error 2 at 1 depth lookup:unable to get issuer certificate


Post by fosiul@gmail.com »

Hello everyone,
I am really new to Zimbra. My Zimbra server is up and running; the only problem is that I can't make the SSL certificate work.

I got this certificate from 1and1. It works perfectly with Apache, cPanel, etc., but when I try to install/validate it, it fails.
From 1and1, I have 3 files:

_private_key.key

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

_ssl_certificate.cer
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----



ssl_certificate_INTERMEDIATE.cer
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----




I believed I followed 2 links, but no luck.
viewtopic.php?t=62980
https://knowledge.digicert.com/solution/SO12792.html



zimbra@mail:~/ssl/zimbra/commercial$ /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial_ca.crt
** Verifying 'commercial_ca.crt' against 'commercial.key'
Certificate 'commercial_ca.crt' and private key 'commercial.key' match.
** Verifying 'commercial_ca.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
ERROR: Unable to validate certificate chain: commercial_ca.crt: C = US, O = DigiCert Inc, OU = http://www.digicert.com, CN = GeoTrust TLS RSA CA G1
error 2 at 1 depth lookup:unable to get issuer certificate


I would be very grateful if anyone could shed some light so that I can complete this configuration.

Post by L. Mark Stone »

___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate

Post by pup_seba »

Hi,

The link Mark gave you has all the answers :)

If it helps, make sure that the "intermediate" certificate your provider gave you includes the "root" certificate too. Some providers like to give you only "part" of the certification path needed. Also remember to include the certificate itself in your verification.

/opt/zimbra/bin/zmcertmgr verifycrt comm /full_path_to_your_file/_private_key.key /full_path_to_your_file/_ssl_certificate.cer /full_path_to_your_file/ssl_certificate_INTERMEDIATE.cer

But remember that ssl_certificate_INTERMEDIATE.cer should be (either because they provided the full certification path or because you did it) the concatenation of the provider's root and intermediate certificates.

These are only things to consider. Please make sure you follow the link Mark gave you. It works perfectly.

gl

Post by fosiul@gmail.com »

L. Mark Stone wrote: This might help:

https://wiki.zimbra.com/wiki/Administra ... cate_Tools

Thanks for the link. I followed that already, but the section "Single-Node Wildcard Commercial Certificate".

Below is the full command:


zimbra@mail:~/ssl/zimbra/commercial$ cp _.yuma-technology.co.uk_private_key.key commercial.key

zimbra@mail:~/ssl/zimbra/commercial$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key yuma-technology.co.uk_ssl_certificate.cer _.yuma-technology.co.uk_ssl_certificate_INTERMEDIATE.cer


zimbra@mail:~/ssl/zimbra/commercial$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key yuma-technology.co.uk_ssl_certificate.cer _.yuma-technology.co.uk_ssl_certificate_INTERMEDIATE.cer
** Verifying 'yuma-technology.co.uk_ssl_certificate.cer' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'yuma-technology.co.uk_ssl_certificate.cer' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'yuma-technology.co.uk_ssl_certificate.cer' against '_.yuma-technology.co.uk_ssl_certificate_INTERMEDIATE.cer'
ERROR: Unable to validate certificate chain: yuma-technology.co.uk_ssl_certificate.cer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust TLS RSA CA G1
error 2 at 1 depth lookup:unable to get issuer certificate

Post by fosiul@gmail.com »

pup_seba wrote: Hi,

The link Mark gave you has all the answers :)

If it helps, make sure that the "intermediate" certificate your provider gave you includes the "root" certificate too. Some providers like to give you only "part" of the certification path needed. Also remember to include the certificate itself in your verification.

/opt/zimbra/bin/zmcertmgr verifycrt comm /full_path_to_your_file/_private_key.key /full_path_to_your_file/_ssl_certificate.cer /full_path_to_your_file/ssl_certificate_INTERMEDIATE.cer

But remember that ssl_certificate_INTERMEDIATE.cer should be (either because they provided the full certification path or because you did it) the concatenation of the provider's root and intermediate certificates.

These are only things to consider. Please make sure you follow the link Mark gave you. It works perfectly.

gl

Hi, thanks.

Whatever I am doing, I get the below:


zimbra@mail:~/ssl/zimbra/commercial$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/_.xxxx.co.uk_private_key.key  /opt/zimbra/ssl/zimbra/commercial/xxxxx.co.uk_ssl_certificate.cer /opt/zimbra/ssl/zimbra/commercial/_.xxxx.co.uk_ssl_certificate_INTERMEDIATE.cer
** Verifying '/opt/zimbra/ssl/zimbra/commercial/xxxxxx_ssl_certificate.cer' against '/opt/zimbra/ssl/zimbra/commercial/_.xxxxxx.co.uk_private_key.key'
Certificate '/opt/zimbra/ssl/zimbra/commercial/xxxxx_ssl_certificate.cer' and private key '/opt/zimbra/ssl/zimbra/commercial/_xxxxx_private_key.key' match.
** Verifying '/opt/zimbra/ssl/zimbra/commercial/xxxxx_ssl_certificate.cer' against '/opt/zimbra/ssl/zimbra/commercial/xxxxx_ssl_certificate_INTERMEDIATE.cer'
ERROR: Unable to validate certificate chain: /opt/zimbra/ssl/zimbra/commercial/xxxxxxxx_ssl_certificate.cer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust TLS RSA CA G1
error 2 at 1 depth lookup:unable to get issuer certificate
Last edited by fosiul@gmail.com on Thu Sep 06, 2018 10:21 am, edited 1 time in total.

Post by pup_seba »

It just seems that you are missing either a root or an intermediate certificate in your '_ca.cer' file.

'make sure that the "intermediate" certificate your provider gave you includes the "root" certificate too. Some providers like to give you only "part" of the certification path needed'

'that ssl_certificate_INTERMEDIATE.cer should be (either because they provided the full certification path or because you did it) the concatenation of the provider's root and intermediate certificates.'

Post by fosiul@gmail.com »

pup_seba wrote: It just seems that you are missing either a root or an intermediate certificate in your '_ca.cer' file.

'make sure that the "intermediate" certificate your provider gave you includes the "root" certificate too. Some providers like to give you only "part" of the certification path needed'

'that ssl_certificate_INTERMEDIATE.cer should be (either because they provided the full certification path or because you did it) the concatenation of the provider's root and intermediate certificates.'

Hello,
Thanks for the information.

Those 3 files came from the provider (1and1). When we configure our Apache or even Postfix, cPanel for an SSL certificate, I just need to provide those 3 files and it works everywhere.

So what is the difference here? Do I need to copy ca.cer and Intermediate.cer into one file? (I also tried that, but it did not work.)
So I am totally confused.

Thanks

Post by pup_seba »

I can't tell you the difference as I don't know how your other applications work.

Zimbra has its own wikis and those are the ones to follow.

What I can do is confirm that the procedures in the link Mike gave you do work. And unless the error message is misleading, what's wrong in your case is that you are missing one or more intermediate certificates or (most likely) the root certificate, as per the error 'unable to get issuer certificate'.

Answering your other question (which should be clear after reading the provided wiki), no, you don't have/need to concatenate your cert and the ca. What needs to be concatenated are all the intermediates and the root.

Try to talk with your provider to make sure you have all the files you need.
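
Added example, not part of the thread or of Zimbra's tooling: a shell function that walks issuer links from a server certificate through a CA bundle and names the first issuer the bundle does not contain, which is the condition behind "unable to get issuer certificate". The function names and the constructed demo chain are assumptions; only standard `openssl x509` and `openssl req` options are used.

```shell
#!/bin/sh
# Added example (not from the thread): find the missing link in a CA bundle.
# Issuer links are followed by OpenSSL name hash; signatures are not checked.

# chain_gap CERT BUNDLE: returns 0 if BUNDLE leads from CERT to a self-signed
# root, 1 (naming the absent issuer) if a link is missing, 2 on a parse error.
chain_gap() (
  cur=$1; bundle=$2; depth=0; tmp=$(mktemp -d)
  # One file per certificate in the bundle: c1.pem, c2.pem, ...
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/c" n ".pem")}' "$bundle"
  while [ "$depth" -lt 10 ]; do   # cap guards against issuer loops
    ih=$(openssl x509 -noout -issuer_hash -in "$cur" 2>/dev/null)
    sub=$(openssl x509 -noout -subject_hash -in "$cur" 2>/dev/null)
    if [ -z "$ih" ]; then echo "cannot parse $cur"; rm -rf "$tmp"; return 2; fi
    if [ "$ih" = "$sub" ]; then
      echo "OK: self-signed root reached at depth $depth"
      rm -rf "$tmp"; return 0
    fi
    next=
    for c in "$tmp"/c*.pem; do
      if [ "$(openssl x509 -noout -subject_hash -in "$c" 2>/dev/null)" = "$ih" ]; then
        next=$c; break
      fi
    done
    if [ -z "$next" ]; then
      echo "MISSING at depth $depth: $(openssl x509 -noout -issuer -nameopt RFC2253 -in "$cur")"
      rm -rf "$tmp"; return 1
    fi
    cur=$next; depth=$((depth + 1))
  done
  rm -rf "$tmp"; return 1
)

# make_demo_chain DIR: constructed root -> intermediate -> leaf with throwaway
# keys, for demonstrating the walk above only.
make_demo_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  for n in int leaf; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}
```

With the file names used in this thread, the call would be `chain_gap _ssl_certificate.cer ssl_certificate_INTERMEDIATE.cer`; a `MISSING at depth 1` line is the same condition OpenSSL reports as error 2 at depth 1.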

Post by fosiul@gmail.com »

pup_seba wrote:
Try to talk with your provider to make sure you have all the files you need.

Thanks, let me speak with them and see if they provide me the root certificate.

I will come back soon.

Post by fosiul@gmail.com »

fosiul@gmail.com wrote:
pup_seba wrote:
Try to talk with your provider to make sure you have all the files you need.
Thanks, let me speak with them and see if they provide me the root certificate.

I will come back soon.

Spoke with the vendor; they said they don't provide the root certificate and that's only valid for a web server.

So I guess I will have to buy a new SSL certificate.

..