One of our Zimbra Collaboration Suite deployments stopped working all of a sudden: nobody was able to log in with their credentials. My first thought: “oh my, they hacked us!”.

Fortunately, after a quick check of the system logs, it turned out to be a misbehaving service. Extract from /var/log/zimbra.log:

Jun 11 16:17:55 mail zimbramon[31682]: 31682:info: zmmtaconfig: Skipping getAllMtaAuthURLs ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed)

Trying to restart the service didn’t help:

Unable to determine enabled services from ldap.
Unable to determine enabled services. Cache is out of date or doesn't exist.

Further investigation led to the real problem (and its resolution):

/opt/zimbra/bin/zmcertmgr viewdeployedcrt
  ::service mta::
  notBefore=Jun 11 14:48:23 2011 GMT
  notAfter=Jun 11 14:48:23 2012 GMT
  [...]

The server certificate has expired! Let’s renew the self-signed certificate for our Zimbra deployment.

First of all, let’s stop all Zimbra-related services (if not already done):

su - zimbra
zmcontrol stop

Then create a new Certification Authority (note that from now on, the following commands must be run as root):

/opt/zimbra/bin/zmcertmgr createca -new

Now, create a new certificate. We want to chill out, so the expiration time is set to 3650 days (10 years):

/opt/zimbra/bin/zmcertmgr createcrt -new -days 3650

Now deploy the cert and the CA:

/opt/zimbra/bin/zmcertmgr deploycrt self
/opt/zimbra/bin/zmcertmgr deployca

Finally, let’s check the deployed cert:

/opt/zimbra/bin/zmcertmgr viewdeployedcrt
  ::service mta::
  notBefore=Jun 11 15:08:23 2012 GMT
  notAfter=Jun 11 15:08:23 2022 GMT
  [...]

Great! We can now start the Zimbra services without any hassle:

su - zimbra
zmcontrol start
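
To notice the next expiry before it breaks logins again, the notAfter lines printed by viewdeployedcrt can be checked on a schedule. The script below is an added example, not part of the original post: the function names, the 30-day warning threshold and the ldap sample block are assumptions, and the sample input is constructed from the output shown above.

```sh
#!/bin/sh
# Added example, not from the original post.
# cert_status NOW_EPOCH WARN_DAYS  < output of `zmcertmgr viewdeployedcrt`
# Prints "<service> <EXPIRED|WARN|OK> <days>" for every notAfter line;
# <days> is whole days remaining (or whole days since expiry if EXPIRED).
cert_status() {
    awk -v now="$1" -v warn="$2" '
    # Days from 1970-01-01 to y-m-d (Gregorian), so no GNU date is needed.
    function epoch_days(y, m, d,    era, yoe, doy) {
        if (m <= 2) y--
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        return era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
    }
    /^ *::service / { svc = $2; sub(/::$/, "", svc) }
    /notAfter=/ {
        sub(/.*notAfter=/, "")            # leaves: Mon DD HH:MM:SS YYYY GMT
        split($3, t, ":")
        mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        expiry = epoch_days($4, mon, $2) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        secs = expiry - now
        if (secs <= 0) { state = "EXPIRED"; secs = -secs }
        else if (secs < warn * 86400) state = "WARN"
        else state = "OK"
        printf "%s %s %d\n", svc, state, int(secs / 86400)
    }'
}

# Constructed sample: the mta dates are the expired ones shown above;
# the ldap block is made up to show an already renewed certificate.
sample_output() {
    cat <<'EOF'
  ::service mta::
  notBefore=Jun 11 14:48:23 2011 GMT
  notAfter=Jun 11 14:48:23 2012 GMT
  ::service ldap::
  notBefore=Jun 11 15:08:23 2012 GMT
  notAfter=Jun 11 15:08:23 2022 GMT
EOF
}

# Real use (as root, e.g. from cron):
#   /opt/zimbra/bin/zmcertmgr viewdeployedcrt | cert_status "$(date +%s)" 30
sample_output | cert_status 1339430400 30   # "now" fixed at 2012-06-11 16:00:00 UTC
```

Any line reporting WARN or EXPIRED is the cue to run the renewal steps above during a planned window instead of after an outage.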