YetOpen/certbot-zimbra

ERROR: Unable to validate certificate chain:

UAnton opened this issue · 8 comments

```
root@mail:/opt/letsencrypt-zimbra/certbot-zimbra-0.7.10# ./certbot_zimbra.sh -n
certbot-zimbra v0.7.10 - https://github.com/YetOpen/certbot-zimbra
Checking for dependencies...
Detected Zimbra 8.8.15 on UBUNTU16_64
Using zmhostname to detect domain.
Using domain mail.xxx.com (as certificate DN)
Detecting additional public service hostnames... Found 0 zimbraPublicServiceHostnames through auto-detection
Checking zimbra-proxy is running and enabled
Detecting port from zimbraMailProxyPort
Checking if process is listening on port 80 with name "nginx" user "zimbra"
Nginx templates already patched.
Nginx includes already patched, skipping zmproxy restart.
Detecting certbot version...
Detected certbot 0.27.0
Running /usr/bin/certbot certonly  --webroot -w /opt/zimbra/data/nginx/html --cert-name mail.xxx.com -d mail.xxx.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/mail.xxx.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.xxx.com
Using the webroot path /opt/zimbra/data/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mail.xxx.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mail.xxx.com/privkey.pem
   Your cert will expire on 2021-09-20. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Preparing certificates for deployment.
Testing with zmcertmgr.
** Verifying '/run/certbot-zimbra/certs-8cfEov8L/cert.pem' against '/run/certbot-zimbra/certs-8cfEov8L/privkey.pem'
Certificate '/run/certbot-zimbra/certs-8cfEov8L/cert.pem' and private key '/run/certbot-zimbra/certs-8cfEov8L/privkey.pem' match.
** Verifying '/run/certbot-zimbra/certs-8cfEov8L/cert.pem' against '/run/certbot-zimbra/certs-8cfEov8L/zimbra_chain.pem'
ERROR: Unable to validate certificate chain: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
error /run/certbot-zimbra/certs-8cfEov8L/cert.pem: verification failed

An error seems to have occurred. Please read the output above for clues and try to rectify the situation.
If you believe this is an error with the script, please file an issue at https://github.com/YetOpen/certbot-zimbra.
```
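The `unable to get issuer certificate` error above means a certificate in the chain names an issuer that the verifier cannot find. The following is an added example, not part of the issue or of certbot-zimbra: it lists the certificates in a PEM chain file and flags any whose issuer is neither itself nor another certificate in the same file. The function name `chain_gaps` is made up here, and the script assumes the `openssl` CLI and `awk` are installed.

```shell
#!/bin/sh
# chain_gaps BUNDLE
# Print one line for every certificate in the PEM file BUNDLE whose issuer
# name matches no subject in the file (a self-signed root matches itself).
# Matching is by distinguished name only; signatures are not checked, so
# this locates a missing link but does not replace `openssl verify`.
chain_gaps() {
    # crl2pkcs7 packs every certificate in the file into one PKCS#7
    # structure; pkcs7 -print_certs then prints subject=/issuer= pairs.
    openssl crl2pkcs7 -nocrl -certfile "$1" |
    openssl pkcs7 -print_certs -noout |
    awk '
        /^subject=/ { sub(/^subject= */, ""); subj[++n] = $0; seen[$0] = 1 }
        /^issuer=/  { sub(/^issuer= */, "");  iss[n] = $0 }
        END {
            for (i = 1; i <= n; i++)
                if (!(iss[i] in seen))
                    printf "%s <- issuer not in bundle: %s\n", subj[i], iss[i]
        }'
}

# Stand-alone use: pass the chain file that failed verification.
if [ "$#" -gt 0 ]; then
    chain_gaps "$1"
fi
```

An empty result means every issuer named in the file is present in it; any line printed identifies the certificate whose issuer still has to be added to the chain.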

Please update to latest version

> Please update to latest version

I tried 0.7.10 and 0.7.11, but the problem is the same :(

latest is .12

Thanks!

kotso commented

does not work on latest also.

OS: CentOS 7

> does not work on latest also.
>
> OS: CentOS 7

Are you sure the error is this one and not #140?

UPDATE

I've rechecked my script; it's not the latest. I updated to 0.7.12 and the error has changed. I'll catch up on the other post, #142.

> > does not work on latest also.
> > OS: CentOS 7
>
> Are you sure the error is this one and not #140?

I'm on CentOS 7 and it is not #140 for sure.
Here is the output:

```
IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/domain-mask/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/domain-mask/privkey.pem
    Your certificate will expire on 2022-01-02. To obtain a new or
    tweaked version of this certificate in the future, simply run
    certbot again. To non-interactively renew all of your
    certificates, run "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

Preparing certificates for deployment.
Testing with zmcertmgr.
** Verifying '/run/certbot-zimbra/certs-FXJNy9gB/cert.pem' against '/run/certbot-zimbra/certs-FXJNy9gB/privkey.pem'
Certificate '/run/certbot-zimbra/certs-FXJNy9gB/cert.pem' and private key '/run/certbot-zimbra/certs-FXJNy9gB/privkey.pem' match.
** Verifying '/run/certbot-zimbra/certs-FXJNy9gB/cert.pem' against '/run/certbot-zimbra/certs-FXJNy9gB/zimbra_chain.pem'
ERROR: Unable to validate certificate chain: /run/certbot-zimbra/certs-FXJNy9gB/cert.pem: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup:unable to get issuer certificate

An error seems to have occurred. Please read the output above for clues and try to rectify the situation.
If you believe this is an error with the script, please file an issue at https://github.com/YetOpen/certbot-zimbra.
```

Please open a new issue; it's useless to revamp a months-old one.