/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/letsencrypt/cert.pem
It produced this output:
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
139684204856640:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:crypto/evp/p_lib.c:474:
ERROR: Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' do not match.
My web server is (include version): n/a
The operating system my web server runs on is (include version): Ubuntu Server 20.04
My hosting provider, if applicable, is: n/a
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.0.0
Even though that site will expose my private key (re-ran the certificate issuance later) that site indicates my certificate and private key match so I believe, possibly, the error from certbot is misleading and/or mistaken.
Which error from Certbot exactly? I only see a Zimbra command, not Certbot.
Also, could you please elaborate on how /opt/zimbra/ssl/zimbra/commercial/commercial.key and /opt/zimbra/ssl/letsencrypt/cert.pem were generated to begin with?
Googling this led me to a thread mentioning ECDSA keys. If I look at your certificate history at crt.sh | mail.avdenterprises.com, your most recent certificates indeed have an ECDSA key, which has become the default for Certbot 2.0.0. I'm pretty certain your current cert and private key are ECDSA too.
I guess Zimbra doesn't like ECDSA keys. Please open a bug report at Zimbra for this.
Also note that you've issued many identical certificates already, which would lead to hitting a rate limit soon. Please be more careful.
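The error in the output above is raised by an RSA-only accessor (EVP_PKEY_get0_RSA), so it does not by itself show that the key and certificate differ. The following is an added example, not part of the thread and not Zimbra's or Certbot's code: a check that compares the public key in the certificate with the one derived from the private key, whatever the key type. The function names and the sample file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: algorithm-agnostic certificate / private key match check.

# Print the SHA-256 of the PEM public key taken from a cert or a private key.
spki_hash() {  # $1 = cert|key, $2 = path
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        *)    return 1 ;;
    esac
    # Refuse to hash empty output, so two unreadable files never "match".
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
cert_key_match() {  # $1 = certificate, $2 = private key
    c=$(spki_hash cert "$1") || { echo "cannot read certificate: $1" >&2; return 2; }
    k=$(spki_hash key "$2") || { echo "cannot read private key: $2" >&2; return 2; }
    [ "$c" = "$k" ]
}

# Report the certificate's public key algorithm,
# e.g. rsaEncryption or id-ecPublicKey.
cert_key_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Constructed sample input: throwaway P-256 key, self-signed cert, and an
# unrelated RSA key (file names are hypothetical).
make_sample() {  # $1 = output directory
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/ec.key" 2>/dev/null &&
    openssl req -x509 -new -key "$1/ec.key" -subj "/CN=example.test" \
        -days 1 -out "$1/ec.crt" 2>/dev/null &&
    openssl genrsa -out "$1/rsa.key" 2048 2>/dev/null
}

# Usage: sh check.sh cert.pem privkey.pem
if [ "$#" -eq 2 ]; then
    echo "certificate key algorithm: $(cert_key_alg "$1")"
    if cert_key_match "$1" "$2"; then echo "MATCH"; else echo "NO MATCH"; fi
fi
```

Run it as the user that owns the key so the private key never has to leave the host.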