Updating Zimbra's self-signed certificate to fix the error Unable to determine enabled services from ldap

From Wiki Hackstore

Problem

This solution applies to a common problem that occurs in Zimbra when the annual certificate expires:

Never let your Zimbra server's certificate expire (the best way is to keep the server always up to date). To see whether it is about to expire, always run the following command:

/opt/zimbra/bin/zmcertmgr viewdeployedcrt

It will return output like this:

::service mta::
notBefore=Apr 22 23:04:27 2010 GMT
notAfter=Apr 22 23:04:27 2011 GMT

This shows from when and until when your certificate is valid. If the certificate expires, your users will start complaining that the web interface shows network errors, and the server will simply start emitting errors on start and stop, such as:

[zimbra@correio ~]$ zmcontrol start
Host correio.meudominio.com.br
Starting ldap...Done.
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
Starting logger...Failed.
Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed)
zimbra logger service is not enabled! failed.


Solution

To solve the problem, do the following (the lines to be typed are in red and must be run as root). Stop Zimbra:

[zimbra@correio ~]$ zmcontrol stop


Once Zimbra is completely stopped, make a backup of the zmcertmgr script:

cp /opt/zimbra/bin/zmcertmgr /opt/zimbra/bin/zmcertmgr-bkp


Edit the script and change the validation_days variable to the value 3660:

validation_days=3660

NOTE: This will make the certificate last 10 years instead of just 365 days :D


/opt/zimbra/bin/zmcertmgr createca -new
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf…done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key…done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem…done.
/opt/zimbra/bin/zmcertmgr createcrt -new -days 3660
Validation days: 3660
** Creating /opt/zimbra/conf/zmssl.cnf…done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20110423104040
** Generating a server csr for download self -new -keysize 1024
** Creating /opt/zimbra/conf/zmssl.cnf…done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20110423104040
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr…done.
** Saving server config key zimbraSSLPrivateKey…failed.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr…done.
/opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate…failed.
** Saving server config key zimbraSSLPrivateKey…failed.
** Installing mta certificate and key…done.
** Installing slapd certificate and key…done.
** Installing proxy certificate and key…done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore…done.
** Installing CA to /opt/zimbra/conf/ca…done.
/opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS…done.
** Saving global config key zimbraCertAuthorityCertSelfSigned…failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned…failed.
** Copying CA to /opt/zimbra/conf/ca…done.
/opt/zimbra/bin/zmcertmgr viewdeployedcrt
::service mta::
notBefore=Apr 23 13:40:45 2011 GMT
notAfter=Apr 22 13:40:45 2022 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=correio.meudominio.org.br
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=correio.meudominio.org.br
SubjectAltName=
::service proxy::
notBefore=Apr 23 13:40:45 2011 GMT
notAfter=Apr 22 13:40:45 2022 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=correio.meudominio.org.br
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=correio.meudominio.org.br
SubjectAltName=
::service mailboxd::
notBefore=Apr 23 13:40:45 2011 GMT
notAfter=Apr 22 13:40:45 2022 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=correio.meudominio.org.br
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=correio.meudominio.org.br
SubjectAltName=
::service ldap::
notBefore=Apr 23 13:40:45 2011 GMT
notAfter=Apr 22 13:40:45 2022 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=correio.meudominio.org.br
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=correio.meudominio.org.br
SubjectAltName=

Start Zimbra:

[zimbra@correio ~]$ zmcontrol start
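
The viewdeployedcrt check recommended in the Problem section can be automated so that an approaching expiry is noticed before the services fail. The script below is an added example, not part of the original wiki page or of Zimbra; the function names, the 30-day threshold and the sample text are assumptions, and it must run as a user allowed to execute zmcertmgr.

```python
"""Added example: flag Zimbra service certificates that are close to expiry."""
import re
import subprocess
from datetime import datetime, timedelta, timezone

ZMCERTMGR = "/opt/zimbra/bin/zmcertmgr"   # path used on this page
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"    # e.g. "Apr 22 23:04:27 2011 GMT"

# Constructed sample in the same layout as the viewdeployedcrt output above.
SAMPLE = """\
::service mta::
notBefore=Apr 22 23:04:27 2010 GMT
notAfter=Apr 22 23:04:27 2011 GMT
::service ldap::
notBefore=Apr 23 13:40:45 2011 GMT
notAfter=Apr  2 13:40:45 2022 GMT
"""

def parse_expiry(text):
    """Return {service: notAfter as an aware UTC datetime}."""
    expiry, service = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"::service (\S+)::", line)
        if header:
            service = header.group(1)
        elif line.startswith("notAfter=") and service:
            value = line.split("=", 1)[1].strip()
            when = datetime.strptime(value, OPENSSL_TIME)
            expiry[service] = when.replace(tzinfo=timezone.utc)
    return expiry

def expiring(text, now, warn_days=30):
    """Sorted [(service, days_left)] for certificates that end within
    warn_days of now; days_left is negative once already expired."""
    limit = now + timedelta(days=warn_days)
    return sorted((svc, (end - now).days)
                  for svc, end in parse_expiry(text).items() if end <= limit)

def main():
    out = subprocess.run([ZMCERTMGR, "viewdeployedcrt"], check=True,
                         capture_output=True, text=True).stdout
    if not parse_expiry(out):
        print("no certificates found in zmcertmgr output")
        return 2
    problems = expiring(out, datetime.now(timezone.utc))
    for svc, days in problems:
        state = "EXPIRED" if days < 0 else "expires soon"
        print(f"{svc}: certificate {state} ({days} days left)")
    return 1 if problems else 0

if __name__ == "__main__":
    raise SystemExit(main())
```

Run from cron, a non-zero exit status can drive an alert well before the SSLHandshakeException shown above appears.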