Unable to install/renew cert on zimbra

#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:correo.grupomk.com.ar

I ran this command:/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem

It produced this output:ERROR: Unable to validate certificate chain: cert.pem: C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate

My web server is (include version):ngnix (zimbra)

The operating system my web server runs on is (include version):ubuntu 16

I can login to a root shell on my machine (yes or no, or I don’t know):yes

#2

Hi @markab2015

I don’t know enough about Zimbra.

But your error says, that the intermediate certificate is missing.

Isn’t there a file named fullchain that combines cert.pem and chain.pem?

#3

Thanks for your answer
-rw-r–r-- 1 zimbra zimbra 1.9K Mar 17 13:08 cert.pem
-rw-r–r-- 1 zimbra zimbra 1.7K Mar 17 13:08 chain.pem
-rw-r–r-- 1 zimbra zimbra 3.5K Mar 17 13:08 fullchain.pem
-rw-r–r-- 1 zimbra zimbra 1.7K Mar 17 13:08 privkey.pem
all files are there. It seems there it a new chain I cannot install. Any idea?

#4

Please read the documentation.

https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate

Looks you have all you need. But not chain, instead fullchain.

#5

hi juerguen
Yes. I’m always follow that guide. The thing is now using the same instrucctinos, it fails.
Any idea?

#6

this is my fullchain.pem file
root@correo:/etc/letsencrypt/live/correo.grupomk.com.ar-0001# cat fullchain.pem
-----BEGIN CERTIFICATE-----
MIIFYzCCBEugAwIBAgISAyK4i4ajqCMo56dBdc/s8vaLMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTAzMTcxMjA2MjdaFw0x
OTA2MTUxMjA2MjdaMCAxHjAcBgNVBAMTFWNvcnJlby5ncnVwb21rLmNvbS5hcjCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALHK8vfUfP+aXJywN7j4JWfU
2rZJ2isesFX75RJuzPW2bxdtUXyBSlGWNkRLdz6pY//kRWvV467pH4i213qCLKfP
orcITmqTNChLYvLkLk2CDXzslBcVzeEbXLQVq95r/epMdM9tiXB5fOZhuTakcb2w
NZtb/oob87/tVS0zjEIiAE+j/U3mGjU0C7jrutKQU62SKOVKNb48W+TlY+y4IZwS
gl8IzGagZaaiN6fea3j/5dmMvnvPTZUj34orHbarSLWqyENp1xUQ0RL69+W3WVyT
Mw9Yt3cXnFC8gm5jG2dU5ak91Y4EKJbaB/edhU8XV9eXTv8o6g7eqLF4TydZIPkC
AwEAAaOCAmswggJnMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUHTqRaig+c/l3c6TW
TRdpDoWDkVUwHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYB
BQUHAQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2Vu
Y3J5cHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2Vu
Y3J5cHQub3JnLzAgBgNVHREEGTAXghVjb3JyZW8uZ3J1cG9tay5jb20uYXIwTAYD
VR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYa
aHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEFBgorBgEEAdZ5AgQCBIH2BIHz
APEAdwDiaUuuJujpQAnohhu2O4PUPuf+dIj7pI8okwGd3fHb/gAAAWmLwrYRAAAE
AwBIMEYCIQDsDU2JVz+bPrvsIF5rgSKjWzL33Ssh18xNhrxd2FzlNQIhAIEz1GFp
3yyT1vryrXSUn9vPPelhX+yJIndZAWbwBwhcAHYAY/Lbzeg7zCzPC3KEJ1drM6SN
YXePvXWmOLHHaFRL2I0AAAFpi8K2ZgAABAMARzBFAiEAv+ION+lmvaZ3MbXgdxOj
qot9dbWvh36Zob4qbbxf4QoCIEVSD/FrSGvbOyVDytzy7QquymwDCqDodT8O4zm6
iqDrMA0GCSqGSIb3DQEBCwUAA4IBAQBZcXSva9OxCCjOzIjgu47AFdv4u4PDmX6R
Vbszrp8Pxg1oQOuYWwyo90O6C24Mega9lAgEZNmmDKqyQ1QFVkrho4+WBFSp0mwi
PgeFvfvIc/kpZ2hI7VfhfGMqryUrKxOX3ZIku2jIWUZOgy48e6+DHpUCYRYFIp2S
4dKJZoi+BQX4y2oLfPjzjaBi6QAz+wjkM/nhZ+fS+vaCa0FSmrpFMfcFY0fd+gQX
DUrACm2G3lOfsbNzgwbsmR5biY6XqxBCvXQQu63WaoVwqPvhlMIY4O2BqOqj/mGh
Yb/8jYdLBPtlsQ0u915xc0EfmziKBW38tQxBNnYkgXrA0z7adJp5
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----

