Zimbra Version: Release 8.6.0_GA_1153.RHEL6_64_20141215151155 RHEL6_64 FOSS edition
Switch to the zimbra user and stop the proxy (an error here is fine if the proxy is not in use) and the mailbox service before the renewal process. These two services must be stopped because letsencrypt and these services use the same port 443.
su zimbra
zmproxyctl stop
zmmailboxdctl stop
Then return to the root user (letsencrypt works only as root) and renew the Letsencrypt certificate. The --no-bootstrap option skips installation of Python and other dependencies, because they were already installed on the first use of Letsencrypt.
exit
letsencrypt renew --no-bootstrap
If you get an error like "-bash: letsencrypt: command not found", go to the directory where letsencrypt was cloned from git (usually /tmp/letsencrypt) and renew the certs from there
cd /tmp/letsencrypt/
./letsencrypt-auto renew --no-bootstrap
Change directory to the Zimbra Letsencrypt SSL folder
cd /opt/zimbra/ssl/letsencrypt/
Copy the new SSL files to the Zimbra Letsencrypt folder, then change the owner and group to zimbra:zimbra.
At this point, replace {DomainName} with the domain you are working on.
cp /etc/letsencrypt/live/{DomainName}/* .
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
Add the X3 root certificate to our chain.pem. You can take it from the old chain.pem at /etc/letsencrypt/archive/{DomainName}/chain1.pem (the first part of that file)
nano /opt/zimbra/ssl/letsencrypt/chain.pem
After copying the X3 cert into your newly generated chain.pem, it will look like this:
-----BEGIN CERTIFICATE-----
X3 cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
newly generated cert
-----END CERTIFICATE-----
Let's verify our certs via the Zimbra certificate manager
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
The message "Valid Certificate: cert.pem: OK" means that the process completed correctly. Now let's create a backup of the certificates
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
You need to replace your current commercial.key with the newly created privkey.pem. If you skip this step, you will get an error like this: XXXXX ERROR: Unmatching certificate ... and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
Let's deploy our new certs!
/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
su zimbra
zmcontrol restart
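The chain.pem step above (adding the X3 cert from the old chain1.pem) can be scripted instead of edited by hand in nano. This is an added example, not part of the original procedure: the function names count_certs, first_cert and build_chain are made up for illustration, and it assumes, as the text says, that the X3 cert is the first block of the old chain1.pem.

```shell
#!/bin/sh
# Added example: build Zimbra's chain.pem without hand-editing.
# count_certs, first_cert and build_chain are illustrative names.

# Print the number of complete PEM certificate blocks in a file;
# fail if a BEGIN/END marker is unpaired (truncated or badly pasted file).
count_certs() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { if (open) bad = 1; open = 1 }
        /^-----END CERTIFICATE-----/   { if (!open) bad = 1; open = 0; n++ }
        END { if (open || bad) exit 1; print n + 0 }
    ' "$1"
}

# Print only the first certificate block of a file.
first_cert() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { on = 1 }
        on { print }
        /^-----END CERTIFICATE-----/   { if (on) exit }
    ' "$1"
}

# build_chain OLD_CHAIN NEW_CHAIN OUT
# Writes OUT as: first block of OLD_CHAIN, then NEW_CHAIN (the layout shown above).
build_chain() {
    old=$1 new=$2 out=$3
    n_old=$(count_certs "$old") || { echo "malformed: $old" >&2; return 1; }
    n_new=$(count_certs "$new") || { echo "malformed: $new" >&2; return 1; }
    [ "$n_old" -ge 1 ] && [ "$n_new" -ge 1 ] || { echo "no certificate found" >&2; return 1; }
    tmp=$(mktemp) || return 1
    first_cert "$old" > "$tmp"
    # Idempotent: if NEW_CHAIN already starts with that block, do not add it twice.
    if [ "$(first_cert "$new")" = "$(cat "$tmp")" ]; then
        cat "$new" > "$tmp"
    else
        cat "$new" >> "$tmp"
    fi
    # Write through the existing file so its owner and mode (zimbra:zimbra) are kept.
    cat "$tmp" > "$out" && rm -f "$tmp"
}

# Usage, from /opt/zimbra/ssl/letsencrypt/ after the cp and chown steps:
#   build_chain /etc/letsencrypt/archive/{DomainName}/chain1.pem chain.pem chain.pem
```

Run zmcertmgr verifycrt afterwards as in the procedure; the script only checks that the PEM blocks are well formed, not that the certificates are valid.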