I feel bad about asking a question about the certs in this forum but after spending the entire day researching just this one issue I'm out of resources.
Per the wiki page for Installing a LetsEncrypt SSL Certificate, I stopped services, created .pem files, copied them to the zimbra path, and changed ownership. I also followed the section Build the proper Intermediate CA plus Root CA but I believe that section is now old and requires revision. This is important so please forgive this digression:
That section says "To sum up: chain.pem has to be concatenated with the root CA. First the chain and the end of the file the root CA. The order is important."
That's not entirely accurate. Consider this quote:
"I originally wrote the code that originally creates it and the definition of fullchain.pem was cert.pem and chain.pem in a single file. The fullchain.pem file is intended for using in Nginx and Apache 2.4 (and other web servers that expect the end-entity certificate and certificate chain to be provided in a single file), while chain.pem and cert.pem are intended for Apache 2.2 (and other web servers that expect the end-entity certificate and certificate chain to be provided in separate files)."
That tells us a few things:
1) If we're using Let's Encrypt, we need to use the intermediate cert, not the root cert. The intermediate cert was signed with the root cert.
2) That's especially important because the common link to IdenTrust to get the root cert doesn't work anymore. All we have is the intermediate cert.
3) With that, we don't need to download another pem file and concatenate, we just need to replace chain.pem with fullchain.pem.
All that said, that is what I did, but zmcertmgr verifycrt ... fails with:
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
ERROR: Unable to validate certificate chain: cert.pem: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate
Per suggestions in this forum I'm running CentOS 7 with 4GB RAM, everything yum-updated.
I tried to verify the cert with the openssl -untrusted flag as noted here. That failed under the zimbra user but succeeded as root. Unfortunately we can't use the zmcertmgr commands as root. I don't know if it would be of value to pass that -untrusted flag to zmcertmgr deploycrt, but I don't see a way to do that, and the deploycrt operation does a verify, so I can't get around it.
Might this be a factor? I'm experimenting with an existing domain. The root of this domain is hosted elsewhere. I created a DNS "A" record for a subdomain to point to an IP address for the Zimbra server, and an MX record to get to this subdomain. (BTW, I have been able to send/receive mail with this, and I'm now trying to secure it.) In the Administration web page under Domains, it shows the domain as simply 'domain.tld', not 'subdomain.domain.tld'. I generated the cert for the subdomain, I'm accessing the web pages via the subdomain, but I'm wondering if something in there is expecting the cert to be for the root domain.
Or ... is the verification expecting specific INbound socket ports to be open? I have only opened what seems necessary. The environment is completely open for OUTbound requests.
So, I'm done guessing for now. I hope this is enough info for someone to see something obvious. If not, this is a new installation and I can experiment or completely scrap it if required.
Thanks for your time and insight.
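Added example, not from the post or from the Zimbra wiki: a throwaway shell demo that builds a root -> intermediate -> leaf chain with the openssl CLI and then runs the same kind of `openssl verify` check that a "verify cert.pem against chain.pem" step performs. The CA names, the mail.example.test hostname, the temp paths and the small config file are all constructed; the only assumption is that the openssl CLI is installed. It reproduces the "error 2 at 1 depth lookup: unable to get issuer certificate" result when the trust file holds only the intermediate, shows the same check passing once the self-signed root is appended after the intermediate, and shows the -untrusted form mentioned above, where the intermediate is supplied as untrusted and the root is the anchor.

```shell
#!/bin/sh
# Constructed demo (not from the post): build a disposable root -> intermediate
# -> leaf PKI and show how OpenSSL chain verification reacts when the trust
# file lacks the self-signed root. All names and paths here are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
subjectAltName = DNS:mail.example.test
EOF

build_demo_pki() {
  # Self-signed root CA (the piece the Let's Encrypt chain.pem does not carry).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.pem" -days 2 -subj "/CN=Demo Root CA" \
    -config "$WORK/demo.cnf" -extensions ca_ext >/dev/null 2>&1
  # Intermediate CA signed by the root; plays the role of chain.pem.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
    -out "$WORK/int.csr" -subj "/CN=Demo Intermediate CA" \
    -config "$WORK/demo.cnf" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 2 -out "$WORK/chain.pem" \
    -extfile "$WORK/demo.cnf" -extensions ca_ext >/dev/null 2>&1
  # End-entity cert signed by the intermediate; plays the role of cert.pem.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/privkey.pem" \
    -out "$WORK/leaf.csr" -subj "/CN=mail.example.test" \
    -config "$WORK/demo.cnf" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/chain.pem" \
    -CAkey "$WORK/int.key" -CAcreateserial -days 2 -out "$WORK/cert.pem" \
    -extfile "$WORK/demo.cnf" -extensions leaf_ext >/dev/null 2>&1
  # What the wiki's "first the chain, then the root CA" instruction produces.
  cat "$WORK/chain.pem" "$WORK/root.pem" > "$WORK/chain_plus_root.pem"
}

# Verify cert.pem using $1 as the trust file; prints OK or FAIL.
verify_against() {
  if openssl verify -CAfile "$1" "$WORK/cert.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Pull OpenSSL's reason string out of a failed verification (empty on success).
verify_reason() {
  openssl verify -CAfile "$1" "$WORK/cert.pem" 2>&1 \
    | grep -o 'unable to get issuer certificate' | head -n 1
}

# The -untrusted form: intermediate passed as untrusted, root as the anchor.
verify_with_untrusted() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" \
       "$WORK/cert.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

build_demo_pki
echo "trust file = intermediate only:   $(verify_against "$WORK/chain.pem") ($(verify_reason "$WORK/chain.pem"))"
echo "trust file = intermediate + root: $(verify_against "$WORK/chain_plus_root.pem")"
echo "root anchor + -untrusted chain:   $(verify_with_untrusted)"
```

Run it as a normal user; nothing here touches the Zimbra install. The first line of output is the intermediate-only case, which is the shape of the zmcertmgr failure quoted above: OpenSSL finds the intermediate in the trust file but, with no self-signed certificate to stop at and no partial-chain option set, reports error 2 at depth 1. The second and third lines show the two ways the same leaf validates: a trust file that ends with the root, or the root alone as the anchor with the intermediate handed over via -untrusted.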