Can somebody help me solve the issue with the Let's Encrypt certificate for Zimbra?

OK,
As far as I can understand, for Zimbra on CentOS there is no chance to entirely automate the process of getting the certificates and putting them in Zimbra's SSL repository. Thus a script would include a workaround to download that script from the web, but as soon as the certificate on the web could be wrong, the script might return an error. So, the process is automatic, but should be controlled manually.

I have written a script for this purpose and would like to share it with you. The script will launch certbot, will copy the certificates to a working directory in the Zimbra home path, will build a file with the certificate chain and finally will try to verify the certificates against each other. If successful, a deployment will follow together with restarting Zimbra services and backing up the new certificates. Otherwise, the script will issue a warning and will exit without modification of Zimbra's certificates. So, services are not affected by a wrong or missing chain certificate.

#!/bin/bash

#
# Script to update letsencrypt certificates into Zimbra.
# It downloads your certificates, then builds a chain certificate containing the
# R3 certificate and the X1 certificate (in this order).
# It is trying a check for the newly downloaded certificate and the new chain certificate
# If success, these are deployed to Zimbra. Otherwise script ends without changing the system, so your
# server is not affected by failed renewal.
# Thanks to Rudy for his help
# 

MYDOMAIN="www.example.com"  # change www.example.com to your own domain
ZimbraSSL="/opt/zimbra/ssl/letsencrypt"

# Request (or renew) the certificate for $MYDOMAIN, asking for the chain that ends in ISRG Root X1.
# If certbot fails there is nothing new to deploy, so stop here.
certbot certonly --standalone --preferred-chain "ISRG Root X1" -d "$MYDOMAIN" || exit 1

# Work in Zimbra's letsencrypt directory. Abort if we cannot get there, otherwise the
# rm below would run in whatever directory the script was started from.
mkdir -p "$ZimbraSSL"
cd "$ZimbraSSL"/ || exit 1
rm -f ./*.pem
cp /etc/letsencrypt/live/"$MYDOMAIN"/*.pem ./

# First version of getting shortchain.pem by downloading both certificates from "certs" on the letsencrypt site.
# wget with two URLs and a single -O writes them one after the other into the same file (R3 first, then X1).
# Uncomment the following row if necessary.
#wget https://letsencrypt.org/certs/lets-encrypt-r3.pem https://letsencrypt.org/certs/isrgrootx1.pem -O ./shortchain.pem

# Rudy's suggestion to acquire shortchain.pem: take the intermediate (R3) from certbot's own chain.pem
# and append the root downloaded from letsencrypt.org. Unfortunately, not working in my environment.
# Uncomment the 3 rows below if necessary instead of the previous statement.
#openssl x509 -in /etc/letsencrypt/live/"$MYDOMAIN"/chain.pem > shortchain.pem
#wget https://letsencrypt.org/certs/isrgrootx1.pem -O ./ISRG-X1.pem
#cat ISRG-X1.pem >> shortchain.pem

# Let's check the certificates!
chown zimbra:zimbra ./*
su - zimbra -c "cd $ZimbraSSL/ && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem shortchain.pem"

if [ $? -ne 0 ]; then         	# Following statements are terminal oriented designed for CentOS8 and 
				# might not work with, let's say, Ubuntu.
				# All the strings down to "read" or even "exit" can be cut out.

# Let's play a bit with text formatting.
    RESET=$(tput sgr0)
    CB=$(tput sgr0 && tput setaf 6 && tput bold)
    YU=$(tput sgr0 && tput setaf 3 && tput bold && tput smul)
 
    echo $(tput clear)
    echo ""
    echo ""
    echo ""
    echo "       $CB*****************************************************************"
    echo "       *****************************************************************"
    echo "       **                                                             **"
    echo "       **                                                             **"
    echo "       **                       $YU W A R N I N G !!! $CB                   **"
    echo "       **                                                             **"
    echo "       **                $YU A C H T U N G !!! U W A G A !!! $CB            **"
    echo "       **                                                             **"
    echo "       **                                                             **"
    echo "       **     $YU Letsencrypt Certificate could not be verified, thus $CB   **"
    echo "       **                                                             **"
    echo "       **    $YU it was not applied to your site. Check the output of $CB   **"
    echo "       **                                                             **"
    echo "       **    $YU the verifycrt command and make necessary corrections $CB   **"
    echo "       **                                                             **"
    echo "       **                                                             **"
    echo "       **     $YU Take care of yourself... $CB                              **"
    echo "       **                                                             **"
    echo "       **                                                             **"
    echo "       **                                                             **"
    echo "       *****************************************************************"
    echo "       *****************************************************************$RESET"
    echo ""
    echo ""
    echo ""
    read -n 1 -p "Press any key to resume ..."
    echo
    exit 1
fi

# Here we have already checked the certificates successfully, so we are going to deploy them further.
# Backup Zimbra SSL directory
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")

# Stop the jetty or nginx service at Zimbra level
runuser -l zimbra -c 'zmproxyctl stop'
runuser -l zimbra -c 'zmmailboxdctl stop'

# Deploy the certificates. zmcertmgr deploycrt comm expects the private key to already be in place
# as commercial.key and readable by the zimbra user; it takes only the certificate and the chain as arguments.
\cp ./privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
su - zimbra -c "cd $ZimbraSSL/ && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem shortchain.pem"

# Get Zimbra back to life
runuser -l zimbra -c 'zmcontrol restart'

Correcting issues in the script is welcome.

I think that it is ok to close this thread as my issue finally was resolved. We could even change the thread's title and add the words "CentOS 8.5", "Zimbra 8.8" and "Solved".
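The script above relies on "zmcertmgr verifycrt" to decide whether privkey.pem, cert.pem and shortchain.pem belong together. As an added example, not part of the original post and not Zimbra's or certbot's own code, the following bash functions perform the same three checks with plain openssl, so the reason for a rejected bundle is readable before zmcertmgr is involved: the key matches the certificate, the bundle is ordered intermediate-then-root as the post builds it, and the certificate chains to a root using only the bundle (not the system trust store, which would otherwise hide a missing root because ISRG Root X1 is already trusted there). The function names are this example's own, and make_test_pki builds a constructed throwaway root/intermediate/leaf that stands in for ISRG Root X1, R3 and the site certificate so the checks can be exercised offline.

```bash
#!/bin/bash
# Added example (not from the original post): pre-flight checks for the three files
# the script hands to "zmcertmgr verifycrt comm", done with plain openssl.
# Function names and the throwaway test PKI are this example's own.

# 0 if the public key inside cert ($2) belongs to private key ($1).
# Both print as PEM SubjectPublicKeyInfo, so a plain string compare is enough.
key_matches_cert() {
    local key_pub cert_pub
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Split PEM bundle ($1) into $2/cert-N.pem and print how many certificates it held.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }' "$1"
}

# 0 if every certificate in bundle ($1) is issued by the one after it, i.e.
# intermediate(s) first and root last, the order the post builds shortchain.pem in.
# openssl verify treats -CAfile as an unordered store, hence this separate check.
chain_order_ok() {
    local dir n i issuer subject
    dir=$(mktemp -d) || return 1
    n=$(split_bundle "$1" "$dir")
    for ((i = 1; i < n; i++)); do
        issuer=$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer 2>/dev/null)
        subject=$(openssl x509 -in "$dir/cert-$((i + 1)).pem" -noout -subject 2>/dev/null)
        if [ -z "$issuer" ] || [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            rm -rf "$dir"; return 1
        fi
    done
    rm -rf "$dir"
    [ "$n" -ge 1 ]
}

# 0 if cert ($1) chains to a self-signed root using ONLY the certificates in bundle ($2).
# -no-CApath keeps the system trust store out of the decision; on a real server
# ISRG Root X1 is trusted there already and would mask a bundle that forgot the root.
chain_verifies() {
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# All three checks together; mirrors the go/no-go the script takes after verifycrt.
preflight() {  # privkey.pem cert.pem shortchain.pem
    key_matches_cert "$1" "$2" && chain_order_ok "$3" && chain_verifies "$2" "$3"
}

# Constructed throwaway PKI (not real Let's Encrypt material) standing in for
# ISRG Root X1 / R3 / the site certificate, so the checks can be exercised offline.
make_test_pki() {  # outdir
    local d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 -sha256 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$d/leaf.ext" -out "$d/cert.pem" 2>/dev/null
    cat "$d/int.pem" "$d/root.pem" > "$d/shortchain.pem"   # correct: intermediate, then root
    cat "$d/root.pem" "$d/int.pem" > "$d/reversed.pem"     # wrong order
    cp  "$d/int.pem"              "$d/noroot.pem"          # root missing (the failure the post guards against)
}

# Demo when run directly with --demo: build the throwaway PKI and report each case.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_test_pki "$tmp"
    preflight "$tmp/privkey.pem" "$tmp/cert.pem" "$tmp/shortchain.pem" && echo "good bundle: accepted"
    chain_order_ok "$tmp/reversed.pem" || echo "reversed bundle: order check failed"
    chain_verifies "$tmp/cert.pem" "$tmp/noroot.pem" || echo "bundle without root: verify failed"
    rm -rf "$tmp"
fi
```

On a real host the call would be `preflight privkey.pem cert.pem shortchain.pem || exit 1`, placed right after the cp from /etc/letsencrypt/live and before the zmcertmgr steps. On OpenSSL 3 you may also want `-no-CAstore` next to `-no-CApath` so the default store is excluded as well; it is left out above because OpenSSL 1.1.1 does not know that option.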
