How to install and update Let’s encrypt for Zimbra

Using certificates to secure your data and mail traffic is something that is extremely important. We have seen, in the ” Zimbra SSL/TLS Commercial Certificate ” article, how they work and what the security protocols and certificates are. In this article, however, we’re going to see specifically how to install and renew Let’s Enrcypt.

Let’s Encrypt is a CA that provides free X.509 cryptographic certificates for TLS encryption (HTTPS). The process of issuing certificates is fully automated.

Let’s Encrypt Issuance

We recommend making a Let’s Encrypt request on a server with Zimbra in order to obtain an SSL certificate, CA Intermediate and Private Key. To do this, you need to stop the mail server service (ports 80 and 443):

zmproxyctl stop
zmmailboxdctl stop

Then you can download the Let’s Encrypt package and go to the letsencrypt directory: 

git clone
cd letsencrypt

 Now you can run the automatic Let’s Encrypt script, using the certonly parameter. 

./letsencrypt-auto certonly --standalone

Please note that it doesn’t work on Ubuntu, returning the following error: “Skipping bootstrap because certbot-auto is deprecated on this system. Your system is not supported by certbot-auto anymore. Certbot cannot be installed. Please visit Certbot website to check for other alternatives.”

The script will set up a temporary WEB server for checking and issuing a certificate, if necessary, agreeing with the license and notifying an e-mail.
If you need to have multiple hostnames on the same SSL, then you should instead use Multi-SAN, SSL, where “-d” is your domains:

./letsencrypt-auto certonly --standalone -d -d

If everything goes well with verification, then the certificate (certificate + public key + chain) will be issued in the following format: /etc/letencrypt/live/address/ 

Now it’s time to restart the service and begin installing the signed certificate. To implement the certificate in Zimbra you need to add the “root CA” chain. Create a file with “root CA” and the lines of the file “fullchain1.pem“)

root CA: (

When the file has been created, check the files with the following command:

/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem FULL_CHAIN.pem

After that, we recommend you to backup your current certificates and then copy the private key, named “commercial.key” to the “/opt/zimbra/ssl/zimbra/commercial” directory:

cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d") 2cp privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

 Install the certificate and restart the services to verify Deployment

/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem

Restart the service

zmcontrol restart

Renewing certificates

To renew a certificate, you need to follow these steps:

Stop Zimbra:

/etc/init.d/zimbra stop

We receive new certificates and start the mail server 

certbot certonly --standalone -d
/etc/init.d/zimbra start

Received certificates will need to be uploaded to Zimbra. Copy the certificates: 

cp /etc/letsencrypt/live/* /opt/zimbra/ssl/letsencrypt/
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/
cd /opt/zimbra/ssl/letsencrypt/

Add the Let’s encrypt intermediate certificate to the end of the chain.pem file.

If you don’t add the intermediate certificate, you will get an error at the verification stage: ERROR: Unable to validate certificate chain: cert.pem: C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate

Check the installed keys and certificates: 

su - zimbra
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem

If the verification was successful, then install the updated certificates : 

/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem

To apply the installed certificate, restart all Zimbra services: 

/etc/init.d/zimbra restart

That’s all. You’re done! 


Those who wish to automate the process of installing new certificates can use a special script published on the GitHub site .
For everything to work, you need to:

  • Install the Certbot utility using command: yum -y install certbot
  • Clone the specified branch using the command: git clone
  • Edit the letsencrypt-zimbra.conf file, so that it matches your system
  • Go to the folder with the script and use it: ./

Please note that the script will not only renew the certificate itself, but also restart all services that are required. The use of a script can be fully automated by configuring its execution after a certain time interval.

Post your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Zimbra Collaboration Suite and Anti-Phishing
How to setup External Active Directory Authentication