今天晚上突然发现公司的zimbra邮件服务器页面无法打开,进入系统查看下zimbra启动的服务项,发现ldap启动失败,于是网上找了下资料,现在分享一下心得(复制过来的)。实测,有效!
ZCS默认的证书只能使用一年,到期后需要重新签发,如果不签发,可以会使ZCS的服务无法启动,表现的情况为:
Starting ldap...Done.
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
ldap Stopped
logger Stopped
分为两种情况:
一 ZCS服务正常,但想延长证书使用的时间;
用root执行里下命令,签发一个可以使用20年的证书。
#/opt/zimbra/bin/zmcertmgr createca -new
#/opt/zimbra/bin/zmcertmgr deployca
#/opt/zimbra/bin/zmcertmgr createcrt -new -days 7300
#/opt/zimbra/bin/zmcertmgr deploycrt self
#/opt/zimbra/bin/zmcertmgr viewdeployedcrt
二 如果ZCS服务已经无法全部启动,那么先停止ZCS服务,执行以上命令后,再启动ZCS服务即可。
经测试,签发20年的证书全部成功,签发50年的证书可能会失败。
下面为签发的过程(此过程中有部分failed,仅供参考,实际成功签发时代码不同):
[root@mail ~]# /opt/zimbra/bin/zmcertmgr createca -new
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
[root@mail ~]# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
** Copying CA to /opt/zimbra/conf/ca...done.
[root@mail ~]# /opt/zimbra/bin/zmcertmgr createcrt -new -days 7300
Validation days: 7300
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20110415115810
** Generating a server csr for download self -new -keysize 1024
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20110415115810
** Retrieving Commercial CA cert from ldap...failed.
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...failed.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
[root@mail ~]# /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
[root@mail ~]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
::service mta::
notBefore=Apr 15 03:58:20 2011 GMT
notAfter=Dec 31 03:58:20 2030 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.test.com.cn
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.test.com.cn
SubjectAltName=
::service proxy::
notBefore=Apr 15 03:58:20 2011 GMT
notAfter=Dec 31 03:58:20 2030 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.test.com.cn
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.test.com.cn
SubjectAltName=
::service mailboxd::
notBefore=Apr 15 03:58:20 2011 GMT
notAfter=Dec 31 03:58:20 2030 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.test.com.cn
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.test.com.cn
SubjectAltName=
::service ldap::
成功,哈哈。