We updated our SSL certificate and we have a problem:

root@mail:~# /opt/zimbra/bin/zmcertmgr deploycrt self -allserver
** Saving global config key zimbraSSLCertificate...failed.
** Saving global config key zimbraSSLPrivateKey...failed.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed)

We used this algorithm to update the certificate:

Multi-Node Self-Signed Certificate

1. Begin by generating a new Certificate Authority (CA).
/opt/zimbra/bin/zmcertmgr createca -new

2. Then generate a certificate signed by the CA that expires in 365 days with either wild-card or subject altnames.
/opt/zimbra/bin/zmcertmgr createcrt -new -days 365 -subject "/C=US/ST=CA/L=NVA/O=ZCS/OU=ZCS/CN=*.domain.tld"
/opt/zimbra/bin/zmcertmgr createcrt -new -days 365 -subjectAltNames "host1.domain.tld,host2.domain.tld"

3. Next, deploy the certificate to all nodes in the deployment.
/opt/zimbra/bin/zmcertmgr deploycrt self -allserver

4. To finish, verify the certificate was deployed.
/opt/zimbra/bin/zmcertmgr viewdeployedcrt
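
The PKIX "timestamp check failed" error in the output above is raised when a certificate in the chain is outside its notBefore/notAfter window according to the clock of the host doing the validation. The script below is an added example, not part of the original post or of zmcertmgr: it reports where a given time falls relative to each PEM certificate's validity window, so it can be run on every node against the CA and server certificates. The function names are hypothetical, and it assumes openssl and GNU date are installed.

```shell
#!/bin/sh
# Added example (not from the original post): compare a clock value with a
# certificate's validity window. Assumes openssl and GNU date (date -d).

# cert_epoch FILE FIELD
# FIELD is "startdate" (notBefore) or "enddate" (notAfter); prints epoch seconds.
cert_epoch() {
    raw=$(openssl x509 -in "$1" -noout "-$2") || return 2
    # openssl prints e.g. "notBefore=Jan  1 00:00:00 2024 GMT"; keep the date part.
    date -u -d "${raw#*=}" +%s
}

# cert_window_status FILE [NOW_EPOCH]
# Prints one of: valid | not_yet_valid | expired
# NOW_EPOCH defaults to this host's clock; pass another host's `date -u +%s`
# output to see how that host would judge the same certificate.
cert_window_status() {
    now=${2:-$(date -u +%s)}
    start=$(cert_epoch "$1" startdate) || return 2
    end=$(cert_epoch "$1" enddate) || return 2
    if [ "$now" -lt "$start" ]; then
        echo not_yet_valid      # clock is behind notBefore
    elif [ "$now" -gt "$end" ]; then
        echo expired            # clock is past notAfter
    else
        echo valid
    fi
}

# Usage: sh check_window.sh <ca.pem> <server.crt> ...
# (file paths are supplied by the operator; none are assumed here)
for f in "$@"; do
    status=$(cert_window_status "$f") || status="unreadable"
    printf '%s: %s at %s\n' "$f" "$status" "$(date -u)"
    openssl x509 -in "$f" -noout -subject -dates 2>/dev/null
done
```

A result of not_yet_valid on one node and valid on another points at clock skew between the nodes rather than at the certificate itself.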