Fix depth lookup:unable to get issuer certificate: Difference between revisions
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 9.0}}|{{ZCS 10.0}}|}}
{{WIP}}
{{Article Footer|Zimbra Collaboration 8.5, 8.8, 9, 10|02/20/2015}}
{{NeedSME|Fred|Phil|Jenny}}
Latest revision as of 11:58, 16 January 2024
Fix depth lookup:unable to get issuer certificate
See also:
- Certificate_Chain: a practical how-to on creating the certificate chain file.
Purpose
Solve a common problem, depth lookup:unable to get issuer certificate, with SSL certificates when trying to:
- Install a new SSL certificate.
- Install a wildcard SSL certificate from another server.
- Install an SSL certificate from another server: moved or restored from a backup.
- Renew an SSL certificate, when the intermediate CA was changed from the SSL provider.
Resolution
This error means the certificate path (chain) is broken: one or more certificate files are missing. In most cases, the intermediate certificate or the root CA is the one affected. Right now, almost every SSL vendor has 2 or more intermediate CAs: SHA-1 and SHA-2 (SHA-256).
The best solution is to ask the SSL provider for the most up-to-date root CA and intermediate certificates. Then place all of them in a single file, in order, and try again. Concatenate the root CA and the intermediates (Comodo example):
cat ComodoRSAca_ROOT.crt ComodoRSAca_inter1.crt ComodoRSAOrgValidationca_inter2.crt > ca_bundle.crt
Copy the CA Bundle to the proper path:
sudo cp ca_bundle.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
Verify the SSL certificate against the private key:
sudo /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt
Deploy the SSL certificate:
sudo /opt/zimbra/bin/zmcertmgr deploycrt comm star.domain.com.crt ca_bundle.crt
Check the deployed SSL certificate:
sudo /opt/zimbra/bin/zmcertmgr viewdeployedcrt
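An added example, not part of the original article or of Zimbra's tooling: the script below runs plain openssl verify against a locally generated root, intermediate and leaf (all constructed, including the name mail.example.test) to show which missing file produces which message. A bundle that holds the intermediate but not its root gives error 2, unable to get issuer certificate, at depth 1; a bundle that lacks the intermediate gives error 20, unable to get local issuer certificate, at depth 0.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and name below is generated locally.

# make_demo_chain DIR: create root -> intermediate -> leaf test certificates in DIR.
make_demo_chain() (
  cd "$1" || exit 1
  printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > demo.cnf
  openssl req -config demo.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Constructed Root CA" -keyout root.key -out root.crt
  openssl req -config demo.cnf -new -newkey rsa:2048 -nodes \
    -subj "/CN=Constructed Intermediate CA" -keyout inter.key -out inter.csr
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile demo.cnf -extensions v3_ca -days 2 -out inter.crt
  openssl req -config demo.cnf -new -newkey rsa:2048 -nodes \
    -subj "/CN=mail.example.test" -keyout leaf.key -out leaf.csr
  openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 2 -out leaf.crt
) >/dev/null 2>&1

# chain_ok LEAF BUNDLE: succeed if OpenSSL can build LEAF's chain from the CAs in BUNDLE.
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# chain_error LEAF BUNDLE: print OpenSSL's "error N at D depth lookup" line, if any.
chain_error() {
  openssl verify -CAfile "$2" "$1" 2>&1 | grep 'depth lookup' || true
}

# demo: verify the same leaf against an incomplete bundle, twice, then the full one.
demo() {
  d=$(mktemp -d) || return 1
  make_demo_chain "$d" || return 1
  cat "$d/root.crt" "$d/inter.crt" > "$d/ca_bundle.crt"   # root first, as on the page
  for bundle in inter.crt root.crt ca_bundle.crt; do
    if chain_ok "$d/leaf.crt" "$d/$bundle"; then
      echo "$bundle: chain verifies"
    else
      echo "$bundle: $(chain_error "$d/leaf.crt" "$d/$bundle")"
    fi
  done
  rm -rf "$d"
}
demo
```

To check a real deployment, call chain_ok with the server certificate and the assembled ca_bundle.crt before running zmcertmgr.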
Additional Content
- Sometimes it is difficult to get the correct CA chain. In such situations, the CA chain can be downloaded from the third-party website below, using the server certificate file.
- https://whatsmychaincert.com/