ERROR: Unable to validate certificate chain: cert.pem: C = US, O

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem

It produced this output: ERROR: Unable to validate certificate chain: cert.pem: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup:unable to get issuer certificate

My web server is (include version): Zimbra 8.8.15

The operating system my web server runs on is (include version):
Centos7
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.11.0

2

It looks like Zimbra has a custom step they’d like you to do:

https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate

The commands here about fetching the X1 root and appending it to the chain might be required. I’m not sure what they’re doing to require that though.

3

when I run the command
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt ,
suddenly the error
ERROR: cannot verify letsencrypt.org's certificate, issued by '/C=US /O=Let's Encrypt/CN=R3':
Issued certificate has expired.
To connect to letsencrypt.org insecurely, use `--no-check-certificate'. , what should I do?

4

Check the date/time on your server.

5

I have checked and everything is correct

[root@mail ~]# timedatectl status
Local time: Thu 2022-06-30 10:28:32 WIB
Universal time: Thu 2022-06-30 03:28:32 UTC
RTC time: Thu 2022-06-30 03:28:22
Time zone: Asia/Jakarta (WIB, +0700)
NTP enabled: n/a
NTP synchronized: no
RTC in local TZ: no
DST active: n/a

6

it worked, but still error like this

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/mail12.com/cert.pem /etc/letsencrypt/live/mail12.com/chain.pem

** Verifying '/etc/letsencrypt/live/mail12.com/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/etc/letsencrypt/live/mail12.com/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/etc/letsencrypt/live/mail12.com/cert.pem' against '/etc/letsencrypt/live/mail12.com/chain.pem'
ERROR: Unable to validate certificate chain: /etc/letsencrypt/live/mail12.com/cert.pem: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup:unable to get issuer certificate

8

Show:

trust dump --filter="pkcs11:id=%79%b4%59%e6%7b%b6%e5%e4%01%73%80%08%88%c8%1a%58%f6%e9%9b%6e;type=cert"

If nothing is shown, try:
update-ca-trust
[then do it again]

9

I suppose your wget is linked to an older version of OpenSSL, probably 1.0.2. You should try to upgrade your software so it uses OpenSSL 1.1.1.

10 
[root@mail ~]# trust dump --filter="pkcs11:id=%79%b4%59%e6%7b%b6%e5%e4%01%73%80%08%88%c8%1a%58%f6%e9%9b%6e;type=cert"
# pkcs11:id=%79%b4%59%e6%7b%b6%e5%e4%01%73%80%08%88%c8%1a%58%f6%e9%9b%6e;type=cert
[p11-kit-object-v1]
private: false
label: "ISRG Root X1"
issuer: "0O1%0b0%09%06%03U%04%06%13%02US1%290%27%06%03U%04%0a%13 Internet Security Research Group1%150%13%06%03U%04%03%13%0cISRG Root X1"
serial-number: "%02%11%00%82%10%cf%b0%d2%40%e3YDc%e0%bbc%82%8b%00"
trusted: true
certificate-category: authority
java-midp-security-domain: 0
url: ""
hash-of-subject-public-key: "%f8%16Q%3c%fd%1bD%9f.k%28%a1%97%22%1f%b8%1fQN%3c"
hash-of-issuer-public-key: ""
check-value: "%ca%bd%2a"
subject: "0O1%0b0%09%06%03U%04%06%13%02US1%290%27%06%03U%04%0a%13 Internet Security Research Group1%150%13%06%03U%04%03%13%0cISRG Root X1"
id: "y%b4Y%e6%7b%b6%e5%e4%01s%80%08%88%c8%1aX%f6%e9%9bn"
start-date: "20150604"
end-date: "20350604"
modifiable: false
nss-mozilla-ca-policy: true
x-distrusted: false
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
11

So, what should I do?

12

after update what should i do?

