Since this last month, can't install zimbra certificate

Hi,
I am in totally the same situation as you with Zimbra.
I am a little bit lost about the cert I got from letsencrypt and the chain: what and how I should provide it.

I use a similar script for cert renewal to the one you pasted. May I ask for help on how you modified it to still provide a valid cert and chain for Zimbra? Thanks!

1 Like

I could solve it.
So I needed to update the CA cert file, and since I have R10 and X1 in the chain I needed to download the X1 and add it at the end of the CA cert file: https://letsencrypt.org/certs/isrgrootx1.pem.txt

Before:

/opt/zimbra/common/bin/openssl verify -CAfile commercial_ca.crt commercial.crt
C = US, O = Let's Encrypt, CN = R10
error 2 at 1 depth lookup: unable to get issuer certificate
error commercial.crt: verification failed

After:

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
Valid certificate chain: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK

1 Like
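The fix above (append ISRG Root X1 to commercial_ca.crt, then verify the chain) tends to live in a renewal script that runs every few months, so a naive `cat root.pem >> commercial_ca.crt` keeps growing the bundle. This added example is not from the poster or from Zimbra; it appends the root only if that exact certificate is not already in the bundle, and it assumes the Zimbra paths shown above and an isrgrootx1.pem already downloaded from letsencrypt.org.

```shell
#!/bin/sh
# Idempotently add ISRG Root X1 to Zimbra's CA bundle and re-verify the chain.
# Assumed paths (from the thread): /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
# and a downloaded isrgrootx1.pem; both are passed in as arguments.

# pem_blocks FILE: print one line per certificate in FILE, base64 body only,
# whitespace stripped, so two files holding the same cert compare equal.
pem_blocks() {
  awk '/-----BEGIN CERTIFICATE-----/ { b = ""; inb = 1; next }
       /-----END CERTIFICATE-----/   { print b; inb = 0; next }
       inb { gsub(/[[:space:]]/, ""); b = b $0 }' "$1"
}

# bundle_has_cert BUNDLE ROOT: exit 0 if the single cert in ROOT is in BUNDLE.
bundle_has_cert() {
  root=$(pem_blocks "$2")
  [ -n "$root" ] && pem_blocks "$1" | grep -qxF "$root"
}

# ensure_root_in_bundle BUNDLE ROOT: append ROOT once; prints "appended" or "present".
ensure_root_in_bundle() {
  if bundle_has_cert "$1" "$2"; then
    echo present
  else
    # Make sure the bundle ends with a newline before concatenating.
    [ -z "$(tail -c1 "$1")" ] || echo >> "$1"
    cat "$2" >> "$1"
    echo appended
  fi
}

# verify_chain LEAF BUNDLE: the same check zmcertmgr verifycrt performs, via openssl.
verify_chain() {
  openssl verify -CAfile "$2" "$1"
}

# Usage, assuming the paths from the thread:
#   ensure_root_in_bundle /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt isrgrootx1.pem
#   verify_chain /opt/zimbra/ssl/zimbra/commercial/commercial.crt \
#                /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
```

Running ensure_root_in_bundle a second time reports "present" and leaves the bundle unchanged, so the script is safe to run on every renewal.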

Yup, I had to change to X1 too; oddly enough it had been using X2 for a while.
Not sure why this happened but... whatever.

Thank you!

2 Likes

Yep.. I had to switch back to the X1 chain as well:

letsencrypt -n --standalone --preferred-chain "ISRG Root X1" certonly -d $domain

Here is the ISRG X1 root to add to chain.pem:

https://letsencrypt.org/certs/isrgrootx1.pem

1 Like

For future reference, I just learned that Zimbra added support for ECDSA certs:

Support for ECDSA TLS (elliptic curve cryptography ECC) certificates has been added to Zimbra zmcertmgr from Zimbra versions 10.0.6, Joule-8.8.15-Patch-45, Kepler-9.0.0-Patch-38.

From this Zimbra wiki article on installing Let's Encrypt certs:
https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate

To recap about the chain: the default chain from Let's Encrypt for both RSA and ECDSA certs ends at X1. This is its most widely trusted root. See here: https://letsencrypt.org/certificates/#chains

6 Likes
