SSL on Zimbra issue

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
/opt/zimbra/bin/zmcertmgr deploycrt comm mail.zimbra-mazen.cloudns.ph.cer fullchain.cer
It produced this output:
** Verifying 'mail.zimbra-mazen.cloudns.ph.cer' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Not an RSA key
ERROR: Certificate 'mail.zimbra-mazen.cloudns.ph.cer' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' do not match.
My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I guess you have an ECDSA key. How did you get your certificate?

3 Likes

/root/.acme.sh/acme.sh --issue -d mail.zimbra-basem.cloudns.biz --standalone --server letsencrypt --force

Thank you for helping. If you have any suggestions, please reply to me.

Please don't use --force

I think acme.sh uses this switch to make you select if you want an RSA certificate, just add -k 2048 to your command.

  -k, --keylength <bits>            Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384, ec-521.

4 Likes

So should I generate new certs, or is there any way to delete the old one?
Or is there no need for that?

You can keep the old cert.

4 Likes

I only want to generate a cert for Zimbra. If you have any doc for that, or an easy way, that would be helpful also.

I don't know. Never used Zimbra. What does

acme.sh --list

show?

4 Likes

Ok, you do have an ECDSA certificate. You need an RSA one.

What happens if you run this? Do you get a certificate or an error?

/root/.acme.sh/acme.sh --issue --keylength 2048 -d mail.zimbra-basem.cloudns.biz --standalone --server letsencrypt

2 Likes
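
An added example, not from any post in this thread: a POSIX shell pre-check to run before zmcertmgr deploycrt that tells a certificate and key that really do not match apart from a matching pair whose key is simply not RSA (the situation diagnosed above). The function names and exit codes are made up for illustration, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread): pre-check a certificate/private-key pair.

# Public-key algorithm of a certificate as OpenSSL names it,
# e.g. "rsaEncryption" for RSA or "id-ecPublicKey" for ECDSA.
cert_key_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# PEM public key embedded in the certificate (first cert in the file).
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# PEM public key derived from the private key; "pkey" handles RSA and EC alike,
# unlike an RSA-only modulus comparison.
pubkey_of_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# precheck CERT KEY
#   0 = pair matches and is RSA
#   1 = certificate and key do not belong together
#   2 = pair matches, but the key is not RSA
#   3 = a file could not be parsed
precheck() {
    cert_pub=$(pubkey_of_cert "$1") || { echo "cannot read certificate: $1"; return 3; }
    key_pub=$(pubkey_of_key "$2")   || { echo "cannot read private key: $2"; return 3; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH: certificate and key have different public keys"
        return 1
    fi
    alg=$(cert_key_alg "$1")
    case $alg in
        rsaEncryption) echo "OK: matching RSA pair"; return 0 ;;
        *) echo "MATCH, but key algorithm is $alg, not RSA"; return 2 ;;
    esac
}

# Stand-alone use: ./precheck.sh CERT KEY
if [ "$#" -eq 2 ]; then
    precheck "$1" "$2"
    exit $?
fi
```

Exit status 2 means reissuing with an RSA key length, as suggested in the replies above, is the fix; exit status 1 means the wrong key file is being paired with the certificate.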

I did not try.

Installing a LetsEncrypt SSL Certificate - Zimbra :: Tech Center
Zimbra with Let’s Encrypt Certificates a step-by-step guide (update) - Zimbra : Blog

3 Likes

Zimbra's zmcertmgr tool currently only works for RSA keys, but you can use this patch to make it accept ECC keys as well:

Zimbra confirmed this fix will be part of the next patch release.

5 Likes

Tested working 100% using OpenSSL 3.0.2 [with RSA and ECC certs]
Thanks @ghen for this much needed improvement!

4 Likes

Now if they could only figure out how to use anything other than RSA certs for DKIM [RFC 8463]...
[not holding my breath for that]

2 Likes