Unable to validate certificate chain with Zimbra

Hi,

I'm installing Zimbra, and using acme.sh to deploy my cert:

acme.sh --install-cert -d example.com \
--cert-file     /opt/zimbra/ssl/letsencrypt/cert.pem  \
--key-file       /opt/zimbra/ssl/letsencrypt/privkey.pem  \
--fullchain-file /opt/zimbra/ssl/letsencrypt/chain.pem

So far, so good.

Zimbra explains here how to deploy the LE cert, but it fails the validation:

# su - zimbra -c '/opt/zimbra/bin/zmcertmgr verifycrt comm \
/opt/zimbra/ssl/letsencrypt/privkey.pem \
/opt/zimbra/ssl/letsencrypt/cert.pem \
/opt/zimbra/ssl/letsencrypt/chain.pem'

** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/privkey.pem'
Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/letsencrypt/privkey.pem' match.

** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/chain.pem'
ERROR: Unable to validate certificate chain: C = US, O = Internet Security Research Group, CN = ISRG Root X1

error 2 at 2 depth lookup: unable to get issuer certificate
error /opt/zimbra/ssl/letsencrypt/cert.pem: verification failed

What am I doing wrong here? :thinking:

Thanks.

1 Like

You don't use fullchain if you use cert as well.

Either fullchain alone, or cert and chain. See the acme.sh options on this, there is one.

1 Like

Cert needs to be issued with the --preferred-chain "ISRG Root X1" option.

4 Likes
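An added example, not part of the thread and not Zimbra's or acme.sh's code: it reproduces the "unable to get issuer certificate" failure with a throwaway, constructed PKI and names the issuer that the chain file lacks. It assumes the chain check behaves like `openssl verify -CAfile`; the certificate names (oldroot, newroot, inter, leaf) and the helper functions are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. Constructed demo PKI: oldroot -> newroot (cross-signed) -> inter -> leaf
set -eu

issue() {  # issue NAME SIGNER|self EXTENSIONS : writes NAME.key and NAME.pem in $PWD
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=Demo $1" 2>/dev/null
  printf '%s\n' "$3" > "$1.ext"
  if [ "$2" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 \
      -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
      -days 2 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  fi
}

build_demo() {  # build_demo DIR : one chain file without its top issuer, one with it
  ( cd "$1"
    issue oldroot self    'basicConstraints=critical,CA:TRUE'
    issue newroot oldroot 'basicConstraints=critical,CA:TRUE'
    issue inter   newroot 'basicConstraints=critical,CA:TRUE'
    issue leaf    inter   'basicConstraints=CA:FALSE'
    cat inter.pem newroot.pem             > chain-incomplete.pem
    cat inter.pem newroot.pem oldroot.pem > chain-complete.pem )
}

missing_issuers() {  # print every issuer DN in BUNDLE that is no certificate's subject
  certs=$(openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout)
  printf '%s\n' "$certs" | sed -n 's/^issuer=//p' | sort -u |
  while IFS= read -r dn; do
    printf '%s\n' "$certs" | grep -qxF "subject=$dn" || printf '%s\n' "$dn"
  done
}

# chain_ok BUNDLE LEAF : succeeds only if LEAF chains to a self-signed cert in BUNDLE
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

demo=$(mktemp -d)
build_demo "$demo"
for f in incomplete complete; do
  if chain_ok "$demo/chain-$f.pem" "$demo/leaf.pem"; then r=OK; else r=FAIL; fi
  echo "chain-$f.pem: verify $r; missing issuer(s): $(missing_issuers "$demo/chain-$f.pem")"
done
```

Running `missing_issuers` on a real chain file shows which issuer certificate the bundle does not contain before the file is handed to the verification step.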
