unable to find local issuer with JDunphys method


Re: unable to find local issuer with JDunphys method

Post by JDunphy

I don't have anything older to test against with -show_chain, so let's assume that you are not running 8.8.15P22 and are most likely running 8.8.15P19, which was that version of openssl I believe. We had a lot of problems when we moved to P20, which introduced the newer openssl 1.1.1i version, so the pain is still with me. ;-)

Code:

# su - zimbra
% cd mail.example.com
% openssl verify -show_chain -purpose sslserver -CAfile ca.cer.real mail.example.com.cer
mail.example.com.cer: OK
Chain:
depth=0: CN = mail.example.com (untrusted)
depth=1: C = US, O = Let's Encrypt, CN = R3
depth=2: C = US, O = Internet Security Research Group, CN = ISRG Root X1

Since the above doesn't work with the older version, do this using the -d 2 option at the end. It will spit out the openssl commands which might help with some other debugging information.

Code:

# su - zimbra
% cd mail.example.com
% zmcertmgr verifycrt comm mail.example.com.key mail.example.com.cer ca.cer.real -d 2

Note it will run three openssl commands to verify your cert. First, did the private key sign the cert (runs 2 openssl commands and compares the hashes), and last, it will verify the chain from the root.

It does that verify of the chain with the openssl example shown above but without the -show_chain option I believe.

PS... if you are certain that you have a valid certificate that won't verify, you can always do this: viewtopic.php?f=15&t=69600#p301459

Jim
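
An added example (not part of the post above and not zmcertmgr's own code) of doing the described checks by hand: compare the public key in the key file with the one in the certificate, then verify the chain against the CA file. The function names and the demo PKI are constructed for illustration, and comparing SHA-256 hashes of the public keys is an assumption about how to do the match, not necessarily what zmcertmgr runs.

```shell
#!/bin/sh
# Added example: key/cert match check plus chain verify, done by hand.
# All certificates below are constructed, throwaway test material.

# Print the SHA-256 of the public key in a private key ("key") or a
# certificate ("cert"). Fails if the file cannot be parsed, so two
# unreadable inputs are never reported as a match.
pub_hash() {
    case $1 in
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 1 ;;
    esac
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_cert KEY CERT CAFILE
# returns 0 = good, 1 = key does not belong to cert, 2 = chain not verified
check_cert() {
    kh=$(pub_hash key "$1")  || { echo "cannot read key: $1"; return 1; }
    ch=$(pub_hash cert "$2") || { echo "cannot read cert: $2"; return 1; }
    [ "$kh" = "$ch" ] || { echo "key and cert do not match"; return 1; }
    # Same verify as in the post, without -show_chain. Decide on the
    # "OK" line so the openssl error text is still shown to the caller.
    out=$(openssl verify -purpose sslserver -CAfile "$3" "$2" 2>&1) || :
    echo "$out"
    case $out in *": OK"*) return 0 ;; *) return 2 ;; esac
}

# Build a constructed demo PKI in directory $1: a CA, a leaf signed by
# it, and an unrelated CA that did not issue the leaf.
make_demo_pki() {
    ( cd "$1" || exit 1
      for ca in ca other; do
          openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
              -subj "/CN=demo $ca" -keyout "$ca.key" -out "$ca.cer" \
              2>/dev/null || exit 1
      done
      openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.com" \
          -keyout leaf.key -out leaf.csr 2>/dev/null &&
      openssl x509 -req -in leaf.csr -CA ca.cer -CAkey ca.key \
          -CAcreateserial -days 1 -out leaf.cer 2>/dev/null )
}
```

Against real files the call is check_cert mail.example.com.key mail.example.com.cer ca.cer.real, run from the certificate directory. A return of 2 with the openssl text "unable to get local issuer certificate" means the CA file does not contain the certificate that issued the one being checked.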