Renew SSL certificate for Zimbra

I ran all these commands to renew the Zimbra SSL certificate:

su - zimbra -c "zmcontrol stop"

/root/letsencrypt/letsencrypt-auto certonly --standalone --renew-by-default -d mydomain

cp /etc/letsencrypt/live/webmail.cho.com.tn/privkey.pem /opt/zimbra/ssl/letsencrypt/

cp /etc/letsencrypt/live/webmail.cho.com.tn/cert.pem /opt/zimbra/ssl/letsencrypt/

cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*

su - zimbra -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"

su - zimbra -c "zmcontrol start"

When I run su - zimbra -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem",
this error appears:

** Verifying 'combined.pem' against 'cert.pem'
unable to load Private Key
139875742791344:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: ANY PRIVATE KEY
ERROR: Certificate 'combined.pem' and private key 'cert.pem' do not match.

Where does "combined.pem" come from? It's probably built/hardcoded with the previously used intermediate cert, which isn't used any longer.

Unfortunately, the Zimbra devs don't have a very good grasp on the workings of the Public Key Infrastructure and have managed to have their things done quite incorrectly.

A partial solution to your problem: rebuild combined.pem with the correct intermediate (chain.pem or fullchain.pem from the letsencrypt directory, just like the cert.pem already used).

A full solution: contact the Zimbra developers and tell them they shouldn't hardcode the intermediate cert and that they shouldn't put the root certificate into the chain.

