[Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

L. Mark Stone
Ambassador
Posts: 2799
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by L. Mark Stone »

So my blog post was for Gandi SSL certificates, but the methodology is still the same: If you have a third-party issuer, then you need their intermediate certificate.

Sounds like you found yours.

Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
maumar
Outstanding Member
Posts: 390
Joined: Fri Sep 12, 2014 10:28 pm

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by maumar »

L. Mark Stone wrote:So my blog post was for Gandi SSL certificates, but the methodology is still the same: If you have a third-party issuer, then you need their intermediate certificate.

Sounds like you found yours.

Mark

Hello Mark,
here at GOGETSSL they declare that Zimbra needs a SHA-1 chain cert, this one:

Code:

    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
        Validity
            Not Before: Jan  1 00:00:00 2004 GMT
            Not After : Dec 31 23:59:59 2028 GMT
        Subject: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
Someone at Gogetssl support dept. wrote me this:

Code:

As your certificate is old ( issued in 2017) you need to reissue your order to get updated files.
Process the reissue and try to use the bundle for installation together with added SHA-1.
this is the AAA cross signing provided by Sectigo for older devices
here:
https://support.sectigo.com/Com_Knowled ... 00000117LT

"For the vast majority of use cases Sectigo’s standard root supplies the full required client support. For unusual cases, Sectigo offers a new cross signing option with its AAA root, which does not expire until 2028."

Code:

The first cert of the GOGETBUNDLE is 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            93:8b:b0:8e:62:98:7b:4f:75:f9:8c:b6:a5:04:5c:96
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
        Validity
            Not Before: Sep  6 00:00:00 2018 GMT
            Not After : Sep  5 23:59:59 2028 GMT
        Subject: C = LV, L = Riga, O = GoGetSSL, CN = GoGetSSL RSA DV CA
You receive it with your cert, or you can download it here:
https://www.gogetssl.com/wiki/intermedi ... tificates/
https://gogetssl-cdn.s3.eu-central-1.am ... e-sha1.txt
6125amartin
Advanced member
Posts: 63
Joined: Sat Sep 13, 2014 1:45 am

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by 6125amartin »

L. Mark Stone wrote:
6125amartin wrote:This is likely due to the Sectigo root CA expiring yesterday:
https://www.reddit.com/r/sysadmin/comme ... y_morning/

Removing the following line from /etc/ca-certificates.conf does NOT appear to resolve the problem for Zimbra (tested on Ubuntu 18.04):
sed -i '/mozilla\/AddTrust_External_Root.crt/d' /etc/ca-certificates.conf

Please advise on how Zimbra can be updated to handle expiration of this Sectigo root CA. Thanks!
Just did a blog post on this:

https://www.missioncriticalemail.com/20 ... tallation/

Hope that helps,
Mark

Thank you Mark!
Al-MacLean
Posts: 34
Joined: Fri Sep 01, 2006 5:32 pm
Location: UK
Contact:

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by Al-MacLean »

Just did a blog post on this:

https://www.missioncriticalemail.com/20 ... tallation/

Hope that helps,
Mark

Thanks Mark! :D
L. Mark Stone
Ambassador
Posts: 2799
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by L. Mark Stone »

A lot of the tech support folks at certificate issuer help desks don't understand that Zimbra needs the complete certificate chain to function.

Yes, web browsing will work, because the browsers all ship with many root and intermediate certs, so for a typical Apache/WordPress or similar web server installation, you need only tell your web server about your server certificate and your private key.

But Zimbra keeps several different keystores (no surprise, there are more than 80 different Open Source software packages in Zimbra, plus all of the Zimbra-provided code...), and those keystores as I understand it need the complete Root > Intermediate(s) > Server certificate chain on their own.

My customers yesterday with expired Sectigo intermediate certs? If Zimbra was still running, the web browsers accessing the Zimbra web UI showed no SSL issues. Why? Because the server certificate was still valid, and the browser was able to build a complete chain of trust between the certs already in the browser's own certificate store, plus the Zimbra-provided (still valid) server certificate.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
cyber7
Advanced member
Posts: 192
Joined: Sat Sep 13, 2014 1:14 am
Location: Cape Town
ZCS/ZD Version: Release 9.0.0_GA_3924.RHEL7_64_2020

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by cyber7 »

L. Mark Stone wrote:A lot of the tech support folks at certificate issuer help desks don't understand that Zimbra needs the complete certificate chain to function.

Yes, web browsing will work, because the browsers all ship with many root and intermediate certs, so for a typical Apache/WordPress or similar web server installation, you need only tell your web server about your server certificate and your private key.

But Zimbra keeps several different keystores (no surprise, there are more than 80 different Open Source software packages in Zimbra, plus all of the Zimbra-provided code...), and those keystores as I understand it need the complete Root > Intermediate(s) > Server certificate chain on their own.

My customers yesterday with expired Sectigo intermediate certs? If Zimbra was still running, the web browsers accessing the Zimbra web UI showed no SSL issues. Why? Because the server certificate was still valid, and the browser was able to build a complete chain of trust between the certs already in the browser's own certificate store, plus the Zimbra-provided (still valid) server certificate.

Hope that helps,
Mark

The problem here is, Mark, that you are not seeing the entire picture. Other things are getting broken in the process, i.e. "opendkim". This could render all your mail as "SPAM" at companies like Google, Live, Yahoo and many more. So, not only did they (Comodo) not notify their customers, but they also exposed them to being blacklisted world-wide...

just my 10c
maumar
Outstanding Member
Posts: 390
Joined: Fri Sep 12, 2014 10:28 pm

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by maumar »

Just this morning, another server stopped with the same issue, same error message.
This is a wildcard cert and the bundle is different. It was issued in April, but it should be reissued; just reissued, concatenated the AAA cross-signing chain cert and voilà, all is ok.

Code:

/opt/zimbra/bin/zmcertmgr verifycrt comm ../commercial/commercial.key commercial.crt commercial_ca.crt
** Verifying 'commercial.crt' against '../commercial/commercial.key'
Certificate 'commercial.crt' and private key '../commercial/commercial.key' match.
** Verifying 'commercial.crt' against 'commercial_ca.crt'
Valid certificate chain: commercial.crt: OK

Bundle follows

maumar
Outstanding Member
Posts: 390
Joined: Fri Sep 12, 2014 10:28 pm

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by maumar »

Further inspection:
unzipping Gogetssl bundle

Code:

unzip _xxx_it.zip 
Archive:  _xxx_it.zip
  inflating: _xxx_it.crt
  inflating: USERTrust_RSA_Certification_Authority.crt
  inflating: AAA_Certificate_Services.crt
  
As you can see, they provide you with the new USERTrust_RSA_Certification_Authority and the cross-signed AAA.
Bittone
Posts: 21
Joined: Mon Sep 05, 2016 4:30 pm

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by Bittone »

Hello everyone,
I have the very same problem with the expired cert.
After activating the workaround I have a problem deploying the new ca_bundle.
After downloading the new bundle from my issuer's website, I tested it with zmcertmgr verifycrt and everything seems fine.

Code:

[zimbra@postino commercial]$ ls -la
total 28
drwxr-x---. 2 zimbra zimbra    72 Jun  3 11:53 .
drwxr-x---. 5 zimbra zimbra    64 Jul 11  2016 ..
-rw-r-----. 1 zimbra zimbra 12078 Jun  3 11:53 commercial.crt
-rw-r-----. 1 zimbra zimbra  1734 Jun  3 11:53 commercial.key
-rw-r-----. 1 zimbra zimbra  9831 Jun  3 11:56 commercial_ca.crt
[zimbra@postino commercial]$ zmcertmgr verifycrt comm ./commercial.key ./commercial.crt ./commercial_ca.crt 
** Verifying './commercial.crt' against './commercial.key'
Certificate './commercial.crt' and private key './commercial.key' match.
** Verifying './commercial.crt' against './commercial_ca.crt'
Valid certificate chain: ./commercial.crt: OK
But when I try to install them I get:

Code:

[zimbra@postino commercial]$ zmcertmgr deploycrt  comm                                                       
** Creating /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Creating /opt/zimbra/ssl/zimbra/commercial/commercial.key
** Creating /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
ERROR: Unable to validate certificate chain: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
error 10 at 3 depth lookup:certificate has expired
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
error 10 at 2 depth lookup:certificate has expired
OK
[zimbra@postino commercial]$ ls -la
total 28
drwxr-x---. 2 zimbra zimbra    72 Jun  3 11:58 .
drwxr-x---. 5 zimbra zimbra    64 Jul 11  2016 ..
-rw-r-----. 1 zimbra zimbra 12078 Jun  3 11:58 commercial.crt
-rw-r-----. 1 zimbra zimbra  1734 Jun  3 11:58 commercial.key
-rw-r-----. 1 zimbra zimbra  9747 Jun  3 11:58 commercial_ca.crt
As you can see the commercial_ca.crt has been replaced by the old one and I cannot complete the installation of the new ca_bundle.
Any ideas why I get this? According to the manual the certs must be placed in the /opt/zimbra/ssl/zimbra/commercial dir, and that's exactly what I did, but the bundle gets overwritten.

Zimbra version is 8.7.11 community

Thank you all for your attention.

Alberto
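As an added example (not from this thread and not part of Zimbra's own tooling), here is a small POSIX shell audit a Zimbra admin can run on commercial_ca.crt before deploycrt; it assumes the openssl CLI is on the PATH. It shows what a bare verifycrt does not: which certificate in the bundle is the expired one (the "certificate has expired" depth-3 failure above) and whether every issuer is present, which is the complete-chain requirement Mark described.

```shell
#!/bin/sh
# Added example, not from the thread: audit a PEM CA bundle such as Zimbra's
# commercial_ca.crt before running zmcertmgr deploycrt. Lists every certificate
# with subject, issuer and expiry, flags expired (or soon-expiring) ones and
# notes certificates whose issuer is missing from the bundle (incomplete chain).
set -u

# count_certs <bundle.pem>: number of PEM certificate blocks in the file
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# audit_bundle <bundle.pem> [seconds]: returns 0 when every certificate is
# still valid for at least <seconds> (default 0, i.e. not expired right now),
# 1 when at least one is expired or about to expire.
audit_bundle() {
  bundle=$1; within=${2:-0}; rc=0; idx=0
  work=$(mktemp -d) || return 2
  # split the bundle into one file per certificate: cert1.pem, cert2.pem, ...
  awk -v dir="$work" '/-----BEGIN CERTIFICATE-----/ { n++ }
                      n > 0 { print > (dir "/cert" n ".pem") }' "$bundle"
  # collect all subjects so each issuer can be looked up within the bundle
  for f in "$work"/cert*.pem; do
    [ -f "$f" ] || continue
    openssl x509 -in "$f" -noout -subject | sed 's/^subject=//'
  done > "$work/subjects"
  for f in "$work"/cert*.pem; do
    [ -f "$f" ] || continue
    idx=$((idx + 1))
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
    issuer=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')
    notafter=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
    if openssl x509 -in "$f" -noout -checkend "$within" >/dev/null; then
      state=OK
    else
      state=EXPIRED; rc=1   # what deploycrt reports as "certificate has expired"
    fi
    printf '%d: %s\n   subject:  %s\n   issuer:   %s\n   notAfter: %s\n' \
      "$idx" "$state" "$subj" "$issuer" "$notafter"
    if [ "$subj" = "$issuer" ]; then
      # self-signed means root; an expired root (AddTrust External CA Root in
      # this thread) has to be dropped from the bundle, not kept
      printf '   self-signed root\n'
    elif ! grep -Fxq -- "$issuer" "$work/subjects"; then
      printf '   issuer not in bundle: chain is incomplete\n'
    fi
  done
  rm -rf "$work"
  return "$rc"
}

# usage: audit_bundle /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
```

Pass a second argument such as 2592000 to also flag certificates that expire within the next 30 days.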
L. Mark Stone
Ambassador
Posts: 2799
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086

Post by L. Mark Stone »

cyber7 wrote:
L. Mark Stone wrote:A lot of the tech support folks at certificate issuer help desks don't understand that Zimbra needs the complete certificate chain to function.

Yes, web browsing will work, because the browsers all ship with many root and intermediate certs, so for a typical Apache/WordPress or similar web server installation, you need only tell your web server about your server certificate and your private key.

But Zimbra keeps several different keystores (no surprise, there are more than 80 different Open Source software packages in Zimbra, plus all of the Zimbra-provided code...), and those keystores as I understand it need the complete Root > Intermediate(s) > Server certificate chain on their own.

My customers yesterday with expired Sectigo intermediate certs? If Zimbra was still running, the web browsers accessing the Zimbra web UI showed no SSL issues. Why? Because the server certificate was still valid, and the browser was able to build a complete chain of trust between the certs already in the browser's own certificate store, plus the Zimbra-provided (still valid) server certificate.

Hope that helps,
Mark
The problem here is, Mark, that you are not seeing the entire picture. Other things are getting broken in the process, i.e. "opendkim". This could render all your mail as "SPAM" at companies like google, live, yahoo and many more. So, not only did they (Comodo) not notify their customers, but also exposed them to be blacklisted world-wide...

just my 10c

Very interesting that DKIM is broken with expired intermediates, thanks. There's probably other functionality then that is broken as well.

All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate