Zimbra SkillZ: How to use Zimbra with Let’s Encrypt Certificates


  1. admin October 2, 2021 at 3:55 AM #

    Hi, thanks for the post.
    No matter what I do, my certbot (1.10 on CentOS 6) doesn’t want to provide me with certificates from the alternate chain. It has the --preferred-chain option but it only gets certificates that chain up to the expired DST root cert. Zimbra doesn’t verify these and adding the self-signed ISRG root cert anywhere doesn’t help either, because my certificate is signed by the other ISRG X1 root, the one signed by DST.
    So, my two questions are:
    – is the snap version of certbot absolutely essential to get the alternate chain cert?
    – do you know of another sure-fire way of obtaining alternate chain certificates from Let’s Encrypt? Meaning certificates where there is no trace of any DST root, expired or not.

  2. Aluisco M. Ricardo October 2, 2021 at 5:34 PM #

    Hi, no matter what I do, I always get the same results. This is on Ubuntu 18.04.

    zimbra@servidor:~$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/replaced.com/cert.pem /etc/letsencrypt/live/replaced.com/chain.pem
    ** Verifying ‘/etc/letsencrypt/live/replaced.com/cert.pem’ against ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’
    ERROR: Can’t read file ‘/etc/letsencrypt/live/replaced.com/cert.pem’


    • Barry de Graaff October 4, 2021 at 7:16 AM #

      It probably means zimbra does not have read permission on /etc/letsencrypt/live/replaced.com/cert.pem. Try chown zimbra:zimbra /etc/letsencrypt/live/replaced.com/cert.pem or chown zimbra:zimbra /etc/letsencrypt -R
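
Added example (not part of the comments above, and not Zimbra or certbot code): reading `live/<domain>/cert.pem` needs search permission on every parent directory and read permission on the symlink's target under `archive/`, so this sketch reports the first path element whose mode bits deny a given uid. The demo tree, the `example.test` name and the `top` parameter are constructed for illustration; ACLs and SELinux are not considered.

```python
import os, tempfile

def _allowed(st, uid, gids, need):
    """Owner/group/other mode-bit check (ignores ACLs, SELinux and root)."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & need)

def _ancestors(path, top):
    """Directories from just below `top` down to the parent of `path`."""
    rel = os.path.relpath(os.path.dirname(path), top)
    out, cur = [], top
    for name in ([] if rel == "." else rel.split(os.sep)):
        cur = os.path.join(cur, name)
        out.append(cur)
    return out

def first_blocker(path, uid, gids=(), top="/"):
    """First element under `top` that stops `uid` reading `path`, else None."""
    path = os.path.abspath(path)
    real = os.path.realpath(path)  # live/<domain>/cert.pem is a symlink into archive/
    for d in _ancestors(path, top) + _ancestors(real, top):
        if not _allowed(os.stat(d), uid, gids, 1):   # 1 = x (search) on a directory
            return d
    if not _allowed(os.stat(real), uid, gids, 4):    # 4 = r on the file itself
        return real
    return None

def build_demo_tree():
    """Constructed layout: owner-only live/ and archive/, cert.pem as a symlink."""
    top = os.path.realpath(tempfile.mkdtemp())
    for d in ("archive/example.test", "live/example.test"):
        os.makedirs(os.path.join(top, d))
        os.chmod(os.path.join(top, d), 0o755)
    target = os.path.join(top, "archive/example.test/cert1.pem")
    open(target, "w").close()
    os.chmod(target, 0o644)
    os.symlink(target, os.path.join(top, "live/example.test/cert.pem"))
    for d in ("archive", "live"):
        os.chmod(os.path.join(top, d), 0o700)
    return top

if __name__ == "__main__":
    top = build_demo_tree()
    cert = os.path.join(top, "live/example.test/cert.pem")
    # uid + 1 stands in for an account that does not own the tree (assumption)
    print(first_blocker(cert, uid=os.getuid() + 1, top=top))
```

On a real host, call `first_blocker` with the uid and group ids of the account that runs `zmcertmgr` and leave `top` at its default.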

  3. AMCS NOC October 4, 2021 at 6:12 AM #


    Thank you for the instructions. We followed this step-by-step and used _--preferred-chain "ISRG Root X1"_ on Certbot without issues and got a renewal cert.

    In the step of verifying with _/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key cert.pem chain.pem_ we got the message:

    ** Verifying ‘cert.pem’ against ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’
    Certificate ‘cert.pem’ and private key ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ match.
    ** Verifying ‘cert.pem’ against ‘chain.pem’
    ERROR: Unable to validate certificate chain: C = US, O = Internet Security Research Group, CN = ISRG Root X1
    error 2 at 2 depth lookup: unable to get issuer certificate
    error cert.pem: verification failed

    And we can’t proceed on ZCS 8.8.15p21, CentOS 7.
    Any notes or hints?

    Thanks in advance.

