Replace the Zimbra certificate without using the standard HTTP port (manual DNS-01 challenge)

Generate a new certificate and install its private key into Zimbra's commercial certificate directory (run these commands as root).

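# Issue (or re-issue) the certificate for the mail host with a manual DNS-01
# challenge; certbot prints the TXT record you have to publish.  --force-renewal
# requests a new certificate even if the current one is not due: use it only
# when you need to (e.g. to switch to the ISRG Root X1 chain), because forced
# issuance counts against Let's Encrypt's rate limits.
certbot -d mail.domain.tld --force-renewal --preferred-chain "ISRG Root X1" --manual --preferred-challenges dns certonly
# certbot names the lineage after the first -d name, so the files live under
# /etc/letsencrypt/live/mail.domain.tld/ (not .../domain.tld/).  Install the
# private key owned by zimbra and readable by nobody else.
install -o zimbra -g zimbra -m 0600 /etc/letsencrypt/live/mail.domain.tld/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
# zmcertmgr wants the self-signed root in the CA chain, and certbot's chain.pem
# stops at the intermediate.  Download the root and check that the file really
# is ISRG Root X1 before appending it: the && chain stops if the download or the
# check fails, so a truncated or wrong file never ends up in the served chain.
# certbot rewrites chain.pem on every renewal, so this append has to be redone
# after each renewal; re-running the line appends the root a second time.
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt \
  && openssl x509 -in /tmp/ISRG-X1.pem -noout -subject | grep -q 'ISRG Root X1' \
  && cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/mail.domain.tld/chain.pem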

Copy the certificate and the CA chain to /tmp so the zimbra user can read them (both are public; the private key stays where it is).

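# certbot names the lineage after the first -d name (mail.domain.tld).  Only the
# public files go to /tmp (world-readable is fine for them); never copy
# privkey.pem there.  --remove-destination replaces a pre-existing
# /tmp/cert.pem or /tmp/chain.pem instead of writing through it, so a symlink
# planted by another local user cannot redirect root's write.
cp --remove-destination /etc/letsencrypt/live/mail.domain.tld/chain.pem /tmp/chain.pem
cp --remove-destination /etc/letsencrypt/live/mail.domain.tld/cert.pem /tmp/cert.pem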

Verify that the key, the certificate and the chain belong together before deploying anything

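# Check that commercial.key, cert.pem and chain.pem match before anything is
# deployed; if this reports an error, do NOT continue with deploycrt.
# zmcertmgr is run as the zimbra user (newer Zimbra releases expect that rather
# than root); the /tmp copies are world-readable, so this works from a root
# shell through su.
su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/cert.pem /tmp/chain.pem"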

Deploy the certificate (only once the verification step has succeeded)

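# Install cert + chain into Zimbra's configuration.  Same user as the verify
# step: run zmcertmgr as zimbra, not as root.
su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/cert.pem /tmp/chain.pem"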

Restart Zimbra so every service picks up the new certificate (this is a short outage for all mail services)

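# zmcontrol lives in /opt/zimbra/bin and must run as the zimbra user; from a
# root shell it is neither on PATH nor allowed to run directly, so use su.
su - zimbra -c "zmcontrol restart"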

Renew the certificate automatically with the OVH DNS API

Introduction

You need certbot with the OVH DNS plugin, installed as described in steps 1 and 2 of https://buzut.net/certbot-challenge-dns-ovh-wildcard/ . For automatic renewal, add the script below to root's crontab: certbot needs write access to /etc/letsencrypt and reads the OVH API credentials from /root/.ovhapi, which must be owned by root with mode 0600 (those keys can change your DNS zone). Don't forget to change the `DOMAIN` and `HOST` variables, and adjust the certbot line if your mail server needs additional names or a different DNS plugin.

| renewLECertZimbra.sh
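#!/bin/bash
# renewLECertZimbra.sh
#
# Renew the Let's Encrypt certificate for $HOST.$DOMAIN through the OVH DNS
# challenge and, only when certbot actually issued a new certificate, install
# it into Zimbra and restart the services.
#
# Run as root from cron: certbot needs /etc/letsencrypt and the OVH API
# credentials; zmcertmgr and zmcontrol are executed as the zimbra user.
# Exits non-zero on any failure.  Nothing is deployed unless
# `zmcertmgr verifycrt` accepts the key/cert/chain, so a bad renewal never
# takes the mail server down.
#
# Edit DOMAIN / HOST / MAIL_USER below; everything else is derived from them.
set -euo pipefail

DOMAIN='mydomain.tld'
HOST='mail'
MAIL_USER='postmaster'

readonly FQDN="$HOST.$DOMAIN"
# certbot names the lineage after the first -d name, i.e. the FQDN
readonly LE_LIVE="/etc/letsencrypt/live/$FQDN"
readonly ZIMBRA_KEY='/opt/zimbra/ssl/zimbra/commercial/commercial.key'
readonly ZMCERTMGR='/opt/zimbra/bin/zmcertmgr'
# OVH API keys: keep this file root-owned, mode 0600
readonly OVH_CREDENTIALS='/root/.ovhapi'
readonly ROOT_CERT_URL='https://letsencrypt.org/certs/isrgrootx1.pem.txt'
readonly ROOT_CERT_CN='ISRG Root X1'

die() { printf 'renewLECertZimbra: %s\n' "$*" >&2; exit 1; }

# Private working directory instead of fixed names in /tmp: a root-run script
# writing /tmp/cert.pem, /tmp/certbot.txt, ... is exposed to symlink tricks by
# any local user.  root:zimbra 0750 so that the zimbra user (which runs
# zmcertmgr) can read the public cert/chain copies placed here.  The trap
# removes it on every exit path.
WORK=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "$WORK"' EXIT
chown root:zimbra "$WORK"
chmod 0750 "$WORK"

#######################################
# Print the SHA-256 digest of the current leaf certificate, or nothing if the
# lineage does not exist yet (first run).
# Globals: LE_LIVE (read)
#######################################
cert_digest() {
  if [[ -f "$LE_LIVE/cert.pem" ]]; then
    sha256sum < "$LE_LIVE/cert.pem"
  fi
}

#######################################
# Download ISRG Root X1 into $WORK and check that the file really is that
# certificate before it is handed to Zimbra as part of the trust chain
# (certbot's chain.pem stops at the intermediate; zmcertmgr wants the
# self-signed root as well).
# Globals: WORK, ROOT_CERT_URL, ROOT_CERT_CN (read)
#######################################
fetch_root_cert() {
  wget -nv -O "$WORK/ISRG-X1.pem" "$ROOT_CERT_URL" \
    || die "download of $ROOT_CERT_URL failed"
  openssl x509 -in "$WORK/ISRG-X1.pem" -noout -subject \
    | grep -q -- "$ROOT_CERT_CN" \
    || die "downloaded file is not $ROOT_CERT_CN"
}

#######################################
# Install key, certificate and chain into Zimbra, verifying before deploying,
# then restart Zimbra so every service picks up the new certificate.
# Globals: LE_LIVE, WORK, ZIMBRA_KEY, ZMCERTMGR (read)
#######################################
deploy_to_zimbra() {
  # private key: owned by zimbra, readable by nobody else
  install -o zimbra -g zimbra -m 0600 "$LE_LIVE/privkey.pem" "$ZIMBRA_KEY"
  # cert and chain are public.  Build the full chain in $WORK instead of
  # appending the root to certbot's own chain.pem (that file is a symlink into
  # the archive and is rewritten on every renewal).
  install -m 0644 "$LE_LIVE/cert.pem" "$WORK/cert.pem"
  cat "$LE_LIVE/chain.pem" "$WORK/ISRG-X1.pem" > "$WORK/chain.pem"
  chmod 0644 "$WORK/chain.pem"
  # su returns the command's exit status, so under set -e a failing verifycrt
  # stops the script before deploycrt and the restart.
  su - zimbra -c "$ZMCERTMGR verifycrt comm $ZIMBRA_KEY $WORK/cert.pem $WORK/chain.pem"
  su - zimbra -c "$ZMCERTMGR deploycrt comm $WORK/cert.pem $WORK/chain.pem"
  su - zimbra -c "zmcontrol restart"
}

main() {
  local before after
  before=$(cert_digest)

  # certbot only re-issues when the certificate is inside its renewal window;
  # otherwise it leaves the lineage untouched and exits 0.  A non-zero exit
  # (API error, DNS propagation timeout, ...) aborts the script here via set -e
  # instead of deploying whatever happens to be on disk.
  /usr/local/bin/certbot certonly \
    --preferred-chain "$ROOT_CERT_CN" \
    --dns-ovh --dns-ovh-credentials "$OVH_CREDENTIALS" \
    --non-interactive --agree-tos \
    --email "$MAIL_USER@$DOMAIN" \
    -d "$FQDN"

  after=$(cert_digest)
  [[ -n "$after" ]] || die "certbot finished but $LE_LIVE/cert.pem is missing"

  # Compare the certificate itself rather than grepping certbot's wording,
  # which changes between versions and with the locale.
  if [[ "$after" == "$before" ]]; then
    printf 'Certificate for %s not yet due for renewal; nothing to deploy.\n' "$FQDN"
    return 0
  fi

  fetch_root_cert
  deploy_to_zimbra
}

main "$@"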