Zimbra - LetsEncrypt

Hi,
Can't get through this error, any help please?

** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/privkey.pem'
Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/letsencrypt/privkey.pem' match.
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
ERROR: Unable to validate certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup:unable to get issuer certificate

1 Like

Hi @TaraJura and welcome to the LE community forum :slight_smile:

It's likely that your ca-certificates need an update.

Installing a LetsEncrypt SSL Certificate - Zimbra :: Tech Center

4 Likes

What version of OpenSSL?
openssl version

3 Likes

OpenSSL 1.0.2t-fips 10 Sep 2019

1 Like

Can that be updated?
sudo apt update && sudo apt install openssl

Ubuntu 18.04.6 shows:
openssl is already the newest version (1.1.1-1ubuntu2.1~18.04.13).

If not, see:
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

3 Likes

Perfect, now it's updated. So you think that's the problem?
OpenSSL 1.1.1 11 Sep 2018

Still the same problem

1 Like

Try following their guide:
https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate

3 Likes

Zimbra ships their own versions of all those packages: zimbra-openssl-libs (not the issue) and zimbra-openjdk-cacerts (only very recently upgraded to include ISRG Root X1). But it seems their zimbra-perl-mozilla-ca, used for perl scripts, is also very out of date (2015), and does not yet contain ISRG Root X1. :frowning:

3 Likes

Looks like my snap is not supporting this command : - -preferred-chain "ISRG Root X1"
:confused:

1 Like

Please show:
which certbot
certbot --version

3 Likes

Finally upload to 1.21. from 0.31 ... but still not working
photo_2021-11-20_15-14-54

Please show:
which certbot

AND
The command you ran.

AND
The error it produced.

2 Likes

Please show:
which certbot :

image
I used this command to install it: sudo snap install --classic certbot

The command you ran. :
sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'

1 Like

The error it produced. :

FINALLY a new error ... usually it was responding like "unable to get issuer certificate"

1 Like

Please focus on that statement only.

Please show:
ls -l /usr/bin/certbot

3 Likes

image
I'll focus on the statement and then will see.

1 Like

We'll get to all the problems (one at a time).

Now show the command you ran that didn't like "ISRG Root X1".
It could have been a simple TYPO.
certbot v1.21.0 definitely supports --preferred-chain
[weird how discourse displays the two consecutive dashes as dash space dash]

2 Likes

image

OK that is not something you "install"
It gets used in the certbot command line.
Like:
certbot certonly -d EXAMPLE.com --preferred-chain "ISRG Root X1"
It tells certbot to request a cert with that chain.

[progress - one less problem]

3 Likes