This is an old revision of the document!


Using LetsEncrypt SSL Certificates with Zimbra

See also Zimbra Self-Signed SSL Certs

Howto: https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate

Your Zimbra will be restarted during this process, taking users offline!
Be sure to include all Subject Alternative Names (SANs) that you need on the certificate.
The single-server portion of the howto is fantastic. However, it only works for the actual hostname and doesn't include any SANs (alternate hostnames) you might need.

Troubleshooting

If you have trouble reissuing a new cert, or if Zimbra won't start, recreate and deploy a new self-signed cert to get Zimbra 'working' again. Then re-implement a LetsEncrypt cert.

If a cert is expired, you must reissue a new cert.

If a certificate renewal fails, try reissuing a new cert instead.

Modifications

Suppress daily cron e-mail message…
Adjust script to only run if certificate is updated…
#!/bin/bash
# Modification to suppress e-mailed cron job notifications every day.
# Note: cron reads MAILTO from the crontab, not from a script it runs, so
# this line must also be set in the crontab that calls this script.
MAILTO=""
#
# Directory certbot creates for --cert-name; used for every path below
LIVE="/etc/letsencrypt/live/zimbra3.virtualarchitects.com"
#
# Request or renew the certificate for the hostname plus its SAN; stop if certbot fails
/usr/local/sbin/certbot certonly --cert-name zimbra3.virtualarchitects.com -d zimbra3.virtualarchitects.com -d zimbra.virtualarchitects.com --standalone --manual-public-ip-logging-ok -n --preferred-chain "ISRG Root X1" --agree-tos --register-unsafely-without-email || exit 1
#
# Modification to test if cert was changed then exit script
# (-q keeps the matched log line out of the cron output)
if grep -q "not yet due for renewal" /var/log/letsencrypt/letsencrypt.log; then
   exit 0
fi
#
# Copy the new private key to where Zimbra expects the commercial key
cp "$LIVE/privkey.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
# Build the chain file for Zimbra: the Let's Encrypt chain plus the ISRG Root X1 certificate
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
rm -f "$LIVE/chainZimbra.pem"
cp "$LIVE/chain.pem" "$LIVE/chainZimbra.pem"
cat /tmp/ISRG-X1.pem >> "$LIVE/chainZimbra.pem"
chown zimbra:zimbra /etc/letsencrypt -R
cd /tmp
# Deploy the certificate and chain as the zimbra user
su zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm \"$LIVE/cert.pem\" \"$LIVE/chainZimbra.pem\""
rm -f "$LIVE/chainZimbra.pem"
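
An added example, not part of the original wiki script or the Zimbra howto: a pre-deploy check that the issued certificate really lists every hostname you need, which is the SAN gap noted at the top of this page. The function names are hypothetical, the sample SAN text is constructed, and the -ext option assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: check a certificate's SANs before handing it to zmcertmgr.
# Function names are hypothetical; `-ext` needs OpenSSL 1.1.1 or later.

# stdin: output of `openssl x509 -noout -ext subjectAltName`
# stdout: the DNS names it lists, one per line
san_names() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\)[[:space:]]*$/\1/p'
}

# missing_sans "<SAN text>" host...
# Prints every required host that the certificate does not list (exact,
# case-insensitive match; wildcard SANs are not expanded). Returns 1 if any.
missing_sans() {
    san_text=$1; shift
    have=$(printf '%s\n' "$san_text" | san_names)
    rc=0
    for host in "$@"; do
        if ! printf '%s\n' "$have" | grep -qixF -- "$host"; then
            printf '%s\n' "$host"
            rc=1
        fi
    done
    return "$rc"
}

# check_cert <cert.pem> host...
# Returns 2 if the file is unreadable or already expired, 1 if a SAN is missing.
check_cert() {
    cert=$1; shift
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || return 2
    san_text=$(openssl x509 -in "$cert" -noout -ext subjectAltName) || return 2
    missing_sans "$san_text" "$@"
}

# Constructed sample: a certificate issued for the server hostname only,
# as happens when the extra -d option is left off the certbot command.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:zimbra3.virtualarchitects.com'

missing_sans "$SAMPLE_SAN" zimbra3.virtualarchitects.com \
    zimbra.virtualarchitects.com ||
    echo "^ not on the certificate: reissue with all SANs before deploying"
```

In the renewal script, call check_cert on the live cert.pem with both hostnames before the zmcertmgr deploycrt line, and exit on a non-zero status.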
internet/security/ssl_cert_letsencrypt_zimbra.1662488514.txt.gz · Last modified: 2022/09/06 12:21 by gcooper