<rant>
I've been with Zimba since early 5.0 and I've performed regular upgrades as they come out. During this time, installing GoDaddy certificates has ALWAYS resulted in HOURS and HOURS of headaches. Installing certificates via the Admin Console never works.
</rant>

So I successfully performed a migration from 32-bit Debian 5 to 64-bit Ubuntu 8. Everything went perfectly, except I had to install the default self-signed certificates. Since everything's been working fine for a while, now, I decided I should try to get my GoDaddy certificates re-installed. [sigh...]

Here are the steps I took this time:

First I created ~/certs, then downloaded zimbra.crt and gd_bundle.crt (in a ZIP from GoDaddy)

Verified the certificates against the key:
Code:
root@zimbra:~/certs# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./zimbra.crt ./gd_bundle.crt
** Verifying ./zimbra.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (./zimbra.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: ./zimbra.crt: OK
Well, yee-haw. So then deployed the certificates:
Code:
root@zimbra:~/certs# /opt/zimbra/bin/zmcertmgr deploycrt comm ./zimbra.crt ./gd_bundle.crt
** Verifying ./zimbra.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (./zimbra.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: ./zimbra.crt: OK
** Copying ./zimbra.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain ./gd_bundle.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
Everything seems fine, right? I could even see that the certificates were installed when I visit the Certificates page in the Admin Console (of course, they aren't active, yet). So I restart zimbra:
Code:
zimbra@zimbra:~$ zmcontrol stop
...
zimbra@zimbra:~$ zmcontrol start
Host zimbra.divergentsystems.net
        Starting ldap...Done.
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
        Starting logger...Failed.
Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
zimbra logger service is not enabled!  failed.


        Starting mailbox...Done.
        Starting memcached...Done.
        Starting imapproxy...Done.
        Starting antispam...Done.
        Starting antivirus...Done.
        Starting snmp...Done.
        Starting spell...Done.
        Starting mta...Done.
        Starting stats...Done.
...and in /var/log/zimbra.log, I see many messages like this:
Code:
<snip>
Jan 18 21:35:43 zimbra zimbramon[16445]: 16445:info: zmmtaconfig: Skipping All Memcached Servers update. 
Jan 18 21:35:43 zimbra zimbramon[16445]: 16445:info: zmmtaconfig: Skipping getAllMemcachedServers ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)  
Jan 18 21:35:47 zimbra zimbramon[16445]: 16445:info: zmmtaconfig: Skipping All MTA Authentication Target URLs update. 
Jan 18 21:35:47 zimbra zimbramon[16445]: 16445:info: zmmtaconfig: Skipping getAllMtaAuthURLs ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)  
</snip>
The Wiki either doesn't apply SPECIFICALLY to 6.0, or what is available (for 5.0) are incomplete or incorrect.

Is there a soul on this planet who can install GoDaddy certificates without breaking a sweat? I would like that person to hook us (the community) up with a new Wiki article.

I just dread when it comes time for certificate renewal, because this is the garbage I go through every time...