Cannot Certificate Verify without X3 Root Certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: infinexweb.com

I ran this command: /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem

It produced this output: ** Verifying ‘cert.pem’ against ‘privkey.pem’
Certificate ‘cert.pem’ and private key ‘privkey.pem’ match.
** Verifying ‘cert.pem’ against ‘chain.pem’
ERROR: Unable to validate certificate chain: cert.pem: C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate

My web server is (include version): This is a Zimbra mail server 8.7

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): I have access to my Zimbra admin panel

try:

su zimbra
cd /certs #location where pem files are located
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem
cp privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.pem
/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem

Hi rg305,

I was following the Let's Encrypt guide for SSL configuration for Zimbra. Link: https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate

The issue is I am unable to sign chain.pem with the X3 Root CA chain, as the link to where the chain used to be is not available anymore. Check the links below:

Link 1: https://www.identrust.com/certificates/trustid/root-download-x3.html
and
Link 2: https://webtest.identrust.com/certificates/trustid/root-download-x3.html

Where can I find the X3 root CA chain to sign the chain.pem?

Thank you,

Best regards,

Please show me your cert.pem file.

Hi rg305,

Thank you so much for the quick reply. Please see the cert.pem below:


I posted some information on a previous thread about Zimbra:

although I didn't get any feedback from that person as to whether it worked for them... anyway you can find a command to download the Identrust root there, at least.

2 Likes

Here is the corresponding root:

1 Like

Hi Jmorahan,

Thank you so much for the link and the help. You actually saved my life. :slight_smile: The command you gave me worked and I was able to get the root chain as you had explained.

Now all is working fine and the Zimbra server is back to normal operation. I also learned that after the initial Let's Encrypt installation, the LDAP service does not start; the following commands helped me. For your reference:

su - zimbra
zmlocalconfig -e ldap_master_url=ldaps://zimbrahostname:636
zmlocalconfig -e ldap_url=ldaps://zimbrahostname:636
zmlocalconfig -e ldap_starttls_supported=0
zmlocalconfig -e ldap_port=636
zmcontrol stop
zmcontrol start

Hope the above helps you too.

Thanx again man.

2 Likes
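The failure reported at the top of this thread, and the fix that resolved it, reproduced as an added example (not code from any poster or from Zimbra). It builds a throwaway root, intermediate and leaf with the openssl command line, all constructed demo values, and shows that a chain file holding only the intermediate yields "error 2 at 1 depth lookup" until the self-signed root is appended. The helper names `build_demo_pki` and `chain_status` are hypothetical.

```shell
#!/bin/sh
# Added example: throwaway demo CA hierarchy (constructed; not real Let's Encrypt
# or IdenTrust certificates). Requires the openssl command-line tool.
set -eu

# Create root -> intermediate -> leaf in directory $1. All names are demo values.
build_demo_pki() {
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -config "$d/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Demo Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate" -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.cnf" -extensions v3_ca -days 2 \
    -out "$d/inter.pem" 2>/dev/null
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=mail.example.test" -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -out "$d/cert.pem" 2>/dev/null
}

# Classify the result of verifying leaf $2 against the CA bundle $1.
chain_status() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
  case "$out" in
    *"error 2 at 1 depth lookup"*) echo missing-issuer ;;  # bundle stops short of a root
    *"error "*) echo other-error ;;
    *": OK"*) echo ok ;;
    *) echo unknown ;;
  esac
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
build_demo_pki "$DEMO_DIR"
cp "$DEMO_DIR/inter.pem" "$DEMO_DIR/chain.pem"        # intermediate only
echo "intermediate only:   $(chain_status "$DEMO_DIR/chain.pem" "$DEMO_DIR/cert.pem")"
cat "$DEMO_DIR/root.pem" >> "$DEMO_DIR/chain.pem"     # append the self-signed root
echo "intermediate + root: $(chain_status "$DEMO_DIR/chain.pem" "$DEMO_DIR/cert.pem")"
```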

Hi rg305,

Thank you so much for finding the root chain. Where did you find it and how?

I used the command jmorahan had mentioned in his link. Was super useful. But I would like to know how you found the root chain.

Please do let me know.

And thank you again for your help.

Thank you,

Best regards,

When you open a .cer, or .crt, file with Windows it will show the cert with much detail:

Using that "tool", you can see the "certificate path" (chain):

Select the root cert and choose "view Certificate":


From that cert you can save it as a ".pem" file:
Choose the "Details" tab and click "Copy to File...":

A "Certificate Export Wizard" will start:

Choose "Next", then "Base-64 encoded X.509 (.CER)":

Then just enter a file location and name to save the file.

Understand that ".CER" and ".PEM" are interchangeable and you have your root cert file in .PEM format.

1 Like

Hi rg305 thank you for the instruction and guidance. Let me try this and get back to you :slight_smile:

I don’t know how you did it (I mean I do, I ran your script manually) but you’ve successfully ended my 2 days of trying to install the certificates in Zimbra. I made an account just to thank you!

2 Likes
