Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters
Hello,
I'm trying to upgrade Zimbra 8.5.0 to latest 8.6.0 on CentOS 6.5. System is up to date. I'm using a commercial cert for mailbox and it is valid.
```
[root@ZIMBRA zcs-8.6.0_GA_1153.RHEL6_64.20141215151155]# ./install.sh
Operations logged to /tmp/install.log.22738
Checking for existing installation...
zimbra-ldap...FOUND zimbra-ldap-8.5.0_GA_3042
zimbra-logger...FOUND zimbra-logger-8.5.0_GA_3042
zimbra-mta...FOUND zimbra-mta-8.5.0_GA_3042
zimbra-dnscache...FOUND zimbra-dnscache-8.5.0_GA_3042
zimbra-snmp...FOUND zimbra-snmp-8.5.0_GA_3042
zimbra-store...FOUND zimbra-store-8.5.0_GA_3042
zimbra-apache...FOUND zimbra-apache-8.5.0_GA_3042
zimbra-spell...FOUND zimbra-spell-8.5.0_GA_3042
zimbra-convertd...NOT FOUND
zimbra-memcached...FOUND zimbra-memcached-8.5.0_GA_3042
zimbra-proxy...NOT FOUND
zimbra-archiving...NOT FOUND
zimbra-core...FOUND zimbra-core-8.5.0_GA_3042
ZCS upgrade from 8.5.0 to 8.6.0 will be performed.
Validating ldap configuration
Error: Unable to create a successful TLS connection to the ldap masters.
Fix cert configuration prior to upgrading.
```
I tried to debug a little:
```
[root@ZIMBRA zcs-8.6.0_GA_1153.RHEL6_64.20141215151155]# bin/zmValidateLdap.pl -l --vmajor 8 --vminor 5
ERROR: Unable to connect via startTLS to master: ldap://zimbra.domain.intra:389
[root@ZIMBRA zcs-8.6.0_GA_1153.RHEL6_64.20141215151155]# /opt/zimbra/bin/zmlocalconfig | grep ldap | grep tls
ldap_common_require_tls = 0
ldap_starttls_required = true
ldap_starttls_supported = 1
[root@ZIMBRA zcs-8.6.0_GA_1153.RHEL6_64.20141215151155]# /opt/zimbra/bin/zmlocalconfig | grep ldap_master
ldap_master_url = ldap://zimbra.domain.intra:389
```
Can anyone help me to solve this problem?
Regards
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters
Hi sub1,
I saw this error before, let me take a look into my notes and chat with the rest of the team.
Best regards
Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters
I also have the same issue on Ubuntu 14.04, let me know if you need anything.
Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters
Is this a multi-server install? What's the CN on the cert? Is your zmlocalconfig `ldap_url` different from `ldap_master_url`?
See if this is relevant https://bugzilla.zimbra.com/show_bug.cgi?id=95420
Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters
Hi,
In my case, it's a mono-server installation.
```
[root@ZIMBRA zcs-8.6.0_GA_1153.RHEL6_64.20141215151155]# "/opt/zimbra/bin/zmlocalconfig" | grep ldap | grep url
ldap_bind_url =
ldap_master_url = ldap://zimbra.domain.intra:389
ldap_url = ldap://zimbra.domain.intra:389
```
CN on cert is "*.domain.com" and my server is named "zimbra.domain.intra".
Concerning bug id 95420, if I replace in "bin/zmValidateLdap.pl"
```
$mesgp = $ldapp->start_tls(
    verify => 'require',
    capath => "/opt/zimbra/conf/ca",
);
```
by
```
$mesgp = $ldapp->start_tls(
    verify => 'none',
    capath => "/opt/zimbra/conf/ca",
);
```
Validation is OK.
It seems that I can no longer have a commercial cert with a DN not matching the hostname. This configuration was valid before 8.6.
Any ideas on the best way to solve this issue?
Regards.
Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters
I have the same issue upgrading from 8.5.1 to 8.6.0. Mono server install. Exactly the same output in validation commands.
Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters
I have (supposedly) the same issue too.
- commercial certificate (not expired!)
- Zimbra 8.5.1_GA_3056 (build 20141103151510)
- single server
```
Validating ldap configuration
Error: Unable to create a successful TLS connection to the ldap masters.
Fix cert configuration prior to upgrading.
```
Any suggestions?
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters
Hi guys,
I'm taking a deeper look with the rest of the Zimbra Team. Could you please launch this command as root:
```
root@zimbra-sn-u14-01:/home/oper# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
```
And tell us whether the hostname of your Single Server is included in the CN (I guess not, because in the CN you have the FQDN), or whether the hostname of your Single Server is at least included in the SubjectAltName?
Best regards
Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters
Hi Jorge,
Thanks for looking into our issue. Your assumption is right. Running zmcertmgr reveals that the hostname is NOT included. Both CN and SubjectAltName carry the official FQDN and are identical.
Do you need the output?
Best regards
Thomas
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters
Hi t.goetten,
No, no, that is enough.
Some SSL certificates can be updated if they are still valid. Could you please try to regenerate the SSL again with the next command, with your country, etc. Please pay special attention to the CN and the subjectaltnames:
```
/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=GB/ST=London/L=London/O=Zimbra/OU=Zimbra IT/CN=FQDN" -subjectAltNames "FQDN,HOSTNAME"
```
And then reissue the SSL, apply it to Zimbra, launch the viewdeployedcrt command again, and if you have the hostname in the subjectaltnames correctly, then try to upgrade again.
We are looking into this problem.
Best regards
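An added example, not part of the thread and not Zimbra's code: a pre-upgrade check that compares the host in `ldap_master_url` with the names in the deployed certificate, using RFC 6125-style matching (SAN first, CN only when no SAN exists, `*` covering a single left-most label). The certificate text is a constructed sample in the layout of `openssl x509 -noout -text` output, the SAN values are assumptions, and the function names are hypothetical.

```python
import re
from urllib.parse import urlparse

# Constructed samples modelled on the thread; not real command output.
LOCALCONFIG = "ldap_master_url = ldap://zimbra.domain.intra:389\n"
CERT_BEFORE = """\
        Subject: C=GB, O=Example, CN=*.domain.com
            X509v3 Subject Alternative Name:
                DNS:*.domain.com, DNS:domain.com
"""
CERT_AFTER = """\
        Subject: C=GB, O=Example, CN=mail.domain.com
            X509v3 Subject Alternative Name:
                DNS:mail.domain.com, DNS:zimbra.domain.intra
"""

def master_hosts(localconfig):
    """Hostnames from ldap_master_url; split in case several URLs are listed."""
    m = re.search(r"^ldap_master_url[ \t]*=[ \t]*(.*)$", localconfig, re.M)
    return [urlparse(u).hostname for u in m.group(1).split()] if m else []

def cert_names(cert_text):
    """SAN dNSName entries; the subject CN counts only when there is no SAN."""
    sans = re.findall(r"DNS:([^,\s]+)", cert_text)
    if sans:
        return [s.lower() for s in sans]
    cn = re.search(r"CN\s*=\s*([^,/\n]+)", cert_text)
    return [cn.group(1).strip().lower()] if cn else []

def name_matches(pattern, host):
    """A '*' is honoured only as the whole left-most label, for one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def uncovered_masters(localconfig, cert_text):
    """LDAP master hosts that no certificate name covers."""
    names = cert_names(cert_text)
    return [h for h in master_hosts(localconfig)
            if not any(name_matches(n, h) for n in names)]

if __name__ == "__main__":
    print("before:", uncovered_masters(LOCALCONFIG, CERT_BEFORE))
    print("after: ", uncovered_masters(LOCALCONFIG, CERT_AFTER))
```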