by | 01 Jul 2024 | random, technology | 0 comments

Zimbra Let’s Encrypt certificate installation stops working

This month the renewal of my Let’s Encrypt certificate and its upload to Zimbra stopped working, failing with the following error:

“error 20 at 0 depth lookup: unable to get local issuer certificate”

According to this page from Let’s Encrypt, a new intermediate certificate is now in use, in my case R10:

https://letsencrypt.org/certificates/

This means the new intermediate needs to be added to the certificate chain that is uploaded to Zimbra.

My new script to install the certificate is as follows:

#!/bin/bash -x

# Set the domain and paths for the Zimbra and LetsEncrypt certificates
domain="foo.bar"
zimbra_cert_path="/opt/zimbra/ssl/zimbra/commercial"
letsencrypt_cert_path="/etc/letsencrypt/live/${domain}"

# Check if the LetsEncrypt certificate is newer than the Zimbra one
echo "LetsEncrypt cert - ${letsencrypt_cert_path}/cert.pem"
echo "Zimbra cert - ${zimbra_cert_path}/commercial.crt"

# Compare the two notAfter dates as epoch seconds
le_expiry=$(date -d "$(openssl x509 -enddate -noout -in "${letsencrypt_cert_path}/cert.pem" | cut -d= -f2)" +%s)
zimbra_expiry=$(date -d "$(openssl x509 -enddate -noout -in "${zimbra_cert_path}/commercial.crt" | cut -d= -f2)" +%s)

if [[ "${le_expiry}" -gt "${zimbra_expiry}" ]]; then
  echo "LetsEncrypt certificate is newer. Uploading to Zimbra..."

  # Fetch the current intermediate (R10) and the ISRG Root X1 before touching
  # Zimbra, so a failed download does not leave the services stopped
  wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem || { echo "Download of ISRG Root X1 failed"; exit 1; }
  wget -O /tmp/r10.pem https://letsencrypt.org/certs/2024/r10.pem || { echo "Download of R10 failed"; exit 1; }

  # Stop Zimbra services
  su zimbra -c "/opt/zimbra/bin/zmcontrol stop"

  cp "${letsencrypt_cert_path}/privkey.pem" "${zimbra_cert_path}/commercial.key"
  chown zimbra:zimbra "${zimbra_cert_path}/commercial.key"

  cp "${letsencrypt_cert_path}/chain.pem" "${zimbra_cert_path}/chain1.pem"
  chown zimbra:zimbra "${zimbra_cert_path}/chain1.pem"
  # openssl x509 reads only the first certificate in the file, which drops any
  # older intermediate (e.g. the expired X3) that may still be in the chain
  openssl x509 -in "${zimbra_cert_path}/chain1.pem" -out "${zimbra_cert_path}/chain.pem"
  cat /tmp/r10.pem >> "${zimbra_cert_path}/chain.pem"     # append R10 intermediate
  cat /tmp/ISRG-X1.pem >> "${zimbra_cert_path}/chain.pem" # append ISRG Root X1
  chown zimbra:zimbra "${zimbra_cert_path}/chain.pem"

  # zmcertmgr verifies the certificate against the chain and deploys both
  cd /tmp
  su zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm ${letsencrypt_cert_path}/cert.pem ${zimbra_cert_path}/chain.pem"

  # Restart Zimbra services
  su zimbra -c "/opt/zimbra/bin/zmcontrol start"
else
  echo "Zimbra certificate is up to date."
fi
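The "error 20 at 0 depth lookup: unable to get local issuer certificate" message is what OpenSSL's verifier reports when the certificate's issuer is missing from the chain file it was given, which is exactly the situation once renewals are signed by R10 but the chain still carries the old intermediate. The script below is an added example, not part of the original post: it builds a throwaway CA hierarchy (the names "Toy Root X1", "Toy R3" and "Toy R10" are constructed stand-ins, and foo.bar is the hostname from the script above), then runs the two checks worth doing on a chain file before stopping Zimbra: does the first certificate in the chain actually issue the leaf, and does `openssl verify -CAfile chain leaf` pass. Both functions are hypothetical helpers written for this example.

```shell
#!/bin/bash
# Added example (not from the original post): rebuild the post's failure with a
# locally generated CA hierarchy and show two pre-flight checks on a chain file.
# All certificates are constructed here; nothing from Let's Encrypt is used.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Extensions that make a certificate usable as a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

new_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# Self-signed root ("Toy Root X1" stands in for ISRG Root X1).
new_key "$WORK/root.key"
openssl req -new -key "$WORK/root.key" -subj "/CN=Toy Root X1" -out "$WORK/root.csr" 2>/dev/null
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

# Two intermediates issued by the root: the old one ("Toy R3") and the new one ("Toy R10").
make_intermediate() { # $1 = file stem, $2 = CN
  new_key "$WORK/$1.key"
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/$1.pem" 2>/dev/null
}
make_intermediate r3 "Toy R3"
make_intermediate r10 "Toy R10"

# Leaf for the mail host, issued by the NEW intermediate, as current renewals are.
new_key "$WORK/leaf.key"
openssl req -new -key "$WORK/leaf.key" -subj "/CN=foo.bar" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/r10.pem" -CAkey "$WORK/r10.key" \
  -CAcreateserial -days 2 -out "$WORK/leaf.pem" 2>/dev/null

# Two candidate chain files in the order the post's script builds them:
# intermediate first, root last.
cat "$WORK/r3.pem"  "$WORK/root.pem" > "$WORK/chain-stale.pem"  # still carries the old intermediate
cat "$WORK/r10.pem" "$WORK/root.pem" > "$WORK/chain-good.pem"   # new intermediate + root

# Check 1: does the first certificate in the chain issue the leaf? Prints "yes" or "no".
chain_issues_leaf() { # $1 = leaf cert, $2 = chain file
  leaf_issuer=$(openssl x509 -noout -issuer -in "$1")
  first_subject=$(openssl x509 -noout -subject -in "$2")  # x509 reads only the first cert
  if [ "${leaf_issuer#issuer=}" = "${first_subject#subject=}" ]; then echo yes; else echo no; fi
}

# Check 2: the verification zmcertmgr relies on. Prints "ok" or "fail".
chain_verifies() { # $1 = leaf cert, $2 = chain file
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

LEAF="$WORK/leaf.pem"; STALE="$WORK/chain-stale.pem"; GOOD="$WORK/chain-good.pem"

echo "stale chain: issuer match=$(chain_issues_leaf "$LEAF" "$STALE") verify=$(chain_verifies "$LEAF" "$STALE")"
echo "good chain:  issuer match=$(chain_issues_leaf "$LEAF" "$GOOD") verify=$(chain_verifies "$LEAF" "$GOOD")"
# The first line of openssl's own output for the stale chain is the message the post quotes.
openssl verify -CAfile "$STALE" "$LEAF" 2>&1 | head -n 1 || true
```

Run as-is: the stale chain fails both checks and the complete chain passes both. On a real host, substitute `/etc/letsencrypt/live/<domain>/cert.pem` and the assembled chain.pem for the two arguments; the issuer check is cheap enough to run before `zmcontrol stop`, so a chain that is still missing R10 is caught while mail is still up.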