8.7.9 to 8.7.11 on Ubuntu 16.04 /etc/hosts error

apiening
Posts: 30
Joined: Tue Aug 30, 2016 9:57 pm

Post by apiening »

Hi there,
I want to upgrade my ZCS 8.7.9 to the latest version, but since I read somewhere that it is safer to upgrade to the latest 8.7 release first, I'll take this route and update to 8.8 in another step.

However, the installer exits with an error that my /etc/hosts file contains a line like:

Code:

127.0.0.1     myhost.mydomain.com myhost localhost.localdomain localhost

And that's true.
However, if I remove the myhost.mydomain.com and myhost parts, I get another error instead:

Code:

Error: Unable to create a successful TLS connection to the ldap masters.
       Fix cert configuration prior to upgrading.

How can I proceed from here?

Thank you in advance!
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: 8.7.9 to 8.7.11 on Ubuntu 16.04 /etc/hosts error

Post by phoenix »

Your hosts file is incorrect. Go to the wiki and read the Split DNS article, it tells you what the format of your hosts file should be. You can also find the details in lots of forum threads if you search.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: 8.7.9 to 8.7.11 on Ubuntu 16.04 /etc/hosts error

Post by JDunphy »

apiening wrote:
Hi there,
I want to upgrade my ZCS 8.7.9 to the latest version, but since I read somewhere that it is safer to upgrade to the latest 8.7 release first, I'll take this route and update to 8.8 in another step.

However, the installer exits with an error that my /etc/hosts file contains a line like:

Code:

127.0.0.1     myhost.mydomain.com myhost localhost.localdomain localhost

And that's true.
However, if I remove the myhost.mydomain.com and myhost parts, I get another error instead:

Code:

Error: Unable to create a successful TLS connection to the ldap masters.
       Fix cert configuration prior to upgrading.

How can I proceed from here?

Thank you in advance!

Observe that LDAP is tied to your LAN IP address and not the loopback. netstat will show you that the listen socket for port 389 is tied to your LAN IP address. The entries look like this, where zmhostname is defined in /etc/hosts:

lan ipaddress mail mail.example.com

... In your case, the ldap connection failed because there is nothing listening at: 127.0.0.1:389 so you had an incorrect /etc/hosts entry.

Here is what I do on CentOS to see what should be in /etc/hosts:

Code:

% netstat -l | grep tcp | grep ldap
tcp        0      0 mail.example.com:ldap *:*                         LISTEN

To protect yourself, it is a good idea to make sure that the local resolver cannot get a different IP value from what you have listed in your hosts file. I don't think that applies here, but if you were testing the update process on a different machine and cloning an existing server, I would set up an authoritative DNS server on the testing box with the test server's IP address and point this test server's local resolver to it. I would also make sure a fw blocked incoming packets for this test server on the real server. Probably extra information for your case... Fix the /etc/hosts entries for your zmhostname and you should be ok.
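
Added example (not part of the original posts, and not Zimbra's installer code): a small shell check for the condition discussed in this thread, namely whether the server's hostname is listed on a loopback line of a hosts file. The function names, the sample files and the address 192.0.2.10 (standing in for the LAN IP) are constructed for illustration.

```shell
#!/bin/sh
# Print every address in hosts file $1 whose line lists name $2 (case-insensitive).
hosts_addrs_for() {
    awk -v name="$2" '
        BEGIN { name = tolower(name) }
        {
            sub(/#.*/, "")              # drop comments, fields are re-split
            if (NF < 2) next            # need an address and at least one name
            for (i = 2; i <= NF; i++)
                if (tolower($i) == name) { print $1; break }
        }' "$1"
}

# True for 127.0.0.0/8 and the IPv6 loopback.
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# Returns 0 if the name maps only to non-loopback addresses,
# 1 if any loopback line carries it, 2 if it is not in the file at all.
check_hosts() {
    file=$1 name=$2 found=0 bad=0
    for addr in $(hosts_addrs_for "$file" "$name"); do
        found=1
        if is_loopback "$addr"; then bad=1; fi
    done
    [ "$found" -eq 1 ] || return 2
    [ "$bad" -eq 0 ] || return 1
    return 0
}

# Constructed samples: the layout from the first post and a corrected one.
write_samples() {
    printf '%s\n' '127.0.0.1 myhost.mydomain.com myhost localhost.localdomain localhost' > "$1/hosts.bad"
    printf '%s\n' '127.0.0.1 localhost.localdomain localhost' \
                  '192.0.2.10 myhost.mydomain.com myhost' > "$1/hosts.good"
}

d=$(mktemp -d) && write_samples "$d"
for f in hosts.bad hosts.good; do
    rc=0; check_hosts "$d/$f" myhost.mydomain.com || rc=$?
    echo "$f: rc=$rc"
done
rm -rf "$d"
```

On a live server the same check would be run as `check_hosts /etc/hosts "$(zmhostname)"`; a return of 1 corresponds to the hosts layout shown in the first post.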
apiening
Posts: 30
Joined: Tue Aug 30, 2016 9:57 pm

Re: 8.7.9 to 8.7.11 on Ubuntu 16.04 /etc/hosts error

Post by apiening »

phoenix wrote:
Your hosts file is incorrect. Go to the wiki and read the Split DNS article, it tells you what the format of your hosts file should be. You can also find the details in lots of forum threads if you search.

The DNS for the public IP is configured correctly, including mx etc. Can't see the need of an additional local DNS server.
My problem is that if I "fix" my /etc/hosts by removing "myhost.mydomain.com myhost" as it is stated in the manual, the TLS connection isn't working anymore (see initial post).

From my understanding, the integrated cert of the LDAP mismatches if myhost.mydomain.com does not resolve to 127.0.0.1 anymore.
This is probably because the /etc/hosts was already faulty when the initial install was done.

Any ideas how I can fix this?
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: 8.7.9 to 8.7.11 on Ubuntu 16.04 /etc/hosts error

Post by pup_seba »

At least from my phone, that hosts file looks bad... if phoenix also says it is bad, then maybe you should try to fix that.

I believe nobody is telling you to deploy an additional DNS server; the Split DNS article was referenced as it contains instructions on how the hosts file is formatted.

I'm guessing now that you may be facing two problems:
1. Bad /etc/hosts file content and/or formatting (it looks horrible... but maybe it looks this bad because I'm on my phone and the code snippet is not showing it well).
2. Your LDAP hostname and the certificate it has do mismatch.

1. Fix your hosts file.
2. If 1 does not fix your problem, relax TLS security and interprocess communication. (There are wikis on how to do both, and I remember a bug explaining how during upgrades TLS is challenged, showing an error similar to yours.)
apiening
Posts: 30
Joined: Tue Aug 30, 2016 9:57 pm

Re: 8.7.9 to 8.7.11 on Ubuntu 16.04 /etc/hosts error

Post by apiening »

Even though this thread is old, I want to close this with some feedback on how the issue was solved. Just for reference.
As JDunphy said, the LDAP server was listening on my external name like it should (mail.example.com) verified with netstat as suggested.

So all I needed to do is to stop zimbra, then update my /etc/hosts file (by removing mail.example.com from the loopback ip) and start zimbra again.
This time it binds again to the external hostname, but it was resolved to the correct WAN IP.

The upgrade worked without issues after this change.

Thanks to all you commenters for your hints and help.