ERROR: Unable to validate certificate chain: /run/certbot-zimbra/certs-k1IwpQa5/cert.pem: O = Digital Signature Trust Co., CN = DST Root CA X3 error 10 at 3 depth lookup:certificate has expired OK

[ccasalicchio]

I'm getting this error with Zimbra 8.8.8_GA_2009.FOSS: Preparing certificates for deployment. Testing with zmcertmgr. ** Verifying '/run/certbot-zimbra/certs-k1IwpQa5/cert.pem' against '/run/certbot-zimbra/certs-k1IwpQa5/privkey.pem' Certificate '/run/certbot-zimbra/certs-k1IwpQa5/cert.pem' and private key '/run/certbot-zimbra/certs-k1IwpQa5/privkey.pem' match. ** Verifying '/run/certbot-zimbra/certs-k1IwpQa5/cert.pem' against '/run/certbot-zimbra/certs-k1IwpQa5/zimbra_chain.pem' ERROR: Unable to validate certificate chain: /run/certbot-zimbra/certs-k1IwpQa5/cert.pem: O = Digital Signature Trust Co., CN = DST Root CA X3 error 10 at 3 depth lookup:certificate has expired OK

An error seems to have occurred. Please read the output above for clues and try to rectify the situation. If you believe this is an error with the script, please file an issue at https://github.com/YetOpen/certbot-zimbra.

Is this related to the latest LetsEncrypt Certificate Revokes? https://www.theregister.com/2022/01/26/lets_encrypt_certificates/

How do I resolve this?

[maxxer]

Have a look at #140

[jjakob]

Since you're running 8.8.8, you're probably on an old OS that doesn't receive updates any more, and probably doesn't have the new "ISRG Root X1" CA that new Letsencrypt-issued certificates use. You need to check if you have "ISRG Root X1" in your system CA store, if you don't, install updates for your OS, or add it manually.

[jjakob]

Possible duplicate of #140