SSL Zimbra

sudo snap install --classic certbot

sudo ln -s /snap/bin/certbot /usr/bin/certbot

1.  sudo certbot certonly --preferred-chain "ISRG Root X1"

** change to root (use: su) **

2.  cp /etc/letsencrypt/live/mail.avdenterprises.com/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

3.  chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key

4.  wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt

5.  cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/mail.avdenterprises.com/chain.pem

6.  cp /etc/letsencrypt/live/mail.avdenterprises.com/* /opt/zimbra/ssl/letsencrypt/

7.  chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*

NOTE: Step 6/7 is necessary for proper permissions, otherwise it fails saying unable to read

** exit to zimbraadmin **

8.  ls -al /opt/zimbra/ssl/letsencrypt/   NOTE: Verify permissions

9. sudo /opt/zimbra/libexec/zmfixperms

** change to zimbra mail (use: sudo su zimbra -)

10. cd ~

11. /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/chain.pem

NOTE:  Currently step 11 fails saying they do NOT match

12. /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/chain.pem

 

13. zmcontrol restart 

Source:
https://community.letsencrypt.org/t/zimbra-certbot-letsencrypt-certificate-and-private-key-do-not-match/188530/2
https://forums.zimbra.org/viewtopic.php?t=69645
https://inguide.in/how-to-install-free-ssl-certificate-on-zimbra-mail-server/