Unable to validate certificate chain with Zimbra

acsfer · March 3, 2022, 8:26pm

Hi,

I'm installing Zimbra, and using acme.sh to deploy my cert:

acme.sh --install-cert -d example.com \
--cert-file     /opt/zimbra/ssl/letsencrypt/cert.pem  \
--key-file       /opt/zimbra/ssl/letsencrypt/privkey.pem  \
--fullchain-file /opt/zimbra/ssl/letsencrypt/chain.pem

So far, so good.

Zimbra explains here how to deploy the LE cert, but it fails the validation:

# su - zimbra -c '/opt/zimbra/bin/zmcertmgr verifycrt comm \
/opt/zimbra/ssl/letsencrypt/privkey.pem \
/opt/zimbra/ssl/letsencrypt/cert.pem \
/opt/zimbra/ssl/letsencrypt/chain.pem'

** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/privkey.pem'
Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/letsencrypt/privkey.pem' match.

** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/chain.pem'
ERROR: Unable to validate certificate chain: C = US, O = Internet Security Research Group, CN = ISRG Root X1

error 2 at 2 depth lookup: unable to get issuer certificate
error /opt/zimbra/ssl/letsencrypt/cert.pem: verification failed

What am I doing wrong here?

Thanks.

9peppe · March 3, 2022, 8:31pm

You don't use fullchain if you use cert as well.

Either fullchain alone, or cert and chain. See the acme.sh options on this, there is one.

acsfer · March 3, 2022, 10:39pm

Cert needs to be issued with the --preferred-chain "ISRG Root X1" option.

Topic		Replies	Views
Problem with Zimbra Help	3	878	January 9, 2022
Problem validation certificate in Zimbra Help	4	1069	March 6, 2022
Can't validate cert in Zimbra Help	4	1675	January 18, 2022
ERROR: Unable to validate certificate chain Help	20	13225	December 16, 2021
Problem validating cert on Zimbra Aide (en français)	11	1377	October 29, 2023

Unable to validate certificate chain with Zimbra

Related topics