King0770-Notes-Cannot-Start-ldap-ldap_starttls_supported-Enabled
Latest revision as of 21:40, 25 April 2019
Recently, I had a case where the zimbra site enabled ldap_starttls_supported, but was getting an error.
zmlocalconfig -e ldap_starttls_supported=1
Host zimbra-ldap.example.com
Starting ldap...Done.
Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.
If you are seeing this error, or something similar, start ldap as the zimbra user in debug mode.
ldap stop
zmlocalconfig -e ldap_starttls_supported=1
sudo /opt/zimbra/libexec/zmslapd -l LOCAL0 -u zimbra -h 'ldap://zimbra-ldap.example.com:389 ldapi:///' -F /opt/zimbra/data/ldap/config -d -4
There will be a lot of output. However, if there's an issue, the bottom portion of the output may leave a clue.
5cb120e2 conn=1037 op=0 STARTTLS
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
5cb120e2 conn=1037 op=0 RESULT oid= err=0 duration=0.099ms text=
5cb120e2 daemon: activity on 1 descriptor
5cb120e2 daemon: activity on:
5cb120e2 daemon: epoll: listen=7 active_threads=0 tvp=zero
5cb120e2 daemon: epoll: listen=8 active_threads=0 tvp=zero
5cb120e2 daemon: activity on 1 descriptor
5cb120e2 daemon: activity on: 15r
5cb120e2 daemon: read active on 15
5cb120e2 daemon: epoll: listen=7 active_threads=0 tvp=zero
5cb120e2 daemon: epoll: listen=8 active_threads=0 tvp=zero
5cb120e2 connection_get(15)
5cb120e2 daemon: activity on 1 descriptor
5cb120e2 daemon: activity on:
5cb120e2 daemon: epoll: listen=7 active_threads=0 tvp=zero
5cb120e2 daemon: epoll: listen=8 active_threads=0 tvp=zero
5cb120e2 daemon: activity on 1 descriptor
5cb120e2 daemon: activity on: 15r
5cb120e2 daemon: read active on 15
5cb120e2 daemon: epoll: listen=7 active_threads=0 tvp=zero
5cb120e2 daemon: epoll: listen=8 active_threads=0 tvp=zero
5cb120e2 connection_get(15)
TLS: can't accept: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca. <<== CLUE
5cb120e2 connection_closing: readying conn=1037 sd=15 for close
5cb120e2 daemon: removing 15
5cb120e2 conn=1037 fd=15 closed (TLS negotiation failure)
5cb120e2 daemon: activity on 1 descriptor
5cb120e2 daemon: activity on:
5cb120e2 daemon: epoll: listen=7 active_threads=0 tvp=zero
5cb120e2 daemon: epoll: listen=8 active_threads=0 tvp=zero
The "unknown ca" part of the output implies that the CA which issued the LDAP master's certificate is not in the trusted CA bundle. To add your CA bundle, run the following as the zimbra user.
zmcertmgr addcacert /path/to/your/ca/bundle/commercial_ca.crt
Next, try again.
ldap stop
zmlocalconfig -e ldap_starttls_supported=1
ldap start
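To see the trust failure behind the "unknown ca" alert without touching a live server, here is an added example (not from the original article or Zimbra's own tooling) that builds a throwaway CA, issues an LDAP server certificate from it, and checks the certificate against a bundle with and without that CA. It assumes the openssl CLI is installed; every certificate and hostname in it is constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not part of the original article: reproduces the "unknown ca"
# trust failure offline and shows the check that succeeds once the issuing CA
# is in the bundle. Assumes the openssl CLI is installed; every certificate
# here is a constructed throwaway, not a real Zimbra certificate.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway CA, an LDAP server certificate it issues, and a second,
# unrelated CA that stands in for a bundle that does not contain the issuer.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed LDAP CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=zimbra-ldap.example.com" \
    -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/ldap.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1
}

# verify_chain BUNDLE CERT: returns 0 when CERT chains to a CA in BUNDLE.
# -no-CApath/-no-CAfile keep the system store out of the decision, so the
# result reflects the bundle alone, as slapd's own TLS trust store would.
verify_chain() {
  openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" >/dev/null 2>&1
}

make_test_pki

# Issuing CA present in the bundle: the chain verifies and STARTTLS can proceed.
if verify_chain "$WORK/ca.crt" "$WORK/ldap.crt"; then
  echo "issuer in bundle: chain verifies"
fi

# Issuing CA missing from the bundle: this is the condition slapd reports as
# "tlsv1 alert unknown ca", fixed by adding the CA with zmcertmgr addcacert.
if ! verify_chain "$WORK/other.crt" "$WORK/ldap.crt"; then
  echo "issuer not in bundle: unknown ca"
fi
```

Against a live LDAP master the equivalent check is `openssl s_client -starttls ldap -connect zimbra-ldap.example.com:389 -CAfile /path/to/your/ca/bundle/commercial_ca.crt`, whose "Verify return code" line tells you whether the bundle trusts the presented certificate before you restart ldap.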
More articles written by me, https://wiki.zimbra.com/wiki/King0770-Notes