unable to find local issuer with JDunphys method

mttc
Posts: 6
Joined: Tue Jun 15, 2021 3:13 am

unable to find local issuer with JDunphys method

Post by mttc »

Hi guys,

I've been trying to renew the SSL certs for my Zimbra server and seem to have run into a problem. Whenever I try to verifycrt my certs I get the error: 'error 20 at 0 depth lookup:unable to get local issuer certificate'. I have followed JDunphy's method here: https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt. I have made sure to append the intermediate certificate to the end of fullchain.cer (which I know is often the culprit for this kind of error).

I have a feeling that the issue is the commercial certificates. Could anyone explain how the commercial certificates work in the chain? I have four commercial certificates: commercial_ca.crt commercial.crt commercial.key and commercial.key.old in my commercial folder.

Any explanation would be helpful, as I have been banging my head against a wall trying to fix this.

Cheers
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: unable to find local issuer with JDunphys method

Post by JDunphy »

I would start with this post to see what chain you are using:

viewtopic.php?f=15&t=60781&start=110#p301489

One concern is that depending on when you started with acme.sh (there is no context to when you downloaded it and what version), it could have changed the default chain for new users... So my first question is: what chain are you using? I don't follow acme.sh development as much as I used to, but I remember hearing of a pending change coming, especially after ZeroSSL began supporting the project.

HTH

Jim
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: unable to find local issuer with JDunphys method

Post by JDunphy »

If it turns out to be the chain, you can do what I show in that post or add --preferred-chain to your issue command, which should make the wiki link valid again if they have changed the defaults for acme.sh.

The wiki needs an update, as does the script, to handle ZeroSSL and the two Let's Encrypt chains.

Code:

--preferred-chain  "x2"
Ref: https://github.com/acmesh-official/acme ... rred-Chain
mttc
Posts: 6
Joined: Tue Jun 15, 2021 3:13 am

Re: unable to find local issuer with JDunphys method

Post by mttc »

When I get certificates down locally with the acme.sh --issue command, does it replace the commercial certificates too?
mttc
Posts: 6
Joined: Tue Jun 15, 2021 3:13 am

Re: unable to find local issuer with JDunphys method

Post by mttc »

I am unable to use the -show_chain command with openssl, not sure whether the syntax has changed but it gives me the help output.

You say that the --preferred-chain option needs to be changed to "x2"; does the corresponding wget need to reference x2 as well?

So:

wget -O IdentTrust.pem 'https://letsencrypt.org/certs/x2.pem.txt'

instead of

wget -O IdentTrust.pem 'https://letsencrypt.org/certs/isrgrootx1.pem.txt'

?
mttc
Posts: 6
Joined: Tue Jun 15, 2021 3:13 am

Re: unable to find local issuer with JDunphys method

Post by mttc »

As I mentioned previously, I can't seem to use the -show_chain command, but the error I'm getting gives me a little info.

ERROR: Unable to validate certificate chain: /opt/zimbra/.acme.sh/example.com/example.com.cer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
error 2 at 2 depth lookup:unable to get issuer certificate

Seems the chain is a USERTRUST chain?

I'm not sure if I'm talking about these things in the right way or with the right terms, sorry.

Thanks for all the advice so far
mttc
Posts: 6
Joined: Tue Jun 15, 2021 3:13 am

Re: unable to find local issuer with JDunphys method

Post by mttc »

I should also mention that this problem might have occurred because I tried to certbot renew (initially we were using certbot, now we've switched to acme) outside of Zimbra before I realised there was a special process for renewing for Zimbra. I wonder if that has confused which chain is supposed to be used?

Sorry for not editing a single reply; my posts have not been approved yet.
liverpoolfcfan
Elite member
Posts: 1096
Joined: Sat Sep 13, 2014 12:47 am

Re: unable to find local issuer with JDunphys method

Post by liverpoolfcfan »

mttc wrote: I am unable to use the -show_chain command with openssl, not sure whether the syntax has changed but it gives me the help output.

Did you mean -showcerts?

openssl s_client -showcerts -connect <mailserver.domain> .......
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: unable to find local issuer with JDunphys method

Post by JDunphy »

mttc wrote: I am unable to use the -show_chain command with openssl, not sure whether the syntax has changed but it gives me the help output.

You say that the --preferred-chain option needs to be changed to "x2", does the corresponding wget need to reference x2 as well?

This is truly odd, as we are using the openssl that came with Zimbra, which is why we switched to the zimbra user in the instructions provided in that link above, so I don't know why the syntax would have changed in your environment. It works perfectly in our Zimbra instances here. Note: I am using RHEL variants of Zimbra 8.8.15P22.

Code:

# su - zimbra
% openssl version
OpenSSL 1.1.1k FIPS 25 Mar 2021
Yes, if you switched chains then you would match that with the appropriate cert so that you could verify the complete chain with zmcertmgr.

Anyway moving on... you have identified that nothing seems to have changed with acme.sh so they apparently are still defaulting to the older/original IdenTrust chain. That they may have switched was speculation on my part.

I am thinking you haven't followed the instructions, and perhaps the real problem is that you are manually attempting to do the process and have messed up concatenating the intermediate cert, which is what the error message was saying. I just did this manually and the process still works. Here is the manual process after you have issued and received your certificate from acme.sh:

Code:

# su - zimbra
% cd .acme.sh 
% ./acme.sh --issue --dns dns_cf -d mail.example.com -d mail.example.net -d mail.example.org 
% cd mail.example.com
% cat ca.cer ../IdentTrust.pm > ca.cer.real
% zmcertmgr verifycrt comm example.com.key example.com.cer ca.cer.real
** Verifying 'example.com.cer' against 'example.com.key'
Certificate 'example.com.cer' and private key 'example.com.key' match.
** Verifying 'example.com.cer' against 'ca.cer.real'
% cat ../IdentTrust.pm
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
If you punt and move to the automatic method and use the zimbra.sh script, then all you need to be responsible for is getting a Let's Encrypt certificate and making sure the cert has all the domains you require. The verification and deployment is handled by the deploy script zimbra.sh and is only called when you invoke acme.sh with the -deploy -deploy-hook in the second step. You can also modify that script so that it doesn't deploy the certificate and just verifies with Zimbra. To do that... find this in zimbra.sh:

Code:

  # append Intermediate 
  cat "$_cfullchain" "$(dirname "$_cca")/../IdentTrust.pem" > "${_cca}.real"
  /opt/zimbra/bin/zmcertmgr verifycrt comm "$_ckey" "$_ccert" "${_cca}.real" || return 1

  #if it verifies we can deploy it
  logger -p local2.info NETWORK "Certificate has been Renewed for $_cdomain"
  cp -f "$_ckey" /opt/zimbra/ssl/zimbra/commercial/commercial.key
  /opt/zimbra/bin/zmcertmgr deploycrt comm "$_ccert" "${_cca}.real" || return 1
  
And do something like this. Add the return 1:

Code:

  # append Intermediate 
  cat "$_cfullchain" "$(dirname "$_cca")/../IdentTrust.pem" > "${_cca}.real"
  /opt/zimbra/bin/zmcertmgr verifycrt comm "$_ckey" "$_ccert" "${_cca}.real" || return 1
  
  return 1

  #if it verifies we can deploy it
  logger -p local2.info NETWORK "Certificate has been Renewed for $_cdomain"
  cp -f "$_ckey" /opt/zimbra/ssl/zimbra/commercial/commercial.key
  /opt/zimbra/bin/zmcertmgr deploycrt comm "$_ccert" "${_cca}.real" || return 1
  
Finally, all the Let's Encrypt clients do the same thing... they might name their resulting certs differently, but ultimately they all use the zmcertmgr script to verify the certificate and then call zmcertmgr again to install the certificate.

It doesn't matter which Let's Encrypt client. For acme.sh, we are doing it with this command to get our certificate. Again, this does not install anything. You would need to issue a second acme.sh command with the --deploy option to make that happen.

Code:

# su - zimbra
% cd .acme.sh
% acme.sh --issue --dns dns_cf -d mail.example.com -d mail.example.net -d mail.example.org 
The above creates a directory mail.example.com that has your certs. It does nothing else. If you want to deploy this issued certificate, copy the correct signing cert to your chain and issue the zmcertmgr commands. If you are using zimbra.sh, then it does all this for you.

I hadn't realized you were using the certbot client, so that would work also, provided you pull the latest client, I believe.

This is probably what you needed to do vs switching letsencrypt methods. viewtopic.php?f=15&t=69652&p=301599#p301599

Ref: https://community.letsencrypt.org/t/end ... mev1/88430

HTH,

Jim
mttc
Posts: 6
Joined: Tue Jun 15, 2021 3:13 am

Re: unable to find local issuer with JDunphys method

Post by mttc »

I have followed the manual method exactly and it still does not work. My version of openssl is 1.0.2, but for some reason apt-get thinks that the latest package is 1.0.2.

The show-certs method does not work because SSL does not work; I think you have to have currently deployed and working certs for that command to return anything. Is there any other way I can find out what chain I am using?
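The thread's two open questions, "why does verifycrt say it cannot find the issuer" and "how do I tell which chain I hold without a working listener", can both be answered offline with the OpenSSL CLI alone. The script below is an added example written for this thread; it is not code from the Zimbra wiki, from acme.sh or from any poster. It assumes only that an `openssl` binary (1.1.1 or newer) is on the PATH. Everything else is constructed: it generates a throwaway root, intermediate and server certificate under made-up names (Demo Root, Demo Intermediate, mail.example.com) so that the same `openssl verify` check zmcertmgr runs can be seen failing against an incomplete chain, failing against the wrong root, and passing once the correct root is appended, which is exactly the `cat ca.cer IdentTrust.pem > ca.cer.real` step from the manual process above. The `issuer_of`/`subject_of` helpers show how to identify the chain from the files themselves, with no need for `s_client -showcerts`.

```shell
#!/bin/sh
# Added, constructed example: reproduce "unable to get issuer certificate"
# with a toy CA hierarchy, then show the chain-file fix. Not Zimbra/acme.sh code.
set -e
WORK=$(mktemp -d)
cd "$WORK"
Q="-nodes -newkey rsa:2048"   # throwaway keys, no passphrase

# 1. Self-signed root (plays the part of the Let's Encrypt root you wget).
openssl req $Q -keyout root.key -out root.csr -subj "/CN=Demo Root" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 -extfile ca.ext 2>/dev/null

# 2. Intermediate signed by the root (plays the part of ca.cer from acme.sh).
openssl req $Q -keyout inter.key -out inter.csr -subj "/CN=Demo Intermediate" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 30 -extfile ca.ext 2>/dev/null

# 3. Server cert signed by the intermediate (plays the part of example.com.cer).
openssl req $Q -keyout leaf.key -out leaf.csr -subj "/CN=mail.example.com" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.com\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out leaf.pem -days 30 -extfile leaf.ext 2>/dev/null

# verify_leaf LEAF CAFILE: the chain check zmcertmgr verifycrt performs,
# done directly with openssl. Prints "ok" or "fail".
verify_leaf() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# verify_error LEAF CAFILE: the "error N at D depth lookup" line openssl
# prints on failure, for comparison with the messages quoted in the thread.
verify_error() {
  openssl verify -CAfile "$2" "$1" 2>&1 | grep 'depth lookup' | head -n 1
}

# key_matches CERT KEY: the other half of verifycrt, "cert and key match".
# Compares the public key embedded in the cert with the one derived from the key.
key_matches() {
  if [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]; then
    echo match
  else
    echo mismatch
  fi
}

# issuer_of / subject_of: read the DNs from the files. The issuer of your .cer
# must equal the subject of the first cert in the chain file, and the issuer of
# that cert must equal the subject of the root you appended. This identifies
# which chain you hold without needing a working TLS listener.
issuer_of()  { openssl x509 -in "$1" -noout -issuer; }
subject_of() { openssl x509 -in "$1" -noout -subject; }

# Intermediate alone: its own issuer (the root) is missing, so lookup fails.
printf 'intermediate only  : %s  [%s]\n' "$(verify_leaf leaf.pem inter.pem)" "$(verify_error leaf.pem inter.pem)"

# The fix from the thread: append the trusted root after the intermediate.
cat inter.pem root.pem > ca.cer.real
printf 'intermediate + root: %s\n' "$(verify_leaf leaf.pem ca.cer.real)"

# Wrong root appended (what a mismatched --preferred-chain / wget pair looks like).
openssl req $Q -keyout other.key -out other.csr -subj "/CN=Unrelated Root" 2>/dev/null
openssl x509 -req -in other.csr -signkey other.key -out other.pem -days 30 -extfile ca.ext 2>/dev/null
cat inter.pem other.pem > wrong.real
printf 'intermediate + wrong root: %s\n' "$(verify_leaf leaf.pem wrong.real)"

printf 'leaf issuer        : %s\n' "$(issuer_of leaf.pem)"
printf 'intermediate subject: %s\n' "$(subject_of inter.pem)"
printf 'cert/key           : %s\n' "$(key_matches leaf.pem leaf.key)"
```

To apply this to a real Zimbra host, run the `issuer_of` check against `example.com.cer` and the `subject_of` check against each certificate in `ca.cer` and the root file you downloaded; a USERTRUST issuer on the leaf, as in the error quoted earlier in the thread, means the .cer itself was not issued by the chain being verified against, and no amount of appending a Let's Encrypt root will make it verify.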