Two Zimbra servers with different behavior

I have two Zimbra servers both with automated renewal scripts set up. They are identical in function but one works and one does not.

Server that works:
Ubuntu 18.04
Certbot 1.30.0

Server that doesn't:
CentOS 8
Certbot 1.9.0

I am unable to run any yum commands on the CentOS 8 box due to the discontinuation of support and the live repos, and I have not attempted to fix that yet. I don't know if this is a Certbot version issue or not, but here is what is happening:

I run the command: certbot renew --preferred-chain "ISRG Root X1"
on BOTH servers and it gets the renewal certs and places them in the /etc/live// directory.

On the one that is working, my chain.pem file contains only ONE cert (not sure which one, just that it has only one).

On the one that is not working, my chain.pem file contains TWO certs.

Part of deploying my certificate with Zimbra is concatenating the root certificate onto the end of the chain file and then running Zimbra's deploy command. If I do that as-is, the deploy fails, but if I delete the SECOND certificate in the chain file before adding the root certificate to it, then it will deploy successfully.

So the million dollar question is why does one server get only a single cert in chain.pem while the other gets two when running the same renewal command on BOTH?

Rich

Because Certbot v1.12 is required to support the preferred-chain option. You might try replacing the yum distro version with the Certbot snap. See certbot link here

Or, use the Certbot deploy-hook option to run your own script to remove the last intermediate.

Let me know how to collect my million dollars :slight_smile:

3 Likes
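The deploy-hook approach suggested in the reply above, sketched as an added example that is not part of the original thread: it keeps only the first certificate in chain.pem and appends the root, which is the manual fix described in the question. RENEWED_LINEAGE is set by Certbot for deploy hooks; ROOT_CA and OUT are hypothetical variable names chosen for this sketch, and Zimbra's own deploy command would run afterwards.

```shell
#!/bin/sh
# Added example (not from the thread). Intended use:
#   certbot renew --deploy-hook /path/to/this-script
# Certbot exports RENEWED_LINEAGE (the live directory of the renewed
# certificate) to deploy hooks. ROOT_CA and OUT are assumed names.

# count_certs FILE: print the number of PEM certificate blocks in FILE
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# first_cert FILE: print only the first PEM certificate block in FILE
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ }
         n == 1 { print }
         n == 1 && /-----END CERTIFICATE-----/ { exit }' "$1"
}

# build_zimbra_chain CHAIN ROOT OUT
# Writes the first intermediate from CHAIN followed by ROOT to OUT.
# Any further certificates in CHAIN (the second one in the thread) are dropped.
build_zimbra_chain() {
    chain=$1 root=$2 out=$3
    [ "$(count_certs "$chain")" -ge 1 ] || {
        echo "no certificate found in $chain" >&2; return 1; }
    [ "$(count_certs "$root")" -eq 1 ] || {
        echo "$root must contain exactly one certificate" >&2; return 1; }
    # Write to a temporary file first so a failure never leaves a partial chain.
    tmp=$(mktemp "$out.XXXXXX") || return 1
    { first_cert "$chain"; cat "$root"; } > "$tmp" && mv "$tmp" "$out"
}

# Act only when Certbot invokes the script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_zimbra_chain "$RENEWED_LINEAGE/chain.pem" \
        "${ROOT_CA:?set ROOT_CA to the root certificate file}" \
        "${OUT:?set OUT to the chain file Zimbra will deploy}"
fi
```

On a server where chain.pem already holds a single certificate, the result is the same file the manual concatenation would have produced, so the hook is safe to use on both machines.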

Since I posted this I updated the repos with the vaulted versions and ran yum upgrade to see what was going to get upgraded. It will upgrade certbot to 1.22.0 which should do the trick based on your answer!

I will start a gofundme for the million dollars.. I'm sure people will want to contribute to a great cause! :smile:

2 Likes