#7

Reading that

https://www.zimbra.com/docs/os/6.0.10/administration_guide/A_app-command-line.13.08.html

your command is wrong.

verifycrt <self comm> [priv_key] [certfile]

The command accepts only two parameters, not three. So cert.pem is checked -> only one certificate.

#8

Try:
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem fullchain.pem

#9

Hi!
Thath command works, but when I tried to install if fails
zimbra@correo:~/ssl/letsencrypt$ /opt/zimbra/bin/zmcertmgr deploycrt comm privkey.pem fullchain.pem
** Verifying ‘privkey.pem’ against ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’
unable to load certificate
140111281178264:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
ERROR: Certificate ‘privkey.pem’ and private key ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ do not match.
zimbra@correo:~/ssl/letsencrypt$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem fullchain.pem
** Verifying ‘cert.pem’ against ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’
Certificate ‘cert.pem’ and private key ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ match.
** Verifying ‘cert.pem’ against ‘fullchain.pem’
ERROR: Unable to validate certificate chain: cert.pem: C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate
zimbra@correo:~/ssl/letsencrypt$

#10

Try:
cp privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

and then deploycrt

#11

zimbra@correo:~/ssl/letsencrypt$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem fullchain.pem
** Verifying ‘cert.pem’ against ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’
Certificate ‘cert.pem’ and private key ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ match.
** Verifying ‘cert.pem’ against ‘fullchain.pem’
ERROR: Unable to validate certificate chain: cert.pem: C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate
zimbra@correo:~/ssl/letsencrypt$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
** Verifying ‘cert.pem’ against ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’
Certificate ‘cert.pem’ and private key ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ match.
** Verifying ‘cert.pem’ against ‘chain.pem’
ERROR: Unable to validate certificate chain: cert.pem: C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate

where are near!!

#12

That should be:
/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem LE.CA.pem

where LE.CA.pem =

-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/MSQwIgYDVQQK
ExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4X
DTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0NlowSjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxl
dCdzIEVuY3J5cHQxIzAhBgNVBAMTGkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4
S0EFq6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8SMx+yk13
EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0Z8h/pZq4UmEUEz9l6YKH
y9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWAa6xK8xuQSXgvopZPKiAlKQTGdMDQMc2P
MTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQAB
o4IBfTCCAXkwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEE
czBxMDIGCCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNvbTA7
BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9kc3Ryb290Y2F4My5w
N2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAwVAYDVR0gBE0wSzAIBgZngQwBAgEw
PwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcCARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNy
eXB0Lm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9P
VENBWDNDUkwuY3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJouM2VcGfl96S8
TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/wApIvJSwtmVi4MFU5aMqrSDE
6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwuX4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPM
TZ+sOPAveyxindmjkW8lGy+QsRlGPfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M
+X+Q7UNKEkROb3N6KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
#13

Your are m new idol!!!

Thanks
It works!!!

1 Like
#14

I’m glad you are happy :slight_smile:

You don’t have too but if you really want to make me happy, buy me a beer!

…but instead of an actual beer, take the money that you would spend on a real beer and donate to LE:
https://letsencrypt.org/donate/

closed #15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.