Certificate reinstallation problem on zimbra

Hi everyone, some time ago I had to rebuild a Zimbra mail server from scratch. Now everything works correctly, and I wanted to recreate a certificate with certbot and install it in Zimbra. I followed the same guide:

but I got stuck on the command:
sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'

as it gives me an error that I cannot resolve:

Also, when I check the certificates, I get the error:
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/zimbra.adm-srl.it/cert.pem /etc/letsencrypt/live/zimbra.adm-srl.it/chain.pem

I hope someone can help me solve this problem. Thanks in advance


Please review their published recommendations:
Installing a LetsEncrypt SSL Certificate - Zimbra :: Tech Center

Also, you should ensure that your system ca-certificates are up-to-date; As well as all TLS related utilities (like: OpenSSL).


Hi rudy, thank you for your reply. I then followed the guide you suggested (which would be the official one), but at the command sudo certbot certonly --standalone it gives me the error in the picture.
I noticed that the error is on the www suffix, which does NOT match my public IP ... but the point is that I don't want a certificate for www ... but rather for zimbra.mydomain.ext
I could modify the DNS file of the website, but this would make it unreachable, and this is not good ... what do you think?

Are you sure you need to use --standalone?
I see a working Apache server response:

curl -Ii www.adm-srl.it
HTTP/1.1 302 Found
Date: Sat, 04 Dec 2021 07:41:23 GMT
Server: Apache
Upgrade: h2
Connection: Upgrade
Location: http://www.adm-srl.it/impianti/
Content-Type: text/html; charset=UTF-8

Eh, this is the site that I don't actually manage ... the provider does ... I only manage Zimbra. Maybe since there is an existing certificate at the provider it gives me an error ... can it be?

No two services can use the same port on the same IP [without some very sophisticated "trickery"].
If you are using certbot with --standalone, it will need to bind to port 80 (HTTP).
But there is already an Apache server seen there now.

You either:

  • shut down the Apache server to call certbot (then start it back up afterwards)
  • port forwarded HTTP to some other port (not 80) where Apache runs
  • are behind an Apache proxy
  • are NOT on the right system
    Please show the output of:
    curl -4 ifconfig.co
  • OR some other unexplained (mis)configuration

I beg your pardon, I expressed myself badly.
Zimbra is located locally at the customer's site and has a public IP 185.52.xx.xx, where I have HTTP port 80 open towards the local IP 192.168.88.194

The website, hosted in the cloud at the provider, already has an HTTPS certificate issued by the same provider and the IP 62.149.xx.xx

Ok, now that is starting to make some sense.

If the email server is at another IP, it will need an FQDN that points to that IP.
An FQDN that should match the EHLO/HELO and pass FCrDNS checks.

TIP: It makes little sense to use a cert for "www.example.com" at service "mail.example.com".


Okay, I guess, but maybe I should ask for a wildcard.
However, to solve the problem, I should point zimbra.adm-srl.it to my client's public IP (where Zimbra is), open port 80 to the local Zimbra IP, and in the certbot request ask for zimbra.adm-srl.it and NOT for adm-srl.it, is that correct?


Correct.


All right! It worked perfectly. A thousand thanks!

At the end of the Zimbra document you linked me, it mentions:


but does it mean that I have to do this step too? Or was it already done while following the guide?


Following the guide so far has only issued a cert.
Zimbra cert integration is a very unusual process.
You will likely have to move slowly and test (and write down) all your steps along that way.


cd ~
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/barrydegraaff.tk/cert.pem /etc/letsencrypt/live/barrydegraaff.tk/chain.pem

/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/barrydegraaff.tk/cert.pem /etc/letsencrypt/live/barrydegraaff.tk/chain.pem

In reality, with these 2 commands (the first verifies and the second executes) you import the certificate into Zimbra, restart the services and everything works :+1:

Now I wanted to configure crontab to run it every 3 months, but at the same time I don't want to leave port 80 open ... how could I do that?
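The two zmcertmgr steps above (verifycrt, then deploycrt) are the part certbot does not do for you, and they are what a renewal has to repeat. The following is an added example, not code from this thread, from certbot or from the Zimbra guide: a certbot deploy hook that stages the renewed files, builds a chain file, and then runs exactly those two commands as the zimbra user. The paths under /opt/zimbra/ssl, the chown to zimbra:zimbra, the zmcontrol restart, and the root-certificate file named in ROOT_PEM are assumptions about a typical Zimbra install; adjust them to yours. RENEWED_LINEAGE is the variable certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example (not from the thread, certbot or Zimbra): certbot deploy hook
# that feeds a renewed Let's Encrypt certificate into Zimbra.
#
# Assumptions (not stated on the page):
#   ZIMBRA_SSL_DIR  where Zimbra keeps its "commercial" key
#   STAGE_DIR       scratch dir readable by the zimbra user
#   ROOT_PEM        PEM copy of the root CA that anchors the Let's Encrypt chain;
#                   certbot's chain.pem stops at the intermediate, so the root is
#                   appended to give zmcertmgr a chain it can walk to the end
set -eu

ZIMBRA_SSL_DIR="${ZIMBRA_SSL_DIR:-/opt/zimbra/ssl/zimbra/commercial}"
STAGE_DIR="${STAGE_DIR:-/opt/zimbra/ssl/letsencrypt}"
ROOT_PEM="${ROOT_PEM:-/opt/zimbra/ssl/letsencrypt/ISRG-X1.pem}"
ZMCERTMGR="${ZMCERTMGR:-/opt/zimbra/bin/zmcertmgr}"

# Copy privkey/cert/chain out of a certbot lineage dir into the staging dir and
# write zimbra_chain.pem = chain.pem + root. Returns 1 if any input is missing,
# so a half-renewed lineage never reaches deploycrt.
stage_letsencrypt_files() {
    lineage="$1"; stage="$2"; root="$3"
    for f in privkey.pem cert.pem chain.pem; do
        [ -s "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    [ -s "$root" ] || { echo "missing root cert $root" >&2; return 1; }
    mkdir -p "$stage"
    cp "$lineage/privkey.pem" "$stage/privkey.pem"
    cp "$lineage/cert.pem"    "$stage/cert.pem"
    cat "$lineage/chain.pem" "$root" > "$stage/zimbra_chain.pem"
    chmod 600 "$stage/privkey.pem"
    return 0
}

# Number of PEM certificate blocks in a file; a sanity check that the chain
# actually grew by one (the root) before handing it to zmcertmgr.
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# The two zmcertmgr steps from the thread, run as the zimbra user, followed by
# a restart so proxy/mailboxd pick up the new certificate.
deploy_to_zimbra() {
    stage="$1"
    cp "$stage/privkey.pem" "$ZIMBRA_SSL_DIR/commercial.key"
    chown zimbra:zimbra "$ZIMBRA_SSL_DIR/commercial.key"
    chown -R zimbra:zimbra "$stage"
    su - zimbra -c "$ZMCERTMGR verifycrt comm $ZIMBRA_SSL_DIR/commercial.key $stage/cert.pem $stage/zimbra_chain.pem"
    su - zimbra -c "$ZMCERTMGR deploycrt comm $stage/cert.pem $stage/zimbra_chain.pem"
    su - zimbra -c "zmcontrol restart"
}

# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/zimbra.example.com)
# when it calls a deploy hook. Without it the script only defines the functions,
# so it can be sourced or tested without touching Zimbra.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    stage_letsencrypt_files "$RENEWED_LINEAGE" "$STAGE_DIR" "$ROOT_PEM"
    [ "$(count_pem_certs "$STAGE_DIR/zimbra_chain.pem")" -ge 2 ] || { echo "chain too short" >&2; exit 1; }
    deploy_to_zimbra "$STAGE_DIR"
fi
```

Install it somewhere like /usr/local/sbin and pass it with `certbot renew --deploy-hook /usr/local/sbin/zimbra-le-deploy.sh`; the hook only fires when a certificate was actually renewed. If a service on the Zimbra host holds port 80 at renewal time, certbot's `--pre-hook` and `--post-hook` can stop and start it around the standalone challenge, and certbot packages normally install their own renewal timer, so a separate three-monthly crontab entry is usually unnecessary. Check with openssl that the file you point ROOT_PEM at really is the root that issued the intermediate in chain.pem; a wrong root is one way verifycrt can fail.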

If there is nothing listening on port 80, it can "stay open" [and unused].
Then you can safely run certbot in standalone mode.


On 80 there is the Zimbra webmail ... sure, I could change the port of the Zimbra webmail and leave 80 listening ...

Your webmail should be secured (on 443).

