Since this last month, can't install zimbra certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.petrotechgroup.com

I ran this command:
I was able to renew my certificate correctly using this:
certbot renew --force-renewal --preferred-chain "ISRG Root X2" --key-type rsa

It produced this output:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mail.petrotechgroup.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for files.petrotechgroup.com and 6 more domains
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
  /etc/letsencrypt/live/mail.petrotechgroup.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version):
My Zimbra and CentOS installations are old

The operating system my web server runs on is (include version): CentOS Linux release 7.9.2009 (Core)

I can login to a root shell on my machine (yes or no, or I don't know): yes

So, I have been following this guide for ages and it has always worked.
Basically I download ISRG-X1 and then concatenate it with chain.pem, then deploy; that always worked, but now:

** Verifying '/etc/letsencrypt/live/mail.petrotechgroup.com/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/etc/letsencrypt/live/mail.petrotechgroup.com/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/etc/letsencrypt/live/mail.petrotechgroup.com/cert.pem' against '/etc/letsencrypt/live/mail.petrotechgroup.com/chainZimbra.pem'
ERROR: Unable to validate certificate chain: /etc/letsencrypt/live/mail.petrotechgroup.com/cert.pem: C = US, O = Let's Encrypt, CN = R11
error 2 at 1 depth lookup:unable to get issuer certificate

chainZimbra.pem isn't a real file that certbot manages: just use chain.pem. You can't pin an intermediate and expect it to work.

4 Likes

This won't ever help you.

That's a really weird combination, that I don't think can work.

That sounds like a weird, broken guide.

What exactly are you trying to accomplish?

If you're using an RSA key, just not specifying a preferred chain will give you a normal RSA chain, where cert.pem and chain.pem together give the fullchain.pem, and server software will either want the cert.pem and chain.pem separately in two places, or the fullchain.pem in one place.

4 Likes

Sorry, typo on ISRG-X1.
I added the rsa part because I saw that in a workaround too. I just removed that and I'm following the guide as is.

This is what I'm doing now

#!/bin/bash
# copy the Let's Encrypt private key into Zimbra's commercial key slot
cp "/etc/letsencrypt/live/mail.petrotechgroup.com/privkey.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
# fetch the ISRG Root X2 root certificate
wget -O /tmp/ISRG-X2.pem https://letsencrypt.org/certs/isrg-root-x2.pem
# rebuild chainZimbra.pem as chain.pem with the X2 root appended
rm -f "/etc/letsencrypt/live/mail.petrotechgroup.com/chainZimbra.pem"
cp "/etc/letsencrypt/live/mail.petrotechgroup.com/chain.pem" "/etc/letsencrypt/live/mail.petrotechgroup.com/chainZimbra.pem"
cat /tmp/ISRG-X2.pem >> "/etc/letsencrypt/live/mail.petrotechgroup.com/chainZimbra.pem"
chown zimbra:zimbra /etc/letsencrypt -R
cd /tmp
# deploy the leaf certificate and the assembled chain to Zimbra
su zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm "/etc/letsencrypt/live/mail.petrotechgroup.com/cert.pem" "/etc/letsencrypt/live/mail.petrotechgroup.com/chainZimbra.pem"'

this is the output:

** Verifying '/etc/letsencrypt/live/mail.petrotechgroup.com/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/etc/letsencrypt/live/mail.petrotechgroup.com/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/etc/letsencrypt/live/mail.petrotechgroup.com/cert.pem' against '/etc/letsencrypt/live/mail.petrotechgroup.com/chainZimbra.pem'
ERROR: Unable to validate certificate chain: /etc/letsencrypt/live/mail.petrotechgroup.com/cert.pem: C = US, O = Let's Encrypt, CN = R10
error 2 at 1 depth lookup:unable to get issuer certificate

Are you sure that cert was issued by ISRG-X2 ?

2 Likes

Yes, totally

X2 only signs ECDSA certs: there is no chain from an RSA cert to X2.

3 Likes

And unless you specified it with the preferred-chain option, the chain file you got is for ISRG X1.

2 Likes

Please disregard the RSA stuff, I already removed that, but it's still not working.

What do you mean?

1 Like

Which cert are you using?

2 Likes

That was a reply to orangepizza about the RSA stuff

certbot certificates tells me
49727b4b05c7a05b7c2f387127e7e9b8dc6

I had force renewal on my script, I have since removed that

Just show the cert.pem file.

1 Like
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----

That chains to ISRG root X1 [NOT X2]:

1 Like

I'm so confused... my history shows me this:
certbot renew --force-renewal --preferred-chain "ISRG Root X2"

That doesn't mean that it was able to do that for you.

You could have typed:
certbot renew --force-renewal --preferred-chain "ISRG Root X9999"
And it would have still done its best to get you a cert.

3 Likes

how can I check that myself?

You could look at the chain.pem file returned by Certbot (or fullchain.pem). Copy/paste each cert into an SSL Cert Decoder (search online for these). You can also use openssl to decode.

Your current leaf cert was issued by R10, which is an RSA intermediate. That seems right, as doesn't Zimbra require RSA?

In any case, there is no alternate chain for RSA leaf. Perhaps Certbot should issue a warning when it cannot match a chain offered by Let's Encrypt to what you requested. You could post a feature request on the Certbot github.

You should also learn about the recent change to the intermediates. This is an excellent reference

3 Likes
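As an added example (not code from the thread, from Certbot or from Zimbra), the script below does the "check it yourself" step with openssl: it decodes every certificate in a PEM bundle to show the subject/issuer pairs, and it reproduces the "error 2 at 1 depth lookup: unable to get issuer certificate" failure on a constructed demo PKI, where root A plays the role of ISRG Root X1, root B plays ISRG Root X2, and the intermediate plays R10/R11. All names (Demo Root A, Demo Intermediate, mail.example.test, chaincheck.sh) are constructed, and the assumption that zmcertmgr's "Verifying cert against chain" step behaves like `openssl verify -CAfile <chain> <cert>` is mine.

```bash
#!/bin/bash
# Added example: inspect a PEM chain with openssl and reproduce the
# "unable to get issuer certificate" failure seen when an unrelated root
# is appended to chain.pem. Assumption: Zimbra's zmcertmgr check behaves
# like "openssl verify -CAfile <chain> <cert>".

# Print subject/issuer of every certificate in a PEM bundle, in file order.
# This is the "decode each cert" check done with openssl instead of a web decoder.
chain_summary() {
  local bundle="$1"
  openssl crl2pkcs7 -nocrl -certfile "$bundle" | openssl pkcs7 -print_certs -noout
}

# Verify a leaf using a bundle as the trust file (the cert-vs-chain check).
# Fails with "unable to get issuer certificate" at depth 1 when the bundle's
# intermediate is not signed by any self-signed root contained in it.
verify_against_bundle() {
  local leaf="$1" bundle="$2"
  openssl verify -CAfile "$bundle" "$leaf" >/dev/null 2>&1
}

# Verify with an explicit root and the intermediate chain marked untrusted.
verify_leaf() {
  local leaf="$1" chain="$2" root="$3"
  openssl verify -CAfile "$root" -untrusted "$chain" "$leaf" >/dev/null 2>&1
}

# Build a constructed demo PKI in $1: two unrelated self-signed roots (A, B),
# an intermediate issued by root A, and a leaf issued by that intermediate.
make_demo_pki() {
  local d="$1"
  mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$d/leaf.ext"
  for r in A B; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root$r.key" \
      -out "$d/root$r.csr" -subj "/CN=Demo Root $r" 2>/dev/null
    openssl x509 -req -in "$d/root$r.csr" -signkey "$d/root$r.key" -days 30 \
      -extfile "$d/ca.ext" -out "$d/root$r.pem" 2>/dev/null
  done
  # intermediate signed by root A (plays R10/R11 signed by ISRG Root X1)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" \
    -out "$d/int.csr" -subj "/CN=Demo Intermediate" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/rootA.pem" -CAkey "$d/rootA.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/chain.pem" 2>/dev/null
  # leaf signed by the intermediate (plays cert.pem)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/privkey.pem" \
    -out "$d/leaf.csr" -subj "/CN=mail.example.test" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/chain.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/cert.pem" 2>/dev/null
  # The two bundles a deploy script might assemble: chain + matching root (A),
  # and chain + unrelated root (B), the latter mirroring chain.pem + ISRG-X2.
  cat "$d/chain.pem" "$d/rootA.pem" > "$d/chainA.pem"
  cat "$d/chain.pem" "$d/rootB.pem" > "$d/chainB.pem"
}

# Usage: ./chaincheck.sh demo                 (build the demo PKI, run both checks)
#        ./chaincheck.sh cert.pem chain.pem   (inspect and verify real files)
case "${1:-}" in
  demo)
    d=$(mktemp -d)
    make_demo_pki "$d"
    echo "== chainA.pem (intermediate + its real root) =="; chain_summary "$d/chainA.pem"
    verify_against_bundle "$d/cert.pem" "$d/chainA.pem" && echo "verify: OK" || echo "verify: FAIL"
    echo "== chainB.pem (intermediate + unrelated root) =="; chain_summary "$d/chainB.pem"
    verify_against_bundle "$d/cert.pem" "$d/chainB.pem" && echo "verify: OK" || echo "verify: FAIL"
    ;;
  "") ;;   # no arguments: only define the functions
  *)
    chain_summary "$2"
    verify_against_bundle "$1" "$2" && echo "verify: OK" || echo "verify: FAIL"
    ;;
esac
```

Run with `demo` to see the two outcomes side by side, or point it at the real `cert.pem` and `chain.pem` from `/etc/letsencrypt/live/<domain>/`. On the real files, `chain_summary` shows that chain.pem ends at the intermediate (R10 or R11) and that its issuer is ISRG Root X1; that is why appending ISRG Root X2 can never complete the chain, while handing zmcertmgr chain.pem as-is (or chain.pem with ISRG Root X1 appended, if the guide insists on a root) verifies.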