This should not have to be done manually, but unfortunately for now the hook that deploys certs on Zimbra does not seem to work.

  • This command should do the trick
    • # certbot --apache renew --deploy-hook /usr/local/bin/le_zimbra.sh
    • FIXME: this hook didn't 'work' last time, it didn't do the 12th thing (May 2022)

Full manual renew

This should be used with care

  • Turn off apache
    • # systemctl stop apache2.service
  • Renew cert
    • # letsencrypt renew
    • (you can also use certbot renew, as letsencrypt is a symlink to certbot)
  • Restart apache2 so the new cert is deployed for the webmail
    • # systemctl restart apache2
  • Check if "it works" in your web browser
  • Backup and remove current zimbra ssl directory
    • # cd /opt/zimbra/ssl/
    • # mv zimbra zimbra.$(date "+%Y%m%d")
  • Create needed folders
    • # mkdir -p zimbra/{commercial,letsencrypt}
  • Copy letsencrypt files to the folders we just created
    • # cp /etc/letsencrypt/live/skwotmail.squat.net/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
    • # cp /etc/letsencrypt/live/skwotmail.squat.net/{chain.pem,cert.pem} /opt/zimbra/ssl/zimbra/letsencrypt
  • Add Identrust root cert to the chain
    • # cat /root/identrust_root.crt >> /opt/zimbra/ssl/zimbra/letsencrypt/chain.pem
  • Chown everything
    • # chown -R zimbra: /opt/zimbra/ssl/zimbra
  • Make Zimbra test the new certs
    • # su zimbra
    • $ cd /opt/zimbra/ssl/zimbra/letsencrypt/
    • $ zmcertmgr verifycrt comm ../commercial/commercial.key cert.pem chain.pem
  • Deploy (Zimbra will find the private key in commercial/commercial.key by itself)
    • $ zmcertmgr deploycrt comm cert.pem chain.pem
  • Restart Zimbra
    • $ zmcontrol restart
  • Add a line in /root/Changelog
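A deploy-hook style script that carries out the staging and deploy steps above in one go, added here as an example; it is not the le_zimbra.sh from this page. It assumes certbot's RENEWED_LINEAGE variable (set by --deploy-hook to the live directory) and the /opt/zimbra/ssl and /root/identrust_root.crt paths used above; the staging part takes its paths as arguments so it can be tried on a scratch directory first.

```shell
#!/bin/sh
# Added example, not the page's own hook. Stages the Let's Encrypt files into a
# fresh /opt/zimbra/ssl/zimbra tree, then verifies and deploys as the zimbra user.
set -eu

# $1 = letsencrypt live dir, $2 = zimbra ssl dir (parent of "zimbra"),
# $3 = IdenTrust root certificate to append to the chain.
stage_zimbra_certs() {
    live="$1"; ssl="$2"; root="$3"
    target="$ssl/zimbra"
    # Refuse to touch anything if an input is missing: a half-staged tree
    # only makes verifycrt fail later on a missing file.
    for f in "$live/privkey.pem" "$live/cert.pem" "$live/chain.pem" "$root"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    # Back up the current tree with the same naming as the manual steps.
    if [ -d "$target" ]; then
        mv "$target" "$target.$(date +%Y%m%d)"
    fi
    mkdir -p "$target/commercial" "$target/letsencrypt"
    cp "$live/privkey.pem" "$target/commercial/commercial.key"
    cp "$live/cert.pem" "$live/chain.pem" "$target/letsencrypt/"
    cat "$root" >> "$target/letsencrypt/chain.pem"
    # The private key must not be world readable.
    chmod 600 "$target/commercial/commercial.key"
}

# Zimbra side: chown, then verify BEFORE deploy so a bad chain aborts the run.
deploy_zimbra_certs() {
    target="${1:-/opt/zimbra/ssl/zimbra}"
    chown -R zimbra: "$target"
    # su - gives the zimbra login environment, so zmcertmgr/zmcontrol are on PATH.
    su - zimbra -c "cd '$target/letsencrypt' && \
        zmcertmgr verifycrt comm ../commercial/commercial.key cert.pem chain.pem && \
        zmcertmgr deploycrt comm cert.pem chain.pem && zmcontrol restart"
}

# Only run the real deploy when invoked by certbot as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    stage_zimbra_certs "$RENEWED_LINEAGE" /opt/zimbra/ssl /root/identrust_root.crt
    deploy_zimbra_certs /opt/zimbra/ssl/zimbra
fi
```

Running it twice on the same day would try to move the new tree into the existing backup directory, so add a time component to the date format if that is a concern.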