Slava wrote:
atakacs wrote: Sorry to ask, but could you give some (broad) instructions on how to do this? Having that issue too.
Yes, everything works if you reinstall the certificate and remove it from the chain when installing the AddTrust External CA Root certificate.
Follow the instructions from Zimbra: https://wiki.zimbra.com/wiki/Installing ... laboration
Start Using the CLI
In paragraph 3 - do not add root certificate AddTrustExternalCARoot.crt
Only USERTrustRSA CA - SectigoRSADomainValidationSecureServerCA - my_domain_com.crt files (in this sequence)
Next, follow the steps
P.S. This applies to Sectigo (Comodo) certificates.
After installation and reboot, check the settings:
zmlocalconfig ldap_starttls_required
ldap_starttls_required = true
zmlocalconfig ldap_starttls_supported
ldap_starttls_supported = 1
[Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086
Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086
I solved the problem. I followed the steps. Thank you.
Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086
I'm running ZCS 8.8 (open source) with a Comodo (Sectigo) wildcard positive SSL. If, like me, you are running only a Comodo / Sectigo cert chain, the piece that's missing in this thread is the updated DomainValidationSecureServerCA cert, which is relatively difficult to find.
Per https://support.comodoca.com/Com_Knowle ... 000000rgSZ , you may directly download:
root: https://crt.sh/?id=1199354 ( https://crt.sh/?d=1199354 )
intermediate: https://crt.sh/?id=1720081 ( https://crt.sh/?d=1720081 )
The Domain Validation cert can be downloaded from SalesForce at https://support.sectigo.com/Com_Knowled ... 000000rfBO ( https://comodoca.my.salesforce.com/sfc/ ... xjSo7katcM ). Because it's behind SalesForce, getting that with curl or wget is too difficult for me to struggle through this morning, so I downloaded it to my local workstation, got its fingerprint, and then found that on crt.sh. E.g.,

```shell
openssl x509 -noout -fingerprint -sha256 -inform pem -in SectigoRSADomainValidationSecureServerCA.crt
```

(Obviously, I then also verified that the file from crt.sh matched the file from SalesForce. If you go down this path, you should, too.)
These are the steps I took as user 'zimbra' to lick this:
```shell
# Temporarily stop requiring STARTTLS to the LDAP master so the stack can come up
# with the broken chain still deployed.
zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_starttls_supported=0
zmcontrol start && zmcontrol status

# Work on a copy of the currently deployed commercial certificate files.
mkdir /var/tmp/certs
cp /opt/zimbra/ssl/zimbra/commercial/* /var/tmp/certs/
cd /var/tmp/certs

# Fetch the root, intermediate and domain-validation CA certs from crt.sh
# (URLs quoted so the shell does not try to glob the '?').
wget 'https://crt.sh/?d=1199354' -O root.crt
wget 'https://crt.sh/?d=1720081' -O intermediate.crt
wget 'https://crt.sh/?d=924467861' -O domainvalidation.crt

# Keep only the first (server) certificate from commercial.crt, then build a new
# CA bundle that does not contain the expired AddTrust root.
sed '/-----END CERTIFICATE-----/q' commercial.crt > server.crt
cat root.crt intermediate.crt domainvalidation.crt > commercial_ca-new.crt

# Verify the key/cert/chain match before deploying.
zmcertmgr verifycrt comm commercial.key server.crt commercial_ca-new.crt
zmcertmgr deploycrt comm server.crt commercial_ca-new.crt

# Re-enable STARTTLS to LDAP and restart.
zmlocalconfig -e ldap_starttls_required=true
zmlocalconfig -e ldap_starttls_supported=1
zmcontrol stop && sleep 30 && zmcontrol start && zmcontrol status
```
-j
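As an added example (not from the thread or from Zimbra), a POSIX shell function that splits a PEM CA bundle such as commercial_ca.crt into its certificates and reports which ones are expired or will expire within a grace window; run against a chain that still contains the AddTrust External CA Root (expired 2020-05-30), it flags that root, which is the condition behind the error in this thread. It requires the openssl CLI; the function name and the 30-day default window are my choices.

```shell
#!/bin/sh
# check_chain_expiry BUNDLE.pem [GRACE_SECONDS]
# Prints one line per certificate in the bundle and returns 0 only if every
# certificate stays valid for the whole grace window (default 30 days).
# Added example; assumes the openssl CLI and awk are available.
check_chain_expiry() {
    bundle="$1"
    grace="${2:-2592000}"
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    tmpdir=$(mktemp -d) || return 2
    # Split the bundle on BEGIN/END markers into cert1.pem, cert2.pem, ...
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    rc=0
    for pem in "$tmpdir"/cert*.pem; do
        [ -e "$pem" ] || break
        subject=$(openssl x509 -noout -subject -in "$pem")
        enddate=$(openssl x509 -noout -enddate -in "$pem")
        # -checkend exits non-zero if the cert expires within GRACE seconds
        if openssl x509 -noout -checkend "$grace" -in "$pem" >/dev/null; then
            echo "OK      $subject ($enddate)"
        else
            echo "EXPIRES $subject ($enddate)"
            rc=1
        fi
    done
    rm -rf "$tmpdir"
    return $rc
}
```

Run it as `check_chain_expiry /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt` before `zmcertmgr deploycrt`; any EXPIRES line is a certificate to drop from the chain or replace.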
Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086
Good evening.
I have zimbra 8.8.15 but I don't have any commercial certificates installed.
I have the same error when starting zimbra
zmcontrol start
Unable to start TLS: SSL connect attempt failed error: 14090086: SSL routines: ssl3_get_server_certificate: certificate verify failed when connecting to ldap master.
Do I need to first create a commercial certificate, or can I do without it?
Certificate validation error:

```
cat root.crt intermediate.crt domainvalidation.crt > commercial_ca-new.crt
** Verifying '/tmp/ssl-2020/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
ERROR: Can't read file '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
ERROR: Can't read file '/tmp/ssl-2020/commercial.crt'
```

Can you help me?
Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086
ERROR: Can't read file '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
ERROR: Can't read file '/tmp/ssl-2020/commercial.crt'
Can you check that those files actually exist (in particular the one in /tmp)?
Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086
I think I have the same problem.
```
$ /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
** Verifying 'commercial.crt' against 'commercial.key'
ERROR: Can't read file 'commercial.key'
ERROR: Can't read file 'commercial.crt'
```
Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086
Can anyone share a link or lead on how to fix this?
Almost everything I've found online does not work.
Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086
This is nuts, I've been at this for days. Does anyone know if I can buy support, just for an hour or two this would take to fix?
I'm sure it's something simple but I cannot find a solution no matter how many posts or blogs or zimbra articles I read.
Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086
This is the definitive SSL Certificate wiki: https://wiki.zimbra.com/wiki/Administra ... cate_Tools
If you are running Zimbra OSE, Zimbra Partners are prohibited from providing paid support to OSE users, unless they have already purchased Network Edition licenses as part of an upgrade to Network Edition, or, if they are running Zimbra 8.8.15 installed from Zimbra-provided installation binaries AND they have a paid Zimbra OSE Support contract in place.
The OSE Support contracts are priced annually, per-mailbox, but it really makes no sense to buy one with 8.8.15 ~10 weeks from End of General Support.
The wiki will help!
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086
Thanks. I'm running a FOSS version. I don't know what OSE is.
I contacted support but no word from them.
The link you shared is an amazing amount of information. Not sure I'll be able to follow all of that.
As a small, individual user with a handful of accounts, my main reason for keeping my own mail server running is for privacy.
I would absolutely hate to have to put my emails on any big company that is well known to scrape everything it can in its profiling.
Why didn't this project keep something going that is open source for smaller users? And if there's a fork, can anyone tell me about it?
Is there an alternative? It's important that people be able to keep their own servers going, we cannot all let only big corporations handle all our data.