VojtechMyslivec/letsencrypt-zimbra

expiration of the DST Root CA X3

Closed this issue · 24 comments

Hi,
I am using the script on CentOS 7 (certbot version is 1.11.0 and openssl version is 1.0.2k-fips) and the script cannot renew the Zimbra certificate with the following error:

"obtain-and-deploy-letsencrypt-cert.sh error verification of the issued certification failed"

I presume this is because Let's Encrypt's "DST Root CA X3" expired in September 2021 and the script should be updated.

Thank you very much for your work.

Hello.
This is a bit of a duplicate of #71 (I understand it's a chatty discussion there). The solution is prepared in the chain branch (#73), so please try to check out this branch and renew the cert with letsencrypt-zimbra (future) version 0.6.

Thank you very much for your work.

❤️

Hi,
I tried the chain branch and I've got the same error.
For CentOS 7 the correct path is /usr/bin/certbot in all the configuration files.
Thank you for all your work.

@mpricu the staging certificate still uses the old DST Root CA X3 staging certificate. As mentioned, #71 addresses this. For current version 0.6, production run should validate correctly.

You get 5 chances a week to have Let's Encrypt sign a production certificate, try to run it once and see if it works.

@jogerj I ran letsencrypt-zimbra version 0.6 without the -t option but with the -f option and it failed again (the 4th try).

@mpricu I have the same result, which I mentioned in #70. The issue is that chain.pem has 3 certs, not 2 certs as expected.
Regards.

@VojtechMyslivec @zimico Reading #70 comments I realized I can see the certbot_extra_args value when I was running the script, but it did not contain "--preferred-chain "ISRG Root X1" (please see the previously attached images). Maybe this is the problem.

In my case, I see --preferred-chain ISRG Root X1 (without double quote "ISRG Root X1").
Could you please share your certbot version?

@zimico should be without quotes, so it's good for you.
As I mentioned in my first post, the certbot version is 1.11.0 and the openssl version is 1.0.2k-fips.

I think it is because of OpenSSL 1.0.2, as stated in the following:

Unfortunately, due to the way certificate paths are built and verified, not all implementations of TLS can successfully verify the cross-sign. This is the case with OpenSSL 1.0.2. Hence, programs running on RHEL/CentOS 7 that use OpenSSL will likely fail to verify the new certificate chain or establish TLS connection. Upgrading to newer Openssl versions on such platforms is not straightforward.

from https://serverfault.com/questions/1075514/how-to-fix-certificate-chain-with-letsencrypt-certbot

The -t option for letsencrypt-zimbra would strip the --preferred-chain now, so it's expected to be missing in the screenshots above. It should be there for a production certificate (without -t).

Please double check you are on the chain branch and letsencrypt-zimbra version is 0.6.

The OpenSSL version shouldn't be the problem; the zimbra verify command verifies exactly the chain provided and doesn't care about the cert store.
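To see which of the two chains certbot actually wrote into chain.pem, here is an added diagnostic script (not part of letsencrypt-zimbra; the script name and the chain.pem path are placeholders) that counts the certificates in the bundle and reads the issuer of the last one with openssl.

```shell
#!/usr/bin/env bash
# Added diagnostic (not part of letsencrypt-zimbra): inspect a certbot chain.pem,
# count its certificates and report which root the chain is built towards. A
# 3-cert chain ending in the cross-signed "ISRG Root X1" (issued by "DST Root
# CA X3") is the long chain; the expected short chain has 2 certs and ends in
# an "R3" issued by "ISRG Root X1".
set -eu

# Number of PEM certificate blocks in the bundle (0 if none).
chain_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the n-th certificate block (1-based) of a PEM bundle.
chain_nth_cert() {
  awk -v want="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == want { print }
    /-----END CERTIFICATE-----/ && n == want { exit }
  ' "$1"
}

# Issuer CN of the last certificate in the bundle: the root the verifier
# must trust for this chain to validate.
chain_top_issuer() {
  chain_nth_cert "$1" "$(chain_cert_count "$1")" \
    | openssl x509 -noout -issuer -nameopt sep_multiline,utf8 \
    | sed -n 's/^ *CN=//p'
}

# Classify the bundle: isrg-x1 (short chain, what --preferred-chain "ISRG Root X1"
# should yield), dst-x3-crosssign (long chain, certbot ignored the option), other.
chain_classify() {
  case "$(chain_top_issuer "$1")" in
    "ISRG Root X1")   echo isrg-x1 ;;
    "DST Root CA X3") echo dst-x3-crosssign ;;
    *)                echo other ;;
  esac
}

# Usage: ./chain-check.sh /path/to/chain.pem  (path is a placeholder)
if [ "${1:-}" ]; then
  printf '%s: %s cert(s), top issuer "%s" -> %s\n' "$1" \
    "$(chain_cert_count "$1")" "$(chain_top_issuer "$1")" "$(chain_classify "$1")"
fi
```

Run it against the chain.pem certbot produced: a result of dst-x3-crosssign with 3 certificates is the long chain that the thread describes, and the fix is a certbot that honours --preferred-chain.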

@VojtechMyslivec As you can see in my second attached image, the version is 0.6.
I downloaded the zip archive from your github for the chain branch.
I used just the options -v and -f for my last try.

@VojtechMyslivec These are the images from the latest run of the script with -v and -f options.

What's the value of letsencrypt_altchain parameter in letsencrypt-zimbra.cfg? It should be unset or set to true.

Please note that I just merged @jogerj #71 patches to make testing/staging environment available. You can test renewal with -t from current chain version. Please pull the changes or download the latest zip and rerun it with -f, -t and -v

sudo -iu zimbra /opt/letsencrypt-zimbra/obtain-and-deploy-letsencrypt-cert.sh -ftv

@VojtechMyslivec Right now it is false, but I tried also with true. It was not clear which value it should be. I will download the latest version and I will run it (last try of 5 this week).

Screenshot (108)
@VojtechMyslivec It failed again. Do you need some extra information for debugging?

You can leave it unset, the default is true and that is what you want.

Please see #70 (comment), it applies for your case the same – the issue is in the CentOS certbot package.

Yes, you were right, the certbot version was the problem. For CentOS 7 the last rpm package for certbot is version 1.11, which has some bugs related to the --preferred-chain parameter.
So I installed certbot version 1.20 using snap: https://certbot.eff.org/lets-encrypt/centosrhel7-nginx and I succeeded in updating my certificate:

Screenshot (126)

Thank you very much for your work.

perfect 👍

Hi, I also installed snap 1.20 and the last script for getting the certificates, but I had to rename the script from obtain-and-deploy-letsencrypt-cert.sh to letsencrypt-zimbra.sh
I also symlinked the old name to the new one, but of course it didn't work.

Every night the certbot runs and fails like this:

obtain-and-deploy-letsencrypt-cert.sh: warning: You are using deprecated script name, change it to 'letsencrypt-zimbra.sh'

I have tried to find the cron that runs it, but somehow there is no cron line.
Any ideas?
Thanks!