so most people who don’t want to pay for ssl certs use letsencrypt, whose root CA seems to have made it into the cert lists of most normal browsers and operating systems. zimbra is quite a pain to get working with it because zmcertmgr wants the chain to include letsencrypt’s root CA (ISRG Root X1), not just the intermediate that certbot hands you. the assumption here is that you already have a properly configured letsencrypt cert for zimbra that certbot renews automatically. there are probably better ways to do this, but this is a quick script for after letsencrypt grabs new certs and you want to load them into zimbra…
#!/bin/sh
# Down and dirty means to renew LetsEncrypt cert with Zimbra
# I copy my LE certs to a dir so I don't totally bork my certs and have to go through certbot tomfoolery.
# Steps: 1. delete old copied certs, 2. copy new certs to zimbra cert staging dir, 3. copy the LE private key
# to commercial.key, 4/5. change ownership of copied files to zimbra, 6. grab the LE root cert, 7. copy the
# contents of the root cert and append it to chain.pem, 8. test things to make sure the commercial.key, cert,
# and chain are working together, 9. deploy to zimbra.
set -e   # bail on the first failing step so a half-copied cert never reaches deploycrt
# as root
# <directory> is the certbot lineage name under /etc/letsencrypt/live (usually your mail hostname)
rm -f /opt/zimbra/ssl/letsencrypt/*
cp /etc/letsencrypt/live/<directory>/* /opt/zimbra/ssl/letsencrypt/
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
# as zimbra
# chain.pem from certbot stops at the intermediate; zmcertmgr needs the root on the end of it
su - zimbra -c "wget -O /opt/zimbra/ssl/letsencrypt/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt"
su - zimbra -c "cat /opt/zimbra/ssl/letsencrypt/ISRG-X1.pem >> /opt/zimbra/ssl/letsencrypt/chain.pem"
# verifycrt exits non-zero if key, cert and chain don't fit together, so set -e stops us here instead of deploying junk
su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/chain.pem"
su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/chain.pem"
sorry if the formatting here is borked; newcert.txt has the script as it should look, if you want to view or download it. i usually save it as newcert.sh…
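step 8 of the script leans on zmcertmgr verifycrt to tell you that key, cert and chain fit together. the checks below are an added example (not part of the original post or of zimbra) that do the same three things with plain openssl, so when verifycrt complains you can see which piece is wrong: key/cert mismatch, a chain.pem that never got the root appended, or a cert that is about to expire. it assumes only the openssl command-line tool; the zimbra paths in the usage comment are the ones from the script, and the throwaway root and leaf it generates are constructed test material, not letsencrypt certs.

```shell
#!/bin/sh
# Added example, not from the post: openssl-only pre-deploy checks that mirror
# zmcertmgr verifycrt (step 8). Assumes the openssl CLI is installed.

# Returns 0 when the private key and the certificate carry the same public key
# (commercial.key was really copied from the privkey.pem that matches cert.pem).
cert_matches_key() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Returns 0 when the leaf certificate chains up to a root that is present in
# chain.pem. This is exactly the check that fails when step 7 (appending the
# root) was skipped: openssl then reports "unable to get issuer certificate".
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Returns 0 when the certificate is still valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Runs all three checks on key, cert and chain; the return value is the number
# of failed checks, so 0 means it is safe to hand the files to deploycrt.
preflight() {
  failed=0
  cert_matches_key "$1" "$2" && echo "ok: key matches cert" \
    || { echo "FAIL: private key does not match cert"; failed=$((failed + 1)); }
  chain_verifies "$2" "$3" && echo "ok: chain verifies up to a root" \
    || { echo "FAIL: chain does not verify (root not appended to chain.pem?)"; failed=$((failed + 1)); }
  cert_valid_for_days "$2" 7 && echo "ok: cert valid for more than 7 days" \
    || { echo "FAIL: cert expires within 7 days"; failed=$((failed + 1)); }
  return "$failed"
}

# Constructed test material so the checks can be exercised offline: a throwaway
# root and a 30-day leaf it signed. Prints the directory that now holds
# root.key, root.pem, privkey.pem, cert.pem and chain.pem (chain = root only,
# which is what chain.pem looks like after step 7 when there is no intermediate).
make_constructed_material() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 60 -subj "/CN=Constructed Test Root" \
    -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$dir/privkey.pem" -out "$dir/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$dir/leaf.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -out "$dir/cert.pem" >/dev/null 2>&1
  cp "$dir/root.pem" "$dir/chain.pem"
  echo "$dir"
}

# Real usage (as zimbra, before running deploycrt):
#   sh preflight.sh /opt/zimbra/ssl/zimbra/commercial/commercial.key \
#       /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/chain.pem
if [ "$#" -eq 3 ]; then
  preflight "$1" "$2" "$3"
fi
```

the key-match check is the one worth keeping around: the script copies privkey.pem over commercial.key as root, so a typo in the `<directory>` name silently pairs an old key with a new cert, and that only shows up as verifycrt failing with no hint which file is stale. since that file is the live private key, it is also worth confirming it stays readable only by zimbra after the chown.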
after this you need to run zmcontrol restart as zimbra to ensure the new certificate actually gets put into use:
su - zimbra -c "/opt/zimbra/bin/zmcontrol restart"
zimbra should be using the updated cert after this. again, this assumes you have already configured letsencrypt and that certbot is already fetching new certs for you. if this is your first time using letsencrypt with zimbra, there are other steps that need to be done before any of this.