[Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by L. Mark Stone »

Bittone wrote: Hello everyone,
I have the very same problem of the expired cert.
After activating the workaround I have a problem deploying the new ca_bundle.
After downloading from my issuer website the new bundle I tested it with zmcertmgr verifycrt and everything seems fine.

Code:

[zimbra@postino commercial]$ ls -la
total 28
drwxr-x---. 2 zimbra zimbra    72 Jun  3 11:53 .
drwxr-x---. 5 zimbra zimbra    64 Jul 11  2016 ..
-rw-r-----. 1 zimbra zimbra 12078 Jun  3 11:53 commercial.crt
-rw-r-----. 1 zimbra zimbra  1734 Jun  3 11:53 commercial.key
-rw-r-----. 1 zimbra zimbra  9831 Jun  3 11:56 commercial_ca.crt
[zimbra@postino commercial]$ zmcertmgr verifycrt comm ./commercial.key ./commercial.crt ./commercial_ca.crt 
** Verifying './commercial.crt' against './commercial.key'
Certificate './commercial.crt' and private key './commercial.key' match.
** Verifying './commercial.crt' against './commercial_ca.crt'
Valid certificate chain: ./commercial.crt: OK

But when I try to install them I get:

Code:

[zimbra@postino commercial]$ zmcertmgr deploycrt  comm                                                       
** Creating /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Creating /opt/zimbra/ssl/zimbra/commercial/commercial.key
** Creating /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
ERROR: Unable to validate certificate chain: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
error 10 at 3 depth lookup:certificate has expired
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
error 10 at 2 depth lookup:certificate has expired
OK
[zimbra@postino commercial]$ ls -la
total 28
drwxr-x---. 2 zimbra zimbra    72 Jun  3 11:58 .
drwxr-x---. 5 zimbra zimbra    64 Jul 11  2016 ..
-rw-r-----. 1 zimbra zimbra 12078 Jun  3 11:58 commercial.crt
-rw-r-----. 1 zimbra zimbra  1734 Jun  3 11:58 commercial.key
-rw-r-----. 1 zimbra zimbra  9747 Jun  3 11:58 commercial_ca.crt

As you can see, the commercial_ca.crt has been replaced by the old one and I cannot complete the installation of the new ca_bundle.
Any ideas why I get this? According to the manual the certs must be placed in the /opt/zimbra/ssl/zimbra/commercial dir and that's exactly what I did, but the bundle gets overwritten.

Zimbra version is 8.7.11 community

Thank you all for your attention


Alberto

The process is to put your commercial and intermediate-root bundle certs in a temporary directory, and when you run zmcertmgr deploycrt comm, you need to point to those files, like so:

Code:

/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/sectigo/commercial.crt /tmp/sectigo/intermediate-root-bundle.crt

zmcertmgr then copies the new certs to the ssl directory (among other housekeeping tasks).

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
Bittone
Posts: 21
Joined: Mon Sep 05, 2016 4:30 pm

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by Bittone »

Hello Mark,
thanks for your attention and time, unfortunately that doesn't work:

Code:

[zimbra@postino tmp]$ zmcertmgr deploycrt comm /tmp/commercial.key /tmp/commercial.key /tmp/commercial_ca.crt 
zmcertmgr: deploycrt <<self>|<comm [certfile ca_chain_file]>> [-localonly] [-allservers] [[-deploy [all|ldap|mailboxd|mta|proxy]] ...]
zmcertmgr: unexpected argument(s): /tmp/commercial.key /tmp/commercial.key /tmp/commercial_ca.crt

If I'm not mistaken you can test the certs wherever you want, but for deployment they must be in the /opt/zimbra/ssl/zimbra/commercial directory.
Thank you again

Alberto
maxxer
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by maxxer »

Bittone wrote: If I'm not mistaken you can test the certs wherever you want but for deployment they must be in the /opt/zimbra/ssl/zimbra/commercial directory.
Not that I know of; they get copied by the tool. IIRC you only have to place the key there.

Your error is because you're passing too many params; the deploy should be done with the certs only.
Bittone
Posts: 21
Joined: Mon Sep 05, 2016 4:30 pm

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by Bittone »

Hello Maxxer,
thank you for the tip; I left only the key in the commercial dir and the deployment went well.
Thank you all for your time and attention, everything is ok now.
Bye

Alberto
L. Mark Stone
Ambassador

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by L. Mark Stone »

Bittone wrote: Hello Mark,
thanks for your attention and time, unfortunately that doesn't work:

Code:

[zimbra@postino tmp]$ zmcertmgr deploycrt comm /tmp/commercial.key /tmp/commercial.key /tmp/commercial_ca.crt 
zmcertmgr: deploycrt <<self>|<comm [certfile ca_chain_file]>> [-localonly] [-allservers] [[-deploy [all|ldap|mailboxd|mta|proxy]] ...]
zmcertmgr: unexpected argument(s): /tmp/commercial.key /tmp/commercial.key /tmp/commercial_ca.crt

If I'm not mistaken you can test the certs wherever you want, but for deployment they must be in the /opt/zimbra/ssl/zimbra/commercial directory.
Thank you again

Alberto

Hi Alberto,

Only the commercial.key file should already be in the /opt/zimbra/ssl/zimbra/commercial directory when doing the deployment. Once the deployment is done, you'll see that the commercial.crt file in /opt/zimbra/ssl/zimbra/commercial actually contains multiple certificates.

The certified wiki has more details: https://wiki.zimbra.com/wiki/Administra ... cate_Tools

All the best,
Mark
Zuser
Posts: 17
Joined: Wed Sep 14, 2016 3:54 pm
ZCS/ZD Version: 8.8.x

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by Zuser »

As an aside, we were seeing the same error message for a different reason: we updated the cert due to upcoming expiry, and the cert chain is correct with valid expiration dates (not using Comodo/Sectigo).
What was needed was a simple 'ldap stop', 'ldap start' as the zimbra user, as we didn't do a service restart. Apparently until you do that the old cert (which by now had expired) is cached and used. A full zmcontrol restart does this too so should work as well, but isn't necessary.
L. Mark Stone
Ambassador

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by L. Mark Stone »

Zuser wrote: As an aside, we were seeing the same error message for a different reason: we updated the cert due to upcoming expiry, and the cert chain is correct with valid expiration dates (not using Comodo/Sectigo).
What was needed was a simple 'ldap stop', 'ldap start' as the zimbra user, as we didn't do a service restart. Apparently until you do that the old cert (which by now had expired) is cached and used. A full zmcontrol restart does this too so should work as well, but isn't necessary.

When you deploy the cert, you'll see that the certs get installed in several different stores: ldap is one, mailboxd is another example.

Until each service is restarted, the service will continue to serve the older certificate.

Hope that helps,
Mark
spusat
Posts: 2
Joined: Mon Jun 08, 2020 2:45 pm

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by spusat »

I have the same problem for comodo ssl. Can you please help, step by step, with how I can do it?

I have the old SSL files:

AddTrustExternalCARoot.crt
mail_..com.crt
SectigoRSADomainValidationSecureServerCA.crt
USERTrustRSAAddTrustCA.crt


How do I add the new key?

Attachment: zimbra.JPG
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Multi servers

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by DualBoot »

Hello,

Did you read this helpful post from Mark on his website: https://www.missioncriticalemail.com/20 ... tallation/
I think you ran into this problem.
Regards,
L. Mark Stone
Ambassador

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by L. Mark Stone »

spusat wrote: I have the same problem for comodo ssl. Can you please help, step by step, with how I can do it?

The picture you attached shows you running certificate verification on the existing certificates in /opt/zimbra/ssl/zimbra/commercial. This doesn't accomplish anything for you.

You need to drop the individual server certificate in /tmp, along with the new unexpired intermediates concatenated together in the correct order into a single bundle file, and then run the verification like so:

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/ssl/commercial.crt /tmp/ssl/intermediate_bundle.crt

Also note that /opt/zimbra/ssl/zimbra/commercial/commercial.crt is NOT just your single server SSL certificate; it's the single server SSL certificate at the top plus all of your intermediates, all together in one file.

Assembling that collection of certs into a new commercial.crt file and dropping that file into /opt/zimbra/ssl/zimbra/commercial is just one of the housekeeping tasks performed by zmcertmgr when you deploy certificates.

Hope that helps,
Mark
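Before handing a downloaded intermediate bundle (or the assembled commercial.crt Mark describes) to zmcertmgr verifycrt/deploycrt, it helps to see which certificates it actually contains and whether any is expired, which is what tripped Alberto's deploy on the old AddTrust root. The following shell function is an added example, not from this thread or from Zimbra's zmcertmgr; the /tmp/ssl paths and the 30-day warning window are assumptions.

```shell
#!/bin/sh
# Added example, not from this thread or from Zimbra's zmcertmgr.
# Lists every certificate in a PEM bundle (the downloaded intermediate
# bundle, or the assembled commercial.crt) and flags any that is
# expired or expires within WARN_DAYS, so an expired root like the old
# "AddTrust External CA Root" is caught before deploycrt rejects it.
# Requires: openssl, awk, mktemp.

# report_bundle BUNDLE_FILE [WARN_DAYS]
# Prints one line per certificate: position, status, notAfter, subject.
# Returns 0 if every certificate is valid for at least WARN_DAYS, else 1.
report_bundle() {
    bundle="$1"
    warn_days="${2:-30}"
    warn_secs=$((warn_days * 86400))
    workdir=$(mktemp -d) || return 2
    # Split the bundle into one PEM file per certificate, in bundle order.
    awk -v dir="$workdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n); inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    ' "$bundle"
    bad=0
    for pem in "$workdir"/*.pem; do
        [ -f "$pem" ] || break      # no certificates found in the bundle
        pos=${pem##*/}; pos=${pos%.pem}
        subject=$(openssl x509 -in "$pem" -noout -subject)
        not_after=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)
        # -checkend N exits 0 only if the cert is still valid N seconds from now
        if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
            status=EXPIRED; bad=1
        elif ! openssl x509 -in "$pem" -noout -checkend "$warn_secs" >/dev/null; then
            status=EXPIRES-SOON; bad=1
        else
            status=OK
        fi
        printf '%s %-12s %s  %s\n' "$pos" "$status" "$not_after" "$subject"
    done
    rm -rf "$workdir"
    return "$bad"
}

# Usage (paths are assumptions): check the new intermediate bundle and the
# assembled commercial.crt with a 30-day warning window.
# report_bundle /tmp/ssl/intermediate_bundle.crt 30
# report_bundle /opt/zimbra/ssl/zimbra/commercial/commercial.crt 30
```

A non-zero exit means at least one certificate in the bundle is expired or about to expire and should be replaced before running deploycrt.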