Zimbra unable to start TLS: hostname verification failed

Zimbra unable to start TLS: hostname verification failed. Have you ever faced this error. Its full content is “Unable to start TLS: hostname verification failed when connecting to ldap master.“

This error occurs when you install multiple SSL certificates for multiple domains in Zimbra mail system.

Recommended Reading: Install Let’s Encrypt certificate for new domain in Zimbra

Zimbra “Unable to start TLS” Why does this error appear?

As you know, when you install Zimbra mail system, you need to specify an initial mail domain (I call the root domain). And by default, LDAP will start the service with SSL from this domain (running port 636).

When your system uses multiple SSL certificates with multiple domains. If you do not install the SSL certificate for the root domain correctly, this error will occur. If you use certbot-zimbra without the -e option, you will face this error.

If you type the status command, you will get results like this.

[zimbra@mail ~]$ zmcontrol status
Unable to start TLS: hostname verification failed when connecting to ldap master.
Cannot determine services - exiting

How to fix Unable to start TLS: hostname verification failed when connecting to ldap master

At the time of this error, your Zimbra system failed and stopped working. But don’t worry.

Change to Zimbra user in your system.

[root@mail ~]# su zimbra

First, use the following two commands to disable start LDAP with SSL (or you can turn it off completely).

[zimbra@mail ~]$ zmlocalconfig -e ldap_starttls_required=false
[zimbra@mail ~]$ zmlocalconfig -e ldap_starttls_supported=0

If you check the service status, it will look like this.

[zimbra@mail ~]$ zmcontrol status
Host mail.yourdomain.com
	amavis                  Stopped
		amavisd is not running.
	antispam                Stopped
		zmamavisdctl is not running
	antivirus               Stopped
		zmamavisdctl is not running
		zmclamdctl is not running
		zmfreshclamctl is not running
	imapd                   Stopped
		imap is not running.
	ldap                    Running
	logger                  Stopped
		zmlogswatchctl is not running
	mailbox                 Stopped
		mysql.server is not running.
		zmmailboxdctl is not running.
	memcached               Stopped
		memcached is not running.
	mta                     Stopped
		zmsaslauthdctl is not running
		postfix is not running
	opendkim                Stopped
		zmopendkimctl is not running.
	proxy                   Stopped
		proxy is not running.
	service webapp          Stopped
		mysql.server is not running.
		zmmailboxdctl is not running.
	snmp                    Stopped
		zmswatch is not running.
	spell                   Stopped
		zmapachectl is not running
	stats                   Stopped
	zimbra webapp           Stopped
		mysql.server is not running.
		zmmailboxdctl is not running.
	zimbraAdmin webapp      Stopped
		mysql.server is not running.
		zmmailboxdctl is not running.
	zimlet webapp           Stopped
		mysql.server is not running.
		zmmailboxdctl is not running.
	zmconfigd               Stopped
		zmconfigd is not running.

Now (if you want to disable LDAP SSL completely), you can start the Zimbra service.

[zimbra@mail ~]$ zmcontrol restart

If you want to use LDAP SSL, you need to reconfigure SSL certificates for domains correctly. You can install SSL certificate manually or use certbot-zimbra (I recommend at the beginning of the article).

And after you have restarted the Zimbra service above. Type the following 2 commands to re-enable the LDAP SSL service.

[zimbra@mail ~]$ zmlocalconfig -e ldap_starttls_required=true
[zimbra@mail ~]$ zmlocalconfig -e ldap_starttls_supported=1

Conclusion

In this article, you were able to fix the failure to start the LDAP SSL service when using multiple SSL certificates. You can successfully restart the Zimbra system. Hope the article helps you.

(This is an article from my old blog that has been inactive for a long time, I don’t want to throw it away so I will keep it and hope it helps someone).