How to renew letsencrypt ssl certificate 2023


I recently requested an update to our LetsEncrypt certificates to change the key_type to ecdsa using the elliptic curve secp384r1, which is seen as more secure these days. The certs were generated fine, but as soon as I tried to deploy them in Zimbra the process failed: zmcertmgr was unable to verify that the public key matched the cert.

[root@mail tmp]# su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /tmp/privkey1.pem /tmp/cert16.pem /tmp/zimbra_chain1.pem"
** Verifying '/tmp/cert1.pem' against '/tmp/privkey1.pem'
139741916038976:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:crypto/evp/p_lib.c:469:
ERROR: Certificate '/tmp/cert1.pem' and private key '/tmp/privkey1.pem' do not match.

To make sure I did not have a broken system, I force-renewed my certificate again, changing the key_type back to rsa. This time the certs validated and deployed.

To fix this issue, run this script:

#!/bin/sh
# Patch zmcertmgr so that "verifycrt" compares the public keys extracted from
# the private key and the certificate instead of RSA moduli, which only exist
# for RSA keys. A backup of the original is kept as zmcertmgr.bak.
zmcertmgr=/opt/zimbra/bin/zmcertmgr
cp "$zmcertmgr" "$zmcertmgr.bak"
# The quoted file name ('$keyf' / '$crtf') that follows "-in " in the Perl
# source is left untouched; only the openssl subcommand and its flags change.
sed -i \
    -e 's/$self->run("$ssl rsa -noout -modulus -in /$self->run("$ssl pkey -pubout -in /g' \
    -e 's/$self->run("$ssl x509 -noout -modulus -in /$self->run("$ssl x509 -noout -pubkey -in /g' \
    "$zmcertmgr"

With the change in place the certificates verify correctly.

[root@mail tmp]# su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /tmp/privkey1.pem /tmp/cert1.pem /tmp/zimbra_chain1.pem"
** Verifying '/tmp/cert1.pem' against '/tmp/privkey1.pem'
Certificate '/tmp/cert1.pem' and private key '/tmp/privkey1.pem' match.
** Verifying '/tmp/cert1.pem' against '/tmp/zimbra_chain1.pem'
Valid certificate chain: /tmp/cert16.pem: OK
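As an added example (not code from this post or from Zimbra's zmcertmgr), here is a stand-alone version of the check the patched zmcertmgr performs: it compares the public key derived from the private key with the public key embedded in the certificate, which works for RSA and ECDSA alike. The self-test material (an secp384r1 key, a self-signed certificate for it, and an unrelated RSA key) is constructed on the fly with openssl; the function and file names are my own.

```shell
#!/bin/sh
# Added example: key-type-agnostic "does this private key match this cert?" check.
# Unlike "openssl rsa -modulus", "openssl pkey -pubout" works for EC and RSA keys.
set -eu

# Print the SHA-256 digest of the DER-encoded public key contained in a private key.
pubkey_from_key() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Print the SHA-256 digest of the DER-encoded public key contained in a certificate.
pubkey_from_cert() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -pubout -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 when the key and the certificate carry the same public key, 1 otherwise.
key_matches_cert() {
    [ "$(pubkey_from_key "$1")" = "$(pubkey_from_cert "$2")" ]
}

# Self-test on constructed throwaway material (assumed names, created in a temp dir).
demo() {
    dir=$(mktemp -d)
    openssl ecparam -name secp384r1 -genkey -noout -out "$dir/ec.key" 2>/dev/null
    openssl req -new -x509 -key "$dir/ec.key" -days 1 -subj "/CN=example.test" \
        -out "$dir/ec.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/rsa.key" 2>/dev/null
    if key_matches_cert "$dir/ec.key" "$dir/ec.crt"; then
        echo "ecdsa key vs its own cert: match"
    else
        echo "ecdsa key vs its own cert: MISMATCH"
    fi
    if key_matches_cert "$dir/rsa.key" "$dir/ec.crt"; then
        echo "unrelated rsa key vs ecdsa cert: match (unexpected)"
    else
        echo "unrelated rsa key vs ecdsa cert: mismatch (expected)"
    fi
    rm -rf "$dir"
}

# Run the self-test only when invoked as: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

The same comparison can be run by hand against the files the post uses, e.g. key_matches_cert /tmp/privkey1.pem /tmp/cert1.pem, without caring whether the key is RSA or ECDSA.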

A further error is possible: the LDAP daemon does not start.

Quick fix (these two settings turn off the STARTTLS requirement for Zimbra's LDAP connections in local config):

zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_starttls_supported=0


5 thoughts on “How to renew letsencrypt ssl certificate 2023”

  1. Thanks, I managed to solve by creating the script and then running the script. Everything’s fine.
