ERROR: Unable to validate certificate chain: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
error cert.pem: verification failed
My zimbra server is:
Release 8.8.15_GA_3953.RHEL8_64_20200629025823 RHEL8_64 FOSS edition, Patch 8.8.15_P25
The operating system is:
CentOS Linux release 8.5.2111
Since I have changed the certificates in the zimbra's repository, its services fail to start, thus the webserver is down as well.
Is there a chance to get these back to life? I'm running the company's mail server on it and now it is definitely broken.
Fine! What do you mean follow the doc? Which doc?
(I really mean it! For over 10 hours trying to get a solution. Still "Unable to validate certificate chain: C = US, O = Internet Security Research Group, CN = ISRG Root X1")
Well, I have found a workaround here.
It was you who had warned the author of the post that this is a shortcut and not a solution. But right now I just have to start my server.
Ideas?
After some investigation, I found that the chain.pem that is received from Letsencrypt contains two certificates: one of them is the certificate for the R3 chain, issued by ISRG Root X1. The second certificate is for ISRG Root X1, issued by DST Root CA X3. But I don't have a valid certificate for DST Root CA X3 in the system. This is why I get the error "unable to validate chain ISRG Root X1".
Ideas?
Version: 3 (0x2)
Serial Number:
40:01:77:21:37:d4:e9:42:b8:ee:76:aa:3c:64:0a:b7
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
Validity
Not Before: Jan 20 19:14:03 2021 GMT
Not After : Sep 30 18:14:03 2024 GMT
Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Zimbra is super anal.
It requires the entire chain before it can be verified.
The fullchain.pem would normally contain all that is needed [but NOT for Zimbra].
Here is a script file I made and use to update the cert:
#!/bin/bash
# Copy the freshly issued Let's Encrypt files into Zimbra's staging folder
cp /etc/letsencrypt/live/MY-DOMAIN/*.pem /opt/zimbra/ssl/letsencrypt/
# Check that the private key matches the certificate before deploying anything
su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/letsencrypt/cert.pem"
# Install the private key where Zimbra expects the commercial certificate key
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
# Deploy the cert with shortchain.pem (R3 plus the self-signed ISRG Root X1) instead of the delivered chain.pem
su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/shortchain.pem"
Thank you a lot for the script and the solution.
Well, it seems that the script won't use the chain.pem file, but rather the file shortchain.pem, which consists of the R3 certificate issued by ISRG Root X1 and the self-signed certificate for ISRG Root X1. This is the .pem that was proposed by denos in the thread that I have mentioned above.
So, why is this solution not so good in the long run? It could even be automated. The issue with it would be the limited time of use - only 2 years instead of 13.
Regards
Then we have to put an eye on R3.
Is there a place where R3 can be downloaded from automatically? Updated.
Ok, nevermind, R3 can be downloaded from the link https://letsencrypt.org/certs/lets-encrypt-r3.pem. X1 can be downloaded using the link https://letsencrypt.org/certs/isrgrootx1.pem.
BTW, why do the scripts download the file with a .txt extension, because of antiviruses?
So, we need to download 2 files and put them one by one into the shortchain.pem.
I assume that the whole certificate renewal procedure could be done using the following script. Please feel free to correct the statements if something is wrong.
#!/bin/bash
MYDOMAIN="www.example.com" # change www.example.com to your domain
ZimbraSSL="/opt/zimbra/ssl/letsencrypt"
# Obtain the certificate; -d passes the domain so certbot does not prompt for it
certbot certonly --standalone -d "$MYDOMAIN" || exit 1
# The staging folder does not exist on a stock install, so create it before cd
mkdir -p "$ZimbraSSL"
cd "$ZimbraSSL"/ || exit 1
rm -f ./*.pem
cp /etc/letsencrypt/live/"$MYDOMAIN"/*.pem ./
# Build shortchain.pem: R3 followed by the self-signed ISRG Root X1 (-O writes both downloads into one file)
wget https://letsencrypt.org/certs/lets-encrypt-r3.pem https://letsencrypt.org/certs/isrgrootx1.pem -O ./shortchain.pem
chown zimbra:zimbra ./*
# Verify key, certificate and chain before touching the deployed files
su - zimbra -c "cd $ZimbraSSL/ && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem shortchain.pem"
if [ $? -ne 0 ]; then
    echo "FAIL to verify the certificates, so no changes produced"
    exit 1
fi
# Install the private key (\cp bypasses any interactive cp alias) and deploy the cert with the short chain
\cp ./privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
su - zimbra -c "cd $ZimbraSSL/ && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem shortchain.pem"
I'd like to make the script run automatically as a cron job, but I don't know how to do it in the case of certbot, as I have seen some info that it generates schedules upon installation. But I didn't find a cron job regarding certbot.
certbot should already be cron enabled [by default installation].
It should run certbot renew twice a day.
What you need is the addition of a --deploy-hook ("deployment hook"), that can run the added script to ingest the new cert into Zimbra.
OR
You can simply run that ingest script once a week (every week - always ingesting the latest available cert).
As for R3, it can be replaced with R4 or R5 or whatever without any notice.
Intermediate certs are never expected to be "hard-coded" anywhere.
The ACME protocol ensures the delivery of the current chain.
We are trying to work outside that protocol...
So, whatever we do will not be permanent.
OR will it?
Try using these steps to create that shortchain.pem file programmatically.
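Putting the chain analysis from the earlier post and the idea of building shortchain.pem programmatically together, here is an added example script (not from anyone in this thread). It assumes a chain.pem as certbot writes it and a copy of the self-signed root (isrgrootx1.pem) as inputs, and needs only openssl and awk; the verify step uses the last certificate of a chain as the only trust anchor, which is what makes a cross-signed root at the end fail the way Zimbra did.

```shell
#!/bin/sh
# Added example, not from the thread: turn the chain.pem certbot delivers
# into the shortchain.pem that zmcertmgr accepts. Needs only openssl and awk.

# Split PEM bundle $1 into $2/cert-01.pem, cert-02.pem, ... and print the count.
split_pem_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/ { inside = 0; close(f) }' "$1"
  ls "$2"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# True when subject == issuer, i.e. the certificate is a self-signed root.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')" = \
    "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')" ]
}

# Write $3 from chain $1 and self-signed root $2: keep every intermediate, drop
# any copy of the root that is not self-signed (the cross-signed one in the ACME
# chain), then append the self-signed root so the chain ends at a trust anchor.
build_shortchain() {
  tmp=$(mktemp -d) && split_pem_bundle "$1" "$tmp" >/dev/null
  root_subj=$(openssl x509 -in "$2" -noout -subject)
  : > "$3"
  for c in "$tmp"/cert-*.pem; do
    [ "$(openssl x509 -in "$c" -noout -subject)" = "$root_subj" ] || cat "$c" >> "$3"
  done
  cat "$2" >> "$3"
  rm -rf "$tmp"
  is_self_signed "$2"   # the function fails unless the appended anchor really is a root
}

# Verify leaf $1 the strict way: trust only the LAST certificate of chain $2, use
# the rest as untrusted intermediates, and skip the default CA directory. With a
# cross-signed root last this fails like Zimbra did: "unable to get issuer certificate".
verify_leaf() {
  tmp=$(mktemp -d) && split_pem_bundle "$2" "$tmp" >/dev/null
  anchor=$(ls "$tmp"/cert-*.pem | tail -n 1)
  rc=0
  openssl verify -no-CApath -CAfile "$anchor" -untrusted "$2" "$1" >/dev/null 2>&1 || rc=$?
  rm -rf "$tmp"
  return $rc
}
```

Run it as `build_shortchain chain.pem isrgrootx1.pem shortchain.pem && verify_leaf cert.pem shortchain.pem` before handing shortchain.pem to zmcertmgr.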
I have built a script to test the pieces you suggested, but first a question about the first statement: why do we have to use "/opt/zimbra/ssl/letsencrypt/chain.pem" while that folder exists only when we create it via script or manually - this folder (and the files inside) doesn't exist by default?
Nevertheless, I used the statements proposed by you.
This statement returns error "cat: /etc/ssl/certs/4042bcee.0: No such file or directory"
I guess that this statement should copy the first certificate from the chain, but it is wrongly built. My "openssl version" returns "OpenSSL 1.1.1k FIPS 25 Mar 2021".