Hi,
I am in totally the same situation as you with Zimbra.
I am a little bit lost with the cert I got from Let's Encrypt and the chain, what and how I should provide it.
I use a similar script for cert renewal to what you pasted. May I ask for help on how you could modify it to still provide a valid cert and chain for Zimbra? Thanks!
I could solve it.
So I needed to update the CA cert file, and since I have R10 and X1 in the chain I needed to download the X1 and add it to the end of the CA cert file. https://letsencrypt.org/certs/isrgrootx1.pem.txt
Before:
/opt/zimbra/common/bin/openssl verify -CAfile commercial_ca.crt commercial.crt
C = US, O = Let's Encrypt, CN = R10
error 2 at 1 depth lookup: unable to get issuer certificate
error commercial.crt: verification failed
After:
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
Valid certificate chain: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK
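An added stdlib-only check (not from this thread or from Zimbra) that catches the problem the `openssl verify` output above reported, before zmcertmgr is run: it walks the PEM blocks of a chain file like commercial_ca.crt, confirms each cert's issuer matches the next cert's subject, and confirms the last cert is self-signed, i.e. the root (ISRG Root X1) was actually appended. The sample chains are constructed stand-ins with only the fields the parser reads, not real certificates; names are compared as raw DER bytes, which is exact for the Let's Encrypt chain but stricter than RFC 5280 name matching.

```python
# Chain-file linter: every cert's issuer must equal the next cert's subject, and
# the last cert must be self-signed (a root such as ISRG Root X1); otherwise
# `openssl verify -CAfile` stops with "unable to get issuer certificate".
import base64, re

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def names(der):                                     # -> (issuer, subject) as DER bytes
    _, p, _ = _tlv(der, 0)                          # Certificate
    _, p, _ = _tlv(der, p)                          # tbsCertificate
    if der[p] == 0xA0:                              # optional [0] version
        _, _, p = _tlv(der, p)
    _, _, p = _tlv(der, p)                          # serialNumber
    _, _, p = _tlv(der, p)                          # signature AlgorithmIdentifier
    i0 = p; _, _, p = _tlv(der, p); issuer = der[i0:p]
    _, _, p = _tlv(der, p)                          # validity
    s0 = p; _, _, p = _tlv(der, p); subject = der[s0:p]
    return issuer, subject

PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def check_chain(pem_text):
    """Return a list of problems; an empty list means the chain links to a root."""
    certs = [names(base64.b64decode(m.group(1))) for m in PEM.finditer(pem_text)]
    if not certs:
        return ["no certificates found"]
    problems = [f"cert {i} issuer != cert {i + 1} subject"
                for i in range(len(certs) - 1) if certs[i][0] != certs[i + 1][1]]
    if certs[-1][0] != certs[-1][1]:
        problems.append("last cert is not self-signed: append the root (e.g. ISRG Root X1)")
    return problems

# --- constructed sample data (not real certificates): a minimal DER Certificate
# shell carrying only issuer/subject CN=<name>, just enough for names() to parse ---
def _der(tag, body):
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else b"\x82" + len(body).to_bytes(2, "big")) + body

def fake_cert(subject, issuer):
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer) + _der(0x30, b"") + name(subject))
    return _der(0x30, _der(0x30, tbs))

def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

BROKEN_CHAIN = to_pem(fake_cert("R10", "ISRG Root X1"))          # stops at the R10 intermediate
FIXED_CHAIN = BROKEN_CHAIN + to_pem(fake_cert("ISRG Root X1", "ISRG Root X1"))   # root appended
```

On a real file, `check_chain(open("commercial_ca.crt").read())` returns `[]` once X1 has been appended and the "last cert is not self-signed" message before that.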
For future reference, I just learned that Zimbra added support for ECDSA certs:
Support for ECDSA TLS (elliptic curve cryptography ECC) certificates has been added to Zimbra zmcertmgr from Zimbra versions 10.0.6, Joule-8.8.15-Patch-45, Kepler-9.0.0-Patch-38.
To recap on the chain: the default chain from Let's Encrypt for both RSA and ECDSA certs is to X1. This is its most widely trusted root. See here: https://letsencrypt.org/certificates/#chains