Using the snap certbot in combination with the `--preferred-chain 'ISRG Root X1'` option (as suggested by @rg305) fixed our issue. In order to automate the renew process - for hopefully another five years - we use the GitHub project letsencrypt-zimbra (GitHub - VojtechMyslivec/letsencrypt-zimbra: Files to automate the deploy of letsencrypt certificates to Zimbra). Maybe the repo owner will update the script in order to adapt to the certificate chain changes - maybe not. Here is what we did:

- install snap (see Installing snapd | Snapcraft documentation)
- uninstall the CentOS 7 EPEL `certbot` package
- install `certbot` with snap
- manually download the ISRG-X1.pem (see Zimbra renewal - Problems with R3 - #5 by georged) and copy it to the `root_certs` directory of the letsencrypt-zimbra repository
- change the path to point to the ISRG-X1.pem:
  `root_CA_file="${letsencrypt_zimbra_dir}/root_certs/ISRG-X1.pem"`
- add the option `--preferred-chain 'ISRG Root X1'` to the `"$letsencrypt" certonly` command in the bash script `obtain-and-deploy-letsencrypt-cert.sh`

The requirements of Zimbra in regards to the certificate chain are a challenge. In order to fulfill those, the script appends the ISRG X1 certificate to the intermediate certificate chain. This step is static and will fail if the root certificate changes again.
br,
nh
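The static "append the root" step above is the part that silently breaks when Let's Encrypt changes roots again. The following is an added example (not from the letsencrypt-zimbra project) of a guard you can call before that step: it compares the issuer of the last certificate in the chain certbot produced with the subject of the root file, so a mismatch fails the run instead of handing Zimbra a chain that does not fit together. The chain file path and the variable names in the usage comment are assumptions; `root_CA_file` is the one from the post.

```bash
#!/usr/bin/env bash
# check-chain-root.sh (added example, not part of letsencrypt-zimbra):
# verify that the root we are about to append is the issuer of the top
# intermediate in the chain certbot handed out. Compares distinguished
# names only (no signature check), which is enough to catch a root change.
set -euo pipefail

# Print the issuer DN (RFC 2253 form) of the LAST certificate in a PEM bundle.
last_issuer() {
  awk '/-----BEGIN CERTIFICATE-----/{buf=""} {buf=buf $0 "\n"} END{printf "%s", buf}' "$1" \
    | openssl x509 -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# Print the subject DN (RFC 2253 form) of a single-certificate PEM file.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Return 0 when the chain's top certificate was issued by the root in $2,
# 1 (with a message on stderr) otherwise.
chain_matches_root() {
  local chain_file="$1" root_file="$2"
  local issuer subject
  issuer=$(last_issuer "$chain_file")
  subject=$(cert_subject "$root_file")
  if [ "$issuer" = "$subject" ]; then
    return 0
  fi
  echo "root mismatch: chain expects '$issuer' but $root_file is '$subject'" >&2
  return 1
}

# Assumed usage inside obtain-and-deploy-letsencrypt-cert.sh, before the
# root is appended ($chain_file is an assumed name for certbot's chain.pem):
#   chain_matches_root "$chain_file" "$root_CA_file" || exit 1
#   cat "$chain_file" "$root_CA_file" > "${chain_file}.with-root"
```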