Zimbra mail server certificate renewal problem

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: automarspa.it

I ran this command:
```
cd /opt/
cd zimbra
cd letsencrypt
./letsencrypt-auto renew
cp /etc/letsencrypt/live/mail.automarspa.it/privkey.pem /opt/zimbra/ssl/letsencrypt/
cp /etc/letsencrypt/live/mail.automarspa.it/cert.pem /opt/zimbra/ssl/letsencrypt/
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
su -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
```

It produced this output:
```
** Verifying cert.pem against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (cert.pem) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
XXXXX ERROR: Invalid Certificate: cert.pem: CN = webmail.automarspa.it
error 20 at 0 depth lookup:unable to get local issuer certificate
XXXXX ERROR: provided cert isn't valid.
```

My web server is (include version): zimbra 8.5

The operating system my web server runs on is (include version): centos 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): not use certbot

thanks


You missed the step that creates the new combined.pem file needed by this step:

When the intermediate cert changes, the previous combined.pem file will no longer work.


Forgive me, it is the first time that I am confronted with this type of certificate in Zimbra. How can I solve it? Thanks


What guide/documentation are you following?
Where did you get those instructions?


I just inherited a Zimbra 8.5.0 server on CentOS. The old manager did not make any handover. I'm proceeding off the cuff to understand how it is combined. It works in kicks. The administration console works badly, with several errors... Today the certificate has expired; I tried to understand what had been installed and then I launched the renewal with the commands I already knew.
The certificate is renewed by Let's Encrypt, but eventually gives the reported error. It never happened to me... Thanks for your attention.


Try finding what was done with:
```
history | grep combined.pem
```


Otherwise, you should be able to use these two steps to recreate that file:

  1. cat "/etc/letsencrypt/live/{your.domain}/chain.pem" > "/path/to/combined.pem"
  2. cat "/etc/ssl/certs/$(openssl x509 -in /etc/letsencrypt/live/{your.domain}/chain.pem -noout -issuer_hash).0" >> "/path/to/combined.pem"

```
cat "/etc/letsencrypt/live/mail.automarspa.it/chain.pem" > "/opt/zimbra/ssl/letsencrypt/combined.pem"
cat "/etc/ssl/certs/$(openssl x509 -in /etc/letsencrypt/live/mail.automarspa.it/chain.pem -noout -issuer_hash).0" >> "/opt/zimbra/ssl/letsencrypt/combined.pem"
```


Try that as zimbra user also
```
su zimbra
history | grep combined.pem
```


result from history | grep combined.pem

```
997 931 su -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
998 939 /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem
999 942 su -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
1000 946 /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem
1001 954 su -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
1002 957 su -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
1003 966 su -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
1004 967 su -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chani.pem combined.pem"
1005 968 su -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
1006 981 history | grep combined.pem
1007 984 cat "/etc/letsencrypt/live/mail.automarspa.it/chain.pem" > "/opt/zimbra/ssl/letsencrypt/combined.pem"
1008 985 cat "/etc/ssl/certs/(openssl x509 -in /etc/letsencrypt/live/mail.automarspa.it/chain.pem -noout -issuer_hash).0" > > "/opt/zimbra/ssl/letsencrypt/combined.pem"
1009 986 /combined.pem"ssl/certs/(openssl x509 -in /etc/letsencrypt/live/mail.automarspa.it/chain.pem -noout -issuer_hash). 0" >> "/opt/zi
987 imbra/ssl/letsencrypt/combined.pem"
1010 990 cat "/etc/ssl/certs/(openssl x509 -in /etc/letsencrypt/live/mail.automarspa.it/chain.pem -noout -issuer_hash).0" > > "/opt/zimbra/ssl/letsencrypt/combined.pem"
1011 992 cat "/etc/ssl/certs/(openssl x509 -in /etc/letsencrypt/live/mail.automarspa.it/chain.pem -noout -issuer_hash).0" > > "/opt/zimbra/ssl/letsencrypt/combined.pem"
1012 history | grep combined.pem
```


result from command:
```
cat "/etc/ssl/certs/$(openssl x509 -in /etc/letsencrypt/live/mail.automarspa.it/chain.pem -noout -issuer_hash).0" >> "/opt/zimbra/ssl/letsencrypt/combined.pem"
```

```
No such file or directory
```

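An added example, not part of any post in this thread: the two-step rebuild suggested above, written so that it survives the "No such file or directory" case and refuses to replace combined.pem unless cert.pem verifies against it (the condition behind `error 20 at 0 depth lookup`). The function names, return codes and the fallback bundle path `/etc/pki/tls/certs/ca-bundle.crt` (the CentOS CA bundle) are assumptions of this example.

```bash
#!/bin/sh
# Added example: rebuild combined.pem (chain + root) and check it before
# running zmcertmgr deploycrt. Default trust-store paths are assumptions.

# find_issuer CERT [HASH_DIR] [BUNDLE]
# Print, as PEM, the trust-store certificate whose subject is CERT's issuer.
find_issuer() {
  local cert=$1 dir=${2:-/etc/ssl/certs} bundle=${3:-/etc/pki/tls/certs/ca-bundle.crt}
  local hash tmp file
  hash=$(openssl x509 -in "$cert" -noout -issuer_hash) || return 1
  # 1) hashed file name: the lookup that failed in the thread
  if [ -r "$dir/$hash.0" ]; then
    openssl x509 -in "$dir/$hash.0"
    return
  fi
  # 2) fallback: split the bundle and compare each subject hash
  [ -r "$bundle" ] || return 1
  tmp=$(mktemp -d) || return 1
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { if (f) close(f); n++; f = d "/" n ".pem" }
                   f { print > f }' "$bundle"
  for file in "$tmp"/*.pem; do
    if [ "$(openssl x509 -in "$file" -noout -subject_hash 2>/dev/null)" = "$hash" ]; then
      openssl x509 -in "$file"; rm -rf "$tmp"; return 0
    fi
  done
  rm -rf "$tmp"; return 1
}

# build_combined CERT CHAIN OUT [HASH_DIR] [BUNDLE]
# Returns 2 if the root is not in the trust store, 3 if CERT does not verify.
# OUT is only replaced after a successful verification.
build_combined() {
  local cert=$1 chain=$2 out=$3 root
  root=$(find_issuer "$chain" "${4:-}" "${5:-}") || {
    echo "issuer of $chain not found in trust store" >&2; return 2; }
  { cat "$chain"; echo; printf '%s\n' "$root"; } > "$out.new" || return 1
  if openssl verify -CAfile "$out.new" "$cert" >/dev/null 2>&1; then
    mv "$out.new" "$out"
  else
    rm -f "$out.new"
    echo "$cert does not verify against the rebuilt chain" >&2; return 3
  fi
}

# Usage with the paths posted in the thread:
#   build_combined /etc/letsencrypt/live/mail.automarspa.it/cert.pem \
#                  /etc/letsencrypt/live/mail.automarspa.it/chain.pem \
#                  /opt/zimbra/ssl/letsencrypt/combined.pem
```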

OK then perhaps I can build it for you.
Please show:
cat /etc/letsencrypt/live/mail.automarspa.it/chain.pem

Use three backticks above and below your file:
Like:

```
--- begin certificate ---
kljefhgkfdhgfd
dfjhgkdjhfgkf
khfdgldfkjhg
--- end certificate ---
```


thank you, you're really kind...



This is the combined.pem file that you need below:


Thanks, you were really kind, the problem was solved. I put the good beer in the fridge, I hope one day I can drink it with you.
Bye


That's good to hear :slight_smile:

Cheers from Miami :beers:

