SystemMen - Zimbra unable to start TLS: hostname verification failed. Have you ever faced this error? Its full text is “Unable to start TLS: hostname verification failed when connecting to ldap master.”
This error typically shows up after you install multiple SSL certificates for multiple domains in a Zimbra mail system: the certificate the LDAP server now presents is no longer valid for the hostname the Zimbra LDAP clients connect to, so the clients refuse to complete the STARTTLS handshake.
Recommended Reading: Install Let’s Encrypt certificate for new domain in Zimbra
Zimbra “Unable to start TLS”: why does this error appear?
As you know, when you install Zimbra you specify an initial mail domain (I call it the root domain), and the server hostname (mail.yourdomain.com in the output below) normally lives in that domain. By default the Zimbra services talk to the LDAP master over that hostname and upgrade the connection with STARTTLS (governed by the ldap_starttls_required and ldap_starttls_supported settings used below). Before trusting the connection, the client checks that the certificate the LDAP server presents is valid for that hostname; this is what protects the directory, which holds every account, from being impersonated.
When your system uses multiple SSL certificates for multiple domains and the certificate for the root domain, the one that has to cover the server hostname, is not installed correctly, this error occurs. A common way to get there is running certbot-zimbra for a new domain without the -e option (--extra-domain), so the issued certificate no longer contains the server hostname.
If you run the status command, you get a result like this:
[zimbra@mail ~]$ zmcontrol status
Unable to start TLS: hostname verification failed when connecting to ldap master.
Cannot determine services - exiting
How to fix “Unable to start TLS: hostname verification failed when connecting to ldap master”
When this error appears, the Zimbra services are down: zmcontrol cannot even list them, because it needs LDAP to do so. But don’t worry, the fix is short.
Switch to the zimbra user (the login shell sets up the zimbra PATH and environment).
[root@mail ~]# su - zimbra
First, use the following two commands to make the LDAP clients connect without STARTTLS. Treat this as a temporary workaround, not a fix: with STARTTLS disabled every Zimbra service talks to LDAP in cleartext, bind password included. On a single-server install that traffic stays on the local host, but on a multi-server deployment it exposes directory traffic on the network, so do not leave it this way longer than needed.
[zimbra@mail ~]$ zmlocalconfig -e ldap_starttls_required=false
[zimbra@mail ~]$ zmlocalconfig -e ldap_starttls_supported=0
If you check the service status now, it looks like this (note that ldap itself is running; it was the TLS check on the client side that failed):
[zimbra@mail ~]$ zmcontrol status
Host mail.yourdomain.com
	amavis                  Stopped
		amavisd is not running.
	antispam                Stopped
		zmamavisdctl is not running
	antivirus               Stopped
		zmamavisdctl is not running
		zmclamdctl is not running
		zmfreshclamctl is not running
	imapd                   Stopped
		imap is not running.
	ldap                    Running
	logger                  Stopped
		zmlogswatchctl is not running
	mailbox                 Stopped
		mysql.server is not running.
		zmmailboxdctl is not running.
	memcached               Stopped
		memcached is not running.
	mta                     Stopped
		zmsaslauthdctl is not running
		postfix is not running
	opendkim                Stopped
		zmopendkimctl is not running.
	proxy                   Stopped
		proxy is not running.
	service webapp          Stopped
		mysql.server is not running.
		zmmailboxdctl is not running.
	snmp                    Stopped
		zmswatch is not running.
	spell                   Stopped
		zmapachectl is not running
	stats                   Stopped
	zimbra webapp           Stopped
		mysql.server is not running.
		zmmailboxdctl is not running.
	zimbraAdmin webapp      Stopped
		mysql.server is not running.
		zmmailboxdctl is not running.
	zimlet webapp           Stopped
		mysql.server is not running.
		zmmailboxdctl is not running.
	zmconfigd               Stopped
		zmconfigd is not running.
Now you can start the Zimbra services again; they will run with plain LDAP until you re-enable STARTTLS below.
[zimbra@mail ~]$ zmcontrol restart
To get LDAP STARTTLS working again, you have to deploy the certificates correctly: the certificate Zimbra serves from its LDAP server (/opt/zimbra/conf/slapd.crt) must be valid for the hostname in ldap_host, either as its CN or as a DNS subjectAltName. You can install the SSL certificate manually or use certbot-zimbra (see the article recommended at the beginning), making sure the server hostname is included in the certificate you request.
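A pre-flight check worth running before re-enabling STARTTLS, written for this article as an added example (it is not code from the original post or from Zimbra): it reads the DNS names the LDAP certificate is valid for and applies the same hostname-matching rule a TLS client applies, so you can see the mismatch the error message only hints at. It assumes the standard Zimbra paths (/opt/zimbra/conf/slapd.crt and the ldap_host local config key) and that openssl is installed; the script name ldapcert-check.sh in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example for this article (not part of the original post or of Zimbra):
# a pre-flight check that the certificate the Zimbra LDAP server presents is
# valid for the hostname the Zimbra LDAP clients connect to, which is exactly
# the condition "hostname verification" enforces. Run it before re-enabling
# ldap_starttls_required. Standard Zimbra locations are assumed:
#   /opt/zimbra/conf/slapd.crt          certificate served by the LDAP server
#   zmlocalconfig -m nokey ldap_host    hostname the clients connect to
# Matching follows RFC 6125: exact (case-insensitive) match on a DNS SAN, or
# on the CN when the certificate has no DNS SANs; a wildcard is only honoured
# in the left-most label and matches exactly one label.

# cert_names CERTFILE: print the DNS names the certificate is valid for,
# one per line (DNS SANs if present, otherwise the subject CN).
cert_names() {
    sans=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
           | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://')
    if [ -n "$sans" ]; then
        printf '%s\n' "$sans"
    else
        openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
            | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    fi
}

# name_matches HOST PATTERN: succeed if PATTERN (one SAN or CN entry) covers HOST.
name_matches() {
    h=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    p=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$h" = "$p" ] && return 0
    case "$p" in
        '*.'*)
            # *.example.com covers mail.example.com, but neither example.com
            # (no label to consume) nor a.b.example.com (two labels).
            suffix=${p#\*.}
            first=${h%%.*}
            rest=${h#*.}
            if [ -n "$first" ] && [ "$first" != "$h" ] && [ "$rest" = "$suffix" ]; then
                return 0
            fi
            ;;
    esac
    return 1
}

# host_covered HOST NAME...: succeed if any NAME covers HOST.
host_covered() {
    target=$1; shift
    for n in "$@"; do
        name_matches "$target" "$n" && return 0
    done
    return 1
}

# check_ldap_cert [CERTFILE [HOSTNAME]]: the actual check against a Zimbra
# install; needs openssl and, for the default hostname, the zimbra environment.
check_ldap_cert() {
    crt=${1:-/opt/zimbra/conf/slapd.crt}
    ldaphost=${2:-$(/opt/zimbra/bin/zmlocalconfig -m nokey ldap_host)}
    names=$(cert_names "$crt")
    # $names is unquoted on purpose: one DNS name per word, spaces cannot occur.
    if host_covered "$ldaphost" $names; then
        echo "OK: $crt is valid for ldap_host $ldaphost; STARTTLS can be re-enabled"
        return 0
    fi
    echo "MISMATCH: $crt is valid for [$(echo $names)] but ldap_host is $ldaphost"
    echo "          deploy a certificate that includes $ldaphost before re-enabling STARTTLS"
    return 1
}

# Run the real check only when invoked with arguments, e.g. as the zimbra user:
#   sh ldapcert-check.sh /opt/zimbra/conf/slapd.crt "$(zmlocalconfig -m nokey ldap_host)"
if [ $# -gt 0 ]; then
    check_ldap_cert "$@"
fi
```

A MISMATCH line lists the names the certificate actually contains, which tells you immediately whether the server hostname is missing (the certbot-zimbra -e case) or a completely different certificate was deployed. If you would rather test the live listener than the file, a recent openssl can do the same check over the network with openssl s_client -connect mail.yourdomain.com:389 -starttls ldap -verify_hostname mail.yourdomain.com, which reports a verification failure in the same situation.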
Once the certificates are correct and Zimbra has been restarted as above, type the following two commands to re-enable LDAP STARTTLS, then run zmcontrol restart once more so the new local config takes effect.
[zimbra@mail ~]$ zmlocalconfig -e ldap_starttls_required=true
[zimbra@mail ~]$ zmlocalconfig -e ldap_starttls_supported=1
Conclusion
In this article, you fixed the LDAP STARTTLS failure that appears when a Zimbra server uses multiple SSL certificates, brought the Zimbra services back up, and restored certificate verification on the LDAP connection. Hope the article helps you.