[Solved] ERROR: Unable to validate certificate chain: C = US, O = Internet Security Research Group, CN = ISRG Root X1

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
davidkillingsworth
Outstanding Member
Posts: 251
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24

[Solved] ERROR: Unable to validate certificate chain: C = US, O = Internet Security Research Group, CN = ISRG Root X1

Post by davidkillingsworth »

This morning I woke up to my mail client reporting that the certificate on my Zimbra server was expired and couldn't be verified. I don't remember the exact message, but it was showing that the certificate had expired yesterday.

I found this strange because I have a Let's Encrypt certificate. I am using https://github.com/YetOpen/certbot-zimbra and I have a cronjob that tries to do the renewal every night. I monitor the emails that are generated and I didn't find any recent renewals or errors. I used these instructions to install everything -> https://lorenzo.mile.si/letsencrypt-zim ... y-way/242/

When I looked at the certificate, it had indeed expired.

Here is how I fixed it.

The first thing that I tried was to restart the Zimbra server. But this made things worse because zimbra would no longer start. The cached cert was no longer cached and I got this error.

Unable to start TLS: SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed when connecting to ldap master.

I tried to manually run the certbot renewal with this command (note: run this as your normal user, not the zimbra user):

$ sudo /usr/local/src/certbot-zimbra/certbot_zimbra.sh -d

I found that I received this error:

certbot-zimbra v0.7.11 - https://github.com/YetOpen/certbot-zimbra
Checking for dependencies...
Detected Zimbra 8.8.15 on UBUNTU16_64
Using zmhostname to detect domain.
Using domain mail.MYDOMAIN.COM (as certificate DN)
Preparing certificates for deployment.
Testing with zmcertmgr.
** Verifying '/run/certbot-zimbra/certs-kodpuAxi/cert.pem' against '/run/certbot-zimbra/certs-kodpuAxi/privkey.pem'
Certificate '/run/certbot-zimbra/certs-kodpuAxi/cert.pem' and private key '/run/certbot-zimbra/certs-kodpuAxi/privkey.pem' match.
** Verifying '/run/certbot-zimbra/certs-kodpuAxi/cert.pem' against '/run/certbot-zimbra/certs-kodpuAxi/zimbra_chain.pem'
ERROR: Unable to validate certificate chain: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
error /run/certbot-zimbra/certs-kodpuAxi/cert.pem: verification failed

An error seems to have occurred. Please read the output above for clues and try to rectify the situation.
If you believe this is an error with the script, please file an issue at https://github.com/YetOpen/certbot-zimbra.

After looking around on the https://github.com/YetOpen/certbot-zimbra site, I found that there is a new version v0.7.12 and I had v0.7.11 installed.

I upgraded using this method.

$ cd /usr/local/src
$ sudo mv certbot-zimbra certbot-zimbra.0.7.11
$ sudo git clone https://github.com/YetOpen/certbot-zimbra.git

I had to restart Zimbra so that certbot-zimbra.sh would run, so we need to disable the following to allow zimbra to start even without a valid certificate.

$ sudo su - zimbra
zimbra@mail:~$ zmlocalconfig -e ldap_starttls_required=false
zimbra@mail:~$ zmlocalconfig -e ldap_starttls_supported=0
zimbra@mail:~$ zmcontrol start

I then ran the following to force a renewal of the certificate. Note: this is run as root, not the zimbra user, so run exit first to get back to your own account.

$ exit
$ sudo /usr/local/src/certbot-zimbra/certbot_zimbra.sh -n -c -L "--force-renewal"

The cert renewal ran successfully this time without any errors and restarted zimbra.

You need to re-enable the security that we disabled to start the zimbra server earlier and restart zimbra again.

$ sudo su - zimbra
zimbra@mail:~$ zmlocalconfig -e ldap_starttls_required=true
zimbra@mail:~$ zmlocalconfig -e ldap_starttls_supported=1
zimbra@mail:~$ zmcontrol restart

The server is now started back up and the certificate expires in 3 months.

GlooM
Advanced member
Posts: 127
Joined: Sat Sep 13, 2014 12:50 am

Re: [Solved] ERROR: Unable to validate certificate chain: C = US, O = Internet Security Research Group, CN = ISRG Root X

Post by GlooM »

Greetings!

$ sudo /usr/local/src/certbot-zimbra/certbot_zimbra.sh -n -c -L "--force-renewal"

Will this method work after the DST Root CA X3 certificate expires on 30.09.2021?