error 2 at 1 depth lookup:unable to get issuer certificate
-
- Posts: 21
- Joined: Sun Sep 02, 2018 5:03 pm
error 2 at 1 depth lookup:unable to get issuer certificate
Hello Every
I am really new to Zimbra, my Zimbra server is up and running, only problem is, I cant make SSL certificate work
I got this certificate from 1and1, it works perfectly with Apache,Cpanel etc, but when i am trying to install validate it, its fails.
from 1and1, I have 3 files
_private_key.key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
_ssl_certificate.cer
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
ssl_certificate_INTERMEDIATE.cer
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
I belived i followed 2 link , but no luck.
viewtopic.php?t=62980
https://knowledge.digicert.com/solution/SO12792.html
zimbra@mail:~/ssl/zimbra/commercial$ /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial_ca.crt
** Verifying 'commercial_ca.crt' against 'commercial.key'
Certificate 'commercial_ca.crt' and private key 'commercial.key' match.
** Verifying 'commercial_ca.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
ERROR: Unable to validate certificate chain: commercial_ca.crt: C = US, O = DigiCert Inc, OU = http://www.digicert.com, CN = GeoTrust TLS RSA CA G1
error 2 at 1 depth lookup:unable to get issuer certificate
I would be very great full if any one give me some lights so that i can complete this configuration
I am really new to Zimbra, my Zimbra server is up and running, only problem is, I cant make SSL certificate work
I got this certificate from 1and1, it works perfectly with Apache,Cpanel etc, but when i am trying to install validate it, its fails.
from 1and1, I have 3 files
_private_key.key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
_ssl_certificate.cer
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
ssl_certificate_INTERMEDIATE.cer
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
I belived i followed 2 link , but no luck.
viewtopic.php?t=62980
https://knowledge.digicert.com/solution/SO12792.html
zimbra@mail:~/ssl/zimbra/commercial$ /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial_ca.crt
** Verifying 'commercial_ca.crt' against 'commercial.key'
Certificate 'commercial_ca.crt' and private key 'commercial.key' match.
** Verifying 'commercial_ca.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
ERROR: Unable to validate certificate chain: commercial_ca.crt: C = US, O = DigiCert Inc, OU = http://www.digicert.com, CN = GeoTrust TLS RSA CA G1
error 2 at 1 depth lookup:unable to get issuer certificate
I would be very great full if any one give me some lights so that i can complete this configuration
- L. Mark Stone
- Ambassador
- Posts: 2796
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.6 Network Edition
- Contact:
Re: error 2 at 1 depth lookup:unable to get issuer certificate
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
- pup_seba
- Outstanding Member
- Posts: 687
- Joined: Sat Sep 13, 2014 2:43 am
- Location: Tarragona - Spain
- Contact:
Re: error 2 at 1 depth lookup:unable to get issuer certificate
Hi,
The link Mark gave you has all the answers
If it helps, make sure that the "intermediate" certificate your provider gave you, includes the "root" certificate too. Some providers like to give you only "part" or the certification path needed. Also remember to include the certificate itself on your verification.
/opt/zimbra/bin/zmcertmgr verifycrt comm /full_path_to_your_file/_private_key.key /full_path_to_your_file/_ssl_certificate.cer /full_path_to_your_file/ssl_certificate_INTERMEDIATE.cer
But remember, that ssl_certificate_INTERMEDIATE.cer should be (either because they provided with the full certification path or because you did it) the concatenation of the provider root and intermediates certificates.
These are only things to consider. Please make sure you follow the link Mark gave to you. It works perfectly.
gl
The link Mark gave you has all the answers
If it helps, make sure that the "intermediate" certificate your provider gave you, includes the "root" certificate too. Some providers like to give you only "part" or the certification path needed. Also remember to include the certificate itself on your verification.
