Another Letsencrypt method

bagett88
Posts: 1
Joined: Wed Aug 25, 2021 8:55 am

Re: Another Letsencrypt method

Postby bagett88 » Wed Aug 25, 2021 8:58 am

zimbraxtc wrote:
zimbraxtc wrote:Hello and thanks for a great thread!

I'm running an old 8.6 and would like to install a Let's Encrypt cert...

So... I used getssl to generate those files:
-rw------- 1 root root 5768 apr 4 15:55 chain.crt
-rw------- 1 root root 6076 apr 4 16:21 fullchain.crt
-rw------- 1 root root 3448 apr 4 15:41 mymailserver.se.crt
-rw------- 1 root root 1614 apr 4 15:06 mymailserver.se.csr
-rw------- 1 root root 3243 apr 4 15:06 mymailserver.se.key

I also tried to append fullchain with files according to different posts but I didn't get it to work and just ran into:
fredde@xx:~/.getssl/mymailserver/archive/2021_04_04_15_06$ sudo /opt/zimbra/bin/zmcertmgr verifycrt comm mymailserver.se.key mymailserver.se.crt fullchain.crt
** Verifying mymailserver.se.crt against mymailserver.se.key
Certificate (mymailserver.se.crt) and private key (mymailserver.key) match.
XXXXX ERROR: Invalid Certificate: mymailserver.se.crt: C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Pretend Pear X1
error 2 at 2 depth lookup:unable to get issuer certificate

I have tried to append fullchain.crt with a lot of different certs but can't get it working...

I have looked into: https://letsencrypt.org/certificates/ but really can't see what I am doing wrong.

Any great ideas??

Thanks a lot!


Fixed it by rerunning getssl with a specified chain and appended correct cert x1. And got an OK


more details please...
have the same problem.


cmel
Posts: 1
Joined: Sat Aug 28, 2021 12:44 pm

Re: Another Letsencrypt method

Postby cmel » Sat Aug 28, 2021 12:56 pm

I've managed to update my certificate, and here are the steps I've done that might help you:

1. Ensure you updated the acme.sh
2. Use the ZeroSSL version by calling at least once the "acme.sh" with the flag

Code:

--preferred-chain "ISRG"

3. Go through the DNS validation and your certificate will be generated
4. The generated "fullchain.cer" will not validate with Zimbra. You need to create the "correct" one.
5. Go to https://whatsmychaincert.com/ and paste your domain.com.cer value on "Generate the Correct Chain" and check the option to include the root certificate (this is important)
6. Copy the correct chain and use it as "fullchain.cer" on your Zimbra server. This new and correct fullchain_correct.cer already has the root certificate!
7. Test that everything validates

Code:

sudo /opt/zimbra/bin/zmcertmgr verifycrt comm "mail.domain.com.key" "mail.domain.com" "fullchain_correct.cer"


Hope it helps.
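
A local check for what steps 4 to 7 above are getting at, as an added example that is not part of the original post: a shell function that walks a PEM bundle with openssl x509 and reports whether it links the server certificate up to a self-signed root or stops before it. The function names check_chain and name_of are assumptions of this example, and it compares issuer and subject names only, without verifying signatures.

```shell
#!/bin/sh
# Added example (not from the thread). Names only, no signature checks:
# still run zmcertmgr verifycrt afterwards, as in step 7.

# name_of FIELD FILE: print the subject or issuer DN of one PEM certificate.
name_of() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# check_chain LEAF BUNDLE
#   0 = bundle links leaf -> ... -> self-signed root
#   1 = a link is broken (wrong certificate or wrong order)
#   2 = links are fine but the bundle stops before the root
#   3 = no certificates found in BUNDLE
check_chain() {
    leaf=$1 bundle=$2
    dir=$(mktemp -d) || return 3
    # Split the bundle into cert-1.pem, cert-2.pem, ... and count them.
    count=$(awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/cert-" n ".pem") }
        END { print n + 0 }' "$bundle")
    if [ "$count" -eq 0 ]; then rm -rf "$dir"; return 3; fi

    rc=0
    want=$(name_of issuer "$leaf")      # DN the next certificate must carry
    i=1
    while [ "$i" -le "$count" ]; do
        cert="$dir/cert-$i.pem"
        if [ "$(name_of subject "$cert")" != "$want" ]; then
            echo "cert $i: subject is not \"$want\"" >&2
            rc=1; break
        fi
        want=$(name_of issuer "$cert")
        i=$((i + 1))
    done
    # After the loop, $want is the issuer of the last certificate; a root
    # is self-signed, so its issuer equals its own subject.
    if [ "$rc" -eq 0 ] && [ "$want" != "$(name_of subject "$dir/cert-$count.pem")" ]; then
        echo "bundle ends before the root; still missing: $want" >&2
        rc=2
    fi
    rm -rf "$dir"
    return "$rc"
}
```

With the file names used in the post, the call would be check_chain domain.com.cer fullchain_correct.cer; an exit status of 2 means the root still has to be appended.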
barrydegraaff
Zimbra Employee
Posts: 129
Joined: Tue Jun 17, 2014 3:31 am

Re: Another Letsencrypt method

Postby barrydegraaff » Thu Sep 23, 2021 8:40 am

--
Barry de Graaff
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/
Developer of Zimbra OpenPGP Zimlet, Zimbra ownCloud Zimlet and more.
A Zetalliance Founder http://www.zetalliance.org/
GlooM
Advanced member
Posts: 113
Joined: Sat Sep 13, 2014 12:50 am

Re: Another Letsencrypt method

Postby GlooM » Fri Sep 24, 2021 6:51 am

