Fix depth lookup:unable to get issuer certificate
Purpose
Solve a common problem, depth lookup:unable to get issuer certificate, with SSL certificates when trying to:
- Install a new SSL certificate.
- Install a wildcard SSL certificate from another server.
- Install an SSL certificate from another server: moved or restored from a backup.
- Renew an SSL certificate when the SSL provider has changed the intermediate CA.
Resolution
This error means the certificate path (chain) is broken: one or more CA certificate files are missing. In most cases, the missing file is an intermediate certificate or the root CA. Right now, almost every SSL vendor has 2 or more intermediate CAs: SHA-1 and SHA-2 (SHA-256).
The best solution is to ask the SSL provider for its most up-to-date root CA and intermediate certificates. Then place all of them in one file, in order, and try again. Concatenate the root CA and the intermediates (Comodo example):
cat ComodoRSAca_ROOT.crt ComodoRSAca_inter1.crt ComodoRSAOrgValidationca_inter2.crt > ca_bundle.crt
Copy the CA Bundle to the proper path:
sudo cp ca_bundle.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
Verify the SSL certificate against the private key:
sudo /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt
Deploy the SSL certificate:
sudo /opt/zimbra/bin/zmcertmgr deploycrt comm star.domain.com.crt ca_bundle.crt
Check the deployed SSL certificate:
sudo /opt/zimbra/bin/zmcertmgr viewdeployedcrt
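To see which CA certificate a bundle is missing before deploying, the following added example (not part of the original article and not Zimbra's own code) builds a throwaway root, intermediate and leaf and classifies the `openssl verify` result for a complete and two incomplete bundles. The helper names `make_test_pki` and `diagnose_chain`, the subject names and the temporary paths are assumptions made for the example; it also covers the related "unable to get local issuer certificate" error, which goes slightly beyond the case in this article.

```shell
#!/usr/bin/env bash
# Added example with a constructed test PKI; nothing here touches /opt/zimbra.

# make_test_pki DIR: create root -> intermediate -> leaf in DIR (all names made up).
make_test_pki() {
  local d=$1
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\nCN=unused\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/pki.cnf"
  openssl req -x509 -config "$d/pki.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Test Root" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Test Intermediate" -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -extfile "$d/pki.cnf" -extensions ca -out "$d/inter.crt" 2>/dev/null
  openssl req -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=mail.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" -CAcreateserial \
    -days 2 -out "$d/leaf.crt" 2>/dev/null
}

# diagnose_chain LEAF BUNDLE: verify LEAF against the CAs in BUNDLE and name the gap.
diagnose_chain() {
  local out
  out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
  case $out in
    # error 20: the issuer of the server certificate itself is not in the bundle
    *"unable to get local issuer certificate"*) echo "leaf-issuer-missing" ;;
    # error 2: a CA in the bundle was found, but that CA's own issuer is absent
    *"unable to get issuer certificate"*)       echo "upper-ca-missing" ;;
    *": OK"*)                                   echo "ok" ;;
    *)                                          echo "other: $out" ;;
  esac
}

demo=$(mktemp -d) && make_test_pki "$demo"
# Complete bundle, built the same way as the cat command in the article.
cat "$demo/root.crt" "$demo/inter.crt" > "$demo/ca_bundle.crt"
diagnose_chain "$demo/leaf.crt" "$demo/ca_bundle.crt"   # complete bundle
diagnose_chain "$demo/leaf.crt" "$demo/inter.crt"       # root left out: this article's error
diagnose_chain "$demo/leaf.crt" "$demo/root.crt"        # intermediate left out
rm -rf "$demo"
```

With real files, pass the issued certificate and the ca_bundle.crt built above to `diagnose_chain`; the depth number in the raw `openssl verify` output tells you which certificate in the chain has no issuer in the bundle.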