13

That is the correct certificate.
Please show:
yum list updates

15

[root@mail ~]# yum list updates
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink | 9.4 kB 00:00:00

  • base: mirror.idroot.cloud
  • epel: linux.domainesia.com
  • extras: mirror.idroot.cloud
  • updates: mirror.idroot.cloud
    base | 3.6 kB 00:00:00
    epel | 4.7 kB 00:00:00
    extras | 2.9 kB 00:00:00
    updates | 2.9 kB 00:00:00
    zimbra | 2.9 kB 00:00:00
    zimbra-8815-oss | 2.9 kB 00:00:00
    Updated Packages
    bash.x86_64 4.2.46-35.el7_9 updates
    bind-export-libs.x86_64 32:9.11.4-26.P2.el7_9.9 updates
    bind-libs.x86_64 32:9.11.4-26.P2.el7_9.9 updates
    bind-libs-lite.x86_64 32:9.11.4-26.P2.el7_9.9 updates
    bind-license.noarch 32:9.11.4-26.P2.el7_9.9 updates
    bind-utils.x86_64 32:9.11.4-26.P2.el7_9.9 updates
    binutils.x86_64 2.27-44.base.el7_9.1 updates
    cronie.x86_64 1.4.11-24.el7_9 updates
    cronie-anacron.x86_64 1.4.11-24.el7_9 updates
    cyrus-sasl-lib.x86_64 2.1.26-24.el7_9 updates
    device-mapper.x86_64 7:1.02.170-6.el7_9.5 updates
    device-mapper-event.x86_64 7:1.02.170-6.el7_9.5 updates
    device-mapper-event-libs.x86_64 7:1.02.170-6.el7_9.5 updates
    device-mapper-libs.x86_64 7:1.02.170-6.el7_9.5 updates
    dhclient.x86_64 12:4.2.5-83.el7.centos.1 updates
    dhcp-common.x86_64 12:4.2.5-83.el7.centos.1 updates
    dhcp-libs.x86_64 12:4.2.5-83.el7.centos.1 updates
    dmidecode.x86_64 1:3.2-5.el7_9.1 updates
    epel-release.noarch 7-14 epel
    expat.x86_64 2.1.0-14.el7_9 updates
    fail2ban.noarch 0.11.2-3.el7 epel
    fail2ban-firewalld.noarch 0.11.2-3.el7 epel
    fail2ban-sendmail.noarch 0.11.2-3.el7 epel
    fail2ban-server.noarch 0.11.2-3.el7 epel
    firewalld.noarch 0.6.3-13.el7_9 updates
    firewalld-filesystem.noarch 0.6.3-13.el7_9 updates
    glib2.x86_64 2.56.1-9.el7_9 updates
    glibc.x86_64 2.17-326.el7_9 updates
    glibc-common.x86_64 2.17-326.el7_9 updates
    glibc-devel.x86_64 2.17-326.el7_9 updates
    glibc-headers.x86_64 2.17-326.el7_9 updates
    grub2.x86_64 1:2.02-0.87.0.1.el7.centos.9 updates
    grub2-common.noarch 1:2.02-0.87.0.1.el7.centos.9 updates
    grub2-efi-x64.x86_64 1:2.02-0.87.0.1.el7.centos.9 updates
    grub2-pc.x86_64 1:2.02-0.87.0.1.el7.centos.9 updates
    grub2-pc-modules.noarch 1:2.02-0.87.0.1.el7.centos.9 updates
    grub2-tools.x86_64 1:2.02-0.87.0.1.el7.centos.9 updates
    grub2-tools-extra.x86_64 1:2.02-0.87.0.1.el7.centos.9 updates
    grub2-tools-minimal.x86_64 1:2.02-0.87.0.1.el7.centos.9 updates
    gzip.x86_64 1.5-11.el7_9 updates
    kbd.x86_64 1.15.5-16.el7_9 updates
    kbd-legacy.noarch 1.15.5-16.el7_9 updates
    kbd-misc.noarch 1.15.5-16.el7_9 updates
    kernel.x86_64 3.10.0-1160.66.1.el7 updates
    kernel-headers.x86_64 3.10.0-1160.66.1.el7 updates
