Issue with certificate renewal

Hi everyone, I'm having a problem with renewing a let's encrypt certificate on a zimbra server:
the certbot renew command worked fine, returning the renewal to me, but on the zimbra server, it still does not see the renewed one but always the expired one; in a guide that I am following, at the command / opt / zimbra / bin / zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem I get the error:
root @ zimbra: ~ # / opt / zimbra / bin / zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
zmcertmgr: ERROR: no longer runs as root!
root @ zimbra: ~ # su zimbra
zimbra @ zimbra: / root $ / opt / zimbra / bin / zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
** Verifying 'cert.pem' against 'privkey.pem'
ERROR: Can't read file 'privkey.pem'
ERROR: Can't read file 'cert.pem'

What can I check to correct this error? thank you all for your availability

You probably need to run the commands as root or by using sudo.


hello and thanks for the reply ... that command can only be started by the zimbra user

Weird, because the error message: [quote="vettalex, post:1, topic:161512"]
ERROR: no longer runs as root!

..suggests the zmcertmgr expects to be run as root.

Anything else I don't know. No experience with Zimbra luckily.


You made me doubt, and then I ran the command both as zimbra and as root and as sudo ... but nothing unfortunately

It seems you were trying to run the command zimbra@zimbra:/root$ which doesn't work of course. Probably a copy/paste error from the line above the su command.


Hi @vettalex welcome to the LE community forum :slight_smile:

Zimbra is a very... unique beast.
You will need to leave the original files untouched so that the ACME client can proceed with future renewals unaffected.
So you must copy the needed files to another location.
Then chown them to the zimbra user.
Run all zmcertmgr commands as zimbra user referencing only the file copies (not their originals).

You can read more about this process here:
Installing a LetsEncrypt SSL Certificate - Zimbra :: Tech Center


Thanks rg for the answer, I have also seen other threads where you have solved several problems with zim ra .. we hope you can give me an amno on this problem too: D
Having said that, in the folder /etc/letsencrypt/archive/ I have various certificates numbered with the number of renewals carried out, the new ones only the numbers 3. In this case, I copy ONLY the numbers 3 and insert them in a new folder giving it zimbra permissions via chown? then the next command will be / opt / zimbra / bin / zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem but how can I tell it to "check" the files copied to the new folder just created?


1 Like

If it helps, I changed the permissions on the "links" of cert chain fullchain and privkey cp with the command chown -R zimbra: zimbra.
This way I noticed that the error has changed (I believe that for some strange reason, zimbra wants the connections to have the privileges of the zimbra user as well. Place the new error:

Please put those back - that will break renewals.

1 Like

OK... sorry

Where did you copy those files to?
Use that path.

1 Like

Ok, the files to be copied will be the files with the 3 at the end anyway? let's say I create a folder under / opt = / opt / cert
the command will be:
opt/zimbra/bin/zmcertmgr verifycrt comm /opt/cert/privkey3.pem cert3.pem chain3.pem

No that isn't the ideal way to do this.
Next renewal will be #4 and it will keep increasing each time.
(re)Read my instructions.

1 Like

Ok, I created a new folder / opt / cert I copied the links chain.pem cert.pem and privkey.pem from / etc / letsencrypt / archive / to / opt / cert

I gave zimbra permissions with the command chown -R / opt / cert / *

I redid the command correctly, but an error always comes out:

Making progress.
Now the O/S needs to be updated to know about the root cert "ISRG Root X1"
sudo apt update
sudo apt-get update
sudo apt install ca-certificates

1 Like

I've done it all, but the problem persists:

I can't understand where the mistake can actually be ...


1 Like


Now also place the inside of each file ... I would not like there to be known errors in the code: