Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command:
I was able to renew my certificate correctly using this:
certbot renew --force-renewal --preferred-chain "ISRG Root X2" --key-type rsa
My web server is (include version):
My Zimbra and CentOS installations are old
The operating system my web server runs on is (include version): CentOS Linux release 7.9.2009 (Core)
I can login to a root shell on my machine (yes or no, or I don't know): yes
So, I have been following this guide for ages and it has always worked.
Basically I download ISRG-X1 and then concatenate with chain.pem, then deploy, that always worked, but now:
** Verifying '/etc/letsencrypt/live/mail.petrotechgroup.com/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/etc/letsencrypt/live/mail.petrotechgroup.com/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/etc/letsencrypt/live/mail.petrotechgroup.com/cert.pem' against '/etc/letsencrypt/live/mail.petrotechgroup.com/chainZimbra.pem'
ERROR: Unable to validate certificate chain: /etc/letsencrypt/live/mail.petrotechgroup.com/cert.pem: C = US, O = Let's Encrypt, CN = R11
error 2 at 1 depth lookup:unable to get issuer certificate
That's a really weird combination, that I don't think can work.
That sounds like a weird, broken guide.
What exactly are you trying to accomplish?
If you're using an RSA key, just not specifying a preferred chain will give you a normal RSA chain, where cert.pem and chain.pem together give the fullchain.pem, and server software will either want the cert.pem and chain.pem separately in two places, or the fullchain.pem in one place.
** Verifying '/etc/letsencrypt/live/mail.petrotechgroup.com/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/etc/letsencrypt/live/mail.petrotechgroup.com/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/etc/letsencrypt/live/mail.petrotechgroup.com/cert.pem' against '/etc/letsencrypt/live/mail.petrotechgroup.com/chainZimbra.pem'
ERROR: Unable to validate certificate chain: /etc/letsencrypt/live/mail.petrotechgroup.com/cert.pem: C = US, O = Let's Encrypt, CN = R10
error 2 at 1 depth lookup:unable to get issuer certificate
You could look at the chain.pem file returned by Certbot (or fullchain.pem). Copy/paste each cert into an SSL Cert Decoder (search online for these). Can also use openssl to decode.
Your current leaf cert was issued by R10 which is an RSA intermediate. That seems right as doesn't Zimbra require RSA?
In any case, there is no alternate chain for RSA leaf. Perhaps Certbot should issue a warning when it cannot match a chain offered by Let's Encrypt to what you requested. You could post a feature request on the Certbot GitHub.
You should also learn about the recent change to the intermediates. This is an excellent reference
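The openssl decoding suggested in the last reply can be scripted. The following is an added example, not code from the thread, Zimbra or Certbot: it prints the subject and issuer of each certificate in a chain file and reports where the issuer-to-subject linkage breaks. The function names are hypothetical, and it assumes the bundle is ordered with the intermediate(s) first and the self-signed root last.

```shell
#!/bin/sh
# Added example (hypothetical helper names; not Zimbra or Certbot code).
# Assumes the bundle is ordered: intermediate(s) first, self-signed root last.

# split_bundle BUNDLE DIR: write each cert to DIR/cert-N.pem, print how many.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }' "$1"
}

# cert_field FILE subject|issuer: print that distinguished name.
cert_field() {
    openssl x509 -in "$1" -noout -nameopt RFC2253 "-$2" | sed "s/^$2= *//"
}

# check_chain LEAF BUNDLE: return 0 if every issuer is found, 1 otherwise.
check_chain() {
    tmp=$(mktemp -d) || return 2
    count=$(split_bundle "$2" "$tmp")
    last=$(cert_field "$1" subject)
    want=$(cert_field "$1" issuer)
    printf 'leaf     subject=%s\n         issuer=%s\n' "$last" "$want"
    status=0
    i=1
    while [ "$i" -le "$count" ]; do
        last=$(cert_field "$tmp/cert-$i.pem" subject)
        printf 'chain[%d] subject=%s\n' "$i" "$last"
        if [ "$last" != "$want" ]; then
            echo "BREAK: expected a certificate with subject '$want' here"
            status=1
            break
        fi
        want=$(cert_field "$tmp/cert-$i.pem" issuer)
        printf '         issuer=%s\n' "$want"
        i=$((i + 1))
    done
    # The last certificate must be self-signed, or its issuer is missing
    # (what openssl reports as "unable to get issuer certificate").
    if [ "$status" -eq 0 ] && [ "$want" != "$last" ]; then
        echo "MISSING: no certificate with subject '$want' in the bundle"
        status=1
    fi
    rm -rf "$tmp"
    return "$status"
}
```

With the files named in the thread, the call would be `check_chain cert.pem chainZimbra.pem`, run from the live directory. It compares names only and does not verify signatures.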