Cannot Certificate Verify without X3 Root Certificate

Hirushan · October 18, 2018, 10:07am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: infinexweb.com

I ran this command: /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem

It produced this output: ** Verifying ‘cert.pem’ against ‘privkey.pem’
Certificate ‘cert.pem’ and private key ‘privkey.pem’ match.
** Verifying ‘cert.pem’ against ‘chain.pem’
ERROR: Unable to validate certificate chain: cert.pem: C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate

My web server is (include version): This is a Zimbra mail server 8.7

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): I have access to my Zimbra admin panel

rg305 · October 18, 2018, 11:01am

try:

su zimbra
cd /certs #location where pem files are located
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem
cp privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.pem
/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem

Hirushan · October 18, 2018, 11:44am

Hi rg305,

I was following the Lets Encrypt guide for SSL configuration for ZImbra. Link: https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate

The issue is i am unable to sing chain.pem with the X3 Root CA chain as the link to where the chain use to be is not available anymore. Check link below:

Link_1: https://www.identrust.com/certificates/trustid/root-download-x3.html
and
Link 2: https://webtest.identrust.com/certificates/trustid/root-download-x3.html

Where can I find the X3 root CA chain to sign the chain.pem?

Thank you,

Best regards,

rg305 · October 18, 2018, 11:51am

Please show me your cert.pem file.

Hirushan · October 18, 2018, 11:55am

Hi rg305,

Thank you so much for the quick reply. Please see the cert.pem below:

jmorahan · October 18, 2018, 11:58am

I posted some information on a previous thread about Zimbra:

although I didn't get any feedback from that person as to whether it worked for them... anyway you can find a command to download the Identrust root there, at least.

rg305 · October 18, 2018, 12:07pm

Here is the corresponding root:
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----

Hirushan · October 18, 2018, 2:16pm

Hi Jmorahan,

Thank you so much for the link and the help. You actually saved my life. The command you gave me worked and I was able to get the root chain as you had explained.

Now all is working fine and the ZImbra server is back to normal operation. And also I learned that after the initial lets encrypt installation, the LDAP service does not start, the following commends helped me. For you reference:

su - zimbra
zmlocalconfig -e ldap_master_url=ldaps://zimbrahostname:636
zmlocalconfig -e ldap_url=ldaps://zimbrahostname:636
zmlocalconfig -e ldap_starttls_supported=0
zmlocalconfig -e ldap_port=636
zmcontrol stop
zmcontrol start

Hope the above helps you too.

Thanx again man.

Hirushan · October 18, 2018, 2:19pm

Hi rg305,

Thank you so much for finding the root chain. Where did you find it and how?

I used the command jmorahan had mentioned in his link. Was super useful. But I would like to know who you found the root chain.

Please do let me know.

And thank you again for you help.

Thank you,

Best regards,

rg305 · October 18, 2018, 11:24pm

When you open a .cer, or .crt, file with Windows it will show the cert with much detail:

Using that "tool", you can see the "certificate path" (chain):

Select the root cert and choose "view Certificate":

From that cert you can save it as a ".pem" file:
Chose "Details" tab and click "Copy to File...":

A "Certificate Export Wizard" will start:

Chose "Next", then "Base-64 encoded X.509 (.CER)":

Then just enter a file location and name to save the file.

Understand that ".CER" and ".PEM" are interchangeable and you have your root cert file in .PEM format.

Hirushan · October 22, 2018, 6:20am

Hi rg305 thank you for the instruction and guidance. Let me try this and get back to you

andreiga · November 13, 2018, 10:27pm

I don’t know how you did it (I mean I do, I ran you script manually) but you’ve successfully ended my 2 days of trying to install the certificates in zimbra. I made an account just to thank you!

system · December 13, 2018, 10:27pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.