Zimbra unable to start TLS: hostname verification failed. Have you ever faced this error? Its full text is “Unable to start TLS: hostname verification failed when connecting to ldap master.”
This error occurs when you install multiple SSL certificates for multiple domains in a Zimbra mail system.
Recommended Reading: Install Let’s Encrypt certificate for new domain in Zimbra
Why does the Zimbra “Unable to start TLS” error appear?
When you install the Zimbra mail system, you must specify an initial mail domain (I call it the root domain). By default, LDAP starts its service with SSL using this domain (running on port 636).
When your system uses multiple SSL certificates for multiple domains and the SSL certificate for the root domain is not installed correctly, this error occurs. You will also face this error if you use certbot-zimbra without the -e option.
If you run the status command, you get output like this.
[zimbra@mail ~]$ zmcontrol status
Unable to start TLS: hostname verification failed when connecting to ldap master.
Cannot determine services - exiting
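To see why the error message says “hostname verification failed”, here is a small added example (not part of the article or of Zimbra) that reproduces the check an LDAP client performs on the server certificate: the LDAP master hostname that Zimbra stores in its local config (shown with zmlocalconfig ldap_host) must appear among the certificate’s DNS Subject Alternative Names, either exactly or via a single-label wildcard. The hostname mail.yourdomain.com comes from the status output above; the SAN lists and the second domain are constructed for the demonstration. It also parses the SAN line printed by openssl x509, so you can feed it the certificate your LDAP service actually presents.

```python
"""Simulate the hostname check an LDAP client applies to the server certificate.

Added example for this article; it is not Zimbra code. It shows the matching
rule behind "Unable to start TLS: hostname verification failed": the configured
LDAP master name has to be covered by a DNS SAN of the certificate that LDAP
presents. When certbot-zimbra deploys a certificate issued only for another
domain, the root domain's name is no longer covered and the check fails.
"""
from typing import Iterable, List


def hostname_matches(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """Return True if hostname is covered by one of the certificate's DNS SANs.

    Rules (RFC 6125 style): case-insensitive exact match, or a wildcard such as
    "*.yourdomain.com" that matches exactly one label. So "*.yourdomain.com"
    covers "mail.yourdomain.com" but not "yourdomain.com" or "a.b.yourdomain.com".
    """
    host = hostname.rstrip(".").lower()
    for name in san_dns_names:
        name = name.rstrip(".").lower()
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                     # ".yourdomain.com"
            if host.endswith(suffix):
                label = host[: -len(suffix)]      # the part the wildcard stands for
                if label and "." not in label:    # exactly one non-empty label
                    return True
    return False


def parse_openssl_san(line: str) -> List[str]:
    """Extract DNS names from the SAN line printed by
    `openssl x509 -noout -ext subjectAltName`, for example
    "DNS:mail.yourdomain.com, DNS:yourdomain.com, IP Address:203.0.113.5".
    Only DNS entries take part in hostname matching."""
    names = []
    for entry in line.split(","):
        entry = entry.strip()
        if entry.upper().startswith("DNS:"):
            names.append(entry[4:].strip())
    return names


def explain(ldap_host: str, san_dns_names: List[str]) -> str:
    """Give the verdict in the words Zimbra would use."""
    if hostname_matches(ldap_host, san_dns_names):
        return f"OK: {ldap_host} is covered by the LDAP certificate {san_dns_names}"
    return (f"Unable to start TLS: hostname verification failed "
            f"({ldap_host} is not covered by {san_dns_names})")


def main() -> None:
    ldap_host = "mail.yourdomain.com"   # value Zimbra keeps in ldap_host (from the article)

    # Constructed: certificate issued for the root domain, as after a correct install.
    good_san = parse_openssl_san("DNS:mail.yourdomain.com, DNS:yourdomain.com")
    print(explain(ldap_host, good_san))

    # Constructed: certificate deployed for a second domain only (certbot-zimbra
    # run without -e), which is what triggers the error on the root domain.
    bad_san = parse_openssl_san("DNS:mail.seconddomain.example")
    print(explain(ldap_host, bad_san))

    # Constructed: a wildcard for the root domain also satisfies the check.
    print(explain(ldap_host, ["*.yourdomain.com"]))


if __name__ == "__main__":
    main()
```

To check a real server, print its SAN line with `openssl s_client -connect mail.yourdomain.com:636 </dev/null | openssl x509 -noout -ext subjectAltName` and pass that line to parse_openssl_san(); if explain() reports a mismatch, the certificate deployed for LDAP is the one to fix, not the TLS settings.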
How to fix Unable to start TLS: hostname verification failed when connecting to ldap master
When this error occurs, your Zimbra system has failed and stopped working. But don’t worry.
Switch to the zimbra user on your system.
[root@mail ~]# su zimbra
First, use the following two commands to stop LDAP from starting with SSL (or, if you prefer, to turn it off completely).
[zimbra@mail ~]$ zmlocalconfig -e ldap_starttls_required=false
[zimbra@mail ~]$ zmlocalconfig -e ldap_starttls_supported=0
If you check the service status, it will look like this.
[zimbra@mail ~]$ zmcontrol status
Host mail.yourdomain.com
amavis Stopped
amavisd is not running.
antispam Stopped
zmamavisdctl is not running
antivirus Stopped
zmamavisdctl is not running
zmclamdctl is not running
zmfreshclamctl is not running
imapd Stopped
imap is not running.
ldap Running
logger Stopped
zmlogswatchctl is not running
mailbox Stopped
mysql.server is not running.
zmmailboxdctl is not running.
memcached Stopped
memcached is not running.
mta Stopped
zmsaslauthdctl is not running
postfix is not running
opendkim Stopped
zmopendkimctl is not running.
proxy Stopped
proxy is not running.
service webapp Stopped
mysql.server is not running.
zmmailboxdctl is not running.
snmp Stopped
zmswatch is not running.
spell Stopped
zmapachectl is not running
stats Stopped
zimbra webapp Stopped
mysql.server is not running.
zmmailboxdctl is not running.
zimbraAdmin webapp Stopped
mysql.server is not running.
zmmailboxdctl is not running.
zimlet webapp Stopped
mysql.server is not running.
zmmailboxdctl is not running.
zmconfigd Stopped
zmconfigd is not running.
Now, if you want to disable LDAP SSL completely, you can simply start the Zimbra service.
[zimbra@mail ~]$ zmcontrol restart
If you want to keep using LDAP SSL, you need to reconfigure the SSL certificates for your domains correctly. You can install the SSL certificate manually or use certbot-zimbra (see the recommended reading at the beginning of the article).
After you have restarted the Zimbra service as above, type the following two commands to re-enable the LDAP SSL service.
[zimbra@mail ~]$ zmlocalconfig -e ldap_starttls_required=true
[zimbra@mail ~]$ zmlocalconfig -e ldap_starttls_supported=1
Conclusion
In this article, you fixed the failure to start the LDAP SSL service when using multiple SSL certificates, and you can now restart the Zimbra system successfully. I hope the article helps you.
(This is an article from my old blog, which has been inactive for a long time. I don’t want to throw it away, so I am keeping it here and hope it helps someone.)