[Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086
-
- Posts: 9
- Joined: Sun Mar 24, 2019 1:52 pm
[Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086
Hi all,
Today I run the command "zmcontrol status" on my zimbra server, and I got the error:
Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.
Cannot determine services - exiting
I check my server and everything seems normal: SSL certificate is valid, system date is correct, Mail server still works well.
But I get that error every time I run command check status (attach img).
Can anyone help me please?
Thanks so much!
Today I run the command "zmcontrol status" on my zimbra server, and I got the error:
Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.
Cannot determine services - exiting
I check my server and everything seems normal: SSL certificate is valid, system date is correct, Mail server still works well.
But I get that error every time I run command check status (attach img).
Can anyone help me please?
Thanks so much!
- Attachments
-
- 1.png (175.59 KiB) Viewed 68297 times
Last edited by hoangnguyen on Sun Mar 31, 2019 11:10 am, edited 1 time in total.
- DualBoot
- Elite member
- Posts: 1326
- Joined: Mon Apr 18, 2016 8:18 pm
- Location: France - Earth
- ZCS/ZD Version: ZCS FLOSS - 8.8.15 Mutli servers
- Contact:
Re: ERROR: Unable to start TLS: SSL connect attempt failed error:14090086
Hello,
disable SSLv3 on your Zimbra server.
Regards,
PS: what is the version of your Zimbra ?
disable SSLv3 on your Zimbra server.
Regards,
PS: what is the version of your Zimbra ?
-
- Posts: 9
- Joined: Sun Mar 24, 2019 1:52 pm
Re: ERROR: Unable to start TLS: SSL connect attempt failed error:14090086
Hi DualBoot,
Thanks for respond. I'm using Zimbra version 8.8.9. Is there any risk if I disable SSlv3?
Thanks for respond. I'm using Zimbra version 8.8.9. Is there any risk if I disable SSlv3?
-
- Posts: 9
- Joined: Sun Mar 24, 2019 1:52 pm
Re: ERROR: Unable to start TLS: SSL connect attempt failed error:14090086
Finally, I resolved my issue by two commands:
zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_starttls_supported=0
Zmcontrol start successfully.
zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_starttls_supported=0
Zmcontrol start successfully.
Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086
I have a freshly installed server, running smooth for one month, that out of the blue started throwing this error today.
The certificate expires on Jan 2021 so it's valid.
What's the correct way to disable SSLv3 in LDAP? I found how to do it in nginx and postfix, but not in ldap.
Thanks
Code: Select all
Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.
What's the correct way to disable SSLv3 in LDAP? I found how to do it in nginx and postfix, but not in ldap.
Thanks
Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086
Hi see the exact same error as maxxer this morning on my open source zimbra server, after a regular restart.
There was no change and no package installation.
I did the workarounds suggested earlier to disable TLS which works for me.
Does anyone know the root cause of this?
Thanks
Code: Select all
Starting ldap...Done.
Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.
I did the workarounds suggested earlier to disable TLS which works for me.
Code: Select all
zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_starttls_supported=0
Thanks
Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086
I don't see that error and at a wild guess I'd say there's something wrong with the certificate, have you verified that it's OK? FWIW, I'd suggest you follow the advice of JDUNPHY (Jim) and install a letsencrypt certificate and automatically update it. The script that Jim provides does that flawlessly. 
BTW, it's never a good idea to solve a security problem by disabling a security feature.

BTW, it's never a good idea to solve a security problem by disabling a security feature.
Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086
i'm running v8.8 and the instructions for disabling v3 are for earlier versions - not sure how significant that is. but i've followed (as closely as i can) and am still getting the error trying to start every thing:
Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.
i'd rather not just disable TLS - sounds kinda dangerous. i have the same question as maxxer above - how do i disable in ldap (the error implies thats where v3 is still being attempted!)
Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.
i'd rather not just disable TLS - sounds kinda dangerous. i have the same question as maxxer above - how do i disable in ldap (the error implies thats where v3 is still being attempted!)
Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086
As this appears to be a certificate error, what have you done to check the certificates or have you even tried regenerating new certificates for your server?
-
- Advanced member
- Posts: 63
- Joined: Sat Sep 13, 2014 1:45 am
Re: [Resolved] ERROR: Unable to start TLS: SSL connect attempt failed error:14090086
This is likely due to the Sectigo root CA expiring yesterday:
https://www.reddit.com/r/sysadmin/comme ... y_morning/
Removing the following line from /etc/ca-certificates.conf does NOT appear to resolve the problem for Zimbra (tested on Ubuntu 18.04):
<pre>sed -i '/mozilla\/AddTrust_External_Root.crt/d' /etc/ca-certificates.conf</pre>
Please advise on how Zimbra can be updated to handle expiration of this Sectigo root CA. Thanks!
https://www.reddit.com/r/sysadmin/comme ... y_morning/
Removing the following line from /etc/ca-certificates.conf does NOT appear to resolve the problem for Zimbra (tested on Ubuntu 18.04):
<pre>sed -i '/mozilla\/AddTrust_External_Root.crt/d' /etc/ca-certificates.conf</pre>
Please advise on how Zimbra can be updated to handle expiration of this Sectigo root CA. Thanks!