unable to find local issuer with JDunphys method
Hi guys,
I've been trying to renew the SSL certs for my Zimbra server and seem to have run into a problem. Whenever I try to verifycrt my certs I get the error: 'error 20 at 0 depth lookup:unable to get local issuer certificate'. I have followed JDunphy's method here: https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt. I have made sure to append the intermediate certificate to the end of fullchain.cer (which I know is often the culprit for this kind of error).
I have a feeling that the issue is the commercial certificates. Could anyone explain how the commercial certificates work in the chain? I have four commercial certificates: commercial_ca.crt, commercial.crt, commercial.key and commercial.key.old in my commercial folder.
Any explanation would be helpful, having been banging my head against a wall trying to fix this.
Cheers
- JDunphy
- Outstanding Member
- Posts: 889
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: unable to find local issuer with JDunphys method
I would start with this post to see what chain you are using:
viewtopic.php?f=15&t=60781&start=110#p301489
One concern is that depending on when you started with acme.sh (there is no context to when you downloaded it and what version), it could have changed the default chain for new users... So my first question is: what chain are you using? I don't follow acme.sh development as much as I used to, but I remember hearing of a pending change coming, especially after ZeroSSL began supporting the project.
HTH
Jim
- JDunphy
- Outstanding Member
- Posts: 889
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: unable to find local issuer with JDunphys method
If it turns out to be the chain, you can do what I show in that post or add --preferred-chain to your issue command, which should make the wiki link valid again if they have changed the defaults for acme.sh.
Wiki needs an update as does the script to handle zeroSSL and the 2 letsencrypt chains.
Ref: https://github.com/acmesh-official/acme ... rred-Chain
Code:
--preferred-chain "x2"
Re: unable to find local issuer with JDunphys method
When I get certificates down locally with the acme.sh --issue command, does it replace the commercial certificates too?
Re: unable to find local issuer with JDunphys method
I am unable to use the -show_chain command with openssl; not sure whether the syntax has changed, but it gives me the help output.
You say that the --preferred-chain option needs to be changed to "x2"; does the corresponding wget need to reference x2 as well?
So:
wget -O IdentTrust.pem 'https://letsencrypt.org/certs/x2.pem.txt'
instead of
wget -O IdentTrust.pem 'https://letsencrypt.org/certs/isrgrootx1.pem.txt'
?
Re: unable to find local issuer with JDunphys method
As I mentioned previously, I can't seem to use the -show_chain command, but the error I'm getting gives me a little info.
ERROR: Unable to validate certificate chain: /opt/zimbra/.acme.sh/example.com/example.com.cer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
error 2 at 2 depth lookup:unable to get issuer certificate
Seems the chain is a USERTRUST chain?
I'm not sure if I'm talking about these things in the right way or with the right terms, sorry.
Thanks for all the advice so far
Re: unable to find local issuer with JDunphys method
I should also mention that this problem might have occurred because I tried to certbot renew (initially we were using certbot, now we've switched to acme) outside of Zimbra before I realised there was a special process for renewing for Zimbra. I wonder if that has confused which chain is supposed to be used?
Sorry for not editing a single reply, my posts have not been approved yet
- Elite member
- Posts: 1096
- Joined: Sat Sep 13, 2014 12:47 am
Re: unable to find local issuer with JDunphys method
mttc wrote: I am unable to use the -show_chain command with openssl, not sure whether the syntax has changed but it gives me the help output.
Did you mean -showcerts?
openssl s_client -showcerts -connect <mailserver.domain> .......
- JDunphy
- Outstanding Member
- Posts: 889
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: unable to find local issuer with JDunphys method
mttc wrote: I am unable to use the -show_chain command with openssl, not sure whether the syntax has changed but it gives me the help output.
You say that the --preferred-chain option needs to be changed to "x2", does the corresponding wget need to reference x2 as well?
This is truly odd, as we are using the openssl that came with Zimbra, which is why we switched to the zimbra user in the instructions provided in that link above, so I don't know why the syntax would have changed in your environment. It works perfectly in our Zimbra instances here. Note: I am using RHEL variants of Zimbra 8.8.15P22.
Code:
# su - zimbra
% openssl version
OpenSSL 1.1.1k FIPS 25 Mar 2021
Anyway moving on... you have identified that nothing seems to have changed with acme.sh so they apparently are still defaulting to the older/original IdenTrust chain. That they may have switched was speculation on my part.
I am thinking you haven't followed the instructions and perhaps the real problem is you are manually attempting to do the process and have messed up concatenating the intermediate cert, which is what the error message was saying. I just did this manually and the process still works. Here is the manual process after you have issued and received your certificate from acme.sh.
Code:
# su - zimbra
% cd .acme.sh
% ./acme.sh --issue --dns dns_cf -d mail.example.com -d mail.example.net -d mail.example.org
% cd mail.example.com
% cat ca.cer ../IdentTrust.pem > ca.cer.real
% zmcertmgr verifycrt comm example.com.key example.com.cer ca.cer.real
** Verifying 'example.com.cer' against 'example.com.key'
Certificate 'example.com.cer' and private key 'example.com.key' match.
** Verifying 'example.com.cer' against 'ca.cer.real'
% cat ../IdentTrust.pem
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
Code:
# append Intermediate
cat "$_cfullchain" "$(dirname "$_cca")/../IdentTrust.pem" > "${_cca}.real"
/opt/zimbra/bin/zmcertmgr verifycrt comm "$_ckey" "$_ccert" "${_cca}.real" || return 1
#if it verifies we can deploy it
logger -p local2.info NETWORK "Certificate has been Renewed for $_cdomain"
cp -f "$_ckey" /opt/zimbra/ssl/zimbra/commercial/commercial.key
/opt/zimbra/bin/zmcertmgr deploycrt comm "$_ccert" "${_cca}.real" || return 1
It doesn't matter which letsencrypt client. For acme.sh, we are doing it with this command to get our certificate. Again, this does not install anything; you would need to issue a second acme.sh command with the --deploy option to make that happen.
Code:
# su - zimbra
% cd .acme.sh
% acme.sh --issue --dns dns_cf -d mail.example.com -d mail.example.net -d mail.example.org
I hadn't realized you were using the certbot client so that would work also provided you pull the latest client I believe.
This is probably what you needed to do vs switching letsencrypt methods. viewtopic.php?f=15&t=69652&p=301599#p301599
Ref: https://community.letsencrypt.org/t/end ... mev1/88430
HTH,
Jim
Re: unable to find local issuer with JDunphys method
I have followed the manual method exactly and it still does not work. My version of openssl is 1.0.2, but for some reason apt-get thinks that the latest package is 1.0.2.
The show-certs method does not work because SSL does not work; I think you have to have currently deployed and working certs for that command to return anything. Is there any other way I can find out what chain I am using?
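An added example, not part of this thread or of JDunphy's script, covering two points raised above: Jim's manual verifycrt step (intermediate and root concatenated into one CA file, leaf verified against it) and mttc's last question (how to see which chain a certificate file carries when no TLS listener is up). It builds a constructed root, intermediate and leaf with the openssl CLI (1.0.2 or later assumed), reproduces "error 20 at 0 depth lookup: unable to get local issuer certificate" by verifying the leaf against the root alone, and then shows the verification passing once the intermediate is in the CA bundle. All subjects, file names and the working directory are constructed for the demo; zmcertmgr itself is not called.

```shell
#!/bin/sh
# Added example: reproduce "error 20 at 0 depth lookup" on a constructed
# root -> intermediate -> leaf chain, then show (a) how to list what a PEM
# bundle actually contains and (b) how verification behaves with and without
# the intermediate in the CA bundle (what zmcertmgr verifycrt does underneath).
# Everything here (names, subjects, paths) is constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the demo does not depend on a system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:mail.example.com
EOF
CNF="$WORK/demo.cnf"

# Self-signed root (plays the role of the root in IdentTrust.pem).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$CNF" -extensions ca_ext \
  -subj "/CN=Constructed Root" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Intermediate signed by the root (plays the role of ca.cer).
openssl req -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=Constructed Intermediate" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -days 2 -set_serial 1 -in "$WORK/int.csr" -CA "$WORK/root.pem" \
  -CAkey "$WORK/root.key" -extfile "$CNF" -extensions ca_ext -out "$WORK/int.pem" 2>/dev/null

# Leaf signed by the intermediate (plays the role of example.com.cer).
openssl req -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=mail.example.com" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 2 -set_serial 2 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" \
  -CAkey "$WORK/int.key" -extfile "$CNF" -extensions leaf_ext -out "$WORK/leaf.pem" 2>/dev/null

# fullchain as acme.sh writes it: leaf followed by intermediate.
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"
# ca.cer.real as the thread builds it: intermediate followed by the root.
cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/ca.cer.real"

# Print subject/issuer of every certificate in a PEM bundle, in file order.
# This answers "which chain am I using?" from the files alone, with no TLS listener.
list_chain() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Verify a leaf ($1) against a CA bundle ($2). Returns openssl verify's exit
# status; its stdout and stderr are both returned on stdout for inspection.
verify_leaf() {
  openssl verify -CAfile "$2" "$1" 2>&1
}

echo "== certificates in fullchain.pem"
list_chain "$WORK/fullchain.pem"

echo "== leaf against the root alone (intermediate missing): expect error 20 at depth 0"
verify_leaf "$WORK/leaf.pem" "$WORK/root.pem" || true

echo "== leaf against intermediate + root concatenated: expect OK"
verify_leaf "$WORK/leaf.pem" "$WORK/ca.cer.real"
```

Run against real files, point list_chain at the acme.sh fullchain.cer to see whose issuer the intermediate names (that is the chain in use), and point verify_leaf at the leaf and the ca.cer.real built by concatenation; if the root in IdentTrust.pem does not match that issuer, the concatenated bundle will still fail exactly as in the thread.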