When I tried to install the Let's Encrypt SSL certificate, it showed the below error:
"** Verifying 'cert.pem' against 'fullchain.pem'
ERROR: Unable to validate certificate chain: cert.pem: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup:unable to get issuer certificate"
Actually, I am not very familiar with Zimbra server management; I am trying to install SSL on the domain where Zimbra is installed. But when I used my Cloudflare SSL on it, it didn't work. So I have used the Let's Encrypt SSL on the domain using the below command:
"/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem"
ERROR: Can't read file '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
and
"/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem"
ERROR: Unable to validate certificate chain: cert.pem: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup:unable to get issuer certificate
Yes, but my cert and CA verification do not match:
"** Verifying 'cert.pem' against 'chain.pem'
ERROR: Unable to validate certificate chain: cert.pem: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup:unable to get issuer certificate
[zimbra@mail letsencrypt]$ "
Look here is what I have so far:
[I really need to get some sleep now - best of luck to you]
To update ZIMBRA
Save the following as file: update.ZIMBRA.LE-cert.sh
[make it executable and run it as root (not as zimbra user)]
#!/bin/bash
# stop at the first failing step so a bad copy or verify never reaches deploy
set -e
# zimbra user may not have access to LE files, so we copy them
mkdir -p /opt/zimbra/ssl/letsencrypt
cp /etc/letsencrypt/live/YOUR.SITE/* /opt/zimbra/ssl/letsencrypt/
# the copies are root-owned; zmcertmgr runs as zimbra and must be able to read them
chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt
# LE.CA.pem = chain.pem plus the ISRG root cert, prepared beforehand in that directory
# verify the cert
su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/LE.CA.pem"
# deploy the cert
# zimbra needs the private key to be at a specific location and name
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/LE.CA.pem"
Once you get it to work, you can trigger that file from certbot with a --deploy-hook
The cron job itself need only call: certbot renew
Yes, essentially "LE.CA.pem" is "fullchain.pem" minus the first ("cert.pem") and containing the root cert.
So, in more explicit terms, it's really a "complete-fullchain-only.pem" or "chain-plus-root-only.pem".
Needed certs:
(1) = leaf cert (cert.pem)
(2) & (3) = intermediates (chain.pem)
(4) = root cert (not provided by ACME clients; as it should be in the root store - but ZIMBRA still requires it)
ZIMBRA requires them ALL in two files:
[which are not fully provided in that exact format by certbot (or any other ACME client)]
(1) in cert.pem
(2) & (3) & (4) in our created LE.CA.pem
If ZIMBRA could get their... coding straight, we wouldn't need to do any of this.