How to install SSL certificate carbionio mail server?

Hi guys,
I have tried to put SSL on my mail server without this working correctly, I have gone through the process indicated in Free SSL Certificates Using Let’s Encrypt and Certbot for Carbonio Community Edition | Carbonio CE - Zextras Community several times using-lets-encrypt-and-certbot/ with no good results. Here I detail more information about my structure.

My domain is:

I ran this command: su - zextras -c 'zmcertmgr verifycrt comm /opt/zextras/ssl/carbonio/commercial/commercial.key /tmp/cert.pem /tmp/chain.pem'

It produced this output:** Verifying '/tmp/cert.pem' against '/opt/zextras/ssl/carbonio/commercial/commercial.key'
139818709017920:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:crypto/evp/p_lib.c:474:
ERROR: Certificate '/tmp/cert.pem' and private key '/opt/zextras/ssl/carbonio/commercial/commercial.key' do not match.

My web server is (include version): carbonio mail

The operating system my web server runs on is (include version): ubuntu

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 2.5.0

Hi @crackdj, welcome to the LE community forum :slight_smile:

By default, Certbot now issues EC certs.
Zimbra only works with RSA certs.
You will need to issue another cert using:
--key-type rsa

[you only need to do that once - the renewals will renew the last type issued]


Thanks @rg305

Could you help me what would be the process to follow?

1 Like

Let's start with the output of:
certbot certificates


Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name:
Serial Number: 3354d6056c8adf402a0cf1e87e6ea569e99
Key Type: ECDSA
Expiry Date: 2023-07-30 02:50:19+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/


1 Like

Please show the renewal file:


root@mail:~# cat /etc/letsencrypt/renewal/

# renew_before_expiry = 30 days
version = 2.5.0
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

# Options used in the renewal process
account = c738b2c32659490a37fedadf14693b44
authenticator = standalone
server =
key_type = ecdsa
1 Like

Hi @rg305

I understand that your time is valuable and I appreciate your help in solving my problem. I am waiting for any information you require from me to help me.

1 Like

Sorry for the delay and that no one else has chimed in.
[we usually work "as a team" and pickup others slack]

Let's try:

certbot renew --key-type rsa -d --force-renewal

I really appreciate the time you take to analyze my case.

I have done what you tell me and the answer is the following

root@mail:~# certbot renew --key-type rsa -d --force-renewal

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.
Ask for help or search for solutions at See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

certbot certonly --key-type rsa -d --force-renewal


now we have this

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

An ECDSA certificate named already exists. Do you want to
update its key type to RSA?



(U)pdate key type/(K)eep existing key type: U
Renewing an existing certificate for

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/
Key is saved at: /etc/letsencrypt/live/
This certificate expires on 2023-08-01.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

If you like Certbot, please consider supporting our work by:


Let's recheck this again now:


now we have this...

root@mail:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

I found the following certificates:
Certificate name:
Serial number: 316bba7baa2299878103c5f8821803ef082
Key type: RSA
Expiration date: 2023-08-01 18:45:07+00:00 (VALID: 89 days)
Certificate path: /etc/letsencrypt/live/
Private key path: /etc/letsencrypt/live/

1 Like

There you go!


Hello, it's me, again.

I did the certificate verification and got the same error :frowning:

root@mail:~# su - zextras
zextras@mail:~$ cd /opt/zextras/ssl/carbonio/commercial
zextras@mail:~/ssl/carbonio/commercial$ zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
** Verifying 'commercial.crt' against 'commercial.key'
140509829821760:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:crypto/evp/p_lib.c:474:
ERROR: Certificate 'commercial.crt' and private key 'commercial.key' do not match.

Did you copy the cert files from:




of course

zextras@mail:~/ssl/carbonio/commercial$ ls -l
total 28
-rw-r--r-- 1 zextras zextras 3127 Apr 10 22:25 commercial.crt
-rw-r--r-- 1 root root 1678 Apr 10 22:11 commercial.crt.bak
-rw-r--r-- 1 zextras zextras 241 Apr 30 22:58 commercial.key
-rw-r--r-- 1 zextras zextras 1448 Apr 10 22:25 commercial_ca.crt
-rw-r--r-- 1 root root 5607 May 3 23:50 fullchain.pem
-rw------- 1 root root 1704 May 3 23:50 privkey.pem