Renew certificate ssl zimbra

I write all these commands to renew the Zimbra SSL certificate:

su - zimbra -c "zmcontrol stop"

/root/letsencrypt/letsencrypt-auto certonly --standalone --renew-by-default mydomain

cp /etc/letsencrypt/live/ /opt/zimbra/ssl/letsencrypt/

cp /etc/letsencrypt/live/ /opt/zimbra/ssl/letsencrypt/

cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*

su - zimbra -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"

su - zimbra -c "zmcontrol start"

When writing su - zimbra -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
this error appears:

** Verifying 'combined.pem' against 'cert.pem'
unable to load Private Key
139875742791344:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: ANY PRIVATE KEY
ERROR: Certificate 'combined.pem' and private key 'cert.pem' do not match.

Where does "combined.pem" come from? It's probably built/hardcoded with the previously used intermediate cert, which isn't used any longer.

Unfortunately, the Zimbra devs don't have a very good grasp on the workings of the Public Key Infrastructure and have managed to have their things done quite incorrectly.

A partial solution to your problem: rebuild combined.pem with the correct intermediate (chain.pem or fullchain.pem from the letsencrypt directory, just like the cert.pem already used).

A full solution: contact the Zimbra developers and tell them they shouldn't hardcode the intermediate cert and that they shouldn't put the root certificate into the chain.
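
A pre-deployment check for the two failure modes this thread touches, a key file that does not belong to the certificate (or is not a key at all) and a chain file carrying the wrong intermediate, as an added example that is not part of the original posts. It uses only standard openssl commands; the function names and the throwaway test PKI are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-deployment checks on a certificate, key and chain file.
# All file and function names here are illustrative; the PKI is constructed test data.

# Constructed root -> intermediate -> leaf PKI in directory $1, plus an unrelated cert.
make_test_pki() (
    cd "$1" || exit 1
    exec >/dev/null 2>&1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' >cfg
    req() { n=$1; shift; openssl req -config cfg -newkey rsa:2048 -nodes \
                -keyout "$n.key" -subj "/CN=constructed-$n" "$@"; }
    sign() { openssl x509 -req -days 2 -CAcreateserial "$@"; }
    req root -x509 -extensions ca -days 2 -out root.pem
    req int -out int.csr
    sign -in int.csr -CA root.pem -CAkey root.key -extfile cfg -extensions ca -out chain.pem
    req leaf -out leaf.csr
    sign -in leaf.csr -CA chain.pem -CAkey int.key -out cert.pem
    mv leaf.key privkey.pem
    req other -x509 -days 2 -out other.pem   # not part of the chain above
)

# 0 = key belongs to cert, 1 = different key, 2 = a file could not be parsed
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$c" = "$k" ]
}

# Does CERT ($3) verify to ROOT ($1) using the intermediates in CHAIN ($2)?
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# preflight CERT KEY CHAIN ROOT -> prints ok | unreadable | key-mismatch | chain-broken
preflight() {
    rc=0; key_matches_cert "$1" "$2" || rc=$?
    case $rc in
        2) echo unreadable; return 1 ;;
        1) echo key-mismatch; return 1 ;;
    esac
    chain_verifies "$4" "$3" "$1" || { echo chain-broken; return 1; }
    echo ok
}

demo_dir=$(mktemp -d) && trap 'rm -rf "$demo_dir"' EXIT
make_test_pki "$demo_dir"
preflight "$demo_dir/cert.pem" "$demo_dir/privkey.pem" "$demo_dir/chain.pem" "$demo_dir/root.pem"
```

The "unreadable" result corresponds to the "no start line ... Expecting: ANY PRIVATE KEY" error quoted above: the file handed to OpenSSL as a private key contains no PEM private key block.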