    kernel-tools.x86_64 3.10.0-1160.66.1.el7 updates
    kernel-tools-libs.x86_64 3.10.0-1160.66.1.el7 updates
    kexec-tools.x86_64 2.0.15-51.el7_9.3 updates
    kpartx.x86_64 0.4.9-135.el7_9 updates
    krb5-devel.x86_64 1.15.1-51.el7_9 updates
    krb5-libs.x86_64 1.15.1-51.el7_9 updates
    libX11.x86_64 1.6.7-4.el7_9 updates
    libX11-common.noarch 1.6.7-4.el7_9 updates
    libkadm5.x86_64 1.15.1-51.el7_9 updates
    libpcap.x86_64 14:1.5.3-13.el7_9 updates
    libuv.x86_64 1:1.44.1-1.el7 epel
    libuv-devel.x86_64 1:1.44.1-1.el7 epel
    libxml2.x86_64 2.9.1-6.el7_9.6 updates
    lvm2.x86_64 7:2.02.187-6.el7_9.5 updates
    lvm2-libs.x86_64 7:2.02.187-6.el7_9.5 updates
    microcode_ctl.x86_64 2:2.1-73.13.el7_9 updates
    nspr.x86_64 4.32.0-1.el7_9 updates
    nss.x86_64 3.67.0-4.el7_9 updates
    nss-softokn.x86_64 3.67.0-3.el7_9 updates
    nss-softokn-freebl.x86_64 3.67.0-3.el7_9 updates
    nss-sysinit.x86_64 3.67.0-4.el7_9 updates
    nss-tools.x86_64 3.67.0-4.el7_9 updates
    nss-util.x86_64 3.67.0-1.el7_9 updates
    openldap.x86_64 2.4.44-25.el7_9 updates
    openssh.x86_64 7.4p1-22.el7_9 updates
    openssh-clients.x86_64 7.4p1-22.el7_9 updates
    openssh-server.x86_64 7.4p1-22.el7_9 updates
    openssl.x86_64 1:1.0.2k-25.el7_9 updates
    openssl-devel.x86_64 1:1.0.2k-25.el7_9 updates
    openssl-libs.x86_64 1:1.0.2k-25.el7_9 updates
    polkit.x86_64 0.112-26.el7_9.1 updates
    python-firewall.noarch 0.6.3-13.el7_9 updates
    python-perf.x86_64 3.10.0-1160.66.1.el7 updates
    python-virtualenv.noarch 15.1.0-6.el7_9 updates
    python2-distro.noarch 1.5.0-1.el7 epel
    rpm.x86_64 4.11.3-48.el7_9 updates
    rpm-build-libs.x86_64 4.11.3-48.el7_9 updates
    rpm-libs.x86_64 4.11.3-48.el7_9 updates
    rpm-python.x86_64 4.11.3-48.el7_9 updates
    rsyslog.x86_64 8.24.0-57.el7_9.3 updates
    screen.x86_64 4.1.0-0.27.20120314git3c2946.el7_9 updates
    sudo.x86_64 1.8.23-10.el7_9.2 updates
    systemd.x86_64 219-78.el7_9.5 updates
    systemd-libs.x86_64 219-78.el7_9.5 updates
    systemd-python.x86_64 219-78.el7_9.5 updates
    systemd-sysv.x86_64 219-78.el7_9.5 updates
    tzdata.noarch 2022a-1.el7 updates
    unzip.x86_64 6.0-24.el7_9 updates
    virt-what.x86_64 1.18-4.el7_9.1 updates
    wpa_supplicant.x86_64 1:2.6-12.el7_9.2 updates
    xz.x86_64 5.2.2-2.el7_9 updates
    xz-libs.x86_64 5.2.2-2.el7_9 updates
    zimbra-apache-components.x86_64 2.0.7-1zimbra8.8b1.el7 zimbra-8815-oss
    zimbra-apr-util-libs.x86_64 1.6.1-1zimbra8.7b2.el7 zimbra-8815-oss
    zimbra-chat.x86_64 3.0.2.1655178187-1.r7 zimbra-8815-oss
    zimbra-clamav.x86_64 0.103.3-1zimbra8.8b3.el7 zimbra-8815-oss
    zimbra-clamav-libs.x86_64 0.103.3-1zimbra8.8b3.el7 zimbra-8815-oss
    zimbra-common-core-jar.x86_64 8.8.15.1655458176-1.r7 zimbra-8815-oss
