Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: gw2.network1.ca
I ran this command: zmcontrol restart
It produced this output:
Host gw2.network1.ca
Stopping zmconfigd...Done.
Stopping zimlet webapp...Done.
Stopping zimbraAdmin webapp...Done.
Stopping zimbra webapp...Done.
Stopping service webapp...Done.
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping cbpolicyd...Done.
Stopping archiving...Done.
Stopping opendkim...Done.
Stopping amavis...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping proxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping logger...Done.
Stopping dnscache...Done.
Stopping ldap...Done.
Host gw2.network1.ca
Starting ldap...Done.
Unable to start TLS: SSL connect attempt failed error:0A000086:SSL routines::certificate verify failed when connecting to ldap master.
My web server is (include version): dpkg -l |grep apache
ii zimbra-apache 8.8.15.GA.4179.UBUNTU20.64 amd64 Best email money can buy
ii zimbra-apache-base 1.0.0-1zimbra8.7b1.20.04 all Zimbra Apache Base
ii zimbra-apache-components 2.0.11-1zimbra8.8b1.20.04 all Zimbra components for apache package
The operating system my web server runs on is (include version): Ubuntu 20.04.6 LTS
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
From the crt.sh log, there is a previously signed certificate that expired today, and a new certificate after that; it may be that Zimbra is pointed to use the old certificate.
Does your certificate renewal script push the new certificate to the location needed? /opt/zimbra/ssl/letsencrypt/cert.pem, IIRC from your last post.
No, I have to manually put the updated certificates (after renewal). The renewed certs are usually found in /etc/letsencrypt/archives or live or one of the subdirectories.
Depends on how the certificate was initially validated. Mailservers themselves (SMTP/IMAP/POP3 et cetera) are not a valid method of validating a hostname, but sometimes mailservers also have a built-in webserver. That webserver might be used for validation. But most likely Certbot used some other method, e.g. the standalone authenticator. Without details of your setup we don't know.
Just try to renew and see what happens and share the results here.
I am restoring a VM backup I made a few days ago, as I was fu)__ around with the /etc/letsencrypt/archives folder, and it is screwed, so I am going to restore first and then move in a more logical fashion.
Here is the output, as requested:
root@gw2:/etc/letsencrypt# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/gw2.network1.ca.conf produced an unexpected error: target /etc/letsencrypt/archive/gw2.network1.ca/cert5.pem of symlink /etc/letsencrypt/live/gw2.network1.ca/cert.pem does not exist. Skipping.
The following renewal configurations were invalid:
/etc/letsencrypt/renewal/gw2.network1.ca.conf
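A check for the two conditions discussed in this thread, added here as an example and not posted by anyone in the thread: a live symlink whose archive target is missing, and a manually deployed copy that no longer matches the live file. The function names `check_lineage` and `deployed_matches` are hypothetical, and the deployed path is an assumption you supply as the second argument (whatever file the mail server actually reads).

```shell
#!/bin/sh
# Added example (not from the thread): audit one Certbot lineage directory.
# Usage: sh audit.sh /etc/letsencrypt/live/<name> [deployed-cert-copy]

# check_lineage LIVE_DIR
# Prints one status line per expected file and returns the number of
# entries that are missing or dangling (0 means the lineage is intact).
check_lineage() {
    live_dir=$1
    broken=0
    for name in cert.pem chain.pem fullchain.pem privkey.pem; do
        link="$live_dir/$name"
        if [ ! -L "$link" ]; then
            echo "MISSING-LINK $link"
            broken=$((broken + 1))
        elif [ ! -e "$link" ]; then
            # -L is true but -e is false: the symlink exists, its target does not
            echo "DANGLING $link -> $(readlink "$link")"
            broken=$((broken + 1))
        else
            echo "OK $link -> $(readlink "$link")"
        fi
    done
    return "$broken"
}

# deployed_matches LIVE_FILE DEPLOYED_FILE
# Returns 0 only when the deployed copy is byte-identical to the live file,
# so a copy left behind from before the last renewal is reported as stale.
deployed_matches() {
    [ -e "$1" ] && [ -f "$2" ] && cmp -s "$1" "$2"
}

# Run only when a lineage directory is given on the command line.
if [ "$#" -ge 1 ]; then
    check_lineage "$1" || echo "broken entries: $?"
    if [ "$#" -ge 2 ]; then
        deployed_matches "$1/cert.pem" "$2" ||
            echo "STALE $2 differs from $1/cert.pem"
    fi
fi
```

A `DANGLING` line for `cert.pem` corresponds to the "target ... of symlink ... does not exist" error that `certbot certificates` reports above.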