Synopsis: about the zimbraCertAuthorityCertSelfSigned error. For me, it's because '/opt/zimbra/conf/ca/ca.pem' expired last month. Probably the difference in LDAP schema has solved itself in 10.0.8 from the last time I installed from the dev branch, but not sure.
Details:
And the CA indeed expired:
I always use my own commercial certificate, so I'm unsure what this certificate authority (CA) is used for? I went into my records, and Apr 21 2019 was the day I scrambled for the famous remote code execution hack. So, in other words, I updated Zimbra (among others). Is that when these CAs are supposed to update?
This is related log stuff from the zmsetup log file:
And about the LDAP schema differences, my post here shows the log excerpt, but there doesn't seem to be any actual invalid attributes? So, I'm not sure if that is also hitting me or not. Perhaps the development build of 10.0.6 is behind 10.0.8 enough that that is no longer a problem for me.
Details:
For me, deployca seems to be the problem. The install log doesn't show the error, but the stdout on console did and mentioned ca.pem had expired:
Here is what I believe it wanted to do and from my upgrade of 10.0.5 FOSS to 10.0.7 FOSS
Hello,
Using your build to upgrade from 10.0.6 I always get "Saving config key 'zimbraCertAuthorityCertSelfSigned' via zmprov modifyConfig...failed (rc=2)" error (seen this before with other builds).
I suspect this has to do with different ldap schema as said on viewtopic.php?p=313162#p313162
Thanks
Following the code is a little bit of a chore... zmsetup.pl -> zmupgrade.pm -> zmcertmgr if I understood what I was reading. No guarantee with perl ... but I believe it was the zmcertmgr deployca that caused your failure.
Code:
Mon Mar 18 17:48:12 2024 Saving CA in ldap...
Mon Mar 18 17:48:12 2024 *** Running as zimbra user: /opt/zimbra/bin/zmcertmgr deployca
** Saving config key 'zimbraCertAuthorityCertSelfSigned' via zmprov modifyConfig...ok
** Saving config key 'zimbraCertAuthorityKeySelfSigned' via zmprov modifyConfig...ok
** Importing cert '/opt/zimbra/ssl/zimbra/ca/ca.pem' as 'my_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Cleaning up 9 files from '/opt/zimbra/conf/ca'...
I build the same way so I should be looking at the correct code base for 10.0.7 FOSS. Maybe Adrian or others have some ideas.
Jim
Code:
*** CONFIGURATION COMPLETE - press 'a' to apply
Select from menu, or press 'a' to apply config (? - help) a
Saving config in /opt/zimbra/config.23394...done.
Operations logged to /tmp/zmsetup.20240509-010113.log
Setting local config values...done.
Initializing core config...Setting up CA...O = CA, OU = Zimbra Collaboration Server, CN = meel.halfgaar.net
error 10 at 0 depth lookup: certificate has expired
error /opt/zimbra/conf/ca/ca.pem: verification failed
done.
Deploying CA to /opt/zimbra/conf/ca ...done.
Setting replication password...done.
Setting Postfix password...done.
Setting amavis password...done.
Setting nginx password...done.
Creating server entry for meel.halfgaar.net...already exists.
Setting Zimbra IP Mode...done.
Saving CA in ldap...failed.
-> it threw me back to bash then
Code:
# openssl x509 -text -in /opt/zimbra/conf/ca/ca.pem | grep -A 3 Valid
        Validity
            Not Before: Apr 21 21:21:44 2019 GMT
            Not After : Apr 19 21:21:44 2024 GMT
This is related log stuff from the zmsetup log file:
Code:
Thu May 9 01:01:14 2024 Adding /opt/zimbra/conf/ca/ca.pem to cacerts
Thu May 9 01:01:14 2024 *** Running as zimbra user: /opt/zimbra/bin/zmcertmgr addcacert /opt/zimbra/conf/ca/ca.pem
** Importing cert '/opt/zimbra/conf/ca/ca.pem' as 'zcs-user-ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
Thu May 9 01:01:16 2024 Upgrading from 10.0.6_GA_0124 to 10.0.8_GA_4200000
Statistics: Posted by halfgaar — Thu May 09, 2024 1:09 am
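
A pre-upgrade check for the condition diagnosed in this thread, as an added example that is not part of any post and not Zimbra's own tooling: it reads the expiry date from openssl output and classifies each CA file before the installer reaches the deployca step. The function names and the 30-day warning window are assumptions; the two CA paths are the ones that appear in the logs above.

```python
#!/usr/bin/env python3
"""Pre-upgrade check: flag CA certificates that are expired or close to expiry."""
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Both paths appear in the thread's logs.
CA_PATHS = ["/opt/zimbra/conf/ca/ca.pem", "/opt/zimbra/ssl/zimbra/ca/ca.pem"]
_DATE = re.compile(
    r"(?:Not After\s*:|notAfter=)\s*(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) GMT")

def not_after(openssl_text):
    """Extract the expiry time from `openssl x509 -text` or `-enddate` output."""
    m = _DATE.search(openssl_text)
    if not m:
        raise ValueError("no Not After / notAfter field found")
    stamp = " ".join(m.group(1).split())  # collapse a padded day ("Apr  9")
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def status(openssl_text, now, warn_days=30):
    """Return (state, days_left); state is EXPIRED, EXPIRING or OK."""
    left = not_after(openssl_text) - now
    if left <= timedelta(0):
        return "EXPIRED", left.days
    if left <= timedelta(days=warn_days):  # warn_days is an assumed threshold
        return "EXPIRING", left.days
    return "OK", left.days

def check_file(path, now=None):
    """Run openssl on a certificate file and classify it."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", path],
                         capture_output=True, text=True, check=True).stdout
    return status(out, now or datetime.now(timezone.utc))

# Constructed sample: the Validity block quoted in the thread.
SAMPLE = """Validity
    Not Before: Apr 21 21:21:44 2019 GMT
    Not After : Apr 19 21:21:44 2024 GMT"""

if __name__ == "__main__":
    for p in CA_PATHS:
        try:
            print(p, *check_file(p))
        except (OSError, subprocess.CalledProcessError) as exc:
            print(p, "UNREADABLE", exc)
```

Run it as the zimbra user (or root) before starting the installer; any EXPIRED or EXPIRING result means the CA should be dealt with before the upgrade.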