[Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

spusat
Posts: 2
Joined: Mon Jun 08, 2020 2:45 pm

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by spusat »

I solved the problem. I followed the steps. Thank you.
Slava wrote:
atakacs wrote:
Yes, everything works if you reinstall the certificate and remove it from the chain when installing the AddTrust External CA Root certificate
Sorry to ask, but could you give some (broad) instructions as to how to do this? Having that issue too.

Follow the instructions from Zimbra: https://wiki.zimbra.com/wiki/Installing ... laboration

Start Using the CLI
In paragraph 3, do not add the root certificate AddTrustExternalCARoot.crt.
Only the USERTrustRSA CA, SectigoRSADomainValidationSecureServerCA and my_domain_com.crt files (in this sequence).

Next, follow the steps

P.S. This applies to Sectigo (Comodo) certificates.

After installation and reboot, check the settings:

zmlocalconfig ldap_starttls_required
ldap_starttls_required = true

zmlocalconfig ldap_starttls_supported
ldap_starttls_supported = 1
Jeffro77
Posts: 28
Joined: Fri Sep 12, 2014 10:04 pm

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by Jeffro77 »

I'm running ZCS 8.8 (open source) with a Comodo (Sectigo) wildcard positive SSL. If, like me, you are running only a Comodo / Sectigo cert chain, the piece that's missing in this thread is the updated DomainValidationSecureServerCA cert, which is relatively difficult to find.

Per https://support.comodoca.com/Com_Knowle ... 000000rgSZ , you may directly download:

root: https://crt.sh/?id=1199354 ( https://crt.sh/?d=1199354 )
intermediate: https://crt.sh/?id=1720081 ( https://crt.sh/?d=1720081 )

The Domain Validation cert can be downloaded from SalesForce at https://support.sectigo.com/Com_Knowled ... 000000rfBO ( https://comodoca.my.salesforce.com/sfc/ ... xjSo7katcM ) Because it's behind SalesForce, getting that with curl or wget is too difficult for me to struggle through this morning, so I downloaded it to my local workstation, got its finger print, and then found that on crt.sh. E.g.,


openssl x509 -noout -fingerprint -sha256 -inform pem -in SectigoRSADomainValidationSecureServerCA.crt
(Obviously, I then also verified that the file from crt.sh matched the file from SalesForce. If you go down this path, you should, too.)

These are the steps I took as user 'zimbra' to lick this:

# temporarily relax the LDAP StartTLS requirement so the services come up with the broken chain
zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_starttls_supported=0
zmcontrol start && zmcontrol status
# work on a copy of the currently deployed commercial certificate files
mkdir /var/tmp/certs
cp /opt/zimbra/ssl/zimbra/commercial/* /var/tmp/certs/
cd /var/tmp/certs
wget https://crt.sh/?d=1199354 -O root.crt
wget https://crt.sh/?d=1720081 -O intermediate.crt
wget https://crt.sh/?d=924467861 -O domainvalidation.crt
# keep only the first certificate (the server cert) from commercial.crt
sed '/-----END CERTIFICATE-----/q' commercial.crt > server.crt
# rebuild the CA bundle without the AddTrust root
cat root.crt intermediate.crt domainvalidation.crt > commercial_ca-new.crt
zmcertmgr verifycrt comm commercial.key server.crt commercial_ca-new.crt
zmcertmgr deploycrt comm server.crt commercial_ca-new.crt
# re-enable StartTLS and restart
zmlocalconfig -e ldap_starttls_required=true
zmlocalconfig -e ldap_starttls_supported=1
zmcontrol stop && sleep 30 && zmcontrol start && zmcontrol status
Hope this helps.

-j
alexandrehrs
Posts: 1
Joined: Wed Jan 27, 2021 11:18 pm

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by alexandrehrs »

Good evening.
I have Zimbra 8.8.15 but I don't have any commercial certificates installed.
I get the same error when starting Zimbra:
zmcontrol start

Unable to start TLS: SSL connect attempt failed error: 14090086: SSL routines: ssl3_get_server_certificate: certificate verify failed when connecting to ldap master.

Do I need to first create a commercial certificate, or can I do without it?

Certificate validation error
cat root.crt intermediate.crt domainvalidation.crt > commercial_ca-new.crt
** Verifying '/tmp/ssl-2020/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
ERROR: Can't read file '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
ERROR: Can't read file '/tmp/ssl-2020/commercial.crt'

Can you help me?
atakacs
Posts: 14
Joined: Sat Sep 13, 2014 2:30 am

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by atakacs »

ERROR: Can't read file '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
ERROR: Can't read file '/tmp/ssl-2020/commercial.crt'
Can you check that those files actually exist (in particular the one in /tmp)?
zim_mike
Outstanding Member
Posts: 330
Joined: Sat Sep 13, 2014 3:26 am

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by zim_mike »

I think I have the same problem.


$ /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
** Verifying 'commercial.crt' against 'commercial.key'
ERROR: Can't read file 'commercial.key'
ERROR: Can't read file 'commercial.crt'

Last edited by zim_mike on Tue Oct 17, 2023 8:58 pm, edited 2 times in total.
zim_mike
Outstanding Member
Posts: 330
Joined: Sat Sep 13, 2014 3:26 am

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by zim_mike »

Can anyone share a link or lead on how to fix this?
Almost everything I've found online does not work.
zim_mike
Outstanding Member
Posts: 330
Joined: Sat Sep 13, 2014 3:26 am

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by zim_mike »

This is nuts, I've been at this for days. Does anyone know if I can buy support, just for an hour or two this would take to fix?
I'm sure it's something simple but I cannot find a solution no matter how many posts or blogs or zimbra articles I read.
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by L. Mark Stone »

zim_mike wrote: Wed Oct 18, 2023 5:01 pm This is nuts, I've been at this for days. Does anyone know if I can buy support, just for an hour or two this would take to fix?
I'm sure it's something simple but I cannot find a solution no matter how many posts or blogs or zimbra articles I read.
This is the definitive SSL Certificate wiki: https://wiki.zimbra.com/wiki/Administra ... cate_Tools

If you are running Zimbra OSE, Zimbra Partners are prohibited from providing paid support to OSE users, unless they have already purchased Network Edition licenses as part of an upgrade to Network Edition, or, if they are running Zimbra 8.8.15 installed from Zimbra-provided installation binaries AND they have a paid Zimbra OSE Support contract in place.

The OSE Support contracts are priced annually, per mailbox, but it really makes no sense to buy one with 8.8.15 ~10 weeks from End of General Support.

The wiki will help!
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
zim_mike
Outstanding Member
Posts: 330
Joined: Sat Sep 13, 2014 3:26 am

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by zim_mike »

Thanks. I'm running a FOSS version. I don't know what OSE is.
I contacted support but no word from them.

The link you shared is an amazing amount of information. Not sure I'll be able to follow all of that.

As a small, individual user with a handful of accounts, my main reason for keeping my own mail server running is for privacy.
I would absolutely hate to have to put my emails on any big company that is well known to scrape everything it can for profiling.

Why didn't this project keep something going that is open source for smaller users? And if there's a fork, can anyone tell me about it?
Is there an alternative? It's important that people be able to keep their own servers going, we cannot all let only big corporations handle all our data.