I'm desperately trying to get Zimbra up and running again after our old cert expired, and the new cert doesn't seem to be taking hold.

I swear I've replaced every single SSL cert and keystore I can find, and Tomcat still dies claiming the certificate expired yesterday.

I've followed the instructions here (Commercial Certificates - ZimbraWiki) to the letter.

I've replaced the following with my new cert and key:

/opt/zimbra/conf/smtpd.crt
/opt/zimbra/conf/smtpd.key
/opt/zimbra/conf/slapd.crt
/opt/zimbra/conf/slapd.key
/opt/zimbra/conf/perdition.pem
/opt/zimbra/conf/perdition.key
/opt/zimbra/ssl/ssl/server/tomcat.crt
/opt/zimbra/ssl/ssl/server/tomcat.key
/opt/zimbra/ssl/ssl/server/server.crt
/opt/zimbra/ssl/ssl/server/server.key

I've generated a new keystore from my cert and key, and replaced /opt/zimbra/tomcat/conf/keystore with it.

If I go to the admin console (https://servername:7071), and have firefox show me the certificate information, the expiration date is in 2008, like it should be.

I can log in to the admin console.

Users cannot log in to the web interface, IMAP(S), or POP3(S) at all. Postfix fails LMTP deliveries. Basically, any network connection to anything that runs in tomcat still dies, with the root error (in mailbox.log) being:

Caused by: java.security.cert.CertificateExpiredException: NotAfter: Thu Sep 06 16:59:59 PDT 2007

Checking the certificate file I used for everything (with "openssl x509 -in cert.pem -text"), I get:

HTML Code:
        Validity
            Not Before: Aug 13 00:00:00 2007 GMT
            Not After : Sep  9 23:59:59 2008 GMT
What am I missing? Where the hell is tomcat getting the old cert from?