Letsencrypt Cert refused

jppo
Posts: 5
Joined: Sat Sep 13, 2014 2:57 am

Letsencrypt Cert refused

Post by jppo »

Hello,

I'm trying to install a Letsencrypt certificate on my brand new Ubuntu 20.04 server and it does not work; the certificate is refused with a message:
ERROR: Unable to validate certificate chain: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
error cert.pem: verification failed
On my old system (16.04) the certificates were installed without any problem ... until the last one.
The ISRG certificate seems to be OK:
ISRG_Root_X1.pem -> /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt

Any help will be welcome
jppo
Posts: 5
Joined: Sat Sep 13, 2014 2:57 am

Re: Letsencrypt Cert refused

Post by jppo »

Hello,

My problem is still there, even though I upgraded my system to Ubuntu 20.04 LTS and use the latest certbot version:
certbot --version
certbot 1.26.0

The problem is still there when I try to verify the cert:
zmcertmgr verifycrt self privkey.pem cert.pem chain.pem
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'fullchain.pem'
ERROR: Unable to validate certificate chain: C = US, O = Let's Encrypt, CN = R3
error 2 at 1 depth lookup: unable to get issuer certificate
error cert.pem: verification failed

I tried with "fullchain.pem" instead of "chain.pem"; the result is always the same.
I tried copying "ISRG_Root_X1.pem" to "/opt/zimbra/ssl/letsencrypt", with the same error!

Please help.

PS: I have used letsencrypt certs for years and never had a problem. I was on Ubuntu 16.04 and
I upgraded to 20.04 in 2021/08, just before the "September certificate problem", and I have not
succeeded in upgrading the certificate since October.
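
A way to locate the gap when a verifier reports "unable to get issuer certificate", as in the output quoted in the post above. This is an added example, not code from the thread, from Zimbra or from zmcertmgr; the function names are hypothetical, and it assumes the chain file is the only trust source handed to `openssl verify`.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Split a PEM bundle into DIR/1.pem, DIR/2.pem, ... and print the count.
split_bundle() {
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/" n ".pem") }
        END { print n + 0 }' "$1"
}

# Print the subject or issuer ($1) of certificate file $2 as an RFC 2253 name.
name_of() {
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# Print the subject of the first certificate in bundle $1 whose issuer is not
# the subject of any certificate in that bundle. A self-signed root is its own
# issuer, so a bundle that ends in a root prints nothing.
first_missing_issuer() (
    dir=$(mktemp -d) || exit 1
    count=$(split_bundle "$1" "$dir")
    i=1
    while [ "$i" -le "$count" ]; do
        issuer=$(name_of issuer "$dir/$i.pem")
        found=0 j=1
        while [ "$j" -le "$count" ]; do
            if [ "$(name_of subject "$dir/$j.pem")" = "$issuer" ]; then found=1; fi
            j=$((j + 1))
        done
        if [ "$found" -eq 0 ]; then name_of subject "$dir/$i.pem"; break; fi
        i=$((i + 1))
    done
    rm -rf "$dir"
)

# Verify leaf $1 using bundle $2 as the only trust source (assumption of this
# example); -no-CApath keeps the system CA directory out of the result.
verify_against_bundle() {
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# Usage: sh check_chain.sh cert.pem chain.pem
if [ "$#" -eq 2 ]; then
    gap=$(first_missing_issuer "$2")
    [ -z "$gap" ] || echo "no issuer in $2 for: $gap"
    verify_against_bundle "$1" "$2" && echo "chain OK" || echo "chain incomplete"
fi
```

Name matching only locates the gap; `verify_against_bundle` is the cryptographic check.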
jppo
Posts: 5
Joined: Sat Sep 13, 2014 2:57 am

Re: Letsencrypt Cert refused

Post by jppo »

It is done, all is OK now; it was only a bad character in the hostname!
But the messages are not very clear.
barrydegraaff
Zimbra Employee
Posts: 242
Joined: Tue Jun 17, 2014 3:31 am
Contact:

Re: Letsencrypt Cert refused

Post by barrydegraaff »

For everyone else having issues with Let's Encrypt please follow the step-by-step guide at https://wiki.zimbra.com/wiki/Installing ... ertificate
--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/
jogerj
Posts: 6
Joined: Wed Jul 22, 2020 9:10 am

Re: Letsencrypt Cert refused

Post by jogerj »

I've been using this script https://github.com/VojtechMyslivec/letsencrypt-zimbra for years now; the only time it failed was when the older root certificate expired last year and got replaced with ISRG Root X1. It automates the whole thing, the setup is simple and it's robust.