/opt/zimbra/bin/zmcertmgr verifycrt comm /full_path_to_your_file/_private_key.key /full_path_to_your_file/_ssl_certificate.cer /full_path_to_your_file/ssl_certificate_INTERMEDIATE.cer
But remember, that ssl_certificate_INTERMEDIATE.cer should be (either because they provided with the full certification path or because you did it) the concatenation of the provider root and intermediates certificates.
These are only things to consider. Please make sure you follow the link Mark gave to you. It works perfectly.
gl
-
- Posts: 21
- Joined: Sun Sep 02, 2018 5:03 pm
Re: error 2 at 1 depth lookup:unable to get issuer certificate
Thanks for the link, I followed that already but the section "Single-Node Wildcard Commercial Certificate"
bellow the full command :-
Code: Select all
imbra@mail:~/ssl/zimbra/commercial$ cp _.yuma-technology.co.uk_private_key.key commercial.key
zimbra@mail:~/ssl/zimbra/commercial$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key yuma-technology.co.uk_ssl_certificate.cer _.yuma-technology.co.uk_ssl_certificate_INTERMEDIATE.cer
zimbra@mail:~/ssl/zimbra/commercial$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key yuma-technology.co.uk_ssl_certificate.cer _.yuma-technology.co.uk_ssl_certificate_INTERMEDIATE.cer
** Verifying 'yuma-technology.co.uk_ssl_certificate.cer' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'yuma-technology.co.uk_ssl_certificate.cer' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'yuma-technology.co.uk_ssl_certificate.cer' against '_.yuma-technology.co.uk_ssl_certificate_INTERMEDIATE.cer'
ERROR: Unable to validate certificate chain: yuma-technology.co.uk_ssl_certificate.cer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust TLS RSA CA G1
error 2 at 1 depth lookup:unable to get issuer certificate
-
- Posts: 21
- Joined: Sun Sep 02, 2018 5:03 pm
Re: error 2 at 1 depth lookup:unable to get issuer certificate
Hi Thankspup_seba wrote:Hi,
The link Mark gave you has all the answers
If it helps, make sure that the "intermediate" certificate your provider gave you, includes the "root" certificate too. Some providers like to give you only "part" or the certification path needed. Also remember to include the certificate itself on your verification.
/opt/zimbra/bin/zmcertmgr verifycrt comm /full_path_to_your_file/_private_key.key /full_path_to_your_file/_ssl_certificate.cer /full_path_to_your_file/ssl_certificate_INTERMEDIATE.cer
But remember, that ssl_certificate_INTERMEDIATE.cer should be (either because they provided with the full certification path or because you did it) the concatenation of the provider root and intermediates certificates.
These are only things to consider. Please make sure you follow the link Mark gave to you. It works perfectly.
gl
What ever I am doing i get bellow
Code: Select all
zimbra@mail:~/ssl/zimbra/commercial$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/_.xxxx.co.uk_private_key.key /opt/zimbra/ssl/zimbra/commercial/xxxxx.co.uk_ssl_certificate.cer /opt/zimbra/ssl/zimbra/commercial/_.xxxx.co.uk_ssl_certificate_INTERMEDIATE.cer
** Verifying '/opt/zimbra/ssl/zimbra/commercial/xxxxxx_ssl_certificate.cer' against '/opt/zimbra/ssl/zimbra/commercial/_.xxxxxx.co.uk_private_key.key'
Certificate '/opt/zimbra/ssl/zimbra/commercial/xxxxx_ssl_certificate.cer' and private key '/opt/zimbra/ssl/zimbra/commercial/_xxxxx_private_key.key' match.
** Verifying '/opt/zimbra/ssl/zimbra/commercial/xxxxx_ssl_certificate.cer' against '/opt/zimbra/ssl/zimbra/commercial/xxxxx_ssl_certificate_INTERMEDIATE.cer'
ERROR: Unable to validate certificate chain: /opt/zimbra/ssl/zimbra/commercial/xxxxxxxx_ssl_certificate.cer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust TLS RSA CA G1
error 2 at 1 depth lookup:unable to get issuer certificate
Last edited by fosiul@gmail.com on Thu Sep 06, 2018 10:21 am, edited 1 time in total.
