CN = DST Root CA X3 error 10 at 3 depth lookup:certificate has expired
- barrydegraaff
- Zimbra Employee
- Posts: 242
- Joined: Tue Jun 17, 2014 3:31 am
Re: CN = DST Root CA X3 error 10 at 3 depth lookup:certificate has expired
Another guide is at: https://postboxservices.com/blogs/post/ ... ates-on-it
--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/
Re: CN = DST Root CA X3 error 10 at 3 depth lookup:certificate has expired
Just to share another experience on 8.7.11: I installed the acme.sh client with ZeroSSL but couldn't provision the obtained certificate, as verification by zmcertmgr always failed:
ERROR: Unable to validate certificate chain: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
So I couldn't deploy the new cert. As pointed out in an old forum post, this message probably comes from openssl:
openssl verify -untrusted server/fullchain.cer server/server.cer
server/server.cer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
error 20 at 2 depth lookup:unable to get local issuer certificate
but if I run the same command as root, it succeeds:
# openssl verify -untrusted server/fullchain.cer server/server.cer
server/server.cer: OK
However, since zmcertmgr only runs as "zimbra", more was needed to fix it.
I discovered that the openssl run by the zimbra user is not the system one (/opt/zimbra/common/bin/openssl vs. /usr/bin/openssl); it also looks for root CAs in /opt/zimbra/common/etc/ssl/certs, which is empty.
So I put a symlink to the system root CA folder:
ln -s /etc/ssl/certs /opt/zimbra/common/etc/ssl/certs
Another option was to copy only the relevant certs into it, but I don't see why not to have all of them.
After that, "zmcertmgr verifycrt" started to work, so I could deploy the new certificate:
$ /opt/zimbra/bin/zmcertmgr verifycrt comm server/server.key server/fullchain.cer
** Verifying 'server/fullchain.cer' against 'server/server.key'
Certificate 'server/fullchain.cer' and private key 'server/server.key' match.
** Verifying 'server/fullchain.cer' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
Valid certificate chain: server/fullchain.cer: OK
$ zmcertmgr deploycrt comm server/server.cer server/fullchain.cer
** Verifying 'server/server.cer' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'server/server.cer' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'server/server.cer' against 'server/fullchain.cer'
Valid certificate chain: server/server.cer: OK
[...]
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '3f98c615.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '1b19814d.0' -> 'commercial_ca_2.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_3.crt
** Creating CA hash symlink 'fc5a8f99.0' -> 'commercial_ca_3.crt'
And voilà, certificate installed!
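A small POSIX sh diagnostic for the situation in the post above, added here as an example (it is not the poster's or Zimbra's code): it finds the CA directory a given openssl binary actually searches, checks whether that directory holds the hash-named entries openssl needs, can create them for CAs copied into it, and verifies a chain against that directory explicitly. The paths (/opt/zimbra/common/bin/openssl, server/fullchain.cer, server/server.cer) are assumptions taken from the thread.

```shell
# Added diagnostic (not from the forum post): find the CA directory a given openssl
# binary really searches, check that it is populated, and verify a chain against it.
# Paths such as /opt/zimbra/common/bin/openssl are assumptions taken from the thread.

# Print the default CApath of an openssl binary, derived from `openssl version -d`,
# which prints a line like: OPENSSLDIR: "/usr/lib/ssl"
openssl_capath() {
    dir=$("$1" version -d 2>/dev/null | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')
    [ -n "$dir" ] || return 1
    printf '%s/certs\n' "$dir"
}

# Succeed if DIR holds at least one hash-named entry such as 3f98c615.0; openssl's
# CApath lookup only finds issuers through these names, so a directory of plain
# .crt files without them behaves exactly like an empty one.
capath_has_hashes() {
    for f in "$1"/????????.[0-9]*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Create the hash symlink for every PEM CA in DIR (the step zmcertmgr logs as
# "Creating CA hash symlink"); rerunning is safe, existing links are kept.
rehash_capath() {
    bin=$1; dir=$2
    for pem in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        h=$("$bin" x509 -noout -hash -in "$pem") || return 1
        n=0
        while [ -e "$dir/$h.$n" ]; do
            [ "$(readlink "$dir/$h.$n")" = "${pem##*/}" ] && continue 2
            n=$((n + 1))
        done
        ln -s "${pem##*/}" "$dir/$h.$n"
    done
}

# Verify LEAF with CHAIN as untrusted intermediates against an explicit CApath: the
# check that failed for the zimbra user because its default CApath was empty.
verify_chain() {
    bin=$1; capath=$2; chain=$3; leaf=$4
    capath_has_hashes "$capath" || echo "warning: no hash-named CA entries in $capath" >&2
    "$bin" verify -CApath "$capath" -untrusted "$chain" "$leaf"
}

# Example run for Zimbra's bundled binary (adjust paths to your install):
#   bin=/opt/zimbra/common/bin/openssl
#   verify_chain "$bin" "$(openssl_capath "$bin")" server/fullchain.cer server/server.cer
```

Running it as the zimbra user, with the bundled binary, reproduces the "unable to get local issuer certificate" failure when the CApath is empty and shows it going away once the directory is populated.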
- Outstanding Member
- Posts: 251
- Joined: Sat Sep 13, 2014 2:26 am
- ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24
Re: CN = DST Root CA X3 error 10 at 3 depth lookup:certificate has expired
I thought I had this issue fixed in November, but I got it again on February 1, 2022.
The crontab job emails that come through just show that the certificate is not yet expired.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mail.mydomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/mail.mydomain.com/fullchain.pem expires on 2022-04-02 (skipped)
No renewals were attempted.
No hooks were run.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Saving debug log to /var/log/letsencrypt/letsencrypt.log
I ran this manual command to try and fix it (run as ROOT).
$ sudo su
$ /usr/local/src/certbot-zimbra/certbot_zimbra.sh -n -c -L "--force-renewal"
I get this error.
ERROR: Unable to validate certificate chain: O = Digital Signature Trust Co., CN = DST Root CA X3
error 10 at 3 depth lookup: certificate has expired
error /run/certbot-zimbra/certs-UXoBcwVr/cert.pem: verification failed
I am not able to fix the issue automatically with certbot-zimbra and a daily cronjob, but I was able to go through this GitHub issue and found the following commands to fix it manually. I am on Ubuntu 16.04.7 LTS, certbot 1.22, and certbot-zimbra v0.7.12.
https://github.com/YetOpen/certbot-zimbra/issues/140
Manual fix commands are all below.
FIX - First you need to get Zimbra up and running or certbot won't work anyway. I had rebooted the server, so Zimbra was down and would not start.
$ sudo su - zimbra
zimbra@mail:~$ zmlocalconfig -e ldap_starttls_required=false
zimbra@mail:~$ zmlocalconfig -e ldap_starttls_supported=0
zimbra@mail:~$ zmcontrol start
zimbra@mail:~$ exit
FIX - Then you need to renew the certificate by specifying the preferred chain. Run as ROOT user.
$ sudo su
$ certbot --force-renewal --preferred-chain "ISRG Root X1" renew
FIX - Then you run certbot-zimbra. Run as ROOT user.
$ /usr/local/src/certbot-zimbra/certbot_zimbra.sh -d
$ exit
FIX - You need to undo the ldap-starttls settings. Run as Zimbra user.
$ sudo su - zimbra
zimbra@mail:~$ zmlocalconfig -e ldap_starttls_required=true
zimbra@mail:~$ zmlocalconfig -e ldap_starttls_supported=1
zimbra@mail:~$ zmcontrol restart
zimbra@mail:~$ exit
I guess I will have to run this manually every 3 months unless anyone has any ideas why I am still having the problem.
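The post above renews with --preferred-chain "ISRG Root X1" but never checks which chain certbot actually wrote. As an added example (not code from the poster or from certbot-zimbra), the POSIX sh helpers below inspect a fullchain.pem and report whether its last certificate is still the cross-sign issued by the expired "DST Root CA X3" or the short chain ending at "ISRG Root X1"; that is the quick check to run before and after the renewal, and the thing a cron job could alert on. The fullchain path is the one from the post; awk and openssl on PATH are assumed.

```shell
# Added example, not from the post: inspect a Let's Encrypt fullchain.pem and report
# which root the chain is built towards, to tell the long chain (its last cert is the
# ISRG Root X1 cross-sign issued by "DST Root CA X3", which expired on 2021-09-30)
# from the short chain that --preferred-chain "ISRG Root X1" requests.
# Assumes POSIX sh, awk and an openssl binary on PATH.

# Count the certificates in a PEM bundle (pure shell, no openssl needed).
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Print the N-th (1-based) PEM certificate block of a bundle, BEGIN to END lines.
pem_nth_cert() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /^-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# Print the issuer of the last certificate in the bundle. For the default Let's
# Encrypt chain this is "DST Root CA X3"; for the short chain it is "ISRG Root X1".
chain_top_issuer() {
    n=$(count_pem_certs "$1") && [ "$n" -gt 0 ] || return 1
    pem_nth_cert "$1" "$n" | openssl x509 -noout -issuer | sed 's/^issuer=//'
}

# Succeed if the bundle still chains to the expired DST Root CA X3 cross-sign, the
# chain that produced the "certificate has expired" error quoted in the post.
chain_uses_dst_root() {
    chain_top_issuer "$1" | grep -q 'DST Root CA X3'
}

# Example: chain_uses_dst_root /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem \
#   && echo "renew with: certbot renew --force-renewal --preferred-chain 'ISRG Root X1'"
```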