Since the beginning of 2016 you can get free SSL certificates from Let's Encrypt. These certificates can also be used for a Zimbra OSC mail server, so you no longer need self-signed certificates.

Installing letsencrypt on Ubuntu

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install letsencrypt

Generating new certificates

sudo systemctl stop apache2
sudo letsencrypt certonly -d <fqdn>
sudo systemctl start apache2

# for renewal of the certificate run
sudo letsencrypt renew

Installing the SSL certificate in Zimbra

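sudo -s
# work in the directory that the deployment steps below use
mkdir -p /opt/zimbra/ssl/letsencrypt
cd /opt/zimbra/ssl/letsencrypt
cp /etc/letsencrypt/live/<fqdn>/* .
touch dst-root-ca-x3.pem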

Normally Let's Encrypt works “out-of-the-box”, but with Zimbra you also need the “DST ROOT CA X3” certificate. You can copy and paste it into the file dst-root-ca-x3.pem.

Deployment of ssl in Zimbra

cat chain.pem dst-root-ca-x3.pem > chain-zimbra.pem
chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt

su - zimbra
cd ssl/letsencrypt
zmcertmgr verifycrt comm privkey.pem cert.pem chain-zimbra.pem
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date +"%Y%m%d")
cp privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
zmcertmgr deploycrt comm cert.pem chain-zimbra.pem
zmcontrol restart

After this your certificate is installed in Zimbra. Be aware that these certificates are valid for only 3 months.
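
Because the root certificate is pasted by hand and then joined to chain.pem with cat, the bundle can end up with fused marker lines (no newline at the end of the first file), stray text or an unterminated block. The following is an added example, not part of the original post: a structural check to run on chain-zimbra.pem before zmcertmgr verifycrt. The function name check_pem_bundle is hypothetical, and the check does not validate signatures or expiry.

```shell
#!/bin/sh
# Added example: structural check of a concatenated PEM bundle such as
# chain-zimbra.pem. Prints the number of certificate blocks found and
# returns 0 when the file is well-formed, 1 otherwise (reasons on stderr).
check_pem_bundle() {
    bundle=$1
    [ -s "$bundle" ] || { echo "empty or missing: $bundle" >&2; return 1; }
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF from copy/paste
        /^-----BEGIN CERTIFICATE-----$/ {
            if (inside) { print "nested BEGIN at line " NR > "/dev/stderr"; bad = 1 }
            inside = 1; next
        }
        /^-----END CERTIFICATE-----$/ {
            if (!inside) { print "END without BEGIN at line " NR > "/dev/stderr"; bad = 1 }
            inside = 0; count++; next
        }
        /-----(BEGIN|END)/ {                    # marker not alone on its line
            print "fused or malformed marker at line " NR > "/dev/stderr"
            bad = 1; next
        }
        inside && !/^[A-Za-z0-9+\/=]+$/ {
            print "non-base64 data at line " NR > "/dev/stderr"; bad = 1
        }
        !inside && NF {
            print "stray text at line " NR > "/dev/stderr"; bad = 1
        }
        END {
            if (inside) { print "unterminated block" > "/dev/stderr"; bad = 1 }
            if (!count) { print "no certificates found" > "/dev/stderr"; bad = 1 }
            print count + 0
            exit (bad ? 1 : 0)
        }
    ' "$bundle"
}

# Usage: sh check_pem_bundle.sh chain-zimbra.pem
if [ "$#" -gt 0 ]; then
    check_pem_bundle "$1"
fi
```

For the bundle built above the expected count is the certificates in chain.pem plus one for the pasted root.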