- pup_seba
- Outstanding Member
- Posts: 687
- Joined: Sat Sep 13, 2014 2:43 am
- Location: Tarragona - Spain
- Contact:
Re: error 2 at 1 depth lookup:unable to get issuer certificate
It just seems that either you are missing a root or intermediate certificate in your '_ca.cer' file.
'make sure that the "intermediate" certificate your provider gave you, includes the "root" certificate too. Some providers like to give you only "part" or the certification path needed'
'that ssl_certificate_INTERMEDIATE.cer should be (either because they provided with the full certification path or because you did it) the concatenation of the provider root and intermediates certificates.'
'make sure that the "intermediate" certificate your provider gave you, includes the "root" certificate too. Some providers like to give you only "part" or the certification path needed'
'that ssl_certificate_INTERMEDIATE.cer should be (either because they provided with the full certification path or because you did it) the concatenation of the provider root and intermediates certificates.'
-
- Posts: 21
- Joined: Sun Sep 02, 2018 5:03 pm
Re: error 2 at 1 depth lookup:unable to get issuer certificate
Hello ,pup_seba wrote:It just seems that either you are missing a root or intermediate certificate in your '_ca.cer' file.
'make sure that the "intermediate" certificate your provider gave you, includes the "root" certificate too. Some providers like to give you only "part" or the certification path needed'
'that ssl_certificate_INTERMEDIATE.cer should be (either because they provided with the full certification path or because you did it) the concatenation of the provider root and intermediates certificates.'
Thanks for the information.
those 3 files came from the provider (1and1), when we configure our Apache or even postfix , Cpanel for SSL certificate I just need to provide those 3 files and it works every where.
so what is the difference here ? Do i need to copy ca.cer and Intermediate.cer into one file ? (I also tryed that but did not work)
so i am totally confused,
Thanks
- pup_seba
- Outstanding Member
- Posts: 687
- Joined: Sat Sep 13, 2014 2:43 am
- Location: Tarragona - Spain
- Contact:
Re: error 2 at 1 depth lookup:unable to get issuer certificate
I can't tell you the difference as I don't know how you other applications work.
Zimbra has its own Wikis and those are the ones to follow.
What I can do is confirm that the procedures in the link Mike gave you, do work. And unless the error message is missleading, what's wrong in your case is that you are missing one or more intermediate certificates or (mosy likely) the root certificate as per the error 'unable to get issuer certificate'.
Answering your other question (which should be clear after reading the provided wiki), no, you don't have/need to concatenate your cert and the ca. What needs to be concatenated are all the intermediates and the root.
Try to talk with your provider to make sure you have all the files you need.
Zimbra has its own Wikis and those are the ones to follow.
What I can do is confirm that the procedures in the link Mike gave you, do work. And unless the error message is missleading, what's wrong in your case is that you are missing one or more intermediate certificates or (mosy likely) the root certificate as per the error 'unable to get issuer certificate'.
Answering your other question (which should be clear after reading the provided wiki), no, you don't have/need to concatenate your cert and the ca. What needs to be concatenated are all the intermediates and the root.
Try to talk with your provider to make sure you have all the files you need.
-
- Posts: 21
- Joined: Sun Sep 02, 2018 5:03 pm
Re: error 2 at 1 depth lookup:unable to get issuer certificate
Thanks, let me speak with them, see if they provide me root certificatepup_seba wrote:
Try to talk with your provider to make sure you have all the files you need.
I will come back soon.
-
- Posts: 21
- Joined: Sun Sep 02, 2018 5:03 pm
Re: error 2 at 1 depth lookup:unable to get issuer certificate
Spoke with Vendor, they said, They dont provide Root certificate and thats only valid for Web server .fosiul@gmail.com wrote:Thanks, let me speak with them, see if they provide me root certificatepup_seba wrote:
Try to talk with your provider to make sure you have all the files you need.
I will come back soon.
So i guess i will have to buy new SSL certificate .
..