King0770-Notes-Cannot-Start-ldap-ldap_starttls_supported-Enabled

Recently, I had a case where a Zimbra site had enabled ldap_starttls_supported but was getting the following error:

zmlocalconfig -e ldap_starttls_supported=1

Host zimbra-ldap.example.com
        Starting ldap...Done.
Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.

If you are seeing this error, or something similar, start ldap as the zimbra user in debug mode.

ldap stop

zmlocalconfig -e ldap_starttls_supported=1

sudo /opt/zimbra/libexec/zmslapd -l LOCAL0 -u zimbra -h 'ldap://zimbra-ldap.example.com:389 ldapi:///' -F /opt/zimbra/data/ldap/config -d -4

There will be a lot of output. However, if there is an issue, the bottom portion of the output usually holds the clue.

5cb120e2 conn=1037 op=0 STARTTLS
  0000:  30 0c 02 01 01 78 07 0a  01 00 04 00 04 00         0....x........
5cb120e2 conn=1037 op=0 RESULT oid= err=0 duration=0.099ms text=
5cb120e2 daemon: activity on 1 descriptor
5cb120e2 daemon: activity on:
5cb120e2 daemon: epoll: listen=7 active_threads=0 tvp=zero
5cb120e2 daemon: epoll: listen=8 active_threads=0 tvp=zero
5cb120e2 daemon: activity on 1 descriptor
5cb120e2 daemon: activity on: 15r
5cb120e2 daemon: read active on 15
5cb120e2 daemon: epoll: listen=7 active_threads=0 tvp=zero
5cb120e2 daemon: epoll: listen=8 active_threads=0 tvp=zero
5cb120e2 connection_get(15)
5cb120e2 daemon: activity on 1 descriptor
5cb120e2 daemon: activity on:
5cb120e2 daemon: epoll: listen=7 active_threads=0 tvp=zero
5cb120e2 daemon: epoll: listen=8 active_threads=0 tvp=zero
5cb120e2 daemon: activity on 1 descriptor
5cb120e2 daemon: activity on: 15r
5cb120e2 daemon: read active on 15
5cb120e2 daemon: epoll: listen=7 active_threads=0 tvp=zero
5cb120e2 daemon: epoll: listen=8 active_threads=0 tvp=zero
5cb120e2 connection_get(15)
TLS: can't accept: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca.    <<== CLUE
5cb120e2 connection_closing: readying conn=1037 sd=15 for close
5cb120e2 daemon: removing 15
5cb120e2 conn=1037 fd=15 closed (TLS negotiation failure)
5cb120e2 daemon: activity on 1 descriptor
5cb120e2 daemon: activity on:
5cb120e2 daemon: epoll: listen=7 active_threads=0 tvp=zero
5cb120e2 daemon: epoll: listen=8 active_threads=0 tvp=zero

The "unknown ca" alert in the output is sent by the connecting client, which means it could not find the CA that issued the LDAP server certificate in its trust store: the CA bundle is not trusted. To add your CA bundle, run the following as the zimbra user.

zmcertmgr addcacert /path/to/your/ca/bundle/commercial_ca.crt

Next, restart ldap with STARTTLS enabled and try again.

ldap stop
zmlocalconfig -e ldap_starttls_supported=1
ldap start
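Reading through pages of zmslapd debug output by hand is tedious, so here is a small added helper (not part of the original notes or of Zimbra) that pulls the TLS failures out of it. It understands both the server-side "TLS: can't accept" line from slapd and the client-side "Unable to start TLS" message that ldap start prints, ties a server-side error to the connection slapd then closes, and attaches a plain-language hint; the hint table and the sample log below are constructed for the example.

```python
"""Pull TLS negotiation failures out of zmslapd -d -4 output and out of the client-side 'Unable to start TLS' message."""
import re
from typing import Dict, List

# slapd is the TLS *server* here, so an alert it receives ("can't accept")
# was sent by the connecting client: the client is the side that rejected.
HINTS = {
    "unknown ca": "peer does not trust the CA that issued the certificate it was shown",
    "certificate verify failed": "this side could not build a trusted chain for the peer certificate",
    "bad certificate": "peer rejected the certificate it was shown",
    "handshake failure": "no agreed protocol/cipher, or the handshake was refused outright",
}
# Server side: TLS: can't accept: error:14094418:SSL routines:...:tlsv1 alert unknown ca.
SERVER_ERR = re.compile(r"TLS: can't accept: error:(?P<code>[0-9A-Fa-f]+):(?P<detail>[^<]+)")
# Client side: Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:...
CLIENT_ERR = re.compile(r"Unable to start TLS: .*?error:(?P<code>[0-9A-Fa-f]+):(?P<detail>.+?)(?: when connecting|$)")
CLOSED = re.compile(r"conn=(?P<conn>\d+) fd=(?P<fd>\d+) closed \((?P<reason>[^)]*)\)")

def _record(side: str, m) -> Dict[str, str]:
    detail = m.group("detail").strip().rstrip(".")
    hint = next((h for k, h in HINTS.items() if k in detail), "unrecognised TLS error")
    return {"side": side, "code": m.group("code"), "detail": detail, "hint": hint}

def find_tls_failures(log_text: str) -> List[Dict[str, str]]:
    """One record per failure; server-side ones are tied to the connection slapd then closes."""
    failures = []
    pending = None  # server-side error waiting for its "closed (...)" line
    for line in log_text.splitlines():
        if m := CLIENT_ERR.search(line):
            failures.append(_record("client", m))
        elif m := SERVER_ERR.search(line):
            pending = _record("server", m)
        elif (m := CLOSED.search(line)) and pending is not None:
            pending.update(conn=m.group("conn"), fd=m.group("fd"), reason=m.group("reason"))
            failures.append(pending)
            pending = None
    return failures

# Constructed sample: the client-side error plus a trimmed slapd debug excerpt.
SAMPLE_LOG = """\
Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.
5cb120e2 conn=1037 op=0 STARTTLS
5cb120e2 connection_get(15)
TLS: can't accept: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca.
5cb120e2 conn=1037 fd=15 closed (TLS negotiation failure)
"""

if __name__ == "__main__":
    for failure in find_tls_failures(SAMPLE_LOG):
        print(failure)
```

Feed it the real output instead of SAMPLE_LOG (for example, read it from the file you redirected zmslapd's output to) and each record tells you which side rejected the certificate, which is what decides whether zmcertmgr addcacert is the right fix.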



More articles written by me, https://wiki.zimbra.com/wiki/King0770-Notes