Unable to renew my LetsEncrypt Certificate for Zimbra

Hello,
I have zimbra & letsencrypt since more than 5 years and have never meet any problem but today, I'm unable to apply the new certificat to my Zimbra server.

I launch:
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem

And obtain:
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
ERROR: Unable to validate certificate chain: O = Digital Signature Trust Co., CN = DST Root CA X3
error 10 at 3 depth lookup: certificate has expired
error cert.pem: verification failed

I always followed the documentation of Zimbra which are the same than ubuntu, here (and also some script from mysel and found on internet - with the same result):
https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate

I read a lot of quantity of article, try some 10e of solution proposed but I think that my problem come from of the new letsencrypt architecture with the ISRG Root X1 for the chain. So my question and how generate that ? I couldn't find the option --preferred-chain on letsencrypt or certbot :unamused:

Could you please help me ?

HI @DWD and welcome to the LE community forum :slight_smile:

Which ACME client are you using?
What OS and version are you using?
What version of OpenSSL are you using?

Sorry that I don't have any answers for you (yet).

2 Likes

Hi @rg305 and thank you for your answer.
I use Ubuntu 18.04.6 LTS
I use OpenSSL 1.1.1 11 Sep 2018
And about LetsEncrypt, it's certbot 0.27.0

1 Like

Step #1: Update certbot
See: https://certbot.eff.org/
[which may allow you to use the --preferred-chain parameter]

1 Like

Hello @rg305 and thank new about this new answer.
I'm successfully upgrade certbot to the last version (1.21).
I restart my setup with generate new certificate:

certbot --force-renewal --preferred-chain "ISRG Root X1" -d mx.domain.eu

But after when I try to setup this, I obtain the following ERROR:

zimbra@mx:~/ssl/letsencrypt$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
ERROR: Unable to validate certificate chain: C = US, O = Let's Encrypt, CN = R3
error 2 at 1 depth lookup: unable to get issuer certificate
error cert.pem: verification failed

I continue to search but if somebody have an idea, it's welcome

Thanks. Regards

2 Likes

I'm unable to reach your site to verify the chain file.
Please show the chain.pem file.
and the output of this folder:
ls -ltr ~/ssl/letsencrypt

1 Like

Sure, this is my chain.pem file:

-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----

It has been generated successfully with command:

certbot --force-renewal --preferred-chain "ISRG Root X1" -d mx.inkmail.eu

And the content of my ssl/letsencrypt folder on Zimbra

zimbra@mx:~/ssl/letsencrypt$ ls -ltr ~/ssl/letsencrypt
total 20
drwxr-xr-x 2 zimbra zimbra 4096 Dec 16  2019 old
-rw-r----- 1 zimbra zimbra 1704 Nov 23 09:56 privkey.pem
-rw-r----- 1 zimbra zimbra 3664 Nov 23 09:56 fullchain.pem
-rw-r----- 1 zimbra zimbra 1838 Nov 23 09:56 cert.pem
-rw-r----- 1 zimbra zimbra 3026 Nov 23 09:56 chain.pem
1 Like

Your chain shown is:


Which is incorrect/incomplete.
It is missing the connection between "R3" and "DST Root CA X3".
[where is the "ISRG Root X1" cert?]

Please show:
cat ~/ssl/letsencrypt/chain.pem

1 Like

It's always my chain file. The first part is the chain.pem generated with my command and the second the zimbra commercial chain which I should to add (it's maybe this is who is expired)

1 Like

Ok I understood, it's the second part of my chain who is expired
So I re-read the Zimbra documentation about letsencrypt and replace this second part of the chain (than I recopy each 3 month from Zimbra installation's) by : https://letsencrypt.org/certs/isrgrootx1.pem.txt

Now it seems to be OK. A big thanks to you for your help, I love you :sweat_smile:

2 Likes