Certificate Expiration does not match

[root@mail letsencrypt]# more /opt/zimbra/conf/nginx.conf
# NGINX POP/IMAP proxy configuration file for use with Zimbra
#
working_directory /opt/zimbra;
include /opt/zimbra/conf/nginx/includes/nginx.conf.main;
include /opt/zimbra/conf/nginx/includes/nginx.conf.memcache;
include /opt/zimbra/conf/nginx/includes/nginx.conf.zmlookup;
include /opt/zimbra/conf/nginx/includes/nginx.conf.mail;
include /opt/zimbra/conf/nginx/includes/nginx.conf.web;

# Don't edit the below comment
#SUCCESS

more /opt/zimbra/conf/nginx/includes/nginx.conf.web

[root@mail letsencrypt]# more /opt/zimbra/conf/nginx/includes/nginx.conf.web
http
{
# disable nginx version on error pages
server_tokens off;

upstream_fair_shm_size 32k;

root /opt/zimbra/data/nginx/html;

# You need to customize these two values by setting local config
# proxy_server_names_hash_max_size and proxy_names_hash_bucket_size
# when too many virtual host names are added
server_names_hash_max_size 512;
server_names_hash_bucket_size 64;

# Define whether nginx will match exact server version against the
# version received in the client request. Defaults to 'on'
# Setting this to off will make nginx compare only the major and minor
# server versions (eg. all 8.5.x will be treated same by nginx)
exact_version_check on;

# Define the collection of upstream HTTP webclient servers to which we will proxy
# Define each server:port against a server directive
#
upstream zimbra_webclient
{
    server    mail.cebucity.gov.ph:8080 fail_timeout=10s version=8.8.15_GA_3829;

    zmauth;
}

#  Define the collection of upstream HTTP servers to which we will proxy
#  Define each server:port against a server directive
#
upstream zimbra
{
    server    mail.cebucity.gov.ph:8080 fail_timeout=10s version=8.8.15_GA_3829;

    zmauth;
}

#  Define the collection of upstream HTTPS webclient servers to which we will proxy
#  Define each server:port against a server directive

more /opt/zimbra/conf/nginx/includes/nginx.conf.web.https
more /opt/zimbra/conf/nginx/includes/nginx.conf.web.https.default

[root@mail letsencrypt]# more /opt/zimbra/conf/nginx/includes/nginx.conf.web.https
[root@mail letsencrypt]# more /opt/zimbra/conf/nginx/includes/nginx.conf.web.https.default

# HTTPS Proxy Default Configuration
#
# Strict servername enforcing block
# Enabled/disabled through the 'zimbraReverseProxyStrictServerName' configuration item
#
# The ${listen.:addresses} is NOT demarcated with web.strict.servername on purpose.
#
#server {
#listen [::]:443 default_server ipv6only=off;
listen 443 default_server;
#listen [::]:443 default_server;
server_name _;
# Listen addresses extracted from zimbraVirtualIPAddress on each domain
# Listen addresses extracted from zimbraVirtualIPAddress on each domain
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 600;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
ssl_ecdh_curve prime256v1;
ssl_certificate /opt/zimbra/conf/nginx.crt;
ssl_certificate_key /opt/zimbra/conf/nginx.key;
ssl_verify_client off;
ssl_verify_depth 10;
ssl_dhparam /opt/zimbra/conf/dhparam.pem;
return 400;
#}

server
{
#listen [::]:443 ipv6only=off;
listen 443;
#listen [::]:443;

server_name             mail.cebucity.gov.ph; # add aliases and perhaps public
client_max_body_size    0;
    ssl_certificate         /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key     /opt/zimbra/conf/nginx.key;

It might be as simple as replacing that with:

ssl_certificate         /etc/letsencrypt/live/mail.cebucity.gov.ph/fullchain.pem;
ssl_certificate_key     /etc/letsencrypt/live/mail.cebucity.gov.ph/privkey.pem;

But Zimbra seems to want to do things in its own way…

The documented method is more like:

su zimbra
/opt/zimbra/bin/zmcertmgr verifycrt comm /etc/letsencrypt/live/mail.cebucity.gov.ph/privkey.pem /etc/letsencrypt/live/mail.cebucity.gov.ph/cert.pem
[if that is OK - success]
cp /etc/letsencrypt/live/mail.cebucity.gov.ph/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/mail.cebucity.gov.ph/cert.pem /etc/letsencrypt/live/mail.cebucity.gov.ph/chain.pem
zmcontrol restart
exit

You mean fullchain.pem copied and pasted to nginx.crt?
privkey.pem to nginx.key?

Yes.
If you want to try that, back up the current files first.
Replace them and restart Zimbra:

su zimbra
zmcontrol restart
zmcontrol status
- if anything is failing
zmcontrol start
- if it is still failing
replace the files with the backups, restart Zimbra and try the other method

[zimbra@mail ~]$ cd /opt/zimbra/ssl/letsencrypt/

[zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr verifycrt comm /etc/letsencrypt/live/mail.cebucity.gov.ph/privkey.pem /etc/letsencrypt/live/mail.cebucity.gov.ph/cert.pem
** Verifying '/etc/letsencrypt/live/mail.cebucity.gov.ph/cert.pem' against '/etc/letsencrypt/live/mail.cebucity.gov.ph/privkey.pem'
ERROR: Can't read file '/etc/letsencrypt/live/mail.cebucity.gov.ph/privkey.pem'
ERROR: Can't read file '/etc/letsencrypt/live/mail.cebucity.gov.ph/cert.pem'

[zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK

I tried your command but it's not working, and I tried the code from the Zimbra documentation.

source: Installing a LetsEncrypt SSL Certificate - Zimbra :: Tech Center

I assumed the file name:
ls -l /etc/letsencrypt/live/

I'm currently here and tried to restart Zimbra; hope this works :frowning:

Fingers crossed.

Please show:
ls -l /etc/letsencrypt/live/

[root@mail ~]# ls -l /etc/letsencrypt/live/
total 4
-rw-r--r--. 1 root root 740 Aug 7 04:28 README
drwxr-xr-x. 2 root root 93 Nov 3 22:44 mail.cebucity.gov.ph

It must be a permissions problem - the files are there.
Show the files with:
ls -l /etc/letsencrypt/live/mail.cebucity.gov.ph/
The zimbra user has no right to read them.

Cert expiration hasn’t changed:

image

Yes, that's correct.

So I think I will try the nginx.crt etc... I guess.

sadly yes :frowning:


If that fails, copy the needed files to another location (like /opt/zimbra/cert; create the path),
then make those files readable by zimbra or by all,
let Zimbra use them, then delete them.

zimbra cert integration needs a little love

If you only have the one Zimbra server, that may work.
If you have more (and they operate together), that may fail, as Zimbra needs to update itself in local LDAP for server-to-server communications.
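The two diagnoses in this thread (the zimbra user cannot read the Let's Encrypt files, and the expiry date served on 443 did not change after the deploy) can be checked from one script. This is an added example written for this thread, not code from any poster, from Zimbra or from Let's Encrypt; the host name and paths are the thread's, and it assumes openssl(1) is installed on the mail host.

```shell
#!/bin/sh
# Added example for this thread, not Zimbra's or Let's Encrypt's own tooling.
# Two checks worth running after deploying a renewed certificate:
#  1. can the account that has to open the files actually read them? Run as
#     the zimbra user (su - zimbra -c 'sh check.sh run'); live/ holds symlinks
#     into archive/, so [ -r ] failing there usually means archive/ is 0700.
#  2. is the certificate nginx serves on :443 the one you deployed? Compare
#     SHA-256 fingerprint and notAfter of the file and of the live endpoint.
# Host and paths are the thread's; openssl(1) is assumed to be installed.
HOST=${HOST:-mail.cebucity.gov.ph}
LIVE=${LIVE:-/etc/letsencrypt/live/$HOST}
DEPLOYED=${DEPLOYED:-/opt/zimbra/conf/nginx.crt}

# check_readable PATH: "ok", "missing" or "unreadable" for the current user.
check_readable() {
  [ -e "$1" ] || { echo "missing: $1"; return 1; }
  [ -r "$1" ] || { echo "unreadable as $(id -un): $1"; return 1; }
  echo "ok: $1"
}

# pem_identity FILE: "<sha256 fingerprint> <notAfter>" of the first cert in FILE.
pem_identity() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 -enddate 2>/dev/null |
    sed 's/^[^=]*=//' | tr '\n' ' ' | sed 's/ $//'
}

# served_identity HOST [PORT]: the same for the leaf cert presented on HOST:PORT.
served_identity() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 -enddate 2>/dev/null |
    sed 's/^[^=]*=//' | tr '\n' ' ' | sed 's/ $//'
}

# same_cert FILE1 FILE2: succeeds when both files carry the same leaf certificate.
same_cert() {
  a=$(pem_identity "$1") && [ -n "$a" ] && [ "$a" = "$(pem_identity "$2")" ]
}

main() {
  for f in "$LIVE/privkey.pem" "$LIVE/cert.pem" "$LIVE/chain.pem" "$LIVE/fullchain.pem"; do
    check_readable "$f"
  done
  echo "deployed file : $(pem_identity "$DEPLOYED")"
  echo "served on 443 : $(served_identity "$HOST")"
  same_cert "$LIVE/fullchain.pem" "$DEPLOYED" && echo "nginx.crt matches fullchain.pem" ||
    echo "nginx.crt does NOT match fullchain.pem: the deploy did not take effect"
}

# Only run the checks when invoked with 'run', so the functions can be sourced.
case "${1:-}" in run) main ;; esac
```

If the served fingerprint matches nginx.crt but not fullchain.pem, the proxy restarted fine and it is the deploy step (zmcertmgr or the manual copy) that never replaced the file.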