OK, I'm at my wits' end, and it looks like there have been a number of issues with this. I can't seem to find any real solution; hopefully someone can help here.

Before the upgrade everything had been working fine with a 2 year GoDaddy commercial certificate.

After I did the upgrade, everything looked fine, then I saw these errors in the log file:

Dec 30 13:18:44 webmail postfix/trivial-rewrite[12042]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
Dec 30 13:18:44 webmail last message repeated 2 times
Dec 30 13:18:44 webmail postfix/trivial-rewrite[12042]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
Dec 30 13:18:45 webmail postfix/master[12029]: warning: process /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite pid 12042 exit status 1
Dec 30 13:18:45 webmail postfix/master[12029]: warning: /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite: bad command startup -- throttling


I found in Bugzilla or another message that I should regenerate a self-signed certificate by doing:
[root@webmail ssl]# /opt/zimbra/bin/zmcertmgr createca
** Creating directory /opt/zimbra/ssl/zimbra
** Creating directory /opt/zimbra/ssl/zimbra/ca
** Creating directory /opt/zimbra/ssl/zimbra/server
** Creating directory /opt/zimbra/ssl/zimbra/commercial
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Retrieving CA private key from ldap...done.
** Retrieving CA cert from ldap...done.
[root@webmail ssl]# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving CA in ldap...done.
** Copying CA to /opt/zimbra/conf/ca...done.
[root@webmail ssl]# /opt/zimbra/bin/zmcertmgr install self -new


This worked fine in getting things working; the SSL webpage still had the correct commercial certificate installed, so no errors there. However, while the SSL cert was now installed on the MTA, it was the self-signed one, which pops up a warning box the first time you try to send an email out through a fat mail client. I need it to use the purchased commercial cert.

So I did the following:
[root@webmail ssl]# /opt/zimbra/bin/zmcertmgr install com -new

I looked at what files it was looking for:
1) Default is /opt/zimbra/ssl/zimbra/server/server.crt for server and /opt/zimbra/ssl/zimbra/commercial/commercial.crt for commercial
2) Default is "/C=US/ST=N_A/L=N_A/O=Zimbra Collaboration Suite/CN=webmail.intotheoven.com"
3) Default is 365.
4) install self is to install the certificates using self signed csr is in /opt/zimbra/ssl/zimbra/server
5) install comm is to install the certificates using commercially signed certificate in /opt/zimbra/ssl/zimbra/commercial
6) default is
7) for verifycrt, by default for self priv_key is /opt/zimbra/ssl/zimbra/server/server.key and the certfile is /opt/zimbra/ssl/zimbra/server/server.crt, for comm priv_key is /opt/zimbra/ssl/zimbra/commercial/commercial.key and the certfile is /opt/zimbra/ssl/zimbra/commercial/commercial.crt


I found the backup of those files, copied them into the appropriate directory, then ran:
[root@webmail ssl]# /opt/zimbra/bin/zmcertmgr install com -new

It failed with an error, so I re-ran it with '-x' to see the output; here is where it failed:
+ '[' '!' -f /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt ']'
+ echo 'XXXXX ERROR: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt does not exist.'
XXXXX ERROR: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt does not exist.


So I copied my .crt to the temp dir and it ran fine:
[root@webmail commercial]# sh /opt/zimbra/bin/zmcertmgr install comm -new
** Installing Certificates from /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20071230130845
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Installing CA to /opt/zimbra/conf/ca...done.


Hopes were set high here, but then again the same error as above:

Dec 30 13:18:44 webmail postfix/trivial-rewrite[12042]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
Dec 30 13:18:44 webmail last message repeated 2 times
Dec 30 13:18:44 webmail postfix/trivial-rewrite[12042]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
Dec 30 13:18:45 webmail postfix/master[12029]: warning: process /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite pid 12042 exit status 1
Dec 30 13:18:45 webmail postfix/master[12029]: warning: /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite: bad command startup -- throttling


This is very irritating, as I cannot send mail through the server on my iPhone with a self-signed cert.

Any assistance would GREATLY be appreciated!

Here is the result of a:
/opt/zimbra/bin/zmcertmgr viewdeployedcrt all
::service mta::
notBefore=Jul 30 20:25:48 2007 GMT
notAfter=Jul 29 20:25:48 2009 GMT
subject= /O=webmail.intotheoven.com/OU=Domain Validated/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/CN=webmail.intotheoven.com
issuer= /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
SubjectAltName=
::service proxy::
notBefore=Jul 30 20:25:48 2007 GMT
notAfter=Jul 29 20:25:48 2009 GMT
subject= /O=webmail.intotheoven.com/OU=Domain Validated/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/CN=webmail.intotheoven.com
issuer= /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
SubjectAltName=
::service mailboxd::
notBefore=Jul 30 20:25:48 2007 GMT
notAfter=Jul 29 20:25:48 2009 GMT
subject= /O=webmail.intotheoven.com/OU=Domain Validated/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/CN=webmail.intotheoven.com
issuer= /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
SubjectAltName=
::service ldap::
notBefore=Jul 30 20:25:48 2007 GMT
notAfter=Jul 29 20:25:48 2009 GMT
subject= /O=webmail.intotheoven.com/OU=Domain Validated/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/CN=webmail.intotheoven.com
issuer= /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
SubjectAltName=


HELP!
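
The per-service listing printed by `viewdeployedcrt all` above can be checked mechanically. The following is an added example, not part of the original post and not Zimbra's code: it parses that layout and flags any service whose certificate is outside its validity window, has a subject CN that differs from the expected hostname, or is self-signed, and reports when the services do not all share one issuer. The sample text, host name and CA name are constructed placeholders, and `parse_deployed` and `audit` are hypothetical names.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the `viewdeployedcrt all` output
# shown above; host and CA names are placeholders, not values from the post.
SAMPLE = """\
::service mta::
notBefore=Jul 30 20:25:48 2007 GMT
notAfter=Jul 29 20:25:48 2009 GMT
subject= /O=mail.example.com/OU=Domain Validated/CN=mail.example.com
issuer= /C=ZA/O=Example CA/CN=Example Server CA
SubjectAltName=
::service ldap::
notBefore=Dec 30 13:08:45 2007 GMT
notAfter=Dec 29 13:08:45 2008 GMT
subject= /C=US/O=Zimbra Collaboration Suite/CN=mail.example.com
issuer= /C=US/O=Zimbra Collaboration Suite/CN=mail.example.com
SubjectAltName=
"""
FMT = "%b %d %H:%M:%S %Y GMT"  # openssl-style date, as printed above

def parse_deployed(text):
    """Return {service: {field: value}} from viewdeployedcrt-style output."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"::service (\S+)::$", line.strip())
        if m:
            current = services.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")  # split at the first '=' only
            current[key.strip()] = value.strip()
    return services

def audit(services, hostname, now):
    """List (service, problem) pairs for certificates that need attention."""
    findings = []
    for svc, f in services.items():
        start = datetime.strptime(f["notBefore"], FMT)
        end = datetime.strptime(f["notAfter"], FMT)
        if not start <= now <= end:
            findings.append((svc, "outside validity window"))
        cn = re.search(r"/CN=([^/]+)", f["subject"])
        if not cn or cn.group(1) != hostname:
            findings.append((svc, "subject CN does not match hostname"))
        if f["subject"] == f["issuer"]:
            findings.append((svc, "self-signed (subject equals issuer)"))
    if len({f["issuer"] for f in services.values()}) > 1:
        findings.append(("all", "services use different issuers"))
    return findings
```

Only the text fields of the listing are compared here; whether a client actually trusts the issuing CA is a separate check against the deployed CA files.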