Sccfd ((full)): Zimbra

su - zimbra zmcertmgr viewdeployedcrt # Check current expiry zmcertmgr renewcrt # Force renewal if within threshold Or restart sccfd – it will check on startup:

zmcontrol restart sccfd zmacmedomain list 7. Common Issues & Fixes Issue 1: sccfd not running after upgrade Fix: Re-enable Let's Encrypt integration: zimbra sccfd

zmcontrol stop sccfd zmcontrol start sccfd To trigger sccfd immediately (instead of waiting for next interval): su - zimbra zmcertmgr viewdeployedcrt # Check current

/opt/zimbra/libexec/acme-client -d yourdomain.com -v Cause: Too frequent checks or large cert chain. Fix: Increase ssl_sccfd_check_interval to 172800 (2 days). Issue 4: Certificate renewed but not deployed Fix: Manually reload proxy: Issue 4: Certificate renewed but not deployed Fix:

su - zimbra zmcontrol status | grep sccfd Expected output (if enabled):

su - zimbra zmlocalconfig | grep -i sccfd | Parameter | Default | Description | |-----------|---------|-------------| | ssl_allow_untrusted_certs | false | Allow self-signed (not recommended) | | ssl_sccfd_check_interval | 86400 | Check interval in seconds (1 day) | | ssl_sccfd_renew_threshold | 30 | Renew when days left ≤ this value | | ssl_sccfd_random_delay_max | 3600 | Random delay before check (seconds) | Modify a parameter: zmlocalconfig -e ssl_sccfd_renew_threshold=20 Then restart sccfd :

su - zimbra zmprov modifyServer `zmhostname` -zimbraSSLUseLetSCrypt TRUE zmcontrol stop sccfd zmcontrol disable sccfd # on systemd: systemctl disable zimbra-sccfd To re-enable later: