CN = DST Root CA X3 error 10 at 3 depth lookup:certificate has expired

realsparticle
Posts: 28
Joined: Sat Sep 13, 2014 3:29 am

CN = DST Root CA X3 error 10 at 3 depth lookup:certificate has expired

Postby realsparticle » Fri Oct 08, 2021 9:02 am

This morning our certificates were due for renewal.

Certbot did the necessary but failed when verifying as you can see below.

Never seen this type of message and could do with a little step by step help to resolve this issue which appears to be due to a CA Root certificate expiring.

How do we solve this problem?

Any help would be appreciated.

Cheers
Spart

Zimbra version Release 8.8.9.GA

Code:

** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/privkey.pem'
Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/letsencrypt/privkey.pem' match.
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
ERROR: Unable to validate certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: O = Digital Signature Trust Co., CN = DST Root CA X3
error 10 at 3 depth lookup:certificate has expired
OK
Unable to verify cert!


phoenix
Ambassador
Posts: 26878
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: CN = DST Root CA X3 error 10 at 3 depth lookup:certificate has expired

Postby phoenix » Fri Oct 08, 2021 10:03 am

Have you looked at any of the recent forum threads on the expiration of the Root certificate?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
realsparticle
Posts: 28
Joined: Sat Sep 13, 2014 3:29 am

Re: CN = DST Root CA X3 error 10 at 3 depth lookup:certificate has expired

Postby realsparticle » Fri Oct 08, 2021 10:17 am

phoenix wrote:Have you looked at any of the recent forum threads on the expiration of the Root certificate?


We did quite a bit of google-fu, but to be honest the many, many-stage solutions were like rocket science to us. We were hoping someone would provide a simple step-by-step solution to this problem without compromising our installation.

There were no posts we found that matched exactly what we were seeing.

The server has been so stable for so long, this was a shock.

Any help is appreciated.

Cheers
Spart
realsparticle
Posts: 28
Joined: Sat Sep 13, 2014 3:29 am

Re: CN = DST Root CA X3 error 10 at 3 depth lookup:certificate has expired

Postby realsparticle » Mon Oct 11, 2021 1:48 pm

:D

I followed this guide and I now have a fully working Zimbra with up-to-date certificates.

Replace with your domain :)

Then:

cp /etc/letsencrypt/live//privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem
wget -O /tmp/R3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem
The files in /etc/letsencrypt/live/ are symbolic links to files in /etc/letsencrypt/archive/.
Check which files they point at (cert.pem, chain.pem, ...)

Then perform this, but replace the part with the correct one.

cat /tmp/R3.pem > /etc/letsencrypt/archive//chain.pem
cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/archive//chain.pem
As the zimbra user (su - zimbra) perform:

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live//cert.pem /etc/letsencrypt/live//chain.pem
If it runs successfully, perform the deploy. If it gives you a file permissions error, temporarily do this:

chmod o+rx /etc/letsencrypt/archive
chmod o+rx /etc/letsencrypt/live

And verify the cert again.

You can run certbot-zimbra deploy, or the below one:

I ran certbot_zimbra.sh and selected to use the cert that I already had from the failed previous attempt.

Afterwards remove the extra permissions (as root):

chmod o-rx /etc/letsencrypt/archive
chmod o-rx /etc/letsencrypt/live

Restart Zimbra:

zmcontrol restart

I had to restart the full server to stop issues when I was sending test emails. So something requires a reboot of the system to be fully recognised.

Cheers
Spart
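The failure in the first post comes from a chain file that still carried the expired DST Root CA X3 cross-sign, and the fix above rebuilds chain.pem from R3 plus ISRG Root X1. The script below is an added example, not part of this thread or of Zimbra or certbot-zimbra: it splits any PEM bundle into its individual certificates and flags every one that expires within a given number of days, so a chain can be audited before zmcertmgr verifycrt or a deploy trips over it. It assumes only that openssl and awk are installed; the make_demo_chain function builds two constructed self-signed certificates (10-day and 400-day lifetimes) purely so the check can be run offline, and its names are invented for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): audit every certificate in a PEM chain
# file for expiry, the way a chain that still contained the expired
# DST Root CA X3 cross-sign would fail verification. Needs only openssl and awk.
set -eu

# Split a PEM bundle into one file per certificate: $OUTDIR/cert-1.pem, cert-2.pem, ...
split_pem_chain() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        n > 0 { print > f }
        /-----END CERTIFICATE-----/ { close(f) }' "$bundle"
}

# Print "subject | notAfter" for each certificate in $2 that expires within
# $1 days (no output means the whole chain is clear of the threshold).
# openssl x509 -checkend N exits non-zero when the cert expires within N seconds.
list_expiring_within() {
    days=$1; bundle=$2
    secs=$((days * 86400))
    tmp=$(mktemp -d)
    split_pem_chain "$bundle" "$tmp"
    for f in "$tmp"/cert-*.pem; do
        if ! openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null; then
            printf '%s | %s\n' "$(openssl x509 -in "$f" -noout -subject)" \
                               "$(openssl x509 -in "$f" -noout -enddate)"
        fi
    done
    rm -rf "$tmp"
}

# Constructed demo input: two self-signed certs, one valid for 10 days (stands
# in for a root about to expire) and one for 400 days, concatenated into a
# bundle the way chain.pem is. Prints the path of the bundle.
make_demo_chain() {
    dir=$(mktemp -d)
    for pair in short:10 long:400; do
        name=${pair%%:*}; days=${pair##*:}
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
            -subj "/CN=Demo $name-lived CA" \
            -keyout "$dir/$name.key" -out "$dir/$name.pem" >/dev/null 2>&1
    done
    cat "$dir/short.pem" "$dir/long.pem" > "$dir/chain.pem"
    echo "$dir/chain.pem"
}

# Usage: sh chain-audit.sh /path/to/chain.pem [days]   (default threshold 30 days)
if [ $# -gt 0 ]; then
    list_expiring_within "${2:-30}" "$1"
fi
```

Run it against the Zimbra chain file (for example /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem, or the chain.pem under /etc/letsencrypt/archive/) with a threshold of a few weeks; any line it prints is a certificate that will make verifycrt fail once its notAfter passes, and an already-expired root shows up at any threshold.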
fiddels
Posts: 1
Joined: Wed Oct 13, 2021 9:37 am

Re: CN = DST Root CA X3 error 10 at 3 depth lookup:certificate has expired

Postby fiddels » Wed Oct 13, 2021 9:39 am

:D

Works for me, thank you!
