ATTENTION: this is an old doc for the previous machine hosted by Hivane. We migrated away in June 2025.

This should not have to be done manually, but unfortunately for now the hook that deploys certs on Zimbra does not seem to work.

  • This command should do the trick
    • # certbot --apache renew --deploy-hook /usr/local/bin/le_zimbra.sh
    • FIXME: this hook didn't 'work' last time, it didn't do the 12th thing (May 2022)

Full manual renew

This should be used with care

  • Turn off apache
    • # systemctl stop apache2.service
  • Renew cert
    • # letsencrypt renew
    • (you can also use certbot renew, as letsencrypt is a symlink to certbot)
  • Restart apache2 so new cert is deployed for the webmail
    • # systemctl restart apache2
  • Check if "it works" in your web browser
  • Backup and remove current zimbra ssl directory
    • # cd /opt/zimbra/ssl/
    • # mv zimbra zimbra.$(date "+%Y%m%d")
  • Create needed folders
    • # mkdir -p zimbra/{commercial,letsencrypt}
  • Copy letsencrypt files to the folders we just created
    • # cp /etc/letsencrypt/live/skwotmail.squat.net/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
    • # cp /etc/letsencrypt/live/skwotmail.squat.net/{chain.pem,cert.pem} /opt/zimbra/ssl/zimbra/letsencrypt
  • Add Identrust root cert to the chain
    • # cat /root/identrust_root.crt >> /opt/zimbra/ssl/zimbra/letsencrypt/chain.pem
  • Chown everything
    • # chown -R zimbra: /opt/zimbra/ssl/zimbra
  • Make Zimbra test the new certs
    • # su zimbra
    • $ cd /opt/zimbra/ssl/zimbra/letsencrypt/
    • $ zmcertmgr verifycrt comm ../commercial/commercial.key cert.pem chain.pem
  • Deploy (Zimbra will find the private key in commercial/commercial.key by itself)
    • $ zmcertmgr deploycrt comm cert.pem chain.pem
  • Restart Zimbra
    • $ zmcontrol restart
  • Add a line in /root/Changelog
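
The backup, folder creation and copy steps above can be wrapped in one function that checks its inputs before touching the live directory. This is an added example, not the site's le_zimbra.sh: the function name stage_zimbra_certs, the timestamped backup suffix and the 0600 key mode are assumptions, and the zmcertmgr verify/deploy steps stay as listed above.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper, not the site's le_zimbra.sh).
# Stages Let's Encrypt files for zmcertmgr. Defaults are the paths from this
# page; all three arguments can be overridden, e.g. to try it in a scratch dir.

stage_zimbra_certs() {
    local live_dir="${1:-/etc/letsencrypt/live/skwotmail.squat.net}"
    local ssl_root="${2:-/opt/zimbra/ssl}"
    local root_ca="${3:-/root/identrust_root.crt}"
    local f backup

    # Refuse to move anything unless every input exists and is non-empty.
    for f in "$live_dir/privkey.pem" "$live_dir/cert.pem" \
             "$live_dir/chain.pem" "$root_ca"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done

    # Back up the current directory. A date-only suffix collides on a second
    # run the same day (mv would nest the directory inside the old backup),
    # so include the time and fail rather than overwrite.
    if [ -d "$ssl_root/zimbra" ]; then
        backup="$ssl_root/zimbra.$(date "+%Y%m%d-%H%M%S")"
        [ ! -e "$backup" ] || { echo "backup exists: $backup" >&2; return 1; }
        mv "$ssl_root/zimbra" "$backup" || return 1
    fi

    mkdir -p "$ssl_root/zimbra/commercial" "$ssl_root/zimbra/letsencrypt" || return 1

    # install sets the mode explicitly, so the private key does not end up
    # with whatever the current umask allows (assumed mode: 0600).
    install -m 0600 "$live_dir/privkey.pem" \
        "$ssl_root/zimbra/commercial/commercial.key" || return 1
    install -m 0644 "$live_dir/cert.pem" \
        "$ssl_root/zimbra/letsencrypt/cert.pem" || return 1
    # Build chain.pem in one step: Let's Encrypt chain first, then the root.
    cat "$live_dir/chain.pem" "$root_ca" \
        > "$ssl_root/zimbra/letsencrypt/chain.pem" || return 1

    # chown needs root and an existing zimbra user; skipped otherwise.
    if [ "$(id -u)" -eq 0 ] && id zimbra >/dev/null 2>&1; then
        chown -R zimbra: "$ssl_root/zimbra" || return 1
    fi
}
```

Run it as root with no arguments to use the paths from this page, then continue with the zmcertmgr verifycrt step.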