ERROR: Unable to validate certificate chain: /run/certbot-zimbra/certs-k1IwpQa5/cert.pem: O = Digital Signature Trust Co., CN = DST Root CA X3 error 10 at 3 depth lookup:certificate has expired OK
ccasalicchio opened this issue · comments
I'm getting this error with Zimbra 8.8.8_GA_2009.FOSS:
Preparing certificates for deployment.
Testing with zmcertmgr.
** Verifying '/run/certbot-zimbra/certs-k1IwpQa5/cert.pem' against '/run/certbot-zimbra/certs-k1IwpQa5/privkey.pem'
Certificate '/run/certbot-zimbra/certs-k1IwpQa5/cert.pem' and private key '/run/certbot-zimbra/certs-k1IwpQa5/privkey.pem' match.
** Verifying '/run/certbot-zimbra/certs-k1IwpQa5/cert.pem' against '/run/certbot-zimbra/certs-k1IwpQa5/zimbra_chain.pem'
ERROR: Unable to validate certificate chain: /run/certbot-zimbra/certs-k1IwpQa5/cert.pem: O = Digital Signature Trust Co., CN = DST Root CA X3
error 10 at 3 depth lookup:certificate has expired
OK
An error seems to have occurred. Please read the output above for clues and try to rectify the situation.
If you believe this is an error with the script, please file an issue at https://github.com/YetOpen/certbot-zimbra.
Is this related to the latest LetsEncrypt Certificate Revokes? https://www.theregister.com/2022/01/26/lets_encrypt_certificates/
How do I resolve this?
Have a look at #140
Since you're running 8.8.8, you're probably on an old OS that doesn't receive updates any more, and probably doesn't have the new "ISRG Root X1" CA that new Letsencrypt-issued certificates use. You need to check if you have "ISRG Root X1" in your system CA store, if you don't, install updates for your OS, or add it manually.
Possible duplicate of #140