We had a problem with commercial certificates the other day (nginx wouldn't start), so I reverted temporarily to a self-signed cert.

I redeployed the commercial certs again using the zmcertmgr CLI tool, and everything went smoothly. But nginx would not pick up the new certificates. The nginx configuration files refer to /opt/zimbra/ssl/server/server.crt, which is a self-signed certificate, although /opt/zimbra/ssl/commercial/commercial.crt is the right one to use.

The mailbox servers all have the correct certificates deployed. The Zimbra services were restarted several times.

The certificate in LDAP, obtained by zmprov gd domain, shows the correct certificate deployed in LDAP.

So I made a workaround and overwrote server.crt and server.key with commercial.crt and commercial.key, and now everything is working.

I would like to know why this happened and how to fix it 'the right way'. Is there a command I could use to force a redeploy of the certs and keys from LDAP?