[Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

hoangnguyen
Posts: 9
Joined: Sun Mar 24, 2019 1:52 pm

[Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by hoangnguyen »

Hi all,

Today I ran the command "zmcontrol status" on my Zimbra server, and I got the error:
Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.
Cannot determine services - exiting

I checked my server and everything seems normal: the SSL certificate is valid, the system date is correct, and the mail server still works well.
But I get that error every time I run the status check command (image attached).

Can anyone help me please?
Thanks so much!
Last edited by hoangnguyen on Sun Mar 31, 2019 11:10 am, edited 1 time in total.
DualBoot
Elite member
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Multi servers
Contact:

Re: ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by DualBoot »

Hello,

disable SSLv3 on your Zimbra server.

Regards,

PS: what is the version of your Zimbra ?
hoangnguyen
Posts: 9
Joined: Sun Mar 24, 2019 1:52 pm

Re: ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by hoangnguyen »

Hi DualBoot,

Thanks for responding. I'm using Zimbra version 8.8.9. Is there any risk if I disable SSLv3?
hoangnguyen
Posts: 9
Joined: Sun Mar 24, 2019 1:52 pm

Re: ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by hoangnguyen »

Finally, I resolved my issue with two commands:
zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_starttls_supported=0
zmcontrol starts successfully.
maxxer
Outstanding Member
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am
Contact:

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by maxxer »

I have a freshly installed server, running smooth for one month, that out of the blue started throwing this error today.

Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.

The certificate expires on Jan 2021 so it's valid.

What's the correct way to disable SSLv3 in LDAP? I found how to do it in nginx and postfix, but not in ldap.
Thanks
bsn9912
Posts: 4
Joined: Thu Jan 25, 2018 9:33 am

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by bsn9912 »

Hi, I see the exact same error as maxxer this morning on my open source Zimbra server, after a regular restart.

Starting ldap...Done.
Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.

There was no change and no package installation.

I applied the workaround suggested earlier to disable TLS, which works for me.

zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_starttls_supported=0

Does anyone know the root cause of this?

Thanks
phoenix
Ambassador
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by phoenix »

I don't see that error and at a wild guess I'd say there's something wrong with the certificate, have you verified that it's OK? FWIW, I'd suggest you follow the advice of JDUNPHY (Jim) and install a letsencrypt certificate and automatically update it. The script that Jim provides does that flawlessly. :)

BTW, it's never a good idea to solve a security problem by disabling a security feature.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
dwfallin
Posts: 34
Joined: Sat Sep 13, 2014 12:10 am

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by dwfallin »

i'm running v8.8 and the instructions for disabling v3 are for earlier versions - not sure how significant that is. but i've followed them (as closely as i can) and am still getting the error trying to start everything:

Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.

i'd rather not just disable TLS - sounds kinda dangerous. i have the same question as maxxer above - how do i disable it in ldap (the error implies that's where v3 is still being attempted!)
phoenix
Ambassador
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by phoenix »

As this appears to be a certificate error, what have you done to check the certificates or have you even tried regenerating new certificates for your server?
Regards

Bill

6125amartin
Advanced member
Advanced member
Posts: 63
Joined: Sat Sep 13, 2014 1:45 am

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by 6125amartin »

This is likely due to the Sectigo root CA expiring yesterday:
https://www.reddit.com/r/sysadmin/comme ... y_morning/

Removing the following line from /etc/ca-certificates.conf does NOT appear to resolve the problem for Zimbra (tested on Ubuntu 18.04):
sed -i '/mozilla\/AddTrust_External_Root.crt/d' /etc/ca-certificates.conf

Please advise on how Zimbra can be updated to handle expiration of this Sectigo root CA. Thanks!
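
Several posts in this thread report a valid server certificate while verification still fails, and the last post points at an expired root CA. The following is an added example, not code from any poster or from Zimbra: it reports the expiry of every certificate in a PEM bundle instead of only the first one. The function names and the generated chain.pem are hypothetical, and the sample certificates are constructed test input.

```shell
#!/bin/sh
# Report expiry for EVERY certificate in a PEM bundle, not just the leaf.

# check_bundle FILE [HORIZON_SECONDS]
# Prints "STATUS<TAB>notAfter<TAB>subject" for each certificate in FILE.
# STATUS is OK if the certificate is still valid HORIZON_SECONDS from now
# (default 0, meaning "valid right now"), otherwise FLAGGED.
# Returns 0 if all are OK, 1 if any is FLAGGED, 2 if no certificate was found.
check_bundle() {
    bundle=$1; horizon=${2:-0}
    tmpdir=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    rc=0
    [ -f "$tmpdir/cert001.pem" ] || rc=2
    for pem in "$tmpdir"/cert*.pem; do
        [ -f "$pem" ] || continue
        subject=$(openssl x509 -in "$pem" -noout -subject)
        end=$(openssl x509 -in "$pem" -noout -enddate)
        # -checkend exits non-zero if the cert expires within the horizon.
        if openssl x509 -in "$pem" -noout -checkend "$horizon" >/dev/null; then
            status=OK
        else
            status=FLAGGED; rc=1
        fi
        printf '%s\t%s\t%s\n' "$status" "${end#notAfter=}" "$subject"
    done
    rm -rf "$tmpdir"
    return "$rc"
}

# make_sample_bundle DIR
# Constructed input: writes DIR/chain.pem holding a long-lived "leaf" and a
# certificate that expires in one day, standing in for a CA close to expiry.
make_sample_bundle() {
    dir=$1
    for spec in "3650:leaf.example.test" "1:Constructed Expiring CA"; do
        openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
            -subj "/CN=${spec#*:}" -days "${spec%%:*}" 2>/dev/null
    done > "$dir/chain.pem"
}

# Stand-alone use: sh chain_expiry.sh /path/to/bundle.pem [horizon_seconds]
if [ $# -gt 0 ]; then check_bundle "$@"; fi
```

A FLAGGED line for anything other than the leaf means the chain or trust bundle needs updating, which is a different fix from reissuing the server certificate.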