Zimbra - LetsEncprypt

TaraJura · November 19, 2021, 10:03am

Hi,
Cant get through this Error any help please ?

** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/privkey.pem'
Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/letsencrypt/privkey.pem' match.
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
ERROR: Unable to validate certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup:unable to get issuer certificate

rg305 · November 19, 2021, 4:53pm

Hi @TaraJura and welcome to the LE community forum

It's likely that your ca-certificates need an update.

Installing a LetsEncrypt SSL Certificate - Zimbra :: Tech Center

rg305 · November 19, 2021, 6:10pm

What version of OpenSSL?
openssl version

TaraJura · November 19, 2021, 6:29pm

OpenSSL 1.0.2t-fips 10 Sep 2019

rg305 · November 19, 2021, 6:31pm

Can that be updated?
sudo apt update && sudo apt install openssl

Ubuntu 18.04.6 shows:
openssl is already the newest version (1.1.1-1ubuntu2.1~18.04.13).

If not, see:
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

TaraJura · November 19, 2021, 7:24pm

Perfect, now its updated. so you think thats the problem ?
OpenSSL 1.1.1 11 Sep 2018

Still the same problem

rg305 · November 19, 2021, 7:46pm

Try following their guide:
https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate

ghen · November 19, 2021, 9:21pm

Zimbra ships their own versions of all those packages: zimbra-openssl-libs (not the issue) and zimbra-openjdk-cacerts (only very recently upgraded to include ISRG Root X1). But it seems their zimbra-perl-mozilla-ca, used for perl scripts, is also very out of date (2015), and does not yet contain ISRG Root X1.

ghen · November 19, 2021, 9:35pm

TaraJura · November 20, 2021, 1:41pm

Looks like my snap is not supporting this command : - -preferred-chain "ISRG Root X1"

rg305 · November 20, 2021, 1:50pm

Please show:
which certbot
certbot --version

TaraJura · November 20, 2021, 2:15pm

Finally upload to 1.21. from 0.31 ... but still not working
photo_2021-11-20_15-14-54

rg305 · November 20, 2021, 2:19pm

Please show:
which certbot

AND
The command you ran.

AND
The error it produced.

TaraJura · November 20, 2021, 3:15pm

Please show:
which certbot :

i used this command to install it: sudo snap install --classic certbot

The command you ran. :
sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'

TaraJura · November 20, 2021, 3:16pm

The error it produced. :

FINALLY new error ... usually it responding like " unable to get issuer certificate "

rg305 · November 20, 2021, 3:40pm

Please focus on that statement only.

Please show:
ls -l /usr/bin/certbot

TaraJura · November 20, 2021, 3:52pm

Ill focus on the statement and then will see.

rg305 · November 20, 2021, 3:53pm

We'll get to all the problems (one at a time).

Now show the command you ran that didn't like "ISRG Root X1".
It could have been a simple TYPO.
certbot v1.21.0 definitely supports --preferred-chain
[weird how discourse displays the two consecutive dashes as dash space dash]

TaraJura · November 20, 2021, 3:56pm

rg305 · November 20, 2021, 3:58pm

OK that is not something you "install"
It gets used in the certbot command line.
Like:
certbot certonly -d EXAMPLE.com --preferred-chain "ISRG Root X1"
It tells certbot to request a cert with that chain.

[progress - one less problem]