[Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

hoangnguyen
Posts: 9
Joined: Sun Mar 24, 2019 1:52 pm

[Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Postby hoangnguyen » Sun Mar 24, 2019 2:07 pm

Hi all,

Today I ran the command "zmcontrol status" on my Zimbra server, and I got the error:
Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.
Cannot determine services - exiting

I checked my server and everything seems normal: the SSL certificate is valid, the system date is correct, and the mail server still works well.
But I get that error every time I run the status check command (image attached).

Can anyone help me please?
Thanks so much!
Last edited by hoangnguyen on Sun Mar 31, 2019 11:10 am, edited 1 time in total.


DualBoot
Elite member
Posts: 1308
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Multi servers

Re: ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Postby DualBoot » Tue Mar 26, 2019 3:29 pm

Hello,

Disable SSLv3 on your Zimbra server.

Regards,

PS: What is the version of your Zimbra?
hoangnguyen
Posts: 9
Joined: Sun Mar 24, 2019 1:52 pm

Re: ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Postby hoangnguyen » Wed Mar 27, 2019 8:25 am

Hi DualBoot,

Thanks for responding. I'm using Zimbra version 8.8.9. Is there any risk if I disable SSLv3?
hoangnguyen
Posts: 9
Joined: Sun Mar 24, 2019 1:52 pm

Re: ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Postby hoangnguyen » Sun Mar 31, 2019 11:09 am

Finally, I resolved my issue with two commands:
zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_starttls_supported=0
zmcontrol started successfully.
maxxer
Advanced member
Posts: 190
Joined: Fri Oct 04, 2013 2:12 am

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Postby maxxer » Sat May 30, 2020 4:26 pm

I have a freshly installed server, running smooth for one month, that out of the blue started throwing this error today.

Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.


The certificate expires in Jan 2021 so it's valid.

What's the correct way to disable SSLv3 in LDAP? I found how to do it in nginx and postfix, but not in ldap.
Thanks
bsn9912
Posts: 4
Joined: Thu Jan 25, 2018 9:33 am

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Postby bsn9912 » Sun May 31, 2020 7:03 am

Hi, I see the exact same error as maxxer this morning on my open source Zimbra server, after a regular restart.

        Starting ldap...Done.
Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.


There was no change and no package installation.

I did the workaround suggested earlier to disable TLS, which works for me.

zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_starttls_supported=0


Does anyone know the root cause of this?

Thanks
phoenix
Ambassador
Posts: 26699
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Postby phoenix » Sun May 31, 2020 9:03 am

I don't see that error and at a wild guess I'd say there's something wrong with the certificate, have you verified that it's OK? FWIW, I'd suggest you follow the advice of JDUNPHY (Jim) and install a letsencrypt certificate and automatically update it. The script that Jim provides does that flawlessly. :)

BTW, it's never a good idea to solve a security problem by disabling a security feature.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
dwfallin
Posts: 34
Joined: Sat Sep 13, 2014 12:10 am

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Postby dwfallin » Sun May 31, 2020 5:31 pm

I'm running v8.8 and the instructions for disabling v3 are for earlier versions - not sure how significant that is. But I've followed them (as closely as I can) and am still getting the error trying to start everything:

Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.

I'd rather not just disable TLS - sounds kinda dangerous. I have the same question as maxxer above - how do I disable it in LDAP (the error implies that's where v3 is still being attempted!)?
phoenix
Ambassador
Posts: 26699
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Postby phoenix » Sun May 31, 2020 5:36 pm

As this appears to be a certificate error, what have you done to check the certificates or have you even tried regenerating new certificates for your server?
Regards

Bill
6125amartin
Advanced member
Advanced member
Posts: 63
Joined: Sat Sep 13, 2014 1:45 am

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Postby 6125amartin » Sun May 31, 2020 5:41 pm

This is likely due to the Sectigo root CA expiring yesterday:
https://www.reddit.com/r/sysadmin/comme ... y_morning/

Removing the following line from /etc/ca-certificates.conf does NOT appear to resolve the problem for Zimbra (tested on Ubuntu 18.04):
sed -i '/mozilla\/AddTrust_External_Root.crt/d' /etc/ca-certificates.conf

Please advise on how Zimbra can be updated to handle expiration of this Sectigo root CA. Thanks!
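
The post above attributes the failure to an expired CA certificate rather than to the server certificate the earlier posters checked. As an added example (not from the thread or from Zimbra), this script reports the expiry of every certificate in a PEM file that holds several, such as a chain file or CA bundle. The function names and the constructed sample certificates are assumptions; the bundle path is whatever file the admin wants to inspect.

```bash
#!/usr/bin/env bash
# Added example: list the expiry of every certificate in a PEM bundle.
# Function names are hypothetical; the bundle path is supplied by the caller.

# split_bundle BUNDLE OUTDIR: write each certificate to OUTDIR/cert-NN.pem
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# check_bundle BUNDLE [SECONDS]: one line per certificate; returns 1 if any
# certificate is expired or expires within SECONDS (default 0), 2 if none found.
check_bundle() {
    local bundle=$1 window=${2:-0} tmp rc=0 f subject end
    tmp=$(mktemp -d) || return 2
    split_bundle "$bundle" "$tmp"
    for f in "$tmp"/cert-*.pem; do
        [ -e "$f" ] || { echo "no certificates found in $bundle" >&2; rc=2; break; }
        subject=$(openssl x509 -in "$f" -noout -subject)
        end=$(openssl x509 -in "$f" -noout -enddate)
        if openssl x509 -in "$f" -noout -checkend "$window" >/dev/null; then
            echo "OK      $end  $subject"
        else
            echo "FLAGGED $end  $subject"   # expired, or expiring inside the window
            rc=1
        fi
    done
    rm -rf "$tmp"
    return $rc
}

# make_constructed_bundle DIR: constructed sample data, two self-signed
# certificates (valid for 1 day and for 10 years) concatenated into bundle.pem.
make_constructed_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-short-lived" \
        -keyout "$1/a.key" -out "$1/a.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=constructed-long-lived" \
        -keyout "$1/b.key" -out "$1/b.pem" 2>/dev/null &&
    cat "$1/a.pem" "$1/b.pem" > "$1/bundle.pem"
}

# Command-line use: ./script.sh /path/to/bundle.pem [seconds]
if [ $# -gt 0 ]; then check_bundle "$@"; fi
```

A `FLAGGED` line for an intermediate or root entry while the server certificate's own line reads `OK` matches the situation described in this thread.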