    zimbra-common-core-libs.x86_64 8.8.15.1654854265-1.r7 zimbra-8815-oss
    zimbra-common-mbox-conf-attrs.x86_64 8.8.15.1652767386-1.r7 zimbra-8815-oss
    zimbra-common-mbox-conf-msgs.x86_64 8.8.15.1652703447-1.r7 zimbra-8815-oss
    zimbra-core-components.x86_64 2.0.16-1zimbra8.8b1.el7 zimbra-8815-oss
    zimbra-curl.x86_64 7.49.1-1zimbra8.7b3.el7 zimbra-8815-oss
    zimbra-curl-libs.x86_64 7.49.1-1zimbra8.7b3.el7 zimbra-8815-oss
    zimbra-cyrus-sasl.x86_64 2.1.26-1zimbra8.7b3.el7 zimbra-8815-oss
    zimbra-cyrus-sasl-libs.x86_64 2.1.26-1zimbra8.7b3.el7 zimbra-8815-oss
    zimbra-dnscache-components.x86_64 1.0.3-1zimbra8.7b1.el7 zimbra-8815-oss
    zimbra-heimdal-libs.x86_64 1.5.3-1zimbra8.7b3.el7 zimbra-8815-oss
    zimbra-httpd.x86_64 2.4.53-1zimbra8.7b3.el7 zimbra-8815-oss
    zimbra-jetty-distribution.x86_64 9.4.46.v20220331-2.r7 zimbra-8815-oss
    zimbra-ldap-components.x86_64 1.0.16-1zimbra8.8b1.el7 zimbra-8815-oss
    zimbra-lmdb.x86_64 2.4.59-1zimbra8.8b5.el7 zimbra-8815-oss
    zimbra-lmdb-libs.x86_64 2.4.59-1zimbra8.8b5.el7 zimbra-8815-oss
    zimbra-mariadb.x86_64 10.1.25-1zimbra8.7b3.el7 zimbra-8815-oss
    zimbra-mariadb-libs.x86_64 10.1.25-1zimbra8.7b3.el7 zimbra-8815-oss
    zimbra-mbox-admin-console-war.x86_64 8.8.15.1653031987-1.r7 zimbra-8815-oss
    zimbra-mbox-store-libs.x86_64 8.8.15.1654854265-1.r7 zimbra-8815-oss
    zimbra-mbox-war.x86_64 8.8.15.1655458176-1.r7 zimbra-8815-oss
    zimbra-mbox-webclient-war.x86_64 8.8.15.1654769776-1.r7 zimbra-8815-oss
    zimbra-mta-components.x86_64 1.0.15-1zimbra8.8b1.el7 zimbra-8815-oss
    zimbra-mta-patch.x86_64 8.8.15.1655471268.p32-1.r7 zimbra-8815-oss
    zimbra-net-snmp.x86_64 5.8-1zimbra8.7b2.el7 zimbra-8815-oss
    zimbra-net-snmp-libs.x86_64 5.8-1zimbra8.7b2.el7 zimbra-8815-oss
    zimbra-nginx.x86_64 1.20.0-1zimbra8.8b3.el7 zimbra-8815-oss
    zimbra-opendkim.x86_64 2.10.3-1zimbra8.7b5.el7 zimbra-8815-oss
    zimbra-opendkim-libs.x86_64 2.10.3-1zimbra8.7b5.el7 zimbra-8815-oss
    zimbra-openjdk.x86_64 17.0.2-1zimbra8.8b1.el7 zimbra-8815-oss
    zimbra-openjdk-cacerts.x86_64 1.0.8-1zimbra8.7b1.el7 zimbra-8815-oss
    zimbra-openldap-client.x86_64 2.4.59-1zimbra8.8b5.el7 zimbra-8815-oss
    zimbra-openldap-libs.x86_64 2.4.59-1zimbra8.8b5.el7 zimbra-8815-oss
    zimbra-openldap-server.x86_64 2.4.59-1zimbra8.8b5.el7 zimbra-8815-oss
    zimbra-openssl.x86_64 1.1.1n-1zimbra8.7b4.el7 zimbra-8815-oss
    zimbra-openssl-libs.x86_64 1.1.1n-1zimbra8.7b4.el7 zimbra-8815-oss
    zimbra-patch.x86_64 8.8.15.1655471268.p32-1.r7 zimbra-8815-oss
    zimbra-perl.x86_64 1.0.5-1zimbra8.7b1.el7 zimbra-8815-oss
    zimbra-perl-crypt-openssl-random.x86_64 0.11-1zimbra8.7b3.el7 zimbra-8815-oss
    zimbra-perl-crypt-openssl-rsa.x86_64 0.31-1zimbra8.7b2.el7 zimbra-8815-oss
