How to Install Zimbra Talk with Self Signed SSL Certificate

   KB 22625        Last updated on 09/20/2016  





These steps are not recommended and are not supported by Zimbra.

Zimbra Talk relies heavily on DNS resource records and TLS. The certificate used on the Talk server must be valid and cover every required name; a wildcard certificate is recommended. This wiki page covers how to use a self-signed certificate generated on the Zimbra Collaboration Server.

Below are the names that must be covered by the TLS certificate:

  • yourdomain.tld
  • xmpp.yourdomain.tld
  • conference.yourdomain.tld
  • external.yourdomain.tld
  • auth.yourdomain.tld
  • jitsi-videobridge.yourdomain.tld
  • focus.yourdomain.tld

For easier certificate management, put the key and certificate files under /etc/ssl/owncerts. You must provide the TLS private key and the TLS certificate, and the certificate file must also include the complete CA chain.

  • Note 1: Do not use the path /etc/ssl/yourdomain.tld to store the TLS certificates, because that path is used exclusively by the Talk installer script. Any files under /etc/ssl/yourdomain.tld will be overwritten.
  • Note 2: Do not use a private key protected by a passphrase.
  • Note 3: A wildcard such as *.yourdomain.tld matches exactly one label (xmpp.yourdomain.tld), so it does not cover the bare domain yourdomain.tld or a two-level name such as conference.external.yourdomain.tld. Names like these have to be listed explicitly as Subject Alternative Names (SANs) if you want them to validate.
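As an added example (not code from the Zimbra wiki page or the Talk installer), the following POSIX shell script shows the difference between a wildcard-only certificate like the one this page produces and a self-signed certificate whose Subject Alternative Names list every name the installer checks: the seven names above plus conference.external.yourdomain.tld, which the installer output further down also checks. It assumes OpenSSL 1.0.2 or later (for `x509 -checkhost`); the domain example.com and the scratch directory under /tmp are assumed values you can override through the DOMAIN and OUT variables.

```shell
#!/bin/sh
# Added example, not code from the Zimbra wiki page or the Talk installer.
# Assumes OpenSSL >= 1.0.2 (for `x509 -checkhost`). DOMAIN and OUT are assumed values.
DOMAIN="${DOMAIN:-example.com}"
OUT="${OUT:-/tmp/talk-cert-demo}"

# The names the Talk installer checks, built from the domain.
required_names() {
  printf '%s\n' "$DOMAIN" "xmpp.$DOMAIN" "conference.$DOMAIN" "external.$DOMAIN" \
    "auth.$DOMAIN" "jitsi-videobridge.$DOMAIN" "focus.$DOMAIN" "conference.external.$DOMAIN"
}

# Write an OpenSSL request config whose subjectAltName lists every required name.
write_san_config() {  # $1 = config file to write
  {
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ext\nprompt = no\n'
    printf '[dn]\nCN = %s\n' "$DOMAIN"
    printf '[ext]\nsubjectAltName = @alt\nbasicConstraints = CA:FALSE\n'
    printf '[alt]\n'
    i=1
    required_names | while read -r n; do printf 'DNS.%d = %s\n' "$i" "$n"; i=$((i + 1)); done
  } > "$1"
}

# Self-signed certificate listing all required names as SANs (RSA 2048, SHA-256, 1 year).
make_san_cert() {
  mkdir -p "$OUT" && write_san_config "$OUT/san.cnf" &&
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$OUT/san.cnf" \
    -keyout "$OUT/san.key" -out "$OUT/san.crt" >/dev/null 2>&1
}

# Wildcard-only certificate, like the one zmcertmgr produces on this page: CN=*.domain, no SAN.
make_wildcard_cert() {
  mkdir -p "$OUT" &&
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = *.%s\n' "$DOMAIN" > "$OUT/wild.cnf" &&
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$OUT/wild.cnf" \
    -keyout "$OUT/wild.key" -out "$OUT/wild.crt" >/dev/null 2>&1
}

# Succeeds only if OpenSSL's own hostname matching accepts the name for this certificate.
cert_covers() {  # $1 = certificate file, $2 = hostname
  openssl x509 -noout -in "$1" -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Prints every required name the certificate does not cover; no output means it is complete.
missing_names() {  # $1 = certificate file
  required_names | while read -r n; do cert_covers "$1" "$n" || echo "$n"; done
}

# Human-readable summary for one certificate file.
report() {  # $1 = certificate file
  m=$(missing_names "$1")
  if [ -z "$m" ]; then echo "$1: covers all required names"
  else printf '%s: NOT valid for:\n%s\n' "$1" "$m"; fi
}
```

Source the script and run `make_san_cert; make_wildcard_cert; report "$OUT/san.crt"; report "$OUT/wild.crt"`: the SAN certificate covers every name, while the wildcard one is reported as not valid for the bare domain and for conference.external.example.com, which is exactly what the installer's certificate check warns about further down. The same `cert_covers` check can be pointed at any certificate file, including server.crt from the Zimbra server, before you hand it to the installer.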

Generating the SSL Wildcard in Zimbra Collaboration

Please note that these steps overwrite your current Zimbra SSL certificates and install the new self-signed certificate. zmcertmgr always backs up the old certificates, but to be safe, copy the SSL store somewhere else first. As root:

cp -a /opt/zimbra/ssl /opt/zimbra/ssl-BACKUP

Then generate the certificate, using a wildcard for the domain on which you want to use Zimbra Talk (zmcertmgr createcrt also accepts -subjectAltNames "name1,name2" if you prefer to list the bare domain and the other required names explicitly as SANs instead of relying on the wildcard):

root@zimbra:/tmp# /opt/zimbra/bin/zmcertmgr createcrt -new -subject "/C=US/ST=CA/O=Example/CN=*.example.com"
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20160429213237 
** Generating a server csr for download self -new -keysize 2048 -digest sha256
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20160429213237 
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.

Once the new certificate has been generated, deploy it with the following command:

root@zimbra:/home/oper/zcs-patch-8.6.0_GA_1194/zmpkg-installer-1.4.4.1# /opt/zimbra/bin/zmcertmgr deploycrt self 
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.

As zimbra user:

zmcontrol restart

Then run the following command, or open the web client in your browser, to check that the deployed certificate is now issued for *.example.com. Note in the output below that SubjectAltName is empty: browsers that match only the SAN list and ignore the CN (current Chrome and Firefox do) will not accept such a certificate, which is another reason to prefer -subjectAltNames.

root@zimbra:/tmp# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
::service mta::
notBefore=Apr 29 20:32:38 2016 GMT
notAfter=Apr 28 20:32:38 2021 GMT
subject= /C=US/ST=CA/O=Example/CN=*.example.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=zimbra.example.com
SubjectAltName= 
::service proxy::
notBefore=Apr 29 20:32:38 2016 GMT
notAfter=Apr 28 20:32:38 2021 GMT
subject= /C=US/ST=CA/O=Example/CN=*.example.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=zimbra.example.com
SubjectAltName= 
::service mailboxd::
notBefore=Apr 29 20:32:38 2016 GMT
notAfter=Apr 28 20:32:38 2021 GMT
subject= /C=US/ST=CA/O=Example/CN=*.example.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=zimbra.example.com
SubjectAltName= 
::service ldap::
notBefore=Apr 29 20:32:38 2016 GMT
notAfter=Apr 28 20:32:38 2021 GMT
subject= /C=US/ST=CA/O=Example/CN=*.example.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Server/OU=Zimbra Collaboration Server/CN=zimbra.example.com
SubjectAltName= 

Zimbra-talk-self-signed-002.png

Zimbra self-signed Wildcard SSL path

The new self-signed certificate is stored under the following path:

/opt/zimbra/ssl/zimbra/server/

where you will find:

  • server.crt # The certificate itself
  • server.key # The private key, which every other server that must serve this certificate (such as Zimbra Talk) needs as well. It is a secret: copy it over an authenticated channel such as scp and never by e-mail or a shared folder.

Install Zimbra Talk with the Self-Signed SSL

Import the Zimbra Certificate Authority (CA) into the Zimbra Talk server's trust store

Before installing Zimbra Talk, install the CA from the Zimbra Collaboration Server on the Talk server, so that the certificate it issued is trusted there just like a commercially issued one.

The CA is on the Zimbra server under the following path:

/opt/zimbra/conf/ca/ca.pem

The quickest way is to append the contents of the Zimbra CA to the end of /etc/ssl/certs/ca-certificates.crt on the Zimbra Talk server, by editing the file and pasting it at the end:

vi /etc/ssl/certs/ca-certificates.crt

Be aware that this file is generated by update-ca-certificates, so the pasted entry is lost the next time the ca-certificates package is updated. The durable way on Debian/Ubuntu is to copy ca.pem to /usr/local/share/ca-certificates/zimbra-ca.crt (the .crt extension is required) and run update-ca-certificates, which rebuilds the bundle with the Zimbra CA included.

Prepare the SSL Certificate on the Zimbra Talk Server

Before installing Zimbra Talk, also prepare the two TLS files the installer asks for. Copy them from the Zimbra server to /etc/ssl on the Talk server, using the names the installer prompts below refer to:

  • /etc/ssl/zimbrassl.key # The private key (server.key from the Zimbra server); make it readable by root only (chmod 600)
  • /etc/ssl/zimbrassl.crt # The certificate with the CA bundle: server.crt followed by ca.pem, in that order, in a single file, because the installer expects the complete chain in the certificate file
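The following added example (not the wiki page's or the Talk installer's code) covers both the CA-trust step and the file preparation above: it assembles the "certificate with CA bundle" file in the right order, checks that the private key really belongs to the certificate, verifies that the bundle chains to ca.pem, restricts the key's permissions, and installs the CA the durable way. It assumes OpenSSL on the Talk server, a Debian/Ubuntu-style update-ca-certificates, and a scratch directory under /tmp (the WORK variable). The demo CA and server certificate it generates are constructed stand-ins for /opt/zimbra/conf/ca/ca.pem and the files under /opt/zimbra/ssl/zimbra/server/, so the checks can be exercised without a Zimbra server.

```shell
#!/bin/sh
# Added example, not code from the Zimbra wiki page or the Talk installer.
# Assumes OpenSSL and a Debian/Ubuntu-style update-ca-certificates; WORK is an assumed scratch path.
WORK="${WORK:-/tmp/talk-bundle-demo}"

# The installer wants one "certificate with CA bundle" file: the server certificate
# first, then the CA that issued it (the order in which a TLS server sends its chain).
build_bundle() {  # $1 = server.crt  $2 = ca.pem  $3 = bundle file to write
  cat "$1" "$2" > "$3" && chmod 644 "$3"
}

# The private key must belong to the certificate: compare the public keys they carry.
key_matches_cert() {  # $1 = private key file  $2 = certificate file
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# The first certificate in the bundle must chain to the CA the clients will trust.
verify_chain() {  # $1 = ca.pem  $2 = bundle or certificate file
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The key is a secret: only root (which runs the installer) should be able to read it.
lock_down_key() { chmod 600 "$1"; }  # add: chown root:root "$1" when running as root

# Trust the Zimbra CA the durable way. Appending to /etc/ssl/certs/ca-certificates.crt
# works only until update-ca-certificates regenerates that bundle and drops the entry.
install_ca_trust() {  # $1 = ca.pem   (run as root on the Talk server)
  install -m 644 "$1" /usr/local/share/ca-certificates/zimbra-ca.crt &&
  update-ca-certificates
}

# Constructed stand-ins for /opt/zimbra/conf/ca/ca.pem and the files under
# /opt/zimbra/ssl/zimbra/server/: a demo CA, a CA-signed server certificate, and an
# unrelated key to exercise the mismatch case. Not real Zimbra material.
make_demo_material() {
  mkdir -p "$WORK" || return 1
  printf '[req]\ndistinguished_name = dn\nx509_extensions = ca\nprompt = no\n[dn]\nCN = Demo Zimbra CA\n[ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\n' > "$WORK/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = *.example.com\n' > "$WORK/server.cnf"
  openssl req -newkey rsa:2048 -nodes -sha256 -config "$WORK/server.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -sha256 -days 365 -out "$WORK/server.crt" >/dev/null 2>&1 || return 1
  openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1
}
```

On a real Talk server you would skip `make_demo_material`, point `key_matches_cert`, `build_bundle` and `verify_chain` at the server.key, server.crt and ca.pem copied from the Zimbra host, write the bundle to /etc/ssl/zimbrassl.crt, run `lock_down_key /etc/ssl/zimbrassl.key`, and finally `install_ca_trust ca.pem` as root. If `key_matches_cert` fails you copied a key that does not belong to the certificate; if `verify_chain` fails the bundle does not chain to the CA you are about to trust, and the installer's certificate check will not be happy either.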

Installing Zimbra Talk and selecting the Self-Signed SSL

During the Zimbra Talk installation, go through all the steps until you reach the SSL settings step, and there answer yes so you can select the certificate files you created above:

==== SSL settings ====
Do you want to use your own SSL certificates? [NO]: yes

And select your SSL files, like in this example:

Path to your SSL certificate PRIVATE KEY [(e.g /path/to/your/ssl.key)]: /etc/ssl/zimbrassl.key
Path to your SSL with CA bundle CERTIFICATE [(e.g /path/to/your/ssl_CA_Bundle.crt)]: /etc/ssl/zimbrassl.crt

A known issue during installation is a warning that the self-signed wildcard certificate is not valid for conference.external.example.com and, as the output also shows, for the bare domain example.com. This is the wildcard limitation described at the top of the page: the installer lets you dismiss the warning and continue, but the warning itself is accurate, and connections to those two names cannot validate against this certificate until you issue one that lists them as Subject Alternative Names:

Checking certificates...
Checking certificate for focus.example.com
  Certificate: /etc/ssl/example.com/example.com.crt
Checking certificate for conference.external.example.com
  Certificate: /etc/ssl/example.com/example.com.crt
    Not vaild for server-to-server connections to conference.external.example.com.
Checking certificate for example.com
  Certificate: /etc/ssl/example.com/example.com.crt
    Not vaild for client connections to example.com.
    Not vaild for server-to-server connections to example.com.
Checking certificate for auth.example.com
  Certificate: /etc/ssl/example.com/example.com.crt
Checking certificate for jitsi-videobridge.example.com
  Certificate: /etc/ssl/example.com/example.com.crt
Checking certificate for conference.example.com
  Certificate: /etc/ssl/example.com/example.com.crt
Checking certificate for external.example.com
  Certificate: /etc/ssl/example.com/example.com.crt

After a couple of minutes, the installer reports successful completion:

Backup VNCtalk Installer config file
'vnctalk_installer.cfg' -> './.vnctalk_installer.cfg_2016-04-29_22-53-12'
Successful installation :)

Install the self-signed wildcard certificate on the clients

Follow the usual steps for adding a .crt file to your OS. On Windows, for example, import the Zimbra CA (ca.pem) into Trusted Root Certification Authorities under Local Computer; the page's original instructions also import server.crt there, but only the CA actually needs to be trusted, and once it is, every certificate it issued (including server.crt) validates: Zimbra-talk-self-signed-003.png

Your users can then browse to https://zimbra.example.com, see a certificate that validates as if it were a "commercial and valid" one, and use all the Zimbra Talk features without issues: Zimbra-talk-self-signed-004.png

Known issues

If you do not see a Zimbra Talk tab, open the browser's developer tools (usually F12) and reload Zimbra; the console will then show the error you are facing:

  • Error 500: This error usually means that the SSL configuration is not correct, so double-check all the steps above (certificate names, bundle order, CA trust) and, if something in the configuration was wrong, run the installation process again.

Zimbra-talk-self-signed-001.png


Verified Against: Zimbra Collaboration Suite 8.6
Date Created: 30/04/2016
Article ID: https://wiki.zimbra.com/index.php?title=How_to_Install_Zimbra_Talk_with_Self_Signed_SSL_Certificate
Date Modified: 09/20/2016



Wiki/KB reviewed by Jorge SME2 Copyeditor Last edit by Jorge de la Cruz