Zimbra 7->8.5 upgrade ssl failure

abatie
Advanced member
Posts: 61
Joined: Thu Aug 07, 2014 12:02 pm

Post by abatie »

I'm trying to upgrade a test 7.2.7 cluster to 8.5. I ran /opt/zimbra/bin/zmcertmgr deploycrt self as described in the upgrade instructions; however, I still get an SSL failure that aborts the install process:

This appears to be 7.2.7_GA
Unable to start TLS: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed when connecting to ldap master.
UPGRADE FAILED - exiting.

Any insights? Thanks!
vavai
Advanced member
Posts: 174
Joined: Thu Nov 14, 2013 2:41 pm
Location: Indonesia

Post by vavai »

Hi Abatie,
Did you check the certificate before trying to upgrade the system?

/opt/zimbra/bin/zmcertmgr viewdeployedcrt

Also, why not use a cheap commercial SSL certificate such as PositiveSSL or RapidSSL, single domain for about $10 for 1 year ;-)
abatie
Advanced member
Posts: 61
Joined: Thu Aug 07, 2014 12:02 pm

Post by abatie »

What would I check? In fact, rsyncing the /opt/zimbra/conf/ca directory from the master ldap server solves the problem, rather than what the upgrade instructions say to do. And I don't bother getting a real certificate because it's unnecessary extra work since the cert is not used externally.
Laragio
Posts: 16
Joined: Fri Oct 17, 2014 2:43 am

Post by Laragio »

Hi abatie,

What steps did you follow to solve the problem?

I tried to copy the /opt/zimbra/conf/ca on the MTA server, but the upgrade fails with the error:

Unable to start TLS: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed when connecting to ldap master.

Thanks for the help

--

Laragio
abatie
Advanced member
Posts: 61
Joined: Thu Aug 07, 2014 12:02 pm

Post by abatie »

I don't remember exactly where I ran into more problems, but in fact I ended up caving and installing a real certificate across the cluster.
Laragio
Posts: 16
Joined: Fri Oct 17, 2014 2:43 am

Post by Laragio »

Hi,

Now I have a commercial certificate on the cluster, but the error in the upgrade is the same:

Unable to start TLS: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed when connecting to ldap master.

Any help?
bartekx
Posts: 10
Joined: Thu Oct 30, 2014 5:35 am

Post by bartekx »

I have a similar problem. I was upgrading from 8.0.7 to 8.5.0 in a multi-server environment. First the LDAP master and then the LDAP replica updated well. Because my installation is not older than one year, I decided not to regenerate certs as described in the Upgrade Instructions on page 9. Next I tried to upgrade the first MTA server and got this:

Unable to start TLS: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed when connecting to ldap master.
UPGRADE FAILED - exiting.

Then I tried to regenerate certs on the LDAP master with:

sudo /opt/zimbra/bin/zmcertmgr createca -new
sudo /opt/zimbra/bin/zmcertmgr deployca
sudo /opt/zimbra/bin/zmcertmgr deploycrt self -new

The last one did not work with the -new attribute. After that I ran:

sudo /opt/zimbra/bin/zmcertmgr deploycrt self

on all Zimbra servers and restarted the Zimbra upgrade on the MTA, but with no luck. Still the same problem.

Any help? Thanks!
Laragio
Posts: 16
Joined: Fri Oct 17, 2014 2:43 am

Post by Laragio »

Hi,

I solved it by changing the ldap master url from IP to the hostname of the ldap server.

What master url do you have configured?

--

Laragio
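
Added example (not from the thread and not Zimbra's code): a change from IP to hostname affects certificate name matching, since a client that connects by IP can only match an iPAddress subjectAltName, never a DNS name. This sketch checks each ldap_master_url target against a certificate's names using simplified RFC 6125-style rules; the function names, the certificate name list and the 192.0.2.10 address are constructed assumptions, and the hostnames are the ones posted later in this thread.

```python
import ipaddress
from urllib.parse import urlsplit

def master_hosts(ldap_master_url):
    """Split a space-separated ldap_master_url value into its host parts."""
    return [urlsplit(u).hostname for u in ldap_master_url.split()]

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def dns_match(host, pattern):
    """Case-insensitive match; '*' may only replace the whole left-most label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[1:] == p[1:]
    return h == p

def check_host(host, dns_names, ip_sans):
    """Return (ok, reason) for one connection target against the cert's names."""
    if is_ip(host):
        addr = ipaddress.ip_address(host)
        if any(addr == ipaddress.ip_address(s) for s in ip_sans):
            return True, "IP matches an iPAddress SAN"
        return False, "connecting by IP, but no matching iPAddress SAN"
    for name in dns_names:
        if dns_match(host, name):
            return True, "hostname matches " + name
    return False, "hostname not among the certificate's names"

def audit(ldap_master_url, dns_names, ip_sans=()):
    """Map every configured LDAP master host to its (ok, reason) result."""
    return {h: check_host(h, dns_names, ip_sans)
            for h in master_hosts(ldap_master_url)}

# Constructed sample data: names as they would be read from the deployed cert.
CERT_DNS_NAMES = ["alfa-ldap01.my.domain"]
BY_NAME = "ldap://alfa-ldap01.my.domain:389 ldap://alfa-ldap02.my.domain:389"
BY_IP = "ldap://192.0.2.10:389"  # documentation address, assumed for the demo

if __name__ == "__main__":
    for value in (BY_NAME, BY_IP):
        for host, (ok, why) in audit(value, CERT_DNS_NAMES).items():
            print("OK  " if ok else "FAIL", host, "-", why)
```

With two masters listed, each one has to present a certificate whose names cover the host used to reach it, which is why the second entry fails in the sample.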
bartekx
Posts: 10
Joined: Thu Oct 30, 2014 5:35 am

Post by bartekx »

Thanks for the reply, Laragio,

$ zmlocalconfig -s ldap_master_url
ldap_master_url = ldap://alfa-ldap01.my.domain:389 ldap://alfa-ldap02.my.domain:389
Laragio
Posts: 16
Joined: Fri Oct 17, 2014 2:43 am

Post by Laragio »

Hi,

And the ldap_host?

Do you have a multi-master LDAP environment?

--

Laragio