CN = DST Root CA X3 error 10 at 3 depth lookup:certificate has expired

barrydegraaff
Zimbra Employee
Posts: 242
Joined: Tue Jun 17, 2014 3:31 am

Re: CN = DST Root CA X3 error 10 at 3 depth lookup:certificate has expired

Post by barrydegraaff »

--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/
mumon66
Posts: 1
Joined: Wed Dec 01, 2021 10:50 pm

Re: CN = DST Root CA X3 error 10 at 3 depth lookup:certificate has expired

Post by mumon66 »

Just to share another experience on 8.7.11: I installed the acme.sh client with ZeroSSL but couldn't provision the obtained certificate, as verification by zmcertmgr always failed:

ERROR: Unable to validate certificate chain: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority

So I couldn't deploy the new cert. As pointed out in an old forum thread, this message probably comes from openssl:

openssl verify -untrusted server/fullchain.cer server/server.cer
server/server.cer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
error 20 at 2 depth lookup:unable to get local issuer certificate

but if I run the same command as root, it succeeds:

# openssl verify -untrusted server/fullchain.cer server/server.cer
server/server.cer: OK

However, since zmcertmgr only runs as "zimbra", more was needed to fix it.
I discovered that the openssl run as the zimbra user is not the system one (/opt/zimbra/common/bin/openssl vs. /usr/bin/openssl); it also looks for root CAs in /opt/zimbra/common/etc/ssl/certs, which is empty.
So I put a symlink to the system root CA folder:

ln -s /etc/ssl/certs /opt/zimbra/common/etc/ssl/certs

Another option was to copy only the relevant certs into it, but I don't see why not have all of them.
After that, "zmcertmgr verifycrt" started to work, so I could deploy the new certificate:

$ /opt/zimbra/bin/zmcertmgr verifycrt comm server/server.key server/fullchain.cer
** Verifying 'server/fullchain.cer' against 'server/server.key'
Certificate 'server/fullchain.cer' and private key 'server/server.key' match.
** Verifying 'server/fullchain.cer' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
Valid certificate chain: server/fullchain.cer: OK

$ zmcertmgr deploycrt comm server/server.cer server/fullchain.cer
** Verifying 'server/server.cer' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'server/server.cer' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'server/server.cer' against 'server/fullchain.cer'
Valid certificate chain: server/server.cer: OK
[...]
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '3f98c615.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '1b19814d.0' -> 'commercial_ca_2.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_3.crt
** Creating CA hash symlink 'fc5a8f99.0' -> 'commercial_ca_3.crt'

And voilà, certificate installed!
davidkillingsworth
Outstanding Member
Posts: 251
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24

Re: CN = DST Root CA X3 error 10 at 3 depth lookup:certificate has expired

Post by davidkillingsworth »

I thought I had this issue fixed in November, but I got it again on February 1, 2022.

The crontab job emails that come through just show that the certificate is not yet expired.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mail.mydomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
 /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem expires on 2022-04-02 (skipped)
No renewals were attempted.
No hooks were run.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Saving debug log to /var/log/letsencrypt/letsencrypt.log

I ran this manual command to try to fix it (run as ROOT).

$ sudo su
$ /usr/local/src/certbot-zimbra/certbot_zimbra.sh -n -c -L "--force-renewal"
I get this error:

ERROR: Unable to validate certificate chain: O = Digital Signature Trust Co., CN = DST Root CA X3
error 10 at 3 depth lookup: certificate has expired
error /run/certbot-zimbra/certs-UXoBcwVr/cert.pem: verification failed

I am not able to fix the issue automatically with certbot-zimbra and the daily cronjob, but I was able to go through this GitHub issue and found the following commands to fix it manually. I am on Ubuntu 16.04.7 LTS, certbot 1.22, and certbot-zimbra v0.7.12.

https://github.com/YetOpen/certbot-zimbra/issues/140

Manual fix commands are all below.

FIX - First you need to get Zimbra up and running or certbot won't work anyway. I had rebooted the server, so Zimbra was down and would not start.

$ sudo su - zimbra
zimbra@mail:~$ zmlocalconfig -e ldap_starttls_required=false
zimbra@mail:~$ zmlocalconfig -e ldap_starttls_supported=0
zimbra@mail:~$ zmcontrol start
zimbra@mail:~$ exit

FIX - Then you need to renew the certificate by specifying the preferred chain. Run as ROOT user.

$ sudo su
$ certbot --force-renewal --preferred-chain "ISRG Root X1" renew

FIX - Then you run certbot-zimbra. Run as ROOT user.

$ /usr/local/src/certbot-zimbra/certbot_zimbra.sh -d
$ exit

FIX - You need to undo the ldap-starttls settings. Run as Zimbra user.

$ sudo su - zimbra
zimbra@mail:~$ zmlocalconfig -e ldap_starttls_required=true
zimbra@mail:~$ zmlocalconfig -e ldap_starttls_supported=1
zimbra@mail:~$ zmcontrol restart
zimbra@mail:~$ exit

I guess I will have to run this manually every 3 months unless anyone has any ideas why I am still having the problem.
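A pre-deploy check that ties the two findings in this thread together, as an added example (it is not code from either poster, nor from Zimbra, certbot or certbot-zimbra): split the chain bundle, report each certificate's subject, issuer and notAfter, fail if any certificate in the bundle has already expired (the condition behind the "error 10 at 3 depth ... certificate has expired" output above), and verify the leaf against the intermediates with an explicitly chosen openssl binary and trust directory, so the result does not silently depend on which openssl is first in PATH or on whether that binary's default CApath is populated. The paths /opt/zimbra/common/bin/openssl and /opt/zimbra/common/etc/ssl/certs are taken from mumon66's post; the OPENSSL environment variable, the subcommand names and the constructed two-block bundle in the self-test are this script's own conventions, not anything Zimbra or certbot provide.

```shell
#!/bin/sh
# check_chain.sh: inspect a PEM certificate bundle before handing it to zmcertmgr.
# Added example for this thread; not part of Zimbra, certbot or certbot-zimbra.
# Assumptions: the bundle is PEM (BEGIN/END CERTIFICATE markers, leaf first), and
# the openssl binary to test with is given in $OPENSSL (default: the one in PATH).

OPENSSL="${OPENSSL:-openssl}"

# Number of certificates in a PEM bundle.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the Nth certificate (1-based) of a bundle, BEGIN line through END line.
nth_cert() {
    awk -v n="$2" '
        /-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /-----END CERTIFICATE-----/ && i == n { exit }
    ' "$1"
}

# Subject, issuer and notAfter of every certificate, in bundle order.
describe_chain() {
    total=$(cert_count "$1")
    i=1
    while [ "$i" -le "$total" ]; do
        echo "--- certificate $i of $total in $1"
        nth_cert "$1" "$i" | "$OPENSSL" x509 -noout -subject -issuer -enddate
        i=$((i + 1))
    done
}

# Succeed only if no certificate in the bundle has already expired.
# "x509 -checkend 0" exits non-zero when notAfter is in the past, which is the
# situation the "error 10 ... certificate has expired" messages above describe.
chain_all_valid() {
    total=$(cert_count "$1")
    i=1
    status=0
    while [ "$i" -le "$total" ]; do
        if ! nth_cert "$1" "$i" | "$OPENSSL" x509 -noout -checkend 0 >/dev/null; then
            echo "expired certificate $i in $1:" >&2
            nth_cert "$1" "$i" | "$OPENSSL" x509 -noout -subject -enddate >&2
            status=1
        fi
        i=$((i + 1))
    done
    return "$status"
}

# Verify the leaf against the bundle's intermediates with an explicit trust
# directory, so the outcome does not depend on which openssl is first in PATH
# (the thread shows /usr/bin/openssl and /opt/zimbra/common/bin/openssl disagreeing)
# or on whether that binary's default CApath ($OPENSSLDIR/certs) is populated.
# "openssl version -d" prints the OPENSSLDIR the binary was built with.
verify_leaf() {
    capath="$1"; leaf="$2"; chain="$3"
    echo "using $OPENSSL, $("$OPENSSL" version -d), trust dir $capath"
    "$OPENSSL" verify -CApath "$capath" -untrusted "$chain" "$leaf"
}

# Built-in self-test on a constructed (non-certificate) two-block bundle, so the
# splitting logic can be exercised without real certificates or openssl.
selftest() {
    f=$(mktemp)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' 'BBBB' 'CCCC' '-----END CERTIFICATE-----' > "$f"
    [ "$(cert_count "$f")" = 2 ] || { rm -f "$f"; return 1; }
    [ "$(nth_cert "$f" 2 | wc -l | tr -d ' ')" = 4 ] || { rm -f "$f"; return 1; }
    nth_cert "$f" 1 | grep -q CCCC && { rm -f "$f"; return 1; }
    rm -f "$f"
    echo "selftest ok"
}

# Usage (nothing runs when sourced or called without arguments):
#   check_chain.sh selftest
#   check_chain.sh describe fullchain.pem
#   check_chain.sh valid    fullchain.pem
#   OPENSSL=/opt/zimbra/common/bin/openssl check_chain.sh verify /opt/zimbra/common/etc/ssl/certs server.cer fullchain.pem
if [ "$#" -ge 1 ]; then
    case "$1" in
        selftest) selftest ;;
        describe) describe_chain "$2" ;;
        valid)    chain_all_valid "$2" && echo "no expired certificate in $2" ;;
        verify)   verify_leaf "$2" "$3" "$4" ;;
        *)        echo "usage: $0 selftest | describe BUNDLE | valid BUNDLE | verify CAPATH LEAF BUNDLE" >&2; exit 2 ;;
    esac
fi
```

Running `verify` once with OPENSSL=/usr/bin/openssl and /etc/ssl/certs and once with Zimbra's binary and /opt/zimbra/common/etc/ssl/certs reproduces the root-vs-zimbra difference mumon66 saw (error 20 from the empty directory, OK from the system store) without guessing which binary zmcertmgr picked up. Two caveats a practitioner will want: `ln -s /etc/ssl/certs TARGET` only creates the link at TARGET if TARGET does not already exist; if it is an existing (empty) directory, the link is created inside it as TARGET/certs and OpenSSL still sees an empty CApath, so check with `ls -l` afterwards. And linking the whole system store makes every CA the OS trusts a valid issuer for zmcertmgr's verification, whereas copying only the root(s) you actually chain to, the narrower option mumon66 mentions, keeps the trusted set explicit.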