Error SSL active

ENGLISH
I have two errors when installing and validating my certificate; I detail the installation steps and I will put in bold the two errors that they give me. I hope you can guide me.
I am using Zextras Carbonio CE on Ubuntu

Installation:
sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot certonly --standalone
sudo certbot renew --dry-run

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mail.softnet.ec/fullchain.pem
Key is saved at: /etc/letsencrypt/live/mail.softnet.ec/privkey.pem
This certificate expires on 2022-06-26.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.


If you like Certbot, please consider supporting our work by:

Then I type this:

cp /etc/letsencrypt/live/mail.softnet.ec/privkey.pem /opt/zextras/ssl/carbonio/commercial/commercial.key

wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
"/tmp/ISRG-X1.pem: Permission denied"

cat /tmp/ISRG-X1.pem>> /etc/letsencrypt/live/mail.softnet.ec/fullchain.pem

cp /etc/letsencrypt/live/mail.softnet.ec/cert.pem /tmp
cp /etc/letsencrypt/live/mail.softnet.ec/fullchain.pem /tmp

chown zextras:zextras /opt/zextras/ssl/carbonio/commercial/commercial.key

su - zextras -cn 'zmcertmgr verifycrt comm /opt/zextras/ssl/carbonio/commercial/commercial.key /tmp/cert.pem /tmp/fullchain.pem'
"** Verifying '/tmp/cert.pem' against '/opt/zextras/ssl/carbonio/commercial/commercial.key'
Certificate '/tmp/cert.pem' and private key '/opt/zextras/ssl/carbonio/commercial/commercial.key' match.
** Verifying '/tmp/cert.pem' against '/tmp/fullchain.pem'
ERROR: Unable to validate certificate chain: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
error /tmp/cert.pem: verification failed"

1 Like

The /tmp/ directory is not accessible to your user.
Try saving to another directory.
Maybe:
/var/tmp/

2 Likes

You should also review:
Installing a LetsEncrypt SSL Certificate - Zimbra :: Tech Center

2 Likes

su - zextras -cn 'zmcertmgr verifycrt comm /opt/zextras/ssl/carbonio/commercial/commercial.key /tmp/cert.pem /tmp/fullchain.pem'
ERROR
zmcertmgr verifycrt comm /opt/zextras/ssl/carbonio/commercial/commercial.key /tmp/cert.pem /tmp/fullchain.pem: n: command not found

? ? ? ?

2 Likes

Is the error still persistent in /tmp/cert.pem even though I put /var in front of it and nothing?

zimbra@mail:~$ su - zextras -c 'zmcertmgr verifycrt comm /opt/zextras/ssl/carbonio/commercial/commercial.key /tmp/cert.pem /tmp/fullchain.pem'
Password:
** Verifying '/tmp/cert.pem' against '/opt/zextras/ssl/carbonio/commercial/commercial.key'
Certificate '/tmp/cert.pem' and private key '/opt/zextras/ssl/carbonio/commercial/commercial.key' match.
** Verifying '/tmp/cert.pem' against '/tmp/fullchain.pem'
ERROR: Unable to validate certificate chain: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
error /tmp/cert.pem: verification failed

1 Like

Can you tell us what OpenSSL version you're running and if you have these two certificates in your trust store?

2 Likes

OpenSSH_8.2p1 Ubuntu-4ubuntu0.4, OpenSSL 1.1.1f 31 Mar 2020
I honestly don't know where to see if those 2 certificates are; install it with the operating system at boot.

1 Like

You might be able to see them with

ls /etc/ssl/certs

A more detailed list would be produced with

for i in /etc/ssl/certs/*; do openssl x509 -subject -noout -in "$i"; done

4 Likes

Thanks friend, I learned something new; you know, I can't find these two certificates that you indicate. What function these certificates fulfill is something strange.

3 Likes

So if you look in /tmp is the ISRG-X1.pem actually there? Everything you are doing requires that file to exist.

Certificates (like your website certificate) have a certificate chain (a series of issuing certificates) and in this case ISRG Root X1 is the root certificate. Zimbra needs this certificate in your chain in order to build the entire chain and verify it. So that's what the ISRG Root X1 file is for.

3 Likes
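
The checks behind the replies above (confirm the root file was really downloaded, then make sure the chain handed to zmcertmgr ends with ISRG Root X1), as an added example that is not part of the original thread or of Carbonio's tooling. The function names are hypothetical; the bundle is built from certbot's chain.pem plus the downloaded root in a new file rather than by appending to live/fullchain.pem, and the last function assumes openssl is on the PATH.

```bash
# Added example: pre-flight checks for the CA chain passed to
# "zmcertmgr verifycrt". All function names are hypothetical.

# Print the number of PEM certificate blocks in a file (0 if missing/empty).
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# The downloaded root must exist and hold exactly one certificate.
# A failed "wget -O" (e.g. "Permission denied") leaves no usable file,
# and a later "cat root >> fullchain.pem" then appends nothing.
check_root_file() {
    n=$(count_pem_certs "$1")
    if [ "$n" -ne 1 ]; then
        echo "root file $1 holds $n certificates, expected 1" >&2
        return 1
    fi
}

# usage: build_ca_bundle <chain.pem> <root.pem> <out.pem>
# Writes intermediates followed by the root to a separate file, so the
# certbot-managed files under /etc/letsencrypt/live/ stay untouched.
build_ca_bundle() {
    check_root_file "$2" || return 1
    if [ "$(count_pem_certs "$1")" -lt 1 ]; then
        echo "no intermediate certificate found in $1" >&2
        return 1
    fi
    # The echo guards against a chain file without a trailing newline.
    { cat "$1"; echo; cat "$2"; } > "$3"
}

# usage: verify_leaf <cert.pem> <bundle.pem>
# Runs the chain check directly with openssl; on failure it reports the
# depth and subject where no issuer could be found.
verify_leaf() {
    openssl verify -CAfile "$2" "$1"
}
```

With certbot's file layout this would be called as `build_ca_bundle /etc/letsencrypt/live/mail.softnet.ec/chain.pem /var/tmp/ISRG-X1.pem /var/tmp/ca_bundle.pem`, and the resulting bundle is what goes in the third argument of `zmcertmgr verifycrt comm`.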
