I need to renew the SSL certification for my Linux mail server (Zimbra)



I need to renew the SSL certification for my Linux mail server.
Can you please let me know how to do that?
Should I purchase the certificate? if yes, from where?



Did your current cert come from Let’s Encrypt? If so, how did you get it?

If you like, but you shouldn’t need to.


I checked the certificate and it mentioned that it has been issued by Let’s Encrypt.
I don’t know how and where the previous IT guys purchase it from as they are not working here any more.


Letsencrypt-certificates are free.

But you need a client to automate this.

Look, if there is a Certbot installed. Or a directory with the certificates.


I found the directory under name “certbot”, I’m not sure if it’s the one that we are looking for!!!
is there any differece between installing SSL for webserver and mailserver?


There may be a directory like


Look there

Perhaps you can use something like

certbot certificates

to show the current certificates.

Webservers often allow an automatic installation. Mailservers - puh, if they have a config-file or something else.


I found the etc/letsencrypt/live folder and am able to see the current certificate bur somehow the certbot command is not working.

it said that command not found


You have to address certbot complete.

/opt/ or /var/ yourfolder/certbot

And normally, you should use it as root.


It might also be certbot-auto and might have been downloaded into root’s home directory (or elsewhere on the system that’s not part of the default command PATH).


I found certbot-auto in root folder, when I run it, it returns an error on line 208:

ReturnWithArgs() {
“$0” --cb-auto-has-root “0$”
exit 0

it said:

certbot-auto: line 208: certbot-auto: command not found
any idea??


Did you run it with something like export PATH=$PATH:/root; certbot-auto, or ./certbot-auto, or /root/certbot-auto, or some other way?


I run “bash certbot-auto” from root.
it’s not working without bash


In this case you should try to run it as ./certbot-auto instead of bash certbot-auto. Programs in the current directory are not in your PATH by default and so you need to specify what directory they’re in, such as the current directory (.).



it asked me to run as “./certbot-auto certonly” and now I have two options:

1: Spin up a temperoray webserver (Standalone)
2: Place files in webroot directory (webroot)

as I want this cert for my mailserver not the webserver which option should I choose?


Is there a webserver running on port 80 on the same machine as the mail server? If so, use webroot; if not, standalone.

If you choose webroot you’ll need to know what directory the webserver serves its files from.


no, it’s just mailserver


In that case you should choose the standalone option (1).

EDIT: reading back, it might also be worth trying:

./certbot-auto renew

to see if it can just find your existing settings from when you got the original cert and renew it based on the same settings.


I tried ./certbot-auto renew but it failed:

No renewals were attempted.
additionally, the following renewal configuration files were invalid:

/etc/letsencrypt/reneal/mailserver.mydomain.ca-0001.conf (parsefail)
/etc/letsencrypt/reneal/mailserver.mydomain.ca-0002.conf (parsefail)
/etc/letsencrypt/reneal/mailserver.mydomain.ca.conf (parsefail)

it seems the mailserver.mydomain.ca.conf is broken.

then I run ./certbot-auto certonly and after I choose the first option and entered my mailserver address mailserver.maydomain.ca, this is what I got:

Performing the following challenges:
tls-sni-01 challenge for mailserver.mydomain.ca
cleaning up challenges
problem binding to port 443: could not bind to IPv4 or IPv6


Hmm, do you have something else running on port 443?

Maybe try this, which should use port 80:

./certbot-auto certonly --standalone --preferred-challenges http

Are you sure you don’t have a webserver on this machine?

It might be worth having a look at the renewal configuration files too, to see if we can figure out why they couldn’t be parsed.


no there is no webserver on this machine.

you mean mailserver.mydomain.ca-0002.conf file?