Renewing your Zimbra SSL Certification

An annual administrative task that can be a headache is renewing your SSL cert for Zimbra’s web interfaces and service ports. In my previous post “Zimbra SSL Certification Renewal with Godaddy” I listed out the steps. Having referred to that page, I thought I would update the steps and share the places that threw me for a loop.

  1. Certification Renewal – I complete the purchase, log in to GoDaddy, and under the “Products” tab click “SSL Certificates” to launch the Certificate Management website. It has for many years been its own beast, so navigating to it is not always intuitive. Plus, you cannot find your SSL certs under the ‘Renewals’ tab.
  2. Use Previous CSR, leave the defaults (SHA-2, GoDaddy)
  3. Download the Cert for ‘Apache’ web servers
  4. Rename the file in your archive from the random file name of 2fj30wdjw0f.crt to your domain_year.crt. The name itself doesn’t matter, but if for some reason you need to go back, a random file name makes it hard to tell which cert and domain the file is for. So for my domain I go with ultrageek_2014.crt and use that.
  5. As before, stick the 2 crt files on an FTP server, log in as root, and pull them down, preferably into a separate directory. You can use ‘pwd’ to show you your current path and ‘cd ~’ if you need to return to the home directory.
  6. Tip: Use the tab key to auto-complete directories and file names by typing a few of the letters and then hitting tab. Hit it multiple times to cycle through all names/options as needed.
  7. Run the command from the directory where the 2 certs are located: /opt/zimbra/bin/zmcertmgr deploycrt comm example.com.crt gd_bundle.crt. For my domain it was:
    •  /opt/zimbra/bin/zmcertmgr deploycrt comm ultrageek_2014.crt gd_bundle-g2-g1.crt
    • Got the following errors:
    • ** Saving server config key zimbraSSLCertificate…failed.
      ** Saving server config key zimbraSSLPrivateKey…failed.
  8. Restart Zimbra!
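
A pre-deployment check for the steps above, as an added example that is not part of the original post: because the renewal reuses the previous CSR, the new certificate has to carry the same public key as the private key already on the server, and it should chain to the downloaded bundle. The function names, the 30-day threshold and the generated sample cert are assumptions; pass your own certificate, key and bundle paths.

```shell
#!/bin/sh
# Added example, not from the original post: checks to run on a renewed
# certificate before deploying it. Names and thresholds are assumptions.
# Usage (script name is hypothetical): sh certcheck.sh CERT KEY BUNDLE

# 0 when CERT ($1) carries the same public key as the private KEY ($2).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 when CERT ($1) will still be valid DAYS ($2) from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 when CERT ($1) chains to a CA in BUNDLE ($2); matches openssl's "OK" line.
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Run all three checks on CERT KEY BUNDLE; non-zero if any check fails.
predeploy_check() {
    rc=0
    cert_matches_key "$1" "$2" && echo "key match: ok" || { echo "key match: FAIL"; rc=1; }
    cert_valid_for "$1" 30     && echo "expiry: ok"    || { echo "expiry: FAIL (under 30 days)"; rc=1; }
    cert_chains_to "$1" "$3"   && echo "chain: ok"     || { echo "chain: FAIL"; rc=1; }
    return $rc
}

# Constructed sample input: a throwaway self-signed cert and key, valid for
# DAYS ($2), written to DIR ($1). A self-signed cert verifies against itself.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=mail.example.test" \
        -keyout "$1/sample.key" -out "$1/sample.crt" >/dev/null 2>&1
}

if [ $# -eq 3 ]; then predeploy_check "$@"; fi
```
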

So this year’s renewal went off without too much fuss. I picked ‘Other’ for the web server type when downloading the CRT and that seemed to have an issue, but other than that it was flawless.
