I found this strange because I have a Let's Encrypt certificate. I am using https://github.com/YetOpen/certbot-zimbra and I have a cronjob that tries to do the renewal every night. I monitor the emails that it generates and I didn't find any recent renewals or errors. I used these instructions to install everything -> https://lorenzo.mile.si/letsencrypt-zim ... y-way/242/
When I looked at the certificate, it had indeed expired.
Here is how I fixed it.
The first thing that I tried was to restart the Zimbra server. But this made things worse because zimbra would no longer start. The cached cert was no longer cached and I got this error.
Unable to start TLS: SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed when connecting to ldap master.
$ sudo /usr/local/src/certbot-zimbra/certbot_zimbra.sh -d
certbot-zimbra v0.7.11 - https://github.com/YetOpen/certbot-zimbra
Checking for dependencies...
Detected Zimbra 8.8.15 on UBUNTU16_64
Using zmhostname to detect domain.
Using domain mail.MYDOMAIN.COM (as certificate DN)
Preparing certificates for deployment.
Testing with zmcertmgr.
** Verifying '/run/certbot-zimbra/certs-kodpuAxi/cert.pem' against '/run/certbot-zimbra/certs-kodpuAxi/privkey.pem'
Certificate '/run/certbot-zimbra/certs-kodpuAxi/cert.pem' and private key '/run/certbot-zimbra/certs-kodpuAxi/privkey.pem' match.
** Verifying '/run/certbot-zimbra/certs-kodpuAxi/cert.pem' against '/run/certbot-zimbra/certs-kodpuAxi/zimbra_chain.pem'
ERROR: Unable to validate certificate chain: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
error /run/certbot-zimbra/certs-kodpuAxi/cert.pem: verification failed
An error seems to have occurred. Please read the output above for clues and try to rectify the situation.
If you believe this is an error with the script, please file an issue at https://github.com/YetOpen/certbot-zimbra.
I upgraded using this method.
$ cd /usr/local/src
$ sudo mv certbot-zimbra certbot-zimbra.0.7.11
$ sudo git clone https://github.com/YetOpen/certbot-zimbra.git
$ sudo su - zimbra
zimbra@mail:~$ zmlocalconfig -e ldap_starttls_required=false
zimbra@mail:~$ zmlocalconfig -e ldap_starttls_supported=0
zimbra@mail:~$ zmcontrol start
$ exit
$ sudo /usr/local/src/certbot-zimbra/certbot_zimbra.sh -n -c -L "--force-renewal"
You need to re-enable the security that we disabled to start the zimbra server earlier and restart zimbra again.
$ sudo su - zimbra
zimbra@mail:~$ zmlocalconfig -e ldap_starttls_required=true
zimbra@mail:~$ zmlocalconfig -e ldap_starttls_supported=1
zimbra@mail:~$ zmcontrol restart
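As an added example (not from the original post and not part of certbot-zimbra), here is a check that can run from the same nightly cron job so that an approaching expiry, or a chain that no longer verifies the way zmcertmgr reported above, produces an alert instead of silence. The /opt/zimbra/ssl/zimbra/commercial paths are assumptions about where the deployed files live; point the functions at whatever files your installation uses.

```shell
#!/bin/sh
# Added example, not part of the original post or of certbot-zimbra.
# Requires the openssl command line tool. The default paths below are
# assumptions about a standard Zimbra deployment; override them as needed.

# Succeeds (exit 0) if the certificate in $1 stays valid for at least $2 more days.
cert_valid_for_days() {
    cert="$1"; days="${2:-14}"
    # -checkend takes seconds and exits 1 when the certificate expires within that window
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Succeeds if the leaf certificate $1 verifies against the CA bundle $2.
# This is the same kind of check zmcertmgr performed above; it fails with
# "unable to get issuer certificate" when the bundle is missing a link.
chain_verifies() {
    cert="$1"; chain="$2"
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1
}

# Prints the notAfter date so the cron email says something useful.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Runs both checks and returns non-zero if either fails, so cron mails the output.
check_zimbra_cert() {
    cert="${1:-/opt/zimbra/ssl/zimbra/commercial/commercial.crt}"      # assumed path
    chain="${2:-/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt}"  # assumed path
    min_days="${3:-14}"
    rc=0
    if ! cert_valid_for_days "$cert" "$min_days"; then
        echo "ALERT: $cert expires within $min_days days (notAfter: $(cert_not_after "$cert"))" >&2
        rc=1
    fi
    if ! chain_verifies "$cert" "$chain"; then
        echo "ALERT: $cert does not verify against chain $chain" >&2
        rc=1
    fi
    return $rc
}

# When running this file directly from cron rather than sourcing it, uncomment:
# check_zimbra_cert "$@"
```

A non-zero exit from check_zimbra_cert is enough for cron to send the ALERT lines by mail, which is the signal that was missing when the renewal quietly stopped working.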