    zimbra-perl-dbd-mysql.x86_64 4.050-1zimbra8.7b4.el7 zimbra-8815-oss
    zimbra-perl-innotop.x86_64 1.9.1-1zimbra8.7b3.el7 zimbra-8815-oss
    zimbra-perl-io-socket-ssl.x86_64 2.068-1zimbra8.7b2.el7 zimbra-8815-oss
    zimbra-perl-libwww.x86_64 6.13-1zimbra8.7b3.el7 zimbra-8815-oss
    zimbra-perl-lwp-protocol-https.x86_64 6.06-1zimbra8.7b3.el7 zimbra-8815-oss
    zimbra-perl-mail-dkim.x86_64 0.40-1zimbra8.7b3.el7 zimbra-8815-oss
    zimbra-perl-mail-spamassassin.x86_64 3.4.6-1zimbra8.8b3.el7 zimbra-8815-oss
    zimbra-perl-net-http.x86_64 6.09-1zimbra8.7b3.el7 zimbra-8815-oss
    zimbra-perl-net-ssleay.x86_64 1.88-1zimbra8.7b2.el7 zimbra-8815-oss
    zimbra-perl-soap-lite.x86_64 1.19-1zimbra8.7b3.el7 zimbra-8815-oss
    zimbra-perl-xml-parser.x86_64 2.44-1zimbra8.7b3.el7 zimbra-8815-oss
    zimbra-perl-xml-sax-expat.x86_64 0.51-1zimbra8.7b3.el7 zimbra-8815-oss
    zimbra-perl-xml-simple.x86_64 2.25-1zimbra8.7b2.el7 zimbra-8815-oss
    zimbra-php.x86_64 7.4.27-1zimbra8.7b3.el7 zimbra-8815-oss
    zimbra-postfix.x86_64 3.6.1-1zimbra8.7b3.el7 zimbra-8815-oss
    zimbra-postfix-logwatch.x86_64 1.40.03-1zimbra8.7b1.el7 zimbra-8815-oss
    zimbra-proxy-components.x86_64 1.0.10-1zimbra8.8b1.el7 zimbra-8815-oss
    zimbra-proxy-patch.x86_64 8.8.15.1655471268.p32-1.r7 zimbra-8815-oss
    zimbra-snmp-components.x86_64 1.0.3-1zimbra8.7b1.el7 zimbra-8815-oss
    zimbra-spamassassin-rules.x86_64 1.0.0-1zimbra8.8b5.el7 zimbra-8815-oss
    zimbra-spell-components.x86_64 2.0.8-1zimbra8.8b1.el7 zimbra-8815-oss
    zimbra-store-components.x86_64 1.0.3-1zimbra8.7b1.el7 zimbra-8815-oss
    zimbra-timezone-data.x86_64 2.0.1.1646993388-1.r7 zimbra-8815-oss
    zimbra-unbound.x86_64 1.11.0-1zimbra8.7b3.el7 zimbra-8815-oss
    zimbra-unbound-libs.x86_64 1.11.0-1zimbra8.7b3.el7 zimbra-8815-oss
    zlib.x86_64 1.2.7-20.el7_9 updates
    zlib-devel.x86_64 1.2.7-20.el7_9 updates

is there something wrong?

16

Hm, it seems CentOS 7 is in "Maintenance Updates2" only, which probably means there won't be an (official) OpenSSL 1.1.1. for it. There are alternatives for using OpenSSL 1.0.2 and servers serving the Let's Encrypt "long chain" here: Old Let's Encrypt Root Certificate Expiration and OpenSSL 1.0.2 - OpenSSL Blog

Looks like there are many packages to be updated. It's adviced to update regularly to get the latest security updates.

17

Updating [all of] Zimbra might overcome that problem.

18

does that mean I have to upgrade my zimbra version? to what version?

19

Slight understatement (if that's possible)...
I counted 169 packages!
Has this system ever been updated?

20

is it safe to update? the data?

21

Those are questions better asked on their support channel(s).

22

means there is no other way but to update the zimbra system?