Zimbra letsencrypt experts/specialists?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: gw2.network1.ca

I ran this command: /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/chainZimbra.pem

It produced this output:
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/chainZimbra.pem'
ERROR: Unable to validate certificate chain: C = US, O = Let's Encrypt, CN = E8
error 2 at 1 depth lookup: unable to get issuer certificate
error /opt/zimbra/ssl/letsencrypt/cert.pem: verification failed

My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu 20.04 LTS Focal Fossa

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, command line only

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

IIRC, old versions of Zimbra want an RSA key.
https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate

Support for ECDSA TLS (elliptic curve cryptography ECC) certificates has been added to Zimbra zmcertmgr from Zimbra versions 10.0.6, Joule-8.8.15-Patch-45, Kepler-9.0.0-Patch-38.

3 Likes

Excellent. You are correct. I used ISRG-X2.pem; I did the chain.pem again with the ISRG-X1.pem certificate, and no issues. Thank you. Thank you (I know, I intentionally repeated myself).

3 Likes
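An added example, not part of the thread: the same class of failure as the `unable to get issuer certificate` error in the first post, reproduced with a constructed throwaway PKI and `openssl verify`, where the bundle carries a root that did not issue the intermediate. The names rootA, rootB, inter and leaf and the helper functions are hypothetical, and the `openssl` CLI is assumed to be installed.

```bash
#!/usr/bin/env bash
# Constructed throwaway PKI (all names made up): roots A and B, an
# intermediate issued by root A, and a leaf issued by that intermediate.
set -eu
W=$(mktemp -d)
cat > "$W/cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
EOF

new_root() {      # new_root <name>: self-signed CA certificate
  openssl req -x509 -config "$W/cfg" -extensions ca -newkey rsa:2048 -nodes \
    -keyout "$W/$1.key" -out "$W/$1.pem" -subj "/CN=$1" -days 2 2>/dev/null
}
issue() {         # issue <name> <issuer> [extension section for a CA cert]
  openssl req -new -config "$W/cfg" -newkey rsa:2048 -nodes \
    -keyout "$W/$1.key" -out "$W/$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.pem" -CAkey "$W/$2.key" \
    -CAcreateserial -days 2 -out "$W/$1.pem" \
    ${3:+-extfile "$W/cfg" -extensions "$3"} 2>/dev/null
}
chain_ok() {      # chain_ok <bundle> <cert>: succeeds only if the chain builds
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
bundle_names() {  # subject and issuer of every certificate in a PEM bundle
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

new_root rootA; new_root rootB
issue inter rootA ca
issue leaf inter
cat "$W/inter.pem" "$W/rootB.pem" > "$W/chain_wrong.pem"  # root is not inter's issuer
cat "$W/inter.pem" "$W/rootA.pem" > "$W/chain_right.pem"  # root issued inter

bundle_names "$W/chain_wrong.pem"   # inter's issuer (rootA) is absent from the bundle
chain_ok "$W/chain_wrong.pem" "$W/leaf.pem" || echo "wrong root: verification fails"
chain_ok "$W/chain_right.pem" "$W/leaf.pem" && echo "matching root: verification OK"
```

Running `bundle_names` on a real chain file before deploying it shows whether each certificate's issuer appears as the subject of another certificate in the same bundle.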

If you're on a Zimbra version before 10.1, you can apply ZBUG-3135 directly to /opt/zimbra/bin/zmcertmgr, the fix is straightforward:

4 Likes

Thank you, I really should be updating this version. I have been negligent in staying current with the nuances.
You saved me a lot of time last evening, I am very grateful for your advice. I intend to look at some of the alternatives to Zimbra going forward as Synacor fees do not make an upgrade financially viable for me. Do you have any recommendations? Thank you again, I will get that patch and add it in the very near future.

Blake Patton
