[FIXED] Variation on the theme: invoke PKIX path building failed...

chris_60
Posts: 25
Joined: Wed Mar 10, 2021 3:35 pm
Location: Ubuntu 18.04.5 LTS
ZCS/ZD Version: 9.0.0.ZEXTRAS.202007114.UBUNTU18.64

Post by chris_60 »

OS: Ubuntu 18.04.6 LTS
Zimbra: 9.0.0.ZEXTRAS.202007114.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 9.0.0_P14

Yet another variation on this error:

Code:

zimbra@foomail:~$ zmprov gcf zimbraMailTrustedIP
ERROR: zclient.IO_ERROR (invoke PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, server: localhost) (cause: javax.net.ssl.SSLHandshakeException PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

This began to occur after updating the LetsEncrypt certs this past month. I have used LetsEncrypt for a long time without issue.

The present cert is good, installed correctly, and all other aspects of Zimbra work nominally with the single exception of the cli tools.

Code:

zimbra@foomail:~$ /opt/zimbra/bin/zmcertmgr viewdeployedcrt
- imapd: /opt/zimbra/conf/imapd.crt
notBefore=Apr 11 15:29:56 2022 GMT
notAfter=Jul 10 15:29:55 2022 GMT
subject=CN = *.foo.bar
issuer=C = US, O = Let's Encrypt, CN = R3

I have followed a suggestion posted in response to several other variations of this error:

Code:

zimbra@foomail:~$ /opt/zimbra/common/bin/keytool -import -alias LE_fullchain -keystore /opt/zimbra/common/etc/java/cacerts -file /etc/letsencrypt/live/foo.bar/fullchain.pem

But this does not fix this particular problem.

Any thoughts are welcome.

Chris
Last edited by chris_60 on Fri Apr 29, 2022 1:04 pm, edited 1 time in total.

Re: Variation on the theme: invoke PKIX path building failed...

Post by chris_60 »

Doing more digging:

Code:

zimbra@foomail:~$ zmprov -d gcf zimbraMailTrustedIP
========== SOAP SEND ==========
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Header>
    <context xmlns="urn:zimbra">
      <nosession/>
      <userAgent name="zmprov" version="9.0.0_GA_4022"/>
      <authTokenControl voidOnExpired="0"/>
    </context>
  </soap:Header>
  <soap:Body>
    <AuthRequest xmlns="urn:zimbraAdmin">
      <name>secret</name>
      <password>super_secret</password>
    </AuthRequest>
  </soap:Body>
</soap:Envelope>
===============================
ERROR: zclient.IO_ERROR (invoke PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, server: localhost) (cause: javax.net.ssl.SSLHandshakeException PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

The problem must occur when the script submits a SOAP request to the server. Maybe the script cannot verify the SOAP server's cert?

Yet all seems to be well with the currently deployed cert...

Code:

zimbra@foomail:~$ /opt/zimbra/bin/zmcertmgr viewdeployedcrt | egrep -i 'opt|notBefore|notAfter|issuer'
- imapd: /opt/zimbra/conf/imapd.crt
notBefore=Apr 11 15:29:56 2022 GMT
notAfter=Jul 10 15:29:55 2022 GMT
issuer=C = US, O = Let's Encrypt, CN = R3
- ldap: /opt/zimbra/conf/slapd.crt
notBefore=Apr 11 15:29:56 2022 GMT
notAfter=Jul 10 15:29:55 2022 GMT
issuer=C = US, O = Let's Encrypt, CN = R3
- mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem
notBefore=Apr 11 15:29:56 2022 GMT
notAfter=Jul 10 15:29:55 2022 GMT
issuer=C = US, O = Let's Encrypt, CN = R3
- mta: /opt/zimbra/conf/smtpd.crt
notBefore=Apr 11 15:29:56 2022 GMT
notAfter=Jul 10 15:29:55 2022 GMT
issuer=C = US, O = Let's Encrypt, CN = R3
- proxy: /opt/zimbra/conf/nginx.crt
notBefore=Apr 11 15:29:56 2022 GMT
notAfter=Jul 10 15:29:55 2022 GMT
issuer=C = US, O = Let's Encrypt, CN = R3

And FWIW:

Code:

zimbra@foomail:~$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/ssl/certs/cert.pem /opt/ssl/certs/fullchain.pem
** Verifying '/opt/ssl/certs/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/ssl/certs/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/ssl/certs/cert.pem' against '/opt/ssl/certs/fullchain.pem'
Valid certificate chain: /opt/ssl/certs/cert.pem: OK

[FIXED] Re: Variation on the theme: invoke PKIX path building failed...

Post by chris_60 »

Fixed:

Code:

zimbra@foomail:~$ /opt/zimbra/common/bin/keytool -import -alias foo.bar -keystore /opt/zimbra/common/etc/java/cacerts -file /etc/letsencrypt/live/foo.bar/chain.pem

I would have thought that fullchain.pem included chain.pem, but it did not.
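
Added example (not part of the thread or of Zimbra's tooling): a keytool trusted-certificate entry holds one certificate per alias, so a PEM file with several certificates is best inspected and imported one certificate at a time. The function names and the alias prefix are hypothetical; the keytool and file paths are the ones used in the posts above.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; paths come from the thread.

# Count the certificates contained in PEM file $1.
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Split PEM file $1 into $2/cert-1.pem, $2/cert-2.pem, ... in file order.
# Prints the number of certificates written.
pem_split() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# Print subject, issuer and expiry of every certificate in $1 (needs openssl),
# which shows exactly which certificates a bundle holds before it is imported.
pem_describe() {
    tmp=$(mktemp -d) || return 1
    pem_split "$1" "$tmp" >/dev/null
    for f in "$tmp"/cert-*.pem; do
        [ -f "$f" ] || continue
        echo "== ${f##*/}"
        openssl x509 -in "$f" -noout -subject -issuer -enddate
    done
    rm -rf "$tmp"
}

# Import every CA certificate in $1 into truststore $2 under aliases
# "$3-1", "$3-2", ... Set KEYTOOL to use a different keytool binary.
import_cas() {
    tmp=$(mktemp -d) || return 1
    n=$(pem_split "$1" "$tmp") || { rm -rf "$tmp"; return 1; }
    i=1; rc=0
    while [ "$i" -le "$n" ]; do
        "${KEYTOOL:-/opt/zimbra/common/bin/keytool}" -import -noprompt \
            -alias "$3-$i" -keystore "$2" -file "$tmp/cert-$i.pem" || { rc=1; break; }
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}
```

Typical use as the zimbra user: `pem_describe /etc/letsencrypt/live/foo.bar/chain.pem`, then `import_cas /etc/letsencrypt/live/foo.bar/chain.pem /opt/zimbra/common/etc/java/cacerts foo.bar`.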
barrydegraaff
Zimbra Employee
Posts: 242
Joined: Tue Jun 17, 2014 3:31 am

Re: [FIXED] Variation on the theme: invoke PKIX path building failed...

Post by barrydegraaff »

For Let's Encrypt please follow the step-by-step guide at https://wiki.zimbra.com/wiki/Installing ... ertificate
--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/
NothingCtrl
Posts: 7
Joined: Tue Apr 18, 2017 10:06 am

Re: [FIXED] Variation on the theme: invoke PKIX path building failed...

Post by NothingCtrl »

barrydegraaff wrote: Fri Jul 01, 2022 8:20 am For Let's Encrypt please follow the step-by-step guide at https://wiki.zimbra.com/wiki/Installing ... ertificate
I followed this guide but had the same error; following @chris_60's post helped me fix this error.

Re: [FIXED] Variation on the theme: invoke PKIX path building failed...

Post by barrydegraaff »

Double check you are getting an RSA certificate from Let's Encrypt; use the option: --key-type rsa

Throw away your old Let's Encrypt folder from /etc/letsencrypt and try again.