unable to validate letsencrypt certificate

soa_85
Posts: 1
Joined: Wed Jun 15, 2022 7:29 pm

unable to validate letsencrypt certificate

Post by soa_85 »

Hi, can anyone help me?
I use Zimbra Release 8.8.15_GA_3869.RHEL7_64_20190917004220 RHEL7_64 FOSS edition, Patch 8.8.15_P30.
It's time to update the Let's Encrypt certificate after 90 days, but I have a problem:
su - zimbra -c "zmcertmgr verifycrt comm
> /opt/zimbra/ssl/zimbra/commercial/privkey.pem
> /opt/zimbra/ssl/zimbra/commercial/cert.pem
> /opt/zimbra/ssl/zimbra/commercial/chain.pem"
** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
ERROR: Unable to validate certificate chain: CN = mail.mydomane
error 10 at 0 depth lookup: certificate has expired
------------------------------------------------------------------------------------------------
I updated the previous certs, and this one, according to these instructions:
/opt/letsencrypt/letsencrypt-auto renew
cp /etc/letsencrypt/live/mail.mydomain/* /opt/zimbra/ssl/zimbra/commercial/
chown zimbra /opt/zimbra/ssl/zimbra/commercial/*
cd /opt/zimbra/ssl/zimbra/commercial
wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
wget https://letsencrypt.org/certs/letsencry ... x3.pem.txt
echo "-----BEGIN CERTIFICATE-----" > new_chain.pem
openssl x509 -in chain.pem -outform der | base64 -w 64 >> new_chain.pem
echo "-----END CERTIFICATE-----" >> new_chain.pem
mv new_chain.pem chain.pem
cat isrgrootx1.pem.txt >> chain.pem
cat letsencryptauthorityx3.pem.txt >> chain.pem
su - zimbra -c "zmcertmgr verifycrt comm
/opt/zimbra/ssl/zimbra/commercial/privkey.pem
/opt/zimbra/ssl/zimbra/commercial/cert.pem
/opt/zimbra/ssl/zimbra/commercial/chain.pem"
mv privkey.pem commercial.key
su - zimbra -c "zmcertmgr deploycrt comm
/opt/zimbra/ssl/zimbra/commercial/cert.pem
/opt/zimbra/ssl/zimbra/commercial/chain.pem"
su - zimbra -c "zmcontrol restart"
auanton
Posts: 4
Joined: Thu Sep 11, 2014 10:36 am

Re: unable to validate letsencrypt certificate

Post by auanton »

you saved my day - after ten hours of all sorts of errors trying to deploy a valid certificate
(the last one was "error 2 at 2 depth lookup:unable to get issuer certificate")
thank you
anton
dominix
Advanced member
Posts: 51
Joined: Sat Sep 13, 2014 1:07 am
Location: Pacific sud
ZCS/ZD Version: 7.2.7 ... 8.8.15 ... 9.0.0

Re: unable to validate letsencrypt certificate

Post by dominix »

Code:

echo "-----BEGIN CERTIFICATE-----" > new_chain.pem
openssl x509 -in chain.pem -outform der | base64 -w 64 >> new_chain.pem
echo "-----END CERTIFICATE-----" >> new_chain.pem

Why not use this instead:

Code:

openssl x509 -in chain.pem -outform pem > new_chain.pem