Unable to start TLS: hostname verification failed when connecting to ldap master.

kbish
Posts: 5
Joined: Fri Dec 02, 2016 2:41 pm

Unable to start TLS: hostname verification failed when connecting to ldap master.

Post by kbish »

Hi,
Zimbra 8.7.1, new installation. After installing a commercial wildcard certificate (*.domain.com) I got this error:
zimbra@zimbra1:~$ zmcontrol restart
Host zimbra1.corp.domain.com
Stopping vmware-ha...Done.
Stopping zmconfigd...Done.
Stopping zimlet webapp...Done.
Stopping zimbraAdmin webapp...Done.
Stopping zimbra webapp...Done.
Stopping service webapp...Done.
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping cbpolicyd...Done.
Stopping archiving...Done.
Stopping opendkim...Done.
Stopping amavis...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping proxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping convertd...Done.
Stopping logger...Done.
Stopping dnscache...Done.
Stopping ldap...Done.
Host zimbra1.corp.domain.com
Starting ldap...Done.
Unable to start TLS: hostname verification failed when connecting to ldap master.


The command /opt/zimbra/bin/zmcertmgr viewdeployedcrt shows a valid certificate installation. Any suggestions?
king0770
Outstanding Member
Posts: 242
Joined: Fri Sep 12, 2014 10:44 pm

Re: Unable to start TLS: hostname verification failed when connecting to ldap master.

Post by king0770 »

If this is a single server setup, try stopping all ZCS services...

zmcontrol stop

Make sure nothing is listening on port 389

lsof -i :389 <<==may need to run lsof as root

If there is a service listening on port 389, kill the pid.

While ZCS services are stopped, try running the zimbra-ldap service in debug...(run as zimbra)

sudo /opt/zimbra/libexec/zmslapd -l LOCAL0 -u zimbra -h 'ldap://zimbra1.corp.domain.com ldapi:///' -F /opt/zimbra/data/ldap/config -d4

There will be a lot of output; however, if there's an issue with the ldap service, there might be an error at the bottom portion of the output.
kbish
Posts: 5
Joined: Fri Dec 02, 2016 2:41 pm

Re: Unable to start TLS: hostname verification failed when connecting to ldap master.

Post by kbish »

After changing from LDAP to LDAPS (https://wiki.zimbra.com/wiki/How_to_enable_ldaps) all services are working now. But I can't install zimbra-talk :( The installation reports an error.
LDAP to LDAPS:
"/opt/zimbra/bin/zmlocalconfig" | grep ldap | grep url
zmlocalconfig -e ldap_master_url=ldaps://zimbra1.corp.domain.com:636
zmlocalconfig -e ldap_url=ldaps://zimbra1.corp.domain.com:636
zmlocalconfig -e ldap_starttls_supported=0
zmlocalconfig -e ldap_port=636
zmcontrol stop
zmcontrol start
Zimbra-talk installation:
Connection to LDAP failed. Please verify your input or press [ESC] to abort the installation.
P.S.
It seems the installation tries to connect to port 389, but ldap is now listening on 636
zimbra@zimbra1:~$ netstat -an | grep 389
zimbra@zimbra1:~$
zimbra@zimbra1:~$ netstat -an | grep 636
tcp 0 0 192.168.1.23:636 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.23:636 192.168.1.23:39264 ESTABLISHED

Any suggestions?
TitusI
Posts: 30
Joined: Fri Apr 15, 2016 2:54 pm
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201

Re: Unable to start TLS: hostname verification failed when connecting to ldap master.

Post by TitusI »

Exactly the same problem here.
Release 8.7.11_GA_1854.RHEL7_64_20170531151956 RHEL7_64 FOSS edition.
I've installed a commercial certificate via this guide:
section Single-Node Commercial Certificate
https://wiki.zimbra.com/wiki/Administra ... cate_Tools

After the deployment of the commercial cert, at zmcontrol restart I get:

Re: Unable to start TLS: hostname verification failed when connecting to ldap master.

OK
So I decided to make a new self-signed certificate using the same guide, in the specific section.
Then zmcontrol start:
Re: Unable to start TLS: hostname verification failed when connecting to ldap master.
Exactly the same error!

So I exited from zimbra and as root I ran /etc/init.d/zimbra stop
(I don't remember the exact sequence and I suppose the "zimbra service" was down).
Then a restart and now the server is still running using a self signed certificate instead of the commercial.


Now I have two questions:
Is there a difference when starting zimbra as root using /etc/init.d/zimbra start? It seems to be just a wrapper, but this stop and start changed something.

My server hostname is serverX.companydomain.com
I made a CSR for serverX.companydomain.com (the only available option)
using mail.clientdomain.com as the Common Name via the web interface, then I went ahead using the CLI.

in hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
XX.XX:XX.XX serverX.companydomain.com serverX
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

in hostname:
localhost.localdomain
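
Added example, not part of any post in this thread: under standard TLS name matching a wildcard stands for exactly one left-most label, so `*.domain.com` does not cover `zimbra1.corp.domain.com`, and a certificate issued for `mail.clientdomain.com` does not cover `serverX.companydomain.com`. The sketch applies that rule to the names quoted in kbish's and TitusI's posts; that this mismatch is what the LDAP client rejected is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: TLS hostname matching applied to the names quoted in this thread.
# Rule (RFC 6125 style): "*" is accepted only as the entire left-most label
# and stands for exactly one DNS label.

# Lower-case a DNS name and drop one trailing dot.
normalize() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# name_matches CERT_NAME HOST: exit status 0 if CERT_NAME covers HOST.
name_matches() (
    pat=$(normalize "$1")
    host=$(normalize "$2")
    case $pat in
        '*.'*)
            suffix=${pat#'*.'}
            case $host in *.*) ;; *) exit 1 ;; esac
            first=${host%%.*}     # label the "*" has to stand for
            rest=${host#*.}       # must equal the wildcard's suffix exactly
            [ -n "$first" ] && [ "$rest" = "$suffix" ]
            ;;
        *'*'*) exit 1 ;;          # wildcard anywhere else is rejected
        *) [ "$pat" = "$host" ] ;;
    esac
)

# check_cert_names HOST NAME...: print the first name covering HOST, else status 1.
check_cert_names() (
    host=$1; shift
    for name in "$@"; do
        if name_matches "$name" "$host"; then
            printf '%s\n' "$name"
            exit 0
        fi
    done
    exit 1
)

# Constructed demo. On a live host the NAME arguments are the subjectAltName
# entries of the deployed certificate (openssl x509 -in CERT.pem -noout -text,
# CERT.pem being a placeholder path).
for host in zimbra1.corp.domain.com mail.domain.com; do
    if covered=$(check_cert_names "$host" '*.domain.com'); then
        echo "$host: covered by $covered"
    else
        echo "$host: no certificate name matches, hostname verification fails"
    fi
done
```

OpenSSL can run the same comparison against a real certificate file with `openssl x509 -in CERT.pem -noout -checkhost HOSTNAME`.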
KarthickJ
Posts: 28
Joined: Fri Sep 05, 2014 3:50 am

Re: RE: Re: Unable to start TLS: hostname verification failed when connecting to ldap master.

Post by KarthickJ »

You should never start or stop / restart zimbra service from root user. Use zimbra user to start/stop/restart zimbra service.

zmcontrol start/stop/restart.

Starting service from root will sometimes start local postfix and create conflicts with zimbra postfix.

TitusI
Posts: 30
Joined: Fri Apr 15, 2016 2:54 pm
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201

Re: RE: Re: Unable to start TLS: hostname verification failed when connecting to ldap master.

Post by TitusI »

I really apologise for the late posting.
After this operation sometime the server stopped working.
In the mailbox.log I see at the time of the problem:

Dec 11 14:56:53 server13 zmconfigd[14990]: Service status change: server.domain.com mailbox changed from running to stopped
Dec 11 14:56:53 server13 zmmailboxdmgr[1561]: stale pid 1994 found in /opt/zimbra/log/zmmailboxd_manager.pid: No such process
Dec 11 14:56:53 server13 zmmailboxdmgr[1561]: assuming no other instance is running
Dec 11 14:56:53 server13 zmmailboxdmgr[1561]: file /opt/zimbra/log/zmmailboxd.pid does not exist
Dec 11 14:56:53 server13 zmmailboxdmgr[1561]: assuming no other instance is running
Dec 11 14:56:53 server13 zmmailboxdmgr[1561]: no manager process is running
Dec 11 14:56:53 server13 zmconfigd[14990]: Service status change: server.domain.com mailboxd changed from running to stopped
Dec 11 14:56:53 server13 zmmailboxdmgr[1576]: stale pid 1994 found in /opt/zimbra/log/zmmailboxd_manager.pid: No such process
Dec 11 14:56:53 server13 zmmailboxdmgr[1576]: assuming no other instance is running
Dec 11 14:56:53 server13 zmmailboxdmgr[1576]: file /opt/zimbra/log/zmmailboxd.pid does not exist
Dec 11 14:56:53 server13 zmmailboxdmgr[1576]: assuming no other instance is running
Dec 11 14:56:53 server13 zmmailboxdmgr[1576]: no manager process is running

Now, looking at the pids, I notice two pids owned by root that have not changed for a week

-rw-r--r-- 1 root root 5 12 dic 08.38 /opt/zimbra/log/zmmailboxd_java.pid
-rw-r--r-- 1 root root 5 12 dic 08.38 /opt/zimbra/log/zmmailboxd_manager.pid

Could it be because of some problem due to my bad behavior you described in your post?

ll /opt/zimbra/log/*.pid
-rw-r----- 1 zimbra zimbra 5 12 dic 08.39 /opt/zimbra/log/amavisd.pid
-rw-r----- 1 zimbra zimbra 5 12 dic 08.39 /opt/zimbra/log/amavis-mc.pid
-rw-rw-r-- 1 zimbra zimbra 5 12 dic 08.39 /opt/zimbra/log/clamd.pid
-rw-rw---- 1 zimbra zimbra 5 12 dic 08.39 /opt/zimbra/log/freshclam.pid
-rw-r----- 1 zimbra zimbra 5 12 dic 08.39 /opt/zimbra/log/httpd.pid
-rw-r----- 1 zimbra zimbra 5 12 dic 08.38 /opt/zimbra/log/logswatch.pid
-rw-r----- 1 zimbra zimbra 5 12 dic 08.39 /opt/zimbra/log/memcached.pid
-rw-rw---- 1 zimbra zimbra 5 12 dic 08.38 /opt/zimbra/log/mysql.pid
-rw-r--r-- 1 root root 5 12 dic 08.39 /opt/zimbra/log/nginx.pid
-rw-r----- 1 zimbra zimbra 5 12 dic 08.39 /opt/zimbra/log/opendkim.pid
-rw-r----- 1 zimbra zimbra 5 12 dic 08.39 /opt/zimbra/log/swatch.pid
-rw-r----- 1 zimbra zimbra 5 12 dic 08.38 /opt/zimbra/log/unbound.pid
-rw-r----- 1 zimbra zimbra 5 12 dic 08.38 /opt/zimbra/log/zmconfigd.pid
-rw-r--r-- 1 zimbra zimbra 5 5 dic 23.10 /opt/zimbra/log/zmlogprocess.pid
-rw-r--r-- 1 root root 5 12 dic 08.38 /opt/zimbra/log/zmmailboxd_java.pid
-rw-r--r-- 1 root root 5 12 dic 08.38 /opt/zimbra/log/zmmailboxd_manager.pid
-rw-r----- 1 zimbra zimbra 5 12 dic 08.38 /opt/zimbra/log/zmrrdfetch-server.pid


Thank you.