I have the same problem on 4 servers (from CentOS 6.5 to Red Hat 8); all of them worked flawlessly with Let's Encrypt until this week. No changes were made on the servers: no updates, no software installation, no script modifications, etc.
To try to solve the problem I changed from X1 to X2 and back, but the problem persists.
The same when adding the X1 and X2 pem to the chain file, always the same error:
ERROR: Unable to validate certificate chain: /etc/letsencrypt/live/mail.narf.com/cert.pem: CN = mail.narf.com
error 20 at 0 depth lookup:unable to get local issuer certificate
I moved your posts to a new thread. Often problems that seem the same are very different. We have seen Zimbra often enough to be familiar with it.
Would you please describe more about your problem? Specifically the versions of Zimbra and the exact steps you used to create the cert that is failing validation.
Validate the new certs with Zimbra: su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm $DIRECTORY/privkey.pem $DIRECTORY/cert.pem $DIRECTORY/chain.pem"
This step fails with the message:
ERROR: Unable to validate certificate chain: CN = mail.appnexit.cl
error 20 at 0 depth lookup: unable to get local issuer certificate
error /etc/letsencrypt/live/mail.appnexit.cl/cert.pem: verification failed
This worked flawlessly until a few days ago; now it fails on several servers.
Yes, my friend. cat and redirecting the output to the file is the same as copying the file.
I saved the file with another name (just dragged from the older script), but it's the ISRG Root X1 pem.
UPDATE:
You might miss this as I see you typing but as Bruce pointed out you are overlaying cert.pem from Let's Encrypt. You should be adding the ISRG Root X1 to it. You should use X1 because you have an RSA cert.
The chain.pem returned by Certbot is the chain for the cert.pem also returned. There is no "old" or "new" about it. I don't know what you mean by that. If you were wrongly using your own static copy of some chain file this will cause problems. You must use the chain as provided by Let's Encrypt. This has always been the proper way.
Further, Zimbra requires you to add the Let's Encrypt CA root cert to it.
Currently both RSA and ECDSA certs have a default chain that leads to root ISRG Root X1.
For ECDSA certs only, you can use --preferred-chain to select ISRG Root X2. But only recent Zimbra versions support ECDSA, with other dependencies. See those docs.
Yeah, so you hard-coded a static chain file, as that is not the one that came from Let's Encrypt for your most recent certs. You should never have been doing that. I explained that prior.
The current Zimbra wiki doesn't say to do that either, so I don't know how you ever developed that as a solution. Their wiki says to use the chain.pem that comes with the cert.pem.
How could I know? I didn't make that script; it's from before my time. That's the script that worked for ages on those servers, and it failed just now, and I have to understand how and why it worked like that and solve the problem.
What's the matter? It's solved now; there is the answer and the script that works correctly. What else do you need on this thread?
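As an added illustration (not from any post in this thread and not Zimbra's or Certbot's own code), here is a small POSIX sh helper that does what the replies above describe: take the chain.pem Certbot issued next to cert.pem, append ISRG Root X1 to it exactly once, and run the same OpenSSL verification the "unable to get local issuer certificate" error comes from before handing the files to zmcertmgr verifycrt. The $DIRECTORY layout and the location of the root pem are assumptions.

```shell
#!/bin/sh
# Assemble the Zimbra chain file as the replies describe:
# Certbot's chain.pem (the intermediate for THIS cert.pem) + ISRG Root X1,
# then check that the leaf verifies against it before zmcertmgr sees it.
# Assumed: $DIRECTORY is /etc/letsencrypt/live/<host>, and the root was
# fetched once from https://letsencrypt.org/certs/isrgrootx1.pem.
set -eu

# Number of PEM certificate blocks in a file (0 if none).
count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Write chain.pem + root into $3. The root is appended only if it is not
# already present (matched on its first base64 line), so re-running the
# renewal hook never stacks duplicate roots into the chain file.
build_zimbra_chain() {
  chain=$1; root=$2; out=$3
  [ "$(count_certs "$chain")" -ge 1 ] || { echo "no certificate in $chain" >&2; return 1; }
  [ "$(count_certs "$root")" -eq 1 ] || { echo "$root must hold exactly one certificate" >&2; return 1; }
  cat "$chain" > "$out"
  # keep the PEM boundary intact if chain.pem lacks a trailing newline
  if [ -n "$(tail -c 1 "$chain")" ]; then echo >> "$out"; fi
  if ! grep -qF -- "$(sed -n 2p "$root")" "$chain"; then
    cat "$root" >> "$out"
  fi
}

# The OpenSSL check behind the error in this thread: the leaf must chain
# to a root found in the supplied file. Non-zero means "error 20 ...
# unable to get local issuer certificate" or another verify failure.
verify_leaf() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Usage (not executed here):
#   DIRECTORY=/etc/letsencrypt/live/mail.example.org
#   build_zimbra_chain "$DIRECTORY/chain.pem" /root/isrgrootx1.pem "$DIRECTORY/zimbra_chain.pem"
#   verify_leaf "$DIRECTORY/cert.pem" "$DIRECTORY/zimbra_chain.pem" && \
#     su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm $DIRECTORY/privkey.pem $DIRECTORY/cert.pem $DIRECTORY/zimbra_chain.pem"
```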