ERROR: Unable to validate certificate chain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ""

I ran this command:
"/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/[redacted]/cert.pem /etc/letsencrypt/live/[redacted]/chain.pem"

It produced this output:
"** Verifying '/etc/letsencrypt/live/[redacted]/cert.pem' against '/etc/letsencrypt/live/[redacted]/chain.pem'
ERROR: Unable to validate certificate chain: /etc/letsencrypt/live/[redacted]/cert.pem: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup:unable to get issuer certificate"

My web server is (include version): Zimbra

The operating system my web server runs on is (include version): CentOS7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):


The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.11.0

I don't think many people here are familiar with zmcertmgr or have zimbra installations they can test against. You can search the forums for other threads, and may find an answer there.

There have recently been a few issues with people confused by openssl commands when trying to verify certificates. That is probably what you are experiencing, though it could also be from outdated software on your machine that can not build a proper trust chain.

see Openssl verification fails for Letsencrypt issued certificate


Hi @flowbird and welcome to the LE community forum :slight_smile:


verifies OK, you also have to deploy the cert.
Installing a LetsEncrypt SSL Certificate - Zimbra :: Tech Center


Thank you @rg305. I have this link and waiting for next week as during troubleshooting I hit the rate limit. My concern is if it will really resolve the error mentioned above "DST Root CA X3" expired.
The following might be a solution as well:


Paid certs deploy automatically..........

Not according to the Zimbra docs when also using the CLI: Installing a Comodo SSL Certificate on Zimbra Collaboration - Zimbra :: Tech Center (picked a random commercial CA from the how-tos). Care to elaborate?

Note that those commercial CA certificates require manual intervention while Let's Encrypt certificates should ideally be automated at all costs.


I use Zimbra with LE and have never paid for those scripted deployments.


@rg305 I wasnt refering to Zimbra specifically. I was thinking about paid certs / CAs ( like VeriSign ) ...........

Then that is out of context for this topic.
[and you should probably just delete your post - it adds nothing here]

Even a Verisign cert needs to the verified and deployed within a Zimbra system.
I think what you may mean is that "(paid) managed systems" are "automatically updated" (by someone else). Which also adds nothing to this topic other than to say that this problem can go away by using a managed system (pass the problem to a paid company); As that is a known solution to any/all problems - pay someone else to deal with it is a very /.well-known/ solution - LOL


That is an absolutely false statement for the large majority of commercial CA history. Traditional, commercial CAs require the manual submission of a certificate signing request (CSR) to the CA via a web form (or sometimes email). The resulting certificate can then either be downloaded from the CA or be emailed to the customer.


Ok. Suggestion to blacklist X3 CA certificate did not work for me
( RHEL/CentOS 7 Fix for Let’s Encrypt Change | by Dorai Ashok S A | Sep, 2021 | Dev Genius )

Also, apparently there some trouble update openssl 1.0.2k-fips on CentOS7, which is obsolete. Adding TLS 1.3 to Zimbra breakes its proxy service. Looks like problems are adding up.

1 Like

Please show this (public) file:

And what shows:
yum install ca-certificates


@rg305 Files inside /etc/ are internet-accessible? :man_facepalming:

Since when would files in /etc be internet accessible by default? @rg305 is asking to see a full certificate chain file inside the certbot data folder (/etc/letsencrypt).


Please stop the trolling.
It's the public part of the cert - that the web server serves publicly.


yum install ca-certificates
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
epel/x86_64/metalink | 39 kB 00:00:00

  • base:
  • centos-sclo-rh:
  • centos-sclo-sclo:
  • epel:
  • extras:
  • updates:
    base | 3.6 kB 00:00:00
    centos-sclo-rh | 3.0 kB 00:00:00
    centos-sclo-sclo | 3.0 kB 00:00:00
    epel | 4.7 kB 00:00:00
    extras | 2.9 kB 00:00:00
    updates | 2.9 kB 00:00:00
    vmware-tools | 951 B 00:00:00
    zimbra | 2.9 kB 00:00:00
    zimbra-8811-oss | 2.9 kB 00:00:00
    (1/2): epel/x86_64/updateinfo | 1.0 MB 00:00:00
    (2/2): epel/x86_64/primary_db | 7.0 MB 00:00:01
    Package ca-certificates-2021.2.50-72.el7_9.noarch already installed and latest version
    Nothing to do

Thank you RG305 !!


Try removing the last cert from the fullchain.pem file.
It is only there to help older systems that don't have the "ISRG Root X1" cert in their trusted root store.


It probably is.
Make sure you are running zmcertmgr as the same user as before.
And let's start verifying by showing:
ls -l /etc/letsencrypt/live/[redacted]/


Dear RG305.

Thank you for all your help. Problem solved. Basically, all steps described here

The exact step, which resolved was

wget -O /tmp/ISRG-X1.pem
cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/