YetOpen / certbot-zimbra

Automated letsencrypt/certbot certificate request and deploy script for Zimbra hosts


Can't find "DSTRootCAX3" in "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" on latest version

WEBudoGT opened this issue · comments

I get the following error:

Error: Can't find "DSTRootCAX3" in "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem". Exiting

Centos 7
certbot 1.11.0
certbot-zimbra 0.7.12

Command executed:

/usr/src/certbot-zimbra/certbot_zimbra.sh -d -j -z -H mail.domain.tld

Command executed after getting fresh certificates using the following:

/usr/bin/certbot certonly  --webroot -w /opt/zimbra/data/nginx/html --cert-name mail.domain.tld -d mail.domain.tld

Which successfully returned:

Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate mail.grupobodegas.com.gt to include new domain(s):
+ mail.grupobodegas.com.gt

You are also removing previously included domain(s):
- R3

Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate certificate/(C)ancel: U
Renewing an existing certificate for mail.domain.tld

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
 /etc/letsencrypt/live/mail.domain.tld/fullchain.pem
 Your key file has been saved at:
 /etc/letsencrypt/live/mail.domain.tld/privkey.pem
 Your certificate will expire on 2022-01-04. To obtain a new or
 tweaked version of this certificate in the future, simply run
 certbot again. To non-interactively renew *all* of your
 certificates, run "certbot renew"

Duplicate of #140. What worked for others is in the replies. Also read the readme troubleshooting section. It's not a certbot-zimbra issue, but a certbot issue.

Posting this here as well, since it's the first URL shown in Google if you search for that error:
For those who are on CentOS 7:
If you are getting the error Error: Can't find "DSTRootCAX3" in "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem". Exiting. when trying to deploy the certificates with certbot_zimbra.sh, you need to explicitly use the ISRG Root X1 chain.
Since the -L '--preffered-chain "ISRG Root X1"' does NOT work, you need to create /etc/letsencrypt/cli.ini with the contents preferred-chain = ISRG Root X1.
After that, re-issue the certificate.

For some reason, even if DSTRootCAX3 has been removed from /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, it does not get removed from /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt.
Manually removing it from there does not work, since it gets re-added when using update-ca-certs.
In other words, CentOS 7 is absolutely terrible when using Certbot.

Also, do not bother with snap on CentOS. It's even more terrible.

Instead, use the pip3 certbot module.

1. Remove the certbot package provided by CentOS repositories.
2. Install python3-pip
3. Run pip3 install --upgrade pip
4. Install dependencies: pip3 install wheel setuptools_rust
5. Install certbot: pip3 install certbot
6. Run the certbot_zimbra.sh (before that, apply the cli.ini).
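A pre-deploy check for the situation in this thread, as an added example (not code from certbot-zimbra or certbot): it writes the preferred-chain setting into a cli.ini without duplicating it, and verifies that the root a certbot fullchain.pem relies on is actually present in the system CA bundle before certbot_zimbra.sh -d is run. It assumes the openssl CLI is installed and that both the chain and the bundle are PEM files.

```shell
#!/usr/bin/env bash
# Added example, not code from certbot-zimbra or certbot. Two helpers for the
# situation in this thread: set preferred-chain in cli.ini idempotently, and
# check, before running certbot_zimbra.sh -d, that the root a fullchain.pem
# depends on is present in the system CA bundle (the condition behind the
# "Can't find ... in tls-ca-bundle.pem" error). Needs the openssl CLI.
set -eu

# ensure_preferred_chain CLI_INI [CHAIN]: append "preferred-chain = CHAIN"
# (default ISRG Root X1) unless the file already sets preferred-chain.
ensure_preferred_chain() {
  ini=$1; chain=${2:-ISRG Root X1}
  if [ -f "$ini" ] && grep -Eq '^[[:space:]]*preferred-chain[[:space:]]*=' "$ini"; then
    return 0
  fi
  printf 'preferred-chain = %s\n' "$chain" >> "$ini"
}

# cert_names FILE: one "subject=..." and one "issuer=..." line per certificate
# in a PEM file, both in the same name format, so they compare as plain strings.
cert_names() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# chain_root_trusted FULLCHAIN BUNDLE: every issuer in the chain that is not
# itself a subject in the chain is a root the bundle must supply (certbot's
# fullchain.pem stops at the intermediate, so for Let's Encrypt this is
# ISRG Root X1 or DST Root CA X3). Exit 0 if all such roots are subjects in
# BUNDLE, e.g. /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem; otherwise
# print each missing root and exit 1.
chain_root_trusted() {
  {
    cert_names "$1" | sed 's/^/chain:/'
    cert_names "$2" | sed -n 's/^subject=/bundle:/p'
  } | awk -v bundle="$2" '
    /^chain:subject=/ { sub(/^chain:subject=/, ""); subj[$0] = 1 }
    /^chain:issuer=/  { sub(/^chain:issuer=/, "");  iss[$0] = 1 }
    /^bundle:/        { sub(/^bundle:/, "");        ok[$0] = 1 }
    END {
      bad = 0
      for (n in iss) if (!(n in subj) && !(n in ok)) {
        print "root needed by chain not found in " bundle ": " n; bad = 1
      }
      exit bad
    }'
}
```

Run chain_root_trusted /etc/letsencrypt/live/mail.domain.tld/fullchain.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem after re-issuing; a non-zero exit with DST Root CA X3 named means the cli.ini setting did not take effect.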