habibzain Just husband, father and enthusiastic men about System Administration. Love to write short article about it. Perhaps can help and be useful for others.

Zimbra Renew Expired Self-Signed Certificate


If you are using Zimbra as your email server, you may have encountered the problem of having an expired self-signed certificate. This can cause security warnings and prevent some clients from connecting to your server. In this blog post, we will show you how to renew your self-signed certificate in Zimbra using the command line interface (CLI).

If you are using a self-signed certificate for your Zimbra server, be aware that it has an expiration date. By default, Zimbra generates a self-signed certificate that is valid for 365 days. As far as I know, the default install certificate in Zimbra version 8.x is valid for 5 years. When it expires, you will see errors like this in your logs:

zmmailboxd.out:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed

To avoid these errors and ensure your server’s security, you need to renew your self-signed certificate before it expires.

Step By Step Renew Expired Self-Signed Certificate

Here are the steps to do so:

  1. Log in to your Zimbra server as root or a sudo user.
  2. Switch to the zimbra user by running the command:
sudo su - zimbra
  3. Generate a new certificate authority (CA).

This step is optional and not required every time you renew your self-signed certificate. However, it is recommended to do so periodically to refresh your CA’s validity and security.

/opt/zimbra/bin/zmcertmgr createca -new
/opt/zimbra/bin/zmcertmgr deployca

  4. Generate a new certificate signed by the CA that expires in 3650 days (10 years) or any number of days you prefer. It is generally best practice to renew certificates on a regular basis (e.g. every 1-3 years) for security reasons. However, if you still want to renew a self-signed certificate in Zimbra for 10 years, you can use the command below.

/opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
  5. Deploy the new certificate to your server:
/opt/zimbra/bin/zmcertmgr deploycrt self

This copies the new certificate and key files to the appropriate locations and updates the configuration files accordingly.

  6. Verify that the new certificate has been deployed correctly by running the command:
/opt/zimbra/bin/zmcertmgr viewdeployedcrt

This displays information about the deployed certificate, such as its subject, issuer, validity dates, and subject alternative name.

  7. Restart your Zimbra services by running the command:
zmcontrol restart

This stops and starts all the Zimbra services and loads the new certificate.


Testing After Renewal

After all steps are done, test by sending mail or accessing webmail via a browser.
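
To confirm the new validity dates from the shell and to catch the next expiry before clients start failing, here is an added example (not part of the original post and not Zimbra's own tooling) that uses `openssl x509 -checkend` on a PEM certificate file. The function names, exit codes, and the 30-day default are assumptions of this example; pass the path of the certificate file you want to check.

```shell
#!/usr/bin/env bash
# Added example: report how close a PEM certificate is to expiry.
# Function names, exit codes and the 30-day default are assumptions.

# cert_expiry_status CERT_FILE [WARN_DAYS]
# Prints one status line. Returns 0 = OK, 1 = expires within WARN_DAYS,
# 2 = already expired, 3 = file missing or not a parseable certificate.
cert_expiry_status() {
    local cert="$1" warn_days="${2:-30}" end
    if ! end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null); then
        echo "UNREADABLE: $cert"
        return 3
    fi
    end=${end#notAfter=}
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED: $cert (notAfter=$end)"
        return 2
    fi
    if ! openssl x509 -in "$cert" -noout \
            -checkend "$((warn_days * 86400))" >/dev/null 2>&1; then
        echo "EXPIRING: $cert (notAfter=$end, within $warn_days days)"
        return 1
    fi
    echo "OK: $cert (notAfter=$end)"
    return 0
}

# make_sample_cert DAYS OUT_FILE
# Constructed sample input: a throwaway self-signed certificate for trying
# the check offline. Its key is deleted; never deploy this certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2.key" \
        -subj "/CN=mail.example.test" -days "$1" -out "$2" 2>/dev/null \
        && rm -f "$2.key"
}

# Usage: ./check_cert.sh /path/to/cert.pem [warn_days]
if [ "$#" -ge 1 ]; then
    cert_expiry_status "$@"
fi
```

Run from cron, a non-zero exit code can trigger an alert well before the `timestamp check failed` errors appear in the logs.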

Conclusion

That’s it! We have successfully renewed your self-signed certificate in Zimbra. Next, check the server’s status by accessing the administration console or sending a test email.

We hope this blog post was helpful for you. If you have any questions or feedback, please leave a comment below.

