Unfortunately, I can't reach the blog site to read the instructions you followed.
But, basically, you have to ensure the chain being used is the correct one.
There are also updates available if you are using OpenSSL (less than version 1.1).
I was hoping to be able to use certbot to fix the chain (e.g. force --preferred-chain, etc). Is the answer to nuke the existing certificate and issue a brand new one?
My openssl is v.1.0.2g so I can update it although I don't quite understand how the chain issue would be related.
Thank you!
In the very first block of the instructions to which you've linked, they have you run this command: cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/barrydegraaff.tk/chain.pem
This chain.pem is where your R3 is coming from. It also should already have X1 within it, so the additional concatenate is weird (no, sorry, was thinking of fullchain.pem).
Either way, please check the contents of the newchain.pem - be sure you're not using an old one! Run these within your live/mymailserver.com directory and let us know what the output looks like:
This is great - this confirms that your chain.pem contains the still-valid version of R3 issued by X1.
That tells me that our API and certbot have provided you with a good cert and chain that can be used for TLS. It looks likely that Zimbra did not import the chain correctly. Hopefully you've opened some conversations with the Zimbra community?
Looking over the rest of the zmcertmgr instructions, the output line here: ** Appending ca chain '/etc/letsencrypt/live/barrydegraaff.tk/chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' looks like the stage where it actually imports the chain.
So, you can also verify the version of R3 in that commercial.crt chain file.
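As an added example (not code from this thread or from certbot/Zimbra), a POSIX shell helper that performs the check described above on any PEM bundle: it splits chain.pem, newchain.pem or commercial.crt into its individual certificates and prints each one's subject, issuer and expiry, so you can see which R3 the file carries (issued by ISRG Root X1 or not), whether a root is included, and when each cert expires. It assumes openssl is on the PATH; the file names are placeholders.

```shell
#!/bin/sh
# Added example: inspect every certificate in a PEM bundle (chain.pem,
# fullchain.pem, newchain.pem or Zimbra's commercial.crt). Requires openssl.

# chain_certs FILE
#   prints one line per certificate: "<index>|<subject>|<issuer>|<notAfter>"
chain_certs() {
    file=$1
    tmp=$(mktemp -d) || return 1
    # split the bundle: every BEGIN line starts a new numbered file,
    # anything before the first BEGIN line is ignored
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n > 0 { print > (dir "/cert-" n ".pem") }
    ' "$file"
    i=1
    while [ -f "$tmp/cert-$i.pem" ]; do
        # RFC2253 name output looks the same on OpenSSL 1.0.2 and 1.1+/3.x
        # apart from a space after "subject=", which sed strips
        subj=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -subject \
                   -nameopt RFC2253 | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer \
                   -nameopt RFC2253 | sed 's/^issuer= *//')
        end=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -enddate \
                   | sed 's/^notAfter=//')
        printf '%s|%s|%s|%s\n' "$i" "$subj" "$iss" "$end"
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# chain_root_count FILE
#   number of self-signed (root) certificates in the bundle: a bundle handed
#   to Zimbra is expected to carry the root(s), a chain served to browsers
#   normally should not
chain_root_count() {
    chain_certs "$1" | awk -F'|' '$2 == $3 { c++ } END { print c + 0 }'
}

# usage: chain_certs /etc/letsencrypt/live/example.com/chain.pem
#        chain_root_count /opt/zimbra/ssl/zimbra/commercial/commercial.crt
```

Look for the R3 line: its issuer column shows whether that copy of R3 was issued by ISRG Root X1, and the expiry column tells you whether it is the still-valid one.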
Thank you, it is encouraging that certbot provided a good cert+chain. Does this mean that once the chain issue is resolved I can just run certbot renew without any flags (flags, e.g. --force-renewal --preferred-chain "ISRG Root X1")?
I will take up the chain and loading on Zimbra with the Zimbra folks then, thank you!
Zimbra is crazy picky (unnecessarily).
The problem isn't in certbot, it is in the requirements Zimbra imposes on cert verification.
Which usually require it to include the root cert.
In this case, that would be two root certs.
The "broken step" is where Zimbra tries to validate the chain.
Let me hit my test servers with this problem and get back to you.