Zimbra Certbot LetsEncrypt - certificate and private key do not match

My domain is: mail.avdenterprises.com

I ran this command:

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/letsencrypt/cert.pem

It produced this output:

** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
139684204856640:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:crypto/evp/p_lib.c:474:
ERROR: Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' do not match.

My web server is (include version): n/a

The operating system my web server runs on is (include version): Ubuntu Server 20.04

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.0.0

I found a site: Certificate Key Matcher - Check whether your private key matches your SSL certificate.

Even though that site will expose my private key (re-ran the certificate issuance later) that site indicates my certificate and private key match so I believe, possibly, the error from certbot is misleading and/or mistaken.

Thanks for your help.

Which error from Certbot exactly? I only see a Zimbra command, not Certbot.

Also, could you please elaborate on how /opt/zimbra/ssl/zimbra/commercial/commercial.key and /opt/zimbra/ssl/letsencrypt/cert.pem were generated to begin with?


Thanks for your reply Osiris. Here are the steps I took:

1.  sudo certbot certonly --preferred-chain "ISRG Root X1"

** change to root (use: su) **

2.  cp /etc/letsencrypt/live/mail.avdenterprises.com/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

3.  chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key

4.  wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt

5.  cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/mail.avdenterprises.com/chain.pem

6.  cp /etc/letsencrypt/live/mail.avdenterprises.com/* /opt/zimbra/ssl/letsencrypt/

7.  chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*

NOTE: Steps 6/7 are necessary for proper permissions; otherwise it fails saying unable to read

** exit to zimbraadmin **

8.  ls -al /opt/zimbra/ssl/letsencrypt/   NOTE: Verify permissions

9. sudo /opt/zimbra/libexec/zmfixperms

** change to zimbra mail (use: sudo su zimbra -) **

10. cd ~

11. /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/chain.pem

NOTE:  Currently step 11 fails saying they do NOT match

12. /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/chain.pem

13. zmcontrol restart

On the error, I may have misspoken; it is probably a Zimbra error, not a certbot error. Thanks.

Googling this led me to a thread mentioning ECDSA keys. If I look at your certificate history at crt.sh | mail.avdenterprises.com your most recent certificates indeed have an ECDSA key, which has become the default for Certbot 2.0.0. I'm pretty certain your current cert and private key are ECDSA too.

I guess Zimbra doesn't like ECDSA keys. Please open a bug report at Zimbra for this :slight_smile:

Also note that you've issued many identical certificates already, which would lead to hitting a rate limit soon. Please be more careful.
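As an added example (not part of this thread, and not zmcertmgr's or Certbot's own code), here is a POSIX shell check that decides whether a private key belongs to a certificate by comparing the certificate's SubjectPublicKeyInfo with the public key derived from the private key. That comparison works for RSA and ECDSA alike, whereas the `EVP_PKEY_get0_RSA:expecting an rsa key` error in the first post is what an RSA-only comparison (pulling the RSA modulus) produces when handed an EC key. It assumes `openssl` (1.1.1 or 3.x) is on PATH; the demo key and certificate it generates are constructed for the example, and the paths in the usage note are the ones from the thread.

```sh
#!/bin/sh
# Key-type-agnostic "does this key match this cert" check.
# Added example for this thread; not zmcertmgr and not Certbot code.
# Assumes: openssl on PATH. Paths are whatever the caller passes in.

# SHA-256 over the DER-encoded SubjectPublicKeyInfo read as PEM from stdin.
spki_digest() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Fingerprint of the public key embedded in a certificate.
cert_fingerprint() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | spki_digest
}

# Fingerprint of the public key derived from a private key (RSA, EC, Ed25519...).
key_fingerprint() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | spki_digest
}

# Returns 0 when the two fingerprints are present and equal, 1 otherwise.
keypair_matches() {
    c=$(cert_fingerprint "$1") || return 1
    k=$(key_fingerprint "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Reports the key algorithm, which is the thing zmcertmgr tripped over:
# RSA keys print a "Modulus:" block, EC keys print their "ASN1 OID".
key_type() {
    out=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl pkey -pubin -noout -text 2>/dev/null) || out=""
    case "$out" in
        *Modulus:*)     echo RSA ;;
        *"ASN1 OID"*)   echo EC ;;
        *)              echo other ;;
    esac
}

# Constructed demo material: a self-signed ECDSA certificate with its key
# (what Certbot 2.0 issues by default) and an unrelated RSA key standing in
# for a stale commercial.key. Prints the temp directory that holds them.
make_demo() {
    dir=$(mktemp -d)
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/ec.key" 2>/dev/null
    openssl req -new -x509 -key "$dir/ec.key" -subj "/CN=demo.example" -days 1 -out "$dir/ec.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/other.key" 2>/dev/null
    printf '%s\n' "$dir"
}

# Stand-alone usage: check_pair CERT KEY
check_pair() {
    if keypair_matches "$1" "$2"; then
        echo "MATCH: $1 and $2 (key type: $(key_type "$2"))"
    else
        echo "MISMATCH: $1 and $2 (key type: $(key_type "$2"))"
        return 1
    fi
}
```

Run as the zimbra user, `check_pair /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key` tells you whether the pair really matches regardless of key type, and the reported key type shows why an RSA-only verifier rejected it. Certbot 2.0 defaults to ECDSA; passing `--key-type rsa` to `certbot certonly` requests an RSA key instead when the software consuming the certificate only handles RSA.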


Unfortunately I cannot get it to work which is why there are so many duplicates. Is there a way to just remove them all and start fresh?

The first one would have worked, as it's the only RSA cert :slight_smile: You might have gotten a different error, but that's in the past :man_shrugging:t2:

That wouldn't fix the problem of Zimbra not being able to handle ECDSA certificates. Check if you still have your old RSA cert around.


No problem. Thanks for finding that thread! :slight_smile: I re-wrote the code in the zmcertmgr and now I am good to go. :slight_smile:

Well, that's a solution too, one I like :smiley: Too bad Zimbra is Perl tho :cry:


When it doesn't work, write the code yourself! :smiley: :slight_smile: Thanks!

Yup! That's even true for Certbot :slight_smile: I run my own fork which has a few extra features/enhancements :slight_smile:


