Zimbra Sccfd — Must Watch

su - zimbra zmcontrol status | grep sccfd Expected output (if enabled):

su - zimbra zmprov modifyServer `zmhostname` -zimbraSSLUseLetSCrypt TRUE zmcontrol stop sccfd zmcontrol disable sccfd # on systemd: systemctl disable zimbra-sccfd To re-enable later: zimbra sccfd

su - zimbra zmlocalconfig | grep -i sccfd | Parameter | Default | Description | |-----------|---------|-------------| | ssl_allow_untrusted_certs | false | Allow self-signed (not recommended) | | ssl_sccfd_check_interval | 86400 | Check interval in seconds (1 day) | | ssl_sccfd_renew_threshold | 30 | Renew when days left ≤ this value | | ssl_sccfd_random_delay_max | 3600 | Random delay before check (seconds) | Modify a parameter: zmlocalconfig -e ssl_sccfd_renew_threshold=20 Then restart sccfd : su - zimbra zmcontrol status | grep sccfd

su - zimbra zmcertmgr viewdeployedcrt # Check current expiry zmcertmgr renewcrt # Force renewal if within threshold Or restart sccfd – it will check on startup: zimbra sccfd

zmproxyctl reload zmmailboxdctl restart # if single-server If you manage certificates manually or via another CA:

/opt/zimbra/libexec/acme-client -d yourdomain.com -v Cause: Too frequent checks or large cert chain. Fix: Increase ssl_sccfd_check_interval to 172800 (2 days). Issue 4: Certificate renewed but not deployed Fix: Manually reload proxy: