Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: "fresenius-kabi.cl"
I ran this command:
"/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/[redacted]/cert.pem /etc/letsencrypt/live/[redacted]/chain.pem"
It produced this output:
"** Verifying '/etc/letsencrypt/live/[redacted]/cert.pem' against '/etc/letsencrypt/live/[redacted]/chain.pem'
ERROR: Unable to validate certificate chain: /etc/letsencrypt/live/[redacted]/cert.pem: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup:unable to get issuer certificate"
My web server is (include version): Zimbra
The operating system my web server runs on is (include version): CentOS7
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I don't think many people here are familiar with zmcertmgr or have zimbra installations they can test against. You can search the forums for other threads, and may find an answer there.
There have recently been a few issues with people confused by openssl commands when trying to verify certificates. That is probably what you are experiencing, though it could also be from outdated software on your machine that can not build a proper trust chain.
Thank you @rg305. I have this link and am waiting for next week, as during troubleshooting I hit the rate limit. My concern is whether it will really resolve the error mentioned above, "DST Root CA X3" expired.
The following might be a solution as well:
Then that is out of context for this topic.
[and you should probably just delete your post - it adds nothing here]
Even a Verisign cert needs to be verified and deployed within a Zimbra system.
I think what you may mean is that "(paid) managed systems" are "automatically updated" (by someone else). Which also adds nothing to this topic other than to say that this problem can go away by using a managed system (pass the problem to a paid company); As that is a known solution to any/all problems - pay someone else to deal with it is a very /.well-known/ solution - LOL
That is an absolutely false statement for the large majority of commercial CA history. Traditional, commercial CAs require the manual submission of a certificate signing request (CSR) to the CA via a web form (or sometimes email). The resulting certificate can then either be downloaded from the CA or be emailed to the customer.
Also, apparently there is some trouble updating openssl 1.0.2k-fips on CentOS7, which is obsolete. Adding TLS 1.3 to Zimbra breaks its proxy service. Looks like problems are adding up.
Since when would files in /etc be internet accessible by default? @rg305 is asking to see a full certificate chain file inside the certbot data folder (/etc/letsencrypt).
Try removing the last cert from the fullchain.pem file.
It is only there to help older systems that don't have the "ISRG Root X1" cert in their trusted root store.
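As an added illustration of that advice (this is example code, not part of the thread and not a Zimbra or certbot tool): a small Python script that lists subject CN, issuer CN and whether each block in a fullchain.pem is self-signed, so you can confirm that the final block is a cross-signed "ISRG Root X1" (issuer differs from subject) rather than a real root, and then produce the bundle without it. The DER walker is a minimal one written for this example: it reads the two names and verifies nothing, so the trimmed file still has to pass zmcertmgr or openssl verify.

```python
import base64, re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def split_pem(bundle):
    """PEM certificate blocks in file order (leaf first for a certbot fullchain)."""
    return PEM_BLOCK.findall(bundle)

def pem_to_der(block):
    return base64.b64decode("".join(block.strip().splitlines()[1:-1]))

def tlv(buf, pos):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_names(der):
    """Return (subject, issuer) as raw DER Name encodings; reads names only, verifies nothing."""
    _, tbs_start, _ = tlv(der, 0)          # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, end = tlv(der, tbs_start)      # tbsCertificate ::= SEQUENCE { [0] version, serial, ... }
    fields = []
    while pos < end:
        tag, _, vend = tlv(der, pos)
        if tag != 0xA0:                    # drop the optional [0] version so indexes are stable
            fields.append(der[pos:vend])
        pos = vend
    return fields[4], fields[2]            # serial, sigAlg, issuer, validity, subject

def common_name(name_der):
    """CN attribute (OID 2.5.4.3) of a DER Name, or None; a byte-pattern heuristic, not a full parser."""
    i = name_der.find(b"\x06\x03\x55\x04\x03")
    if i < 0:
        return None
    _, vstart, vend = tlv(name_der, i + 5)  # the value TLV follows the 5-byte OID TLV
    return name_der[vstart:vend].decode("utf-8", "replace")

def describe_chain(bundle):
    """One (subject CN, issuer CN, self_signed) tuple per certificate, e.g. to spot a cross-signed root."""
    rows = []
    for block in split_pem(bundle):
        subject, issuer = cert_names(pem_to_der(block))
        rows.append((common_name(subject), common_name(issuer), subject == issuer))
    return rows

def drop_last_cert(bundle):
    """The thread's suggestion: the bundle without its final certificate block."""
    return "\n".join(split_pem(bundle)[:-1]) + "\n"
```

Write the trimmed output to a new file and point the zmcertmgr command from the first post at it rather than editing the files under /etc/letsencrypt/live in place, since certbot regenerates them at renewal.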
It probably is.
Make sure you are running zmcertmgr as the same user as before.
And let's start verifying by showing: ls -l /etc/letsencrypt/live/[redacted]/