [Note] InnoDB: Compressed tables use zlib 1.2.3
2022-01-13 13:04:30 140481834846080 [Note] InnoDB: Using Linux native AIO
2022-01-13 13:04:30 140481834846080 [Note] InnoDB: Using SSE crc32 instructions
2022-01-13 13:04:30 140481834846080 [Note] InnoDB: Initializing buffer pool, size = 2.3G
2022-01-13 13:04:30 140481834846080 [Note] InnoDB: Completed initialization of buffer pool
2022-01-13 13:04:30 140481834846080 [Note] InnoDB: Highest supported file format is Barracuda.
2022-01-13 13:04:31 140481834846080 [Note] InnoDB: 128 rollback segment(s) are active.
2022-01-13 13:04:31 140481834846080 [Note] InnoDB: Waiting for purge to start
2022-01-13 13:04:31 140481834846080 [Note] InnoDB:  Percona XtraDB (http://www.percona.com) 5.6.36-82.0 started; log sequence number 1600766
2022-01-13 13:04:31 140479046227712 [Note] InnoDB: Dumping buffer pool(s) not yet started
2022-01-13 13:04:31 140481834846080 [Note] Plugin 'FEEDBACK' is disabled.
2022-01-13 13:04:31 140481834846080 [Note] Server socket created on IP: '127.0.0.1'.
2022-01-13 13:04:31 140481834302208 [Warning] InnoDB: Cannot open table mysql/gtid_slave_pos from the internal data dictionary of InnoDB though the .frm file for the table exists. See http://dev.mysql.com/doc/refman/5.6/en/innodb-troubleshooting.html for how you can resolve the problem.
2022-01-13 13:04:31 140481834302208 [Warning] Failed to load slave replication state from table mysql.gtid_slave_pos: 1932: Table 'mysql.gtid_slave_pos' doesn't exist in engine
2022-01-13 13:04:31 140481834846080 [Note] /opt/zimbra/common/sbin/mysqld: ready for connections.
Version: '10.1.25-MariaDB'  socket: '/opt/zimbra/data/tmp/mysql/mysql.sock'  port: 7306  Zimbra MariaDB binary distribution
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Error on deploying SSL certificates

Post by JDunphy »

Glad you are past the SSL certs now. I think I learned quite a bit myself so who doesn't like a good puzzle eh? ;-)

That 502... Background. You have an nginx reverse proxy that is listening on ports 80, 443, 993, etc, etc. There is a backend server, which is that mailboxd (java) instance, and it is listening on a lot of ports (pop3, imap, web, etc). There needs to be some sort of connection so that nginx knows that if you hit port 443 that corresponds to 8443 on mailboxd, etc. They do that with a tool that maps the ports and configures the nginx conf files.

Generally you can do it with this if the mapping is messed up. I would hold off on that however until you know more.

Code:

# su - 
% /opt/zimbra/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x <http/both>  -H `zmhostname`
Ref: https://wiki.zimbra.com/wiki/Zimbra_Pro ... mbra_Proxy (see section on manual configuration)

It makes more sense to look at what ports you have and what the logs are telling you.

Code:

% su -
# grep FATAL /opt/zimbra/log/mailbox.log
# netstat -nalp | grep LISTEN
Some starting points, given there are a few places that should be telling you why nginx can't connect to mailboxd. First I would establish if mailboxd is running. Note: if you run zmmailboxdctl start; zmcontrol status, you might be deceived that mailboxd started when it actually aborted a bit later, after that zmcontrol status told you it was running. That is why I generally do a quick look with netstat, because it is really obvious when it is running given how many ports it is listening on.

Jim
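An added example (not from this thread and not Zimbra's own tooling) that turns the two checks Jim describes into a small POSIX shell script: it pulls the upstream addresses out of the nginx "upstream timed out" / "no live upstreams" lines and then checks whether anything is LISTENing on the mailboxd ports behind the 8080:80:8443:443 mapping from the zmproxyconfig command above. The nginx and netstat excerpts are constructed to resemble the ones posted in this thread (placeholder IPs); the choice of 8080 and 8443 as the ports to check and the nginx log path /opt/zimbra/log/nginx.log are assumptions for a default install.

```shell
#!/bin/sh
# Added example: triage nginx upstream errors against the ports mailboxd is
# actually listening on. Inputs below are constructed; on a real server feed
# the functions the tail of /opt/zimbra/log/nginx.log (assumed path) and the
# output of `netstat -nalp`.

# Constructed nginx error-log excerpt (client/server names are placeholders).
NGINX_LOG='2022/01/13 17:33:11 [error] 4031#0: *1545 upstream timed out (110: Connection timed out) while connecting to upstream, client: 86.121.0.1, server: mail.example.com, request: "PROPFIND /principals/ HTTP/1.1", upstream: "https://192.168.168.168:8443/principals/", host: "mail.example.com"
2022/01/13 17:33:36 [error] 4031#0: *1545 upstream timed out (110: Connection timed out) while connecting to upstream, client: 86.121.0.1, server: mail.example.com, request: "PROPFIND /principals/ HTTP/1.1", upstream: "https://10.70.150.43:8443/principals/", host: "mail.example.com"
2022/01/13 17:33:36 [error] 4031#0: *1545 no live upstreams while connecting to upstream, client: 86.121.0.1, server: mail.example.com, request: "PROPFIND /principals/ HTTP/1.1", upstream: "https://zimbra_ssl/principals/", host: "mail.example.com"
2022/01/13 17:34:16 [info] 4031#0: *1545 client 86.121.0.1 closed keepalive connection'

# Constructed `netstat -nalp | grep LISTEN` excerpt: nginx and MariaDB are up,
# but nothing is listening on 8080/8443, i.e. mailboxd is not running.
NETSTAT_OUT='tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4030/nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4030/nginx
tcp        0      0 127.0.0.1:7306          0.0.0.0:*               LISTEN      3592/mysqld
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      2710/slapd'

# Print the distinct host:port (or upstream group name) from every
# "upstream timed out" / "no live upstreams" line in the log text $1.
# A bare group name such as "zimbra_ssl" means nginx gave up on the whole
# backend group after all its members failed.
failing_upstreams() {
    printf '%s\n' "$1" \
      | grep -E 'upstream timed out|no live upstreams' \
      | grep -oE 'upstream: "https?://[^/"]+' \
      | sed -E 's#^upstream: "https?://##' \
      | sort -u
}

# Exit 0 if the netstat text $2 shows a TCP LISTEN socket on port $1.
# Requires ':' or '.' right before the port so 443 does not match 8443.
is_listening() {
    printf '%s\n' "$2" | grep -qE "^tcp6?[[:space:]].*[:.]$1[[:space:]]+.*LISTEN"
}

# Print, one per line, the ports in the space-separated list $1 that have no
# LISTEN entry in the netstat text $2. Empty output means the backend is up.
missing_ports() {
    for p in $1; do
        is_listening "$p" "$2" || echo "$p"
    done
}

# Backend ports to check: assumed from the 8080:80:8443:443 mapping above.
BACKEND_PORTS="8080 8443"

echo "Upstreams nginx could not reach:"
failing_upstreams "$NGINX_LOG" | sed 's/^/  /'
echo "Backend ports with nobody listening (mailboxd down or bound elsewhere):"
missing_ports "$BACKEND_PORTS" "$NETSTAT_OUT" | sed 's/^/  /'
```

On a live box the same functions take real input, for example failing_upstreams "$(tail -n 500 /opt/zimbra/log/nginx.log)" and missing_ports "8080 8443" "$(netstat -nalp 2>/dev/null)"; an upstream that shows up in the first list while its port is in the second list is the "mailboxd aborted after start" case Jim describes, and a grep for FATAL in /opt/zimbra/log/mailbox.log is then the next place to look.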