Zimbra SkillZ: How to use Zimbra with Let’s Encrypt Certificates (update)


10 Responses to Zimbra SkillZ: How to use Zimbra with Let’s Encrypt Certificates (update)

  1. admin October 2, 2021 at 3:55 AM #

    Hi, thanks for the post.
    No matter what I do, my certbot (1.10 on CentOS 6) doesn’t want to provide me with certificates from the alternate chain. It has the –preferred-chain option but it only gets certificates that chain up to the expired DST root cert. Zimbra doesn’t verify these and adding the self-signed ISRG root cert anywhere doesn’t help either, because my certificate is signed by the other ISRG X1 root, the one signed by DST.
    So, my two questions are:
    – is the snap version of certbot absolutely essential to get the alternate chain cert?
    – do you know of another sure-fire way of obtaining alternate chain certificates from Letsencrypt? Meaning certificates where there is no trace of any DST root, expired or not.

  2. Aluisco M. Ricardo October 2, 2021 at 5:34 PM #

    Hi, no matter what I do, always get the same results, this is in Ubuntu 18.04

    zimbra@servidor:~$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/replaced.com/cert.pem /etc/letsencrypt/live/replaced.com/chain.pem
    ** Verifying ‘/etc/letsencrypt/live/replaced.com/cert.pem’ against ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’
    ERROR: Can’t read file ‘/etc/letsencrypt/live/replaced.com/cert.pem’


    • Avatar photo
      Barry de Graaff October 4, 2021 at 7:16 AM #

      It probably means zimbra does not have read permission on the /etc/letsencrypt/live/replaced.com/cert.pem. Try chown zimbra:zimbra /etc/letsencrypt/live/replaced.com/cert.pem or chown zimbra:zimbra /etc/letsencrypt -R

  3. AMCS NOC October 4, 2021 at 6:12 AM #


    thank you for the instruction. We following this step-by-step and use _–preferred-chain “ISRG Root X1″_ on Certbot without issues and got a renewal cert.

    In the step of verifying with _/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key cert.pem chain.pem_ we got the message:

    ** Verifying ‘cert.pem’ against ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’
    Certificate ‘cert.pem’ and private key ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ match.
    ** Verifying ‘cert.pem’ against ‘chain.pem’
    ERROR: Unable to validate certificate chain: C = US, O = Internet Security Research Group, CN = ISRG Root X1
    error 2 at 2 depth lookup: unable to get issuer certificate
    error cert.pem: verification failed

    And can’t proceed on ZCS 8.8.15p21 , CentOS 7.
    Any notes or hints?

    Thanks in advance.

  4. geoff October 30, 2021 at 3:29 PM #

    thank you for your detail here.
    helped me resolve issue with letsencrypt. (after much searching)

  5. diego November 25, 2021 at 1:14 PM #

    Hi, I think this guide should explain how to tell zimbra to use the new certbot (the snap one) and where to add the extra params –preferred-chain “ISRG Root X1”
    Without this info, it makes no sense I believe
    I’m not explaining how to do it because I don’t know, and I am trying to understand how to do it hehe

Copyright © 2022 Zimbra, Inc. All rights reserved.

All information contained in this blog is intended for informational purposes only. Synacor, Inc. is not responsible or liable in any manner for the use or misuse of any technical content provided herein. No specific or implied warranty is provided in association with the information or application of the information provided herein, including, but not limited to, use, misuse or distribution of such information by any user. The user assumes any and all risk pertaining to the use or distribution in any form of any subject matter contained in this blog.

Legal Information | Privacy Policy | Do Not Sell My Personal Information | CCPA Disclosures