I have a Zimbra mail server.

Recently I wanted to move from LDAP to LDAPS for higher security.

I did the following steps to do this.

zmlocalconfig -e ldap_master_url=ldaps://mail.domain.com:636
zmlocalconfig -e ldap_url=ldaps://mail.domain.com:636
zmlocalconfig -e ldap_starttls_supported=0
zmlocalconfig -e ldap_port=636
zmcontrol stop && zmcontrol start

wiki.zimbra.com/wiki/How_to_enable_ldaps

But after this, external LDAP tools cannot connect to the server.

I can query the records within the server using ldapsearch.

If I run ldapsearch from an external server, it throws the following error.


ldapsearch -x -v -H 'ldaps://mail.domain.com/' -b 'ou=people,dc=domain,dc=com' -D 'uid=test1,ou=people,dc=domain,dc=com' -W -d -1
ldap_url_parse_ext(ldaps://mail.domain.com/)
ldap_initialize( ldaps://mail.domain.com:636/??base )
ldap_create
ldap_url_parse_ext(ldaps://mail.domain.com:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP mail.domain.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 203.124.153.100:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
tls_write: want=117, written=117
tls_read: want=5, got=5
0000: 16 03 01 00 51 ....Q
tls_read: want=81, got=81
tls_read: want=5, got=5
0000: 16 03 01 02 b4 .....
tls_read: want=692, got=692
tls_read: want=5, got=5
0000: 16 03 01 00 04 .....
tls_read: want=4, got=4
0000: 0e 00 00 00 ....
tls_write: want=139, written=139
tls_write: want=6, written=6
0000: 14 03 01 00 01 01 ......
tls_write: want=229, written=229
tls_read: want=5, got=5
0000: 14 03 01 00 01 .....
tls_read: want=1, got=1
0000: 01 .
tls_read: want=5, got=5
0000: 16 03 01 00 30 ....0
tls_read: want=48, got=48
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


What is meant by the error?
TLS: peer cert untrusted or revoked (0x42)

On the server side, in the file /etc/openldap/ldap.conf,

I tried both of these settings.

1. TLS_REQCERT never

2. TLS_REQCERT allow

But I still get the same error.
Because of this, I cannot use the address book from any of the email
clients I use.

Please help with your suggestions to solve the issue.

Thanks.
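
Added example, not part of the original post: the hexadecimal value in the "peer cert untrusted or revoked" line can be read as a certificate-verification bitmask. The sketch assumes the external client's libldap is built against GnuTLS and uses the flag values of its `gnutls_certificate_status_t`; the function names are hypothetical.

```python
import re

# Verification status bits from GnuTLS's gnutls_certificate_status_t (gnutls.h).
# Assumption: the client that printed the trace links libldap against GnuTLS.
GNUTLS_CERT_STATUS = {
    1 << 1: "GNUTLS_CERT_INVALID",
    1 << 5: "GNUTLS_CERT_REVOKED",
    1 << 6: "GNUTLS_CERT_SIGNER_NOT_FOUND",
    1 << 7: "GNUTLS_CERT_SIGNER_NOT_CA",
    1 << 8: "GNUTLS_CERT_INSECURE_ALGORITHM",
    1 << 9: "GNUTLS_CERT_NOT_ACTIVATED",
    1 << 10: "GNUTLS_CERT_EXPIRED",
}

STATUS_LINE = re.compile(r"TLS: peer cert untrusted or revoked \(0x([0-9a-fA-F]+)\)")


def decode_status(status):
    """Return the names of the set bits; bits not in the table are reported in hex."""
    names = [name for bit, name in sorted(GNUTLS_CERT_STATUS.items()) if status & bit]
    unknown = status & ~sum(GNUTLS_CERT_STATUS)
    if unknown:
        names.append("unknown bits 0x%x" % unknown)
    return names


def explain_trace(trace):
    """Find every certificate-status line in an ldapsearch -d trace and decode it."""
    results = []
    for match in STATUS_LINE.finditer(trace):
        status = int(match.group(1), 16)
        results.append((status, decode_status(status)))
    return results


# Tail of the trace quoted in the post above.
SAMPLE_TRACE = """\
tls_read: want=48, got=48
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
"""

if __name__ == "__main__":
    for status, names in explain_trace(SAMPLE_TRACE):
        print("0x%x -> %s" % (status, " | ".join(names)))
```

Under that assumption, the post's 0x42 decodes to GNUTLS_CERT_INVALID and GNUTLS_CERT_SIGNER_NOT_FOUND: the client could not find a trusted issuer for the certificate the server presented.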