Fullchain does not match cert and chain

vicedp · January 15, 2020, 8:51am

My domain is: mail.bankvictoriasyariah.co.id

I ran this command: certbot certificates

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/mail.bankvictoriasyariah.co.id.conf produced an unexpected error: fullchain does not match cert + chain for mail.bankvictoriasyariah.co.id!. Skipping.

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/mail.bankvictoriasyariah.co.id.conf

My web server is (include version): nginx

The operating system my web server runs on is (include version): Ubuntu Xenial 16.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): via ssh

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Certbot 0.31

I already check the cert.pem, chain.pem & fullchain.pem through this directory
/etc/letsencrypt/live/mail.bankvictoriasyariah.co.id vs /opt/zimbra/ssl/letsencrypt and the result is match, like the first and the last words on the given ceritificate from each .pem and the file size also exact.

How do i solve this problem ?

rg305 · January 15, 2020, 11:45pm

Please show this file:

and also, the full output of:
ls -l /etc/letsencrypt/live/*

vicedp · January 16, 2020, 1:23am

Here the output

renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/mail.bankvictoriasyariah.co.id
cert = /etc/letsencrypt/live/mail.bankvictoriasyariah.co.id/cert.pem
privkey = /etc/letsencrypt/live/mail.bankvictoriasyariah.co.id/privkey.pem
chain = /etc/letsencrypt/live/mail.bankvictoriasyariah.co.id/chain.pem
fullchain = /etc/letsencrypt/live/mail.bankvictoriasyariah.co.id/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = webroot
installer = None
account = 306xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
pre_hook = /usr/local/sbin/certbot_zimbra.sh -p
renew_hook = /usr/local/sbin/certbot_zimbra.sh -r -d mail.bankvictoriasyariah.co.id
[[webroot_map]]
mail.bankvictoriasyariah.co.id = /opt/zimbra/data/nginx/html
#authenticator = nginx
#installer = nginx
#server = https://acme-v02.api.letsencrypt.org/directory

/etc/letsencrypt/live/mail.bankvictoriasyariah.co.id:
total 4
lrwxrwxrwx 1 root root 54 Dec 24 23:24 cert.pem -> …/…/archive/mail.bankvictoriasyariah.co.id/cert3.pem
lrwxrwxrwx 1 root root 55 Dec 24 23:24 chain.pem -> …/…/archive/mail.bankvictoriasyariah.co.id/chain3.pem
lrwxrwxrwx 1 root root 59 Dec 24 23:24 fullchain.pem -> …/…/archive/mail.bankvictoriasyariah.co.id/fullchain3.pem
lrwxrwxrwx 1 root root 57 Dec 24 23:24 privkey.pem -> …/…/archive/mail.bankvictoriasyariah.co.id/privkey3.pem
-rw-r–r-- 1 zimbra zimbra 692 Dec 18 13:47 README

root@root:/etc/nginx/sites-available# ls -l /opt/zimbra/ssl/letsencrypt/
total 20
-rw-r----- 1 zimbra zimbra 1948 Dec 24 23:54 cert.pem
-rw-r----- 1 zimbra zimbra 2847 Dec 24 23:54 chain.pem
-rw-r----- 1 zimbra zimbra 3595 Dec 24 23:54 fullchain.pem
-rw-r----- 1 zimbra zimbra 1704 Dec 24 23:54 privkey.pem
-rw-r----- 1 zimbra zimbra 692 Dec 24 23:54 README

rg305 · January 16, 2020, 2:46am

OK; So far, so good.
Please show output of:
ls -l /etc/letsencrypt/archive/*

vicedp · January 16, 2020, 2:47am

Here is the result

root@root:/etc/nginx/sites-available# ls -l /etc/letsencrypt/archive/*
total 48
-rw-r–r-- 1 zimbra zimbra 1952 Dec 18 13:47 cert1.pem
-rw-r–r-- 1 zimbra zimbra 1948 Dec 19 10:00 cert2.pem
-rw-r–r-- 1 root root 1948 Dec 24 23:24 cert3.pem
-rw-r–r-- 1 zimbra zimbra 1647 Dec 18 13:47 chain1.pem
-rw-r–r-- 1 zimbra zimbra 2847 Dec 24 16:20 chain2.pem
-rw-r–r-- 1 root root 2847 Dec 24 23:52 chain3.pem
-rw-r–r-- 1 zimbra zimbra 3599 Dec 18 13:47 fullchain1.pem
-rw-r–r-- 1 zimbra zimbra 3595 Dec 19 10:00 fullchain2.pem
-rw-r–r-- 1 root root 3595 Dec 24 23:24 fullchain3.pem
-rw------- 1 zimbra zimbra 1704 Dec 18 13:47 privkey1.pem
-rw------- 1 zimbra zimbra 1704 Dec 19 10:00 privkey2.pem
-rw------- 1 root zimbra 1704 Dec 24 23:24 privkey3.pem

