So there are many posts on these forums for getting trusted certificates to work on Zentyal, and I have written a couple of them. I have been able to get Let's Encrypt certificates to work on Zentyal 4.2 for postfix, dovecot, and the webadmin, but not the webmail (sogo). The sogo certificate (/etc/ocsmanager/blah.org.pem) gets replaced, but then it gets clobbered again. If I replace the certificate and restart apache it seems to work just fine. I am still going to keep working on this, but any help or suggestions would be greatly appreciated.
First make sure all service certificates are enabled in the webadmin, then create the executable file "/etc/zentyal/hooks/ca.postsetconf":
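#!/bin/sh
# The combined PEM contains the private key, so build it in a private,
# unpredictably named temp file instead of a fixed path in /tmp.
umask 077
tmp=$(mktemp) || exit 1
cat /etc/letsencrypt/live/blah.org/privkey.pem /etc/letsencrypt/live/blah.org/cert.pem /etc/letsencrypt/live/blah.org/fullchain.pem > "$tmp"
# Overwrite each service certificate with the Let's Encrypt bundle.
cp -f "$tmp" /etc/dovecot/private/dovecot.pem
cp -f "$tmp" /etc/postfix/sasl/postfix.pem
cp -f "$tmp" /etc/ocsmanager/blah.org.pem
cp -f "$tmp" /var/lib/zentyal/conf/ssl/ssl.pem
rm -f "$tmp"
# Set the permissions on each deployed bundle.
chmod 600 /etc/dovecot/private/dovecot.pem
chmod 400 /etc/postfix/sasl/postfix.pem
# Note: this bundle includes the private key, and 644 leaves it world-readable.
chmod 644 /etc/ocsmanager/blah.org.pem
chmod 600 /var/lib/zentyal/conf/ssl/ssl.pem
exit 0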
Shockingly, Zentyal does serve up arbitrary web pages under /var/www/html, so in order to have a better looking URL to access webmail you can change /var/www/html/index.html to look like this:
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="refresh" content="0; URL='https://mysrv.blog.org/sogo'" />
<title>Please Wait</title>
</head>
<body>Please Wait...</body>
</html>
That way the URL https://mail.blah.org will get you to your webmail.
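An added example, not part of the original post: a check that reports when a deployed bundle has been clobbered (its leaf certificate no longer matches the Let's Encrypt one) or when a bundle holding the private key is readable by other users. The function names and the `--audit` switch are made up for this sketch; the paths are the ones used in the hook above.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# Print the first CERTIFICATE block of a PEM file (the leaf in the hook's bundle).
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ {p=1}
         p {print}
         /-----END CERTIFICATE-----/ {if (p) exit}' "$1"
}

# check_bundle LIVE_CERT DEPLOYED_BUNDLE
# returns 0 current, 1 unreadable or missing, 2 leaf differs, 3 key world-readable
check_bundle() {
    _live=$1; _dep=$2
    [ -r "$_live" ] && [ -r "$_dep" ] || return 1
    _want=$(first_cert "$_live"); _have=$(first_cert "$_dep")
    [ -n "$_want" ] && [ "$_want" = "$_have" ] || return 2
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$_dep"; then
        # Eighth character of the ls mode string is the "other" read bit.
        case $(ls -ld "$_dep") in
            ???????r*) return 3 ;;
        esac
    fi
    return 0
}

# Check every file the hook writes against the current Let's Encrypt leaf.
audit_all() {
    live=/etc/letsencrypt/live/blah.org/cert.pem
    rc=0
    for f in /etc/dovecot/private/dovecot.pem /etc/postfix/sasl/postfix.pem \
             /etc/ocsmanager/blah.org.pem /var/lib/zentyal/conf/ssl/ssl.pem; do
        s=0; check_bundle "$live" "$f" || s=$?
        case $s in
            0) echo "OK       $f" ;;
            1) echo "MISSING  $f"; rc=1 ;;
            2) echo "REPLACED $f (leaf differs from the Let's Encrypt cert)"; rc=1 ;;
            3) echo "EXPOSED  $f (private key readable by other users)"; rc=1 ;;
        esac
    done
    return $rc
}

if [ "${1:-}" = "--audit" ]; then audit_all; fi
```

Running it with `--audit` after saving changes in the webadmin shows which service file was regenerated over the Let's Encrypt bundle.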