Problem renewing certificate

Hello,

I had a problem this morning when trying to renew my certificate.

The error is:

** Verifying 'cert.pem' against 'chain.pem'
ERROR: Unable to validate certificate chain: cert.pem: CN = mail.ipsla.fr
error 20 at 0 depth lookup:unable to get local issuer certificate

Can someone help me?

Thanks and Regards
Olivier


When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for your answer,

Every 90 days I renew some certificates. This morning I had a problem when I tried to deploy the service:

zimbra@yozuri:~/ssl/letsencrypt$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'chain.pem'
ERROR: Unable to validate certificate chain: cert.pem: CN = mail.ipsla.fr
error 20 at 0 depth lookup:unable to get local issuer certificate

I am trying to renew the certificate for 4 domains:

letsencrypt certonly -d mail.ipsla.fr -d smtp.ipsla.fr -d webmail.ipsla.fr -d yozuri.ipslanetwork.net

But the most important one is mail.ipsla.fr

My server is running on:

zimbra@yozuri:~/ssl/letsencrypt$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.4 LTS
Release: 16.04
Codename: xenial

I think your system software is outdated and doesn't recognize either the current Let's Encrypt intermediate certificates or the root certificate. You should start by checking apt packages are all up to date.

You should check that the file chain.pem is recently updated and not something that's being reused as otherwise it could contain old intermediates.

Based on Installing a StartSSL SSL Certificate with zmcertmgr - Zimbra :: Tech Center it looks like Zimbra imports the certificate files into a Java keystore. See also Administration Console and CLI Certificate Tools - Zimbra :: Tech Center.

I believe letsencrypt was the old name for certbot and zmcertmgr is the tool used to help configure certs with Zimbra.

I would suggest contacting Zimbra support to get details on exactly what their product is trying to do.

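The chain.pem check suggested above, as an added example that is not part of the original thread and is not Zimbra's zmcertmgr code. OpenSSL reports error 20 at depth 0 when it finds no certificate in the supplied chain file that issued the leaf, so the script compares the leaf's issuer name hash with the subject name hash of every certificate in the chain file and prints each one's expiry date. The function names and the script file name are assumptions of this example.

```sh
#!/bin/sh
# Added example, not zmcertmgr code. Function names are this example's own.

# Write each certificate of PEM bundle $1 to its own file in directory $2.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%02d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# Exit 0 if a certificate in chain file $2 has the subject name that the
# leaf $1 names as its issuer, 1 if none does, 2 if the leaf is unreadable.
# Runs in a subshell so its variables and EXIT trap stay local.
issuer_in_chain() (
    cert=$1 chain=$2 found=1
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    want=$(openssl x509 -in "$cert" -noout -issuer_hash) || exit 2
    echo "leaf   $(openssl x509 -in "$cert" -noout -issuer)"
    split_bundle "$chain" "$tmp"
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || break    # chain file held no certificates
        echo "chain  $(openssl x509 -in "$f" -noout -subject -enddate | tr '\n' ' ')"
        if [ "$(openssl x509 -in "$f" -noout -subject_hash)" = "$want" ]; then
            found=0
        fi
    done
    [ "$found" -eq 0 ] || echo "no certificate in $chain matches the leaf's issuer"
    exit "$found"
)

# Usage (file name is hypothetical): sh check_chain.sh cert.pem chain.pem
if [ "$#" -eq 2 ]; then
    issuer_in_chain "$1" "$2"
fi
```

A name match does not prove the signature is valid; it only shows whether the chain file contains the intermediate the leaf expects, which is the condition behind error 20 at depth 0.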