rg305 · January 16, 2020, 3:00am

Rearranging those (to make some sense out of it)…

We can see that only the first set "balance" and agree on the same date/time stamp:

-rw-r–r-- 1 zimbra zimbra 1952 Dec 18 13:47 cert1.pem
-rw-r–r-- 1 zimbra zimbra 1647 Dec 18 13:47 chain1.pem
-rw-r–r-- 1 zimbra zimbra 3599 Dec 18 13:47 fullchain1.pem
[1952 + 1647 = 3599]
[all 3 show 13:47]

-rw-r–r-- 1 zimbra zimbra 1948 Dec 19 10:00 cert2.pem
-rw-r–r-- 1 zimbra zimbra 2847 Dec 24 16:20 chain2.pem
-rw-r–r-- 1 zimbra zimbra 3595 Dec 19 10:00 fullchain2.pem
[1948 + 2847 != 3595]
[only 2 show 10:00 - the other is 6 minutes and 20 seconds newer]

-rw-r–r-- 1 root root 1948 Dec 24 23:24 cert3.pem
-rw-r–r-- 1 root root 2847 Dec 24 23:52 chain3.pem
-rw-r–r-- 1 root root 3595 Dec 24 23:24 fullchain3.pem
[1948 + 2847 != 3595]
[only 2 show 23:24 - the other is 8 seconds newer]

I can only assume that your renewal script is modifying the original files [bad practice]:

Maybe we should have a look at:
/usr/local/sbin/certbot_zimbra.sh

vicedp · January 16, 2020, 3:30am

That is strange …

I’m sure the certificates from /opt/zimbra/ssl/letsencrypt/* is the same with the one in /etc/letsencrypt/live/mail.bankvictoriasyariah.co.id/*

the reason is the certificates in /opt/zimbra/ssl/letsencrypt/* is copied from /etc/letsencrypt/live/mail.bankvictoriasyariah.co.id/* at Dec 24th

I haven’t executed /usr/local/sbin/certbot_zimbra.sh ever, i’m still preparing and read closed article untill i know how to do it right.

Since there are the certificate with different time stamps, can i copy chain.pem from /opt/zimbra/ssl/letsencrypt/ to /etc/letsencrypt/live/mail.bankvictoriasyariah.co.id/ ?

I want to execute certbot_zimbra.sh sometime in this end of the weekend or next weekend, should i remove the exisiting certificates or just leave as it is ?

How do i upgrade existing certbot from 0.31 to the latest ?

rg305 · January 16, 2020, 3:48am

It is set to do that every time a renewal happens (automatically).

I can't be certain that will fix things - - but may be worth a try.
[first copy the original file to another name or location in case we need to put it back]
Perhaps looking at the script and or looking within the chainX.pem files may tell us what is going wrong.

vicedp · January 16, 2020, 4:58am

Even if i did not type certbot_zimbra.sh -n for the first run ? i only download it and do chmod directory

rg305 · January 16, 2020, 5:02am

YES.
These files are run automatically.

The first script is run every time (always before).
The second script is run only when a cert is renewed (conditionally after).

vicedp · January 16, 2020, 5:09am

Okay, thank you so much for the explanation.

I'm gonna read carefully for closed topics.

system · February 15, 2020, 5:09am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
certbot.errors.Error: fullchain does not match cert + chain for mail.texrio.ru! Help	3	1553	March 22, 2020
Fullchain.pem (failure) Help	13	1932	March 30, 2023
Renew config file has incorrect 'fullchain_path' 'cert_path' and 'chain_path' Server	7	2542	February 25, 2017
Renewall Success but the expiry date still the same Help	45	2384	January 23, 2020
Fullchain.pem (failure) Help	7	9409	January 1, 2019

Fullchain does not match cert and chain

renew_before_expiry = 30 days

Options used in the renewal process

Related topics