Cannot Certificate Verify without X3 Root Certificate


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: infinexweb.com

I ran this command: /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem

It produced this output: ** Verifying ‘cert.pem’ against ‘privkey.pem’
Certificate ‘cert.pem’ and private key ‘privkey.pem’ match.
** Verifying ‘cert.pem’ against ‘chain.pem’
ERROR: Unable to validate certificate chain: cert.pem: C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate

My web server is (include version): This is a Zimbra mail server 8.7

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): I have access to my Zimbra admin panel


#2

try:

su zimbra
cd /certs #location where pem files are located
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem
cp privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.pem
/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem


#3

Hi rg305,

I was following the Let's Encrypt guide for SSL configuration for Zimbra. Link: https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate

The issue is I am unable to sign chain.pem with the X3 Root CA chain, as the link to where the chain used to be is not available anymore. Check the links below:

Link 1: https://www.identrust.com/certificates/trustid/root-download-x3.html
and
Link 2: https://webtest.identrust.com/certificates/trustid/root-download-x3.html

Where can I find the X3 root CA chain to sign the chain.pem?

Thank you,

Best regards,


#4

Please show me your cert.pem file.


#5

Hi rg305,

Thank you so much for the quick reply. Please see the cert.pem below:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


#6

I posted some information on a previous thread about Zimbra:

although I didn’t get any feedback from that person as to whether it worked for them… anyway you can find a command to download the Identrust root there, at least.


#7

Here is the corresponding root:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
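The error in the opening post ("error 2 at 1 depth lookup: unable to get issuer certificate") and the fix in posts #2 and #7 come down to one thing: chain.pem contained only the "Let's Encrypt Authority X3" intermediate, and nothing in that file issues the intermediate itself, so the verifier cannot reach a self-signed root. The script below is an added example, written for this thread and not taken from Zimbra, Let's Encrypt or any poster. It builds a throwaway root, intermediate and leaf with openssl (all names such as "Example Root CA" and mail.example.test are constructed), reproduces the failure against a chain file without the root, shows it passing once the root is appended, and adds a cheap pre-check for whether a chain file ends in a self-signed certificate. It assumes that zmcertmgr verifycrt is doing the equivalent of `openssl verify -CAfile chain.pem cert.pem` underneath.

```shell
#!/bin/sh
# Added example, not part of the thread or of Zimbra. Builds a throwaway
# root -> intermediate -> leaf chain with openssl, then shows why verifying
# against a chain.pem that lacks the intermediate's issuer fails exactly as in
# the first post and passes once the root is appended. Every name is constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension files: CA certs need basicConstraints CA:TRUE or openssl verify
# refuses to use them as issuers; the leaf gets a SAN like a real server cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > leaf.ext

mkcsr() {  # $1 = name, $2 = subject -> writes $1.key and $1.csr
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
}

mkcsr root "/O=Example/CN=Example Root CA"
mkcsr inter "/O=Example/CN=Example Intermediate CA"
mkcsr leaf "/CN=mail.example.test"

# Self-signed root (stands in for the IdenTrust root the thread is looking for).
openssl x509 -req -in root.csr -signkey root.key -days 2 -set_serial 1 \
    -extfile ca.ext -out root.pem 2>/dev/null
# Intermediate issued by the root (stands in for "Let's Encrypt Authority X3").
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -days 2 -set_serial 2 \
    -extfile ca.ext -out inter.pem 2>/dev/null
# Leaf issued by the intermediate (stands in for cert.pem).
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -days 2 -set_serial 3 \
    -extfile leaf.ext -out cert.pem 2>/dev/null

cp inter.pem chain.pem                          # intermediate only, as in the opening post
cat inter.pem root.pem > chain-with-root.pem    # intermediate plus root, as in the fix

# Assumed equivalent of what zmcertmgr verifycrt runs: trust only what is in the
# chain file and try to build a path from the leaf up to a self-signed cert.
verify_chain() {  # $1 = leaf, $2 = chain file; exit status is openssl's
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

verify_error() {  # like verify_chain, but prints openssl's diagnostic instead
    openssl verify -CAfile "$2" "$1" 2>&1 || true
}

# Pre-check: does the last certificate in the file issue itself? If not, the
# file cannot terminate a path and verification stops at that depth.
last_cert_self_signed() {
    awk '/-----BEGIN CERTIFICATE-----/{buf=""} {buf=buf $0 "\n"} END{printf "%s", buf}' "$1" > last.pem
    subj=$(openssl x509 -in last.pem -noout -subject)
    iss=$(openssl x509 -in last.pem -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

echo "--- chain.pem without the root ---"
verify_error cert.pem chain.pem
echo "--- chain.pem with the root appended ---"
verify_error cert.pem chain-with-root.pem
```

The first verify_error call prints the same "error 2 at 1 depth lookup: unable to get issuer certificate" line quoted in the opening post; the second prints "cert.pem: OK". Running last_cert_self_signed on a real chain.pem before deploycrt tells you in advance whether the root still needs to be appended.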


#9

Hi Jmorahan,

Thank you so much for the link and the help. You actually saved my life. :slight_smile: The command you gave me worked and I was able to get the root chain as you had explained.

Now all is working fine and the Zimbra server is back to normal operation. I also learned that after the initial Let's Encrypt installation, the LDAP service does not start; the following commands helped me. For your reference:

su - zimbra
zmlocalconfig -e ldap_master_url=ldaps://zimbrahostname:636
zmlocalconfig -e ldap_url=ldaps://zimbrahostname:636
zmlocalconfig -e ldap_starttls_supported=0
zmlocalconfig -e ldap_port=636
zmcontrol stop
zmcontrol start

Hope the above helps you too.

Thanx again man.


#10

Hi rg305,

Thank you so much for finding the root chain. Where did you find it and how?

I used the command jmorahan had mentioned in his link. It was super useful. But I would like to know how you found the root chain.

Please do let me know.

And thank you again for your help.

Thank you,

Best regards,


#11

When you open a .cer, or .crt, file with Windows it will show the cert with much detail:

Using that “tool”, you can see the “certificate path” (chain):

Select the root cert and choose “View Certificate”:


From that cert you can save it as a “.pem” file:
Choose the “Details” tab and click “Copy to File…”:

A “Certificate Export Wizard” will start:

Choose “Next”, then “Base-64 encoded X.509 (.CER)”:

Then just enter a file location and name to save the file.

Understand that “.CER” and “.PEM” are interchangeable and you have your root cert file in .PEM format.


#12

Hi rg305 thank you for the instruction and guidance. Let me try this and get back to you :slight_smile:


#13

I don’t know how you did it (I mean I do, I ran your script manually) but you’ve successfully ended my 2 days of trying to install the certificates in Zimbra. I made an account just to thank you!