Unable to start TLS: SSL connect attempt failed error:14090086

Hi all,

Today I ran the command "zmcontrol status" on my Zimbra server, and I got the error:
Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.
Cannot determine services - exiting

I checked my server and everything seems normal: the SSL certificate is valid, the system date is correct, and the mail server still works well.
But I get that error every time I run the status check command (image attached).

Software: APACHE
System: Ubuntu 18.04

Can anyone help me please?
Thanks so much!

Welcome to the forum @Abu
We can assist you much easier if we know about your setup.

My domain is:

I ran this command: zmcontrol status

It produced this output:

Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.
Cannot determine services - exiting

Are you running OpenLDAP? If so, which version?

My web server is (include version): APACHE (which version?)

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: ???

I can login to a root shell on my machine (yes or no, or I don’t know): ???

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): zmcontrol Zimbra Server

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Is all of Zimbra running on the same system - or is it split over multiple systems?
When was the last time you renewed the cert?

My web server is (include version): Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: https://my.interserver.net/

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes, zmcontrol Zimbra Server

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Installed: 0.31.0-2~deb10u1+ubuntu18.04.1+certbot+3

  1. all of Zimbra running on the same system
  2. 26.11.2020

First: Make sure your system is completely up to date.
sudo apt update
sudo apt upgrade

All packages are up to date.

Change to the Zimbra user and show the last commands run (to cover installing the cert)
su zimbra
history

1276 201230 21:06:37 zmcontrol status
1277 201230 21:15:48 zmlocalconfig -e ldap_starttls_required=true
1278 201230 21:16:04 zmlocalconfig -e ldap_starttls_supported=1
1279 201230 21:16:24 zmcontrol restart
1280 201230 21:23:03 exit
1281 201230 21:33:36 zmlocalconfig -e ldap_starttls_supported=0
1282 201230 21:33:48 zmcontrol start
1283 201230 22:12:55 exit
1284 201231 07:54:52 zmcontrol restart
1285 201231 08:05:00 jnvkjn oenfoverfv
1286 201231 08:06:21 zmcontrol status
1287 201231 08:06:42 exit
1288 210101 09:53:37 zmlocalconfig -e ldap_starttls_supported=1
1289 210101 09:53:47 zmcontrol status
1290 210101 09:54:22 zmlocalconfig -e ldap_starttls_supported=0
1291 210101 09:54:27 zmcontrol status
1292 210101 09:59:10 exit
1293 210101 10:32:09 zmcontrol stop
1294 210101 10:33:14 zmlocalconfig -e ldap_starttls_supported=1
1295 210101 10:33:18 exit
1296 210101 10:36:17 zmcontrol status
1297 210101 10:37:09 zmcontrol stop
1298 210101 10:37:21 exit
1299 210101 10:45:11 zmcontrol start
1300 210101 10:45:29 zmlocalconfig -e ldap_starttls_supported=0
1301 210101 10:45:45 zmcontrol restart
1302 210101 10:47:57 exit
1303 210101 10:51:12 zmcontrol stop
1304 210101 10:52:08 exit
1305 210101 09:18:57 zmcontrol restart
1306 210101 11:22:21 zmcontrol restart
1307 210101 11:25:12 zmlocalconfig -e ldap_starttls_supported=1
1308 210101 11:25:21 zmcontrol status
1309 210101 11:25:51 zmcontrol restart
1310 210101 11:26:53 zmlocalconfig -e ldap_starttls_supported=0
1311 210101 11:26:57 zmcontrol restart
1312 210102 05:33:53 zmlocalconfig -e ldap_starttls_supported=1
1313 210102 05:34:04 zmcontrol restart
1314 210102 05:39:06 exit
1315 210102 05:43:54 zmcontrol restart
1316 210102 05:44:26 zmlocalconfig -e ldap_starttls_supported=0
1317 210102 05:44:32 zmcontrol restart
1318 210102 05:46:36 exit
1319 210102 05:47:33 zmcontrol restart
1320 210102 05:52:25 exit
1321 210102 07:22:54 history

Try:
su zimbra
history | grep -Ev 'exit|start|stop|ldap'

1195 201102 07:57:58 postmap /opt/zimbra/conf/recipient_bcc
1199 201122 14:46:01 zimbra status
1200 201122 14:46:11 status
1201 201122 14:46:26 /zimbra status
1202 201122 14:46:37 zmcontrol status
1206 201124 07:04:58 zmcontrol status
1208 201126 07:09:26 zmcontrol status
1210 201126 07:18:53 zmcontrol status
1212 201126 07:32:48 zmcontrol status
1213 201128 10:52:22 certbot renew
1214 201128 10:52:48 sudo certbot renew
1215 201128 10:53:07 rgbvtr
1221 201128 11:16:21 zmcontrol status
1222 201130 07:13:01 zmcontrol status
1224 201207 09:02:43 zmcontrol status
1227 201207 09:34:13 zmcontrol status
1229 201207 09:40:31 postmap /opt/zimbra/conf/sender_bcc
1230 201207 09:40:41 postmap /opt/zimbra/conf/recipient_bcc
1232 201208 08:26:38 postmap /opt/zimbra/conf/sender_bcc
1233 201208 08:26:52 postmap /opt/zimbra/conf/recipient_bcc
1235 201209 11:37:28 zmprov gacf | grep zimbraMtaRestriction
1236 201210 10:48:00 postmap /opt/zimbra/conf/sender_bcc
1237 201210 10:48:10 postmap /opt/zimbra/confrecipient_bcc
1238 201210 10:48:20 postmap /opt/zimbra/conf/recipient_bcc
1240 201210 10:57:08 zmcontrol status
1242 201211 14:30:12 postmap /opt/zimbra/sender_bcc
1243 201211 14:30:25 postmap /opt/zimbra/conf/sender_bcc
1244 201211 14:30:36 postmap /opt/zimbra/conf/recipient_bcc
1246 201212 20:32:50 zmcontrol status
1249 201216 15:48:34 zmcontrol status
1250 201222 12:14:47 zmcontrol status
1251 201222 12:15:11 zmcontrol status
1257 201222 12:22:04 zmcontrol status
1259 201222 12:23:35 zmcontrol status
1265 201222 12:32:04 zmcontrol status
1266 201223 06:17:04 zmcontrol status
1267 201227 10:15:05 zmcontrol status
1269 201227 10:01:06 zmcontrol status
1272 201228 05:27:04 zmcontrol status
1274 201230 09:55:11 zmcontrol status
1276 201230 21:06:37 zmcontrol status
1285 201231 08:05:00 jnvkjn oenfoverfv
1286 201231 08:06:21 zmcontrol status
1289 210101 09:53:47 zmcontrol status
1291 210101 09:54:27 zmcontrol status
1296 210101 10:36:17 zmcontrol status
1308 210101 11:25:21 zmcontrol status
1321 210102 07:22:54 history

Try:
su zimbra
history | grep -Ev 'exit|start|stop|ldap|status'

OR maybe the opposite...
su zimbra
history | grep -Ei 'zmcertmgr|comm|deploy|verify'

[maybe try that as root user too]

872 200420 17:12:33 /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem chain.pem cert.pem
873 200420 17:12:47 /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
878 200420 17:19:33 /opt/zimbra/libexec/zmdomaincertmgr deploycrts
885 200420 18:28:19 /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
886 200420 18:28:53 /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
888 200420 18:32:51 cp privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
889 200420 18:32:58 /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
893 200420 18:39:28 /opt/zimbra/libexec/zmdomaincertmgr deploycrts
912 200420 19:33:33 /opt/zimbra/libexec/zmdomaincertmgr deploycrts
922 200420 23:03:22 /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
924 200420 23:06:33 /opt/zimbra/libexec/zmdomaincertmgr deploycrts
930 200420 23:08:34 /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
932 200420 23:10:10 /opt/zimbra/libexec/zmdomaincertmgr deploycrts
938 200420 23:13:30 /opt/zimbra/libexec/zmdomaincertmgr deploycrts
943 200420 23:19:12 /opt/zimbra/libexec/zmdomaincertmgr deploycrts
944 200420 23:20:29 cp privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
945 200420 23:21:27 /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
951 200420 23:24:36 /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
953 200420 23:25:53 cp privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
954 200420 23:26:07 /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
959 200420 23:34:40 /opt/zimbra/libexec/zmdomaincertmgr deploycrts
990 200515 14:19:25 /opt/zimbra/libexec/zmdomaincertmgr deploycrts
996 200515 13:57:59 /opt/zimbra/bin/zmcertmgr verifycrt comm privkey5.pem cert5.pem chain5.pem
1001 200515 14:01:19 /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
1003 200515 14:02:16 cp privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
1004 200515 14:03:33 /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
1013 200722 08:01:37 cp /var/backups/webSAYBKPS/mysql/mail.thesay.me/privkey19.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
1014 200722 08:02:03 cp privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
1015 200722 08:02:40 /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
1016 200722 08:03:08 /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
1020 200731 11:53:02 /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
1022 200731 11:55:49 /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
1024 200731 11:58:30 /opt/zimbra/libexec/zmdomaincertmgr deploycrts
1028 200731 12:12:31 /opt/zimbra/libexec/zmdomaincertmgr deploycrts
1040 200731 13:22:45 /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
1042 200731 13:23:11 /opt/zimbra/libexec/zmdomaincertmgr deploycrts
1044 200731 13:24:20 /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
1046 200731 13:41:10 cp privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
1047 200731 13:41:22 /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
1050 200731 13:42:24 /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
1053 200731 13:43:46 /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
1064 200731 13:56:40 cd common
1082 200731 14:06:02 /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
1085 200731 14:08:14 /opt/zimbra/libexec/zmdomaincertmgr deploycrts
1099 200731 14:19:05 /opt/zimbra/libexec/zmdomaincertmgr deploycrts
1108 200731 14:26:43 /opt/zimbra/libexec/zmdomaincertmgr deploycrts
1119 200731 18:22:46 /opt/zimbra/libexec/zmdomaincertmgr deploycrts
1129 200801 08:10:49 /opt/zimbra/libexec/zmdomaincertmgr deploycrts
1325 210102 07:42:22 history | grep -Ei 'zmcertmgr|comm|deploy|verify'

Show:
su zimbra
history | grep -E '111|112|113'

1113 200731 14:29:36 exit
1114 200731 16:06:23 zmprov md mail..ae zimbraVirtualHostName mx..ae zimbraVirtualIPAddress ...163
1115 200731 16:06:42 zmprov md .ae zimbraVirtualHostName mx..ae zimbraVirtualIPAddress ...163
1116 200731 16:10:07 zmproxyctl restart
1117 200731 16:10:47 exit
1118 200731 18:18:27 /opt/zimbra/libexec/zmdomaincertmgr savecrt .ae mail.*.ae.bundle privkey.pem
1119 200731 18:22:46 /opt/zimbra/libexec/zmdomaincertmgr deploycrts
1120 200731 18:23:59 zmproxyctl restart
1121 200731 18:25:22 cd /etc/apache2
1122 200731 18:25:26 ls
1123 200731 18:25:44 ls sites-enabled
1124 200731 18:25:56 exit
1125 200731 18:47:46 exit
1126 200801 08:07:25 zmproxyctl restart
1127 200801 08:07:58 zmcontrol restart
1128 200801 08:10:27 /opt/zimbra/libexec/zmdomaincertmgr savecrt *.ae mail..ae.bundle privkey.pem
1129 200801 08:10:49 /opt/zimbra/libexec/zmdomaincertmgr deploycrts
1197 201117 19:03:44 zmcontrol restart
1198 201118 10:16:46 exit
1199 201122 14:46:01 zimbra status
1200 201122 14:46:11 status
1201 201122 14:46:26 /zimbra status
1202 201122 14:46:37 zmcontrol status
1203 201122 14:50:00 ▒exit
1204 201122 14:50:14 exit
1205 201122 14:58:19 zmcontrol restart
1206 201124 07:04:58 zmcontrol status
1207 201124 07:05:26 exit
1208 201126 07:09:26 zmcontrol status
1209 201126 07:09:46 zmcontrol restart
1210 201126 07:18:53 zmcontrol status
1211 201126 07:19:10 zmcontrol restart
1212 201126 07:32:48 zmcontrol status
1213 201128 10:52:22 certbot renew
1214 201128 10:52:48 sudo certbot renew
1215 201128 10:53:07 rgbvtr
1216 201128 10:53:14 exit
1217 201128 10:55:19 zmcontrol stop
1218 201128 10:56:24 exit
1219 201128 10:59:37 zmcontrol start
1220 201128 11:03:00 exit
1221 201128 11:16:21 zmcontrol status
1326 210102 07:47:44 history | grep -E '111|112'

What happened that you are no longer installing your certs this way?

Before me, the administrator installed it. I am now writing certbot renew.

certbot renew is not enough for Zimbra.
You need to read the Zimbra documentation and follow their instructions to renew the cert and deploy it into Zimbra.
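
An added example, not part of the original thread and not Zimbra's or certbot's own tooling: a small check that tells a renewed-but-not-deployed certificate apart from one that is in sync, which is the situation the last reply describes. The certbot path and the `commercial.crt` path in the comments are assumptions (the latter by analogy with the `commercial.key` path in the history above); pass your own paths as arguments.

```shell
#!/usr/bin/env bash
# Added example: compare the cert certbot renewed with the cert the service uses.
# Assumed typical paths (adjust to your install):
#   renewed:  /etc/letsencrypt/live/<domain>/cert.pem
#   deployed: /opt/zimbra/ssl/zimbra/commercial/commercial.crt

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds if the certificate is still valid N seconds from now (default 0).
cert_still_valid() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# deploy_status RENEWED DEPLOYED [MIN_SECONDS_LEFT]
# Prints one status word; returns 0 only for IN_SYNC.
deploy_status() {
    local renewed=$1 deployed=$2 window=${3:-0}
    if [ ! -r "$renewed" ] || [ ! -r "$deployed" ]; then
        echo UNREADABLE; return 3
    fi
    # Expired already, or expires inside the requested window.
    if ! cert_still_valid "$deployed" "$window"; then
        echo DEPLOYED_EXPIRING; return 2
    fi
    # Still valid, but not the certificate that was last renewed.
    if [ "$(cert_fingerprint "$renewed")" != "$(cert_fingerprint "$deployed")" ]; then
        echo NOT_DEPLOYED; return 1
    fi
    echo IN_SYNC
}

# Usage: ./check-deploy.sh <renewed cert.pem> <deployed cert> [min seconds left]
if [ "$#" -ge 2 ]; then
    deploy_status "$1" "$2" "${3:-0}"
fi
```

Run it as a user that can read both files; any result other than `IN_SYNC` means the service is still presenting a certificate that the last renewal did not replace.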