[Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

dwfallin
Posts: 34
Joined: Sat Sep 13, 2014 12:10 am

Post by dwfallin »

sounds like regenerating certs should fix it? still looking...
maxxer
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am

Post by maxxer »

dwfallin wrote: sounds like regenerating certs should fix it? still looking...

probably regenerating the certs using the new intermediate will work
Slava
Posts: 3
Joined: Fri Aug 23, 2019 9:42 am

Post by Slava »

Good afternoon!
Yes, everything works if you reinstall the certificate and remove it from the chain when installing the AddTrust External CA Root certificate
Here is a quote from Sectigo (Comodo):
"Customers who have embedded AddTrust External CA Root into their applications or custom legacy devices may need to embed the new USERTrust RSA CA Root replacement before the May 2020 expiry date"
atakacs
Posts: 14
Joined: Sat Sep 13, 2014 2:30 am

Post by atakacs »

Slava wrote: Yes, everything works if you reinstall the certificate and remove it from the chain when installing the AddTrust External CA Root certificate

Sorry to ask, but could you give some (broad) instructions as to how to do this? Having that issue too.
porokh
Posts: 17
Joined: Tue May 14, 2019 10:02 am
Location: Ukraine
ZCS/ZD Version: 8.8.15 RHEL7 FOSS

Post by porokh »

This morning I found one of my ZCS (8.7.11_GA_3865 FOSS) offline, due to a failed startup after a cold backup:

Code:

$ zmcontrol start
 <...>
        Starting ldap...Done.
Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3

$ echo QUIT | openssl s_client -connect my.host.name:389 | openssl x509 -noout -text
139777170790216:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
unable to load certificate
140658100463432:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

As a workaround I disabled TLS for LDAP (zmlocalconfig -e ldap_starttls_required=false ; zmlocalconfig -e ldap_starttls_supported=0), and started ZCS without a problem.

Further investigation shows a local verification problem for my commercial certificate (Comodo Positive SSL, Not After 2020-10-12T23:59:59Z):

Code:

$ cd ssl/zimbra
$ zmcertmgr verifycrt comm commercial/commercial.key commercial/commercial.crt commercial/commercial_ca.crt
** Verifying 'commercial/commercial.crt' against 'commercial/commercial.key'
Certificate 'commercial/commercial.crt' and private key 'commercial/commercial.key' match.
** Verifying 'commercial/commercial.crt' against 'commercial/commercial_ca.crt'
ERROR: Unable to validate certificate chain: commercial/commercial.crt: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
error 10 at 3 depth lookup:certificate has expired
C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
error 10 at 2 depth lookup:certificate has expired
OK

The root of my problem was in the commercial_ca.crt file, which is 2 years old and consists of 3 parts: ComodoRSACertificationAuthority.crt + ComodoRSAAddTrustCA.crt + ComodoRSADomainValidationSecureServerCA.crt. I replaced the first certificate in the bundle with a fresh one (obtained from https://crt.sh/?d=1720081), formed a new CA file comodo-new.ca, and then verifycrt works:

Code:

$ zmcertmgr verifycrt comm commercial/commercial.key commercial/commercial.crt comodo-new.ca
** Verifying 'commercial/commercial.crt' against 'commercial/commercial.key'
Certificate 'commercial/commercial.crt' and private key 'commercial/commercial.key' match.
** Verifying 'commercial/commercial.crt' against 'comodo-new.ca'
Valid certificate chain: commercial/commercial.crt: OK

I'm waiting for the evening to perform zmcertmgr deploycrt ; zmlocalconfig -e ldap_starttls_required=true ; zmlocalconfig -e ldap_starttls_supported=1 and zmcontrol restart; I hope there will be no more surprises.
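
An added example (not part of the post above and not Zimbra tooling): a shell helper that splits a CA bundle such as commercial_ca.crt into its individual certificates and reports each one's notAfter, so the stale member can be identified before running zmcertmgr verifycrt. It assumes the openssl CLI and awk are installed; the function names split_bundle and check_bundle are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: find the expired member of a PEM CA bundle.
# split_bundle and check_bundle are hypothetical helper names.

# split_bundle BUNDLE OUTDIR: write each certificate to OUTDIR/cert-NN.pem
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# check_bundle BUNDLE [SECONDS]: print one status line per certificate.
# Returns 1 if any certificate expires within SECONDS (default 0 means
# "already expired"), 2 if the bundle holds no certificate at all.
check_bundle() (
    bundle=$1
    window=${2:-0}
    rc=0
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    split_bundle "$bundle" "$tmp"
    for f in "$tmp"/cert-*.pem; do
        if [ ! -e "$f" ]; then
            echo "no certificates found in $bundle" >&2
            exit 2
        fi
        subject=$(openssl x509 -in "$f" -noout -subject)
        end=$(openssl x509 -in "$f" -noout -enddate)
        # -checkend exits non-zero when notAfter falls inside the window
        if openssl x509 -in "$f" -noout -checkend "$window" >/dev/null; then
            status="OK      "
        else
            status="EXPIRING"
            rc=1
        fi
        echo "$status ${end#notAfter=}  ${subject#subject=}"
    done
    exit "$rc"
)

# Usage: ./check-bundle.sh commercial/commercial_ca.crt [seconds]
if [ "$#" -ge 1 ]; then
    check_bundle "$@"
fi
```

Passing 2592000 (30 days) as the second argument also flags certificates that are about to expire, not only those already past notAfter.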
Slava
Posts: 3
Joined: Fri Aug 23, 2019 9:42 am

Post by Slava »

atakacs wrote:
Yes, everything works if you reinstall the certificate and remove it from the chain when installing the AddTrust External CA Root certificate
Sorry to ask, but could you give some (broad) instructions as to how to do this? Having that issue too.

Follow the instructions from Zimbra: https://wiki.zimbra.com/wiki/Installing ... laboration

Start Using the CLI
In paragraph 3 - do not add the root certificate AddTrustExternalCARoot.crt
Only USERTrustRSA CA - SectigoRSADomainValidationSecureServerCA - my_domain_com.crt files (in this sequence)

Next, follow the steps

P.S. This applies to Sectigo certificates (Comodo)

After installation and reboot, check the settings:

zmlocalconfig ldap_starttls_required
ldap_starttls_required = true

zmlocalconfig ldap_starttls_supported
ldap_starttls_supported = 1
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Post by L. Mark Stone »

6125amartin wrote:This is likely due to the Sectigo root CA expiring yesterday:
https://www.reddit.com/r/sysadmin/comme ... y_morning/

Removing the following line from /etc/ca-certificates.conf does NOT appear to resolve the problem for Zimbra (tested on Ubuntu 18.04):
sed -i '/mozilla\/AddTrust_External_Root.crt/d' /etc/ca-certificates.conf

Please advise on how Zimbra can be updated to handle expiration of this Sectigo root CA. Thanks!

Just did a blog post on this:

https://www.missioncriticalemail.com/20 ... tallation/

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
cyber7
Advanced member
Posts: 192
Joined: Sat Sep 13, 2014 1:14 am
Location: Cape Town
ZCS/ZD Version: Release 9.0.0_GA_3924.RHEL7_64_2020

Post by cyber7 »

Once again a company who failed to notify me of a huge change in operations. Just like that they have lost another customer!
maumar
Outstanding Member
Posts: 390
Joined: Fri Sep 12, 2014 10:28 pm

Post by maumar »

L. Mark Stone wrote:
6125amartin wrote:This is likely due to the Sectigo root CA expiring yesterday:
https://www.reddit.com/r/sysadmin/comme ... y_morning/

Removing the following line from /etc/ca-certificates.conf does NOT appear to resolve the problem for Zimbra (tested on Ubuntu 18.04):
sed -i '/mozilla\/AddTrust_External_Root.crt/d' /etc/ca-certificates.conf

Please advise on how Zimbra can be updated to handle expiration of this Sectigo root CA. Thanks!
Just did a blog post on this:

https://www.missioncriticalemail.com/20 ... tallation/

Hope that helps,
Mark

Hello Mark

I am with a GoGetSSL certificate and your instructions do not work; I dunno what to use instead of GandiStandardSSLCA2-1.crt

There is something for GoGetSSL, for sure, but I dunno which one
I will ask them
Maurizio
maumar
Outstanding Member
Posts: 390
Joined: Fri Sep 12, 2014 10:28 pm

Post by maumar »

You can use this bundle if you have a GOGETSSL certificate:
