Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
sub1
Posts: 5
Joined: Mon Dec 22, 2014 4:37 am

Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

Post by sub1 »

Hello,

I'm trying to upgrade Zimbra 8.5.0 to the latest 8.6.0 on CentOS 6.5. The system is up to date. I'm using a commercial cert for the mailbox and it is valid.
[root@ZIMBRA zcs-8.6.0_GA_1153.RHEL6_64.20141215151155]# ./install.sh

Operations logged to /tmp/install.log.22738
Checking for existing installation...
    zimbra-ldap...FOUND zimbra-ldap-8.5.0_GA_3042
    zimbra-logger...FOUND zimbra-logger-8.5.0_GA_3042
    zimbra-mta...FOUND zimbra-mta-8.5.0_GA_3042
    zimbra-dnscache...FOUND zimbra-dnscache-8.5.0_GA_3042
    zimbra-snmp...FOUND zimbra-snmp-8.5.0_GA_3042
    zimbra-store...FOUND zimbra-store-8.5.0_GA_3042
    zimbra-apache...FOUND zimbra-apache-8.5.0_GA_3042
    zimbra-spell...FOUND zimbra-spell-8.5.0_GA_3042
    zimbra-convertd...NOT FOUND
    zimbra-memcached...FOUND zimbra-memcached-8.5.0_GA_3042
    zimbra-proxy...NOT FOUND
    zimbra-archiving...NOT FOUND
    zimbra-core...FOUND zimbra-core-8.5.0_GA_3042
ZCS upgrade from 8.5.0 to 8.6.0 will be performed.
Validating ldap configuration
Error: Unable to create a successful TLS connection to the ldap masters.
       Fix cert configuration prior to upgrading.
I tried to debug a little:
[root@ZIMBRA zcs-8.6.0_GA_1153.RHEL6_64.20141215151155]# bin/zmValidateLdap.pl -l --vmajor 8 --vminor 5
ERROR: Unable to connect via startTLS to master: ldap://zimbra.domain.intra:389


[root@ZIMBRA zcs-8.6.0_GA_1153.RHEL6_64.20141215151155]# /opt/zimbra/bin/zmlocalconfig | grep ldap | grep tls
ldap_common_require_tls = 0
ldap_starttls_required = true
ldap_starttls_supported = 1
[root@ZIMBRA zcs-8.6.0_GA_1153.RHEL6_64.20141215151155]# /opt/zimbra/bin/zmlocalconfig | grep ldap_master
ldap_master_url = ldap://zimbra.domain.intra:389
Can anyone help me solve this problem?
Regards
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

Post by jorgedlcruz »

Hi sub1,

I saw this error before, let me take a look into my notes and chat with the rest of the team.



Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
dslauter
Posts: 6
Joined: Sat Sep 13, 2014 3:36 am

Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

Post by dslauter »

I also have the same issue on Ubuntu 14.04, let me know if you need anything.
dlbewley
Advanced member
Posts: 82
Joined: Fri Sep 12, 2014 10:15 pm

Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

Post by dlbewley »

Is this a multi-server install? What's the CN on the cert? Is your zmlocalconfig `ldap_url` different from `ldap_master_url`?



See if this is relevant https://bugzilla.zimbra.com/show_bug.cgi?id=95420
sub1
Posts: 5
Joined: Mon Dec 22, 2014 4:37 am

Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

Post by sub1 »

Hi,

In my case, it's a mono-server installation.

[root@ZIMBRA zcs-8.6.0_GA_1153.RHEL6_64.20141215151155]# "/opt/zimbra/bin/zmlocalconfig" | grep ldap | grep url
ldap_bind_url =
ldap_master_url = ldap://zimbra.domain.intra:389
ldap_url = ldap://zimbra.domain.intra:389

CN on cert is "*.domain.com" and my server is named "zimbra.domain.intra"





Concerning bug id 95420, if I replace in "bin/zmValidateLdap.pl"

$mesgp = $ldapp->start_tls(
    verify => 'require',
    capath => "/opt/zimbra/conf/ca",
);

by

$mesgp = $ldapp->start_tls(
    verify => 'none',
    capath => "/opt/zimbra/conf/ca",
);

Validation is OK.

It seems that I can no longer have a commercial cert whose DN does not match the hostname. This configuration was valid before 8.6.

Any ideas on the best way to solve this issue?

Regards.
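The validation failure above comes down to hostname verification: with verify => 'require' the Perl check will only accept a certificate whose DNS identities cover the host in ldap_master_url, and a wildcard for *.domain.com cannot cover zimbra.domain.intra. The script below is an added example (Python, not Zimbra's zmValidateLdap.pl or any Zimbra code) that reproduces the two pieces of that check offline: it builds and parses the LDAP StartTLS extended operation on the wire, and it applies RFC 6125 style name matching to certificates given as constructed dicts in the shape Python's ssl.getpeercert() returns. CERT_WILDCARD is the certificate described in this thread; CERT_WITH_HOST_SAN is a constructed certificate with the LDAP hostname added to subjectAltName. live_starttls_check is an assumed reconstruction of the network test and needs a reachable server and the CA directory; nothing else touches the network.

```python
"""Reproduce what start_tls(verify => 'require') exercises: an LDAP StartTLS
extended operation and strict hostname checking of the server certificate.
Added example, not Zimbra's code. Certificates are constructed dicts shaped
like ssl.getpeercert() output."""
import socket
import ssl
from urllib.parse import urlsplit

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14


def _ber(tag, payload):
    """Minimal BER TLV, short-form length only (every message here is < 128 bytes)."""
    if len(payload) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(payload)]) + payload


def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext = _ber(0x77, _ber(0x80, STARTTLS_OID))            # 0x77 = [APPLICATION 23], constructed
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + ext)


def starttls_result_code(data):
    """Return resultCode from the ExtendedResponse [APPLICATION 24]; 0 means success."""
    if data[0] != 0x30 or data[2] != 0x02:
        raise ValueError("not an LDAPMessage")
    i = 4 + data[3]                    # skip the messageID INTEGER
    if data[i] != 0x78:                # 0x78 = [APPLICATION 24], constructed
        raise ValueError("not an ExtendedResponse")
    j = i + 2                          # skip the response tag and length
    if data[j] != 0x0A:                # resultCode is ENUMERATED
        raise ValueError("resultCode missing")
    return int.from_bytes(data[j + 2:j + 2 + data[j + 1]], "big")


def dns_name_matches(pattern, hostname):
    """RFC 6125 style matching: case-insensitive; a wildcard is only accepted as
    the whole left-most label, matches exactly one label, and never a bare TLD.
    So '*.domain.com' covers mail.domain.com but not zimbra.domain.intra."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]


def cert_names(cert):
    """DNS identities a verifier may use: SAN dNSName entries if present,
    otherwise (legacy fallback) the subject commonName."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_matches_host(cert, hostname):
    return any(dns_name_matches(n, hostname) for n in cert_names(cert))


def validate_ldap_url(cert, ldap_url):
    """The question the upgrade check effectively asks: does the deployed cert
    cover the host in ldap_master_url?  Returns (hostname, ok)."""
    host = urlsplit(ldap_url).hostname
    return host, cert_matches_host(cert, host)


def live_starttls_check(ldap_url, capath="/opt/zimbra/conf/ca", timeout=5):
    """Assumed network reconstruction of the Perl check: StartTLS, then a
    handshake that requires a trusted certificate matching the hostname."""
    u = urlsplit(ldap_url)
    host, port = u.hostname, u.port or 389
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(capath=capath)   # same trust directory the Perl script uses
    ctx.check_hostname = True                  # the verify => 'require' behaviour
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(starttls_request())
        if starttls_result_code(s.recv(4096)) != 0:
            return False, "server refused StartTLS"
        try:
            with ctx.wrap_socket(s, server_hostname=host) as tls:
                return True, tls.getpeercert().get("subject")
        except ssl.SSLCertVerificationError as exc:
            return False, str(exc)


# Constructed sample certificates (not real data).
CERT_WILDCARD = {                                # the cert described in the thread
    "subject": ((("commonName", "*.domain.com"),),),
    "subjectAltName": (("DNS", "*.domain.com"), ("DNS", "domain.com")),
}
CERT_WITH_HOST_SAN = {                           # reissued with the LDAP hostname in SAN
    "subject": ((("commonName", "mail.domain.com"),),),
    "subjectAltName": (("DNS", "mail.domain.com"), ("DNS", "zimbra.domain.intra")),
}

if __name__ == "__main__":
    for label, cert in (("wildcard", CERT_WILDCARD), ("host in SAN", CERT_WITH_HOST_SAN)):
        print(label, validate_ldap_url(cert, "ldap://zimbra.domain.intra:389"))
```

Running the script prints that the wildcard certificate fails for zimbra.domain.intra while the certificate carrying that name in subjectAltName passes; switching verify to 'none' in the Perl script only hides that mismatch, it does not make the LDAP connection trustworthy.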
adilm
Posts: 4
Joined: Tue Dec 23, 2014 9:28 am

Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

Post by adilm »

I have the same issue upgrading from 8.5.1 to 8.6.0. Mono-server install. Exactly the same output in the validation commands.
t.goetten
Posts: 19
Joined: Fri Sep 12, 2014 11:22 pm

Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

Post by t.goetten »

I have (supposedly) the same issue too.

- commercial certificate (not expired!)
- Zimbra 8.5.1_GA_3056 (build 20141103151510)
- single server

Validating ldap configuration
Error: Unable to create a successful TLS connection to the ldap masters.
       Fix cert configuration prior to upgrading.

Any suggestions?
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

Post by jorgedlcruz »

Hi guys,
I'm taking a deeper look with the rest of the Zimbra Team. Could you please run this command as root:
root@zimbra-sn-u14-01:/home/oper# /opt/zimbra/bin/zmcertmgr viewdeployedcrt

And tell us whether the hostname of your single server is included in the CN (I guess not, because in the CN you have the FQDN), or whether the hostname of your single server is at least included in the SubjectAltName?
Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
t.goetten
Posts: 19
Joined: Fri Sep 12, 2014 11:22 pm

Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

Post by t.goetten »

Hi Jorge,

thanks for looking into our issue. Your assumption is right. Running zmcertmgr reveals that the hostname is NOT included. Both CN and SubjectAltName carry the official FQDN and are identical.

Do you need the output?

Best regards

Thomas
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

Post by jorgedlcruz »

Hi t.goetten,
No, no, that is enough.
Some SSL certificates can be updated while they are still valid. Could you please try to regenerate the SSL again with the following command, with your country, etc.; please pay special attention to the CN and the subjectAltNames:
/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=GB/ST=London/L=London/O=Zimbra/OU=Zimbra IT/CN=FQDN" -subjectAltNames "FQDN,HOSTNAME"
Then reissue the SSL certificate, deploy it to Zimbra, run the viewdeployedcrt command again, and if the hostname is correctly in the subjectAltNames, try the upgrade again.
We are looking into this problem.
Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/