How to install Zimbra Talk using a LetsEncrypt SSL Certificate
   KB 22846        Last updated on 09/20/2016  




This is certified documentation and is protected for editing by Zimbra Employees & Moderators only.

Purpose

Step-by-step Wiki/KB article to install Zimbra Talk using a Let's Encrypt certificate, supplied to the installer through its "Commercial SSL Certificate" option.

Disclaimer The Let’s Encrypt Client is BETA SOFTWARE. It contains plenty of bugs and rough edges, and it should be tested thoroughly in staging environments before use on production systems. For more information regarding the status of the project, please see https://letsencrypt.org. Be sure to check out the Frequently Asked Questions (FAQ).

Resolution

Let's Encrypt is a new Certificate Authority: it is free, automated, and open. It is an option for protecting Zimbra Talk servers with a publicly trusted SSL certificate; however, please be aware that the client is still in beta. Some parts may not work or may have issues, so use it at your own risk.

Installing Let's Encrypt on a Zimbra Talk Server

The Let's Encrypt client must be installed on one Linux machine to obtain the certificate and the CA intermediate chain; the private key is generated locally on that machine and never sent to the CA. It is not required that this be the Zimbra Talk server itself, but running it there saves copying files around and makes renewals simpler.

  • First step is to install git on the server (apt-get install git / yum install git), and then git clone the project into the folder we want:
    • Note: On RedHat/CentOS 6 you will need to enable the EPEL repository before the install.
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
  • Now run Let's Encrypt in standalone mode, with one -d option for every FQDN or Subject Alternative Name the certificate must cover:
./letsencrypt-auto certonly --standalone -d xmpp.example.com -d conference.example.com -d external.example.com -d auth.example.com -d jitsi-videobridge.example.com -d focus.example.com -d turn.example.com
    • Standalone mode starts its own temporary web server to answer the validation challenge, so every name passed with -d must already resolve in public DNS to this machine, port 80 (and 443, for the TLS-based challenge) must be reachable from the Internet, and no other service may be listening on that port while the command runs. The resulting files are stored in a directory named after the first -d name.
    • (This step only happens the first time. It will not occur when renewing the SSL certificate on the same machine.) The process downloads all of the OS dependencies that Let's Encrypt needs, and after a few minutes:
      • The process asks for an email address, which is used for urgent renewal and security notices and for recovering access to the account (it does not recover a lost private key).


      • The process will ask if we agree with the ToS.


  • The process takes a few seconds to validate and then ends with a summary like the following (the run shown here used xmpp.next.zimbra.io as the first name, which is why the directory carries that name rather than xmpp.example.com):
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/xmpp.next.zimbra.io/fullchain.pem. Your cert
   will expire on 2016-10-10. To obtain a new or tweaked version of
   certificate in the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Where are the SSL Certificate Files?

You can find all your files under /etc/letsencrypt/live/$domain, where $domain is the first FQDN you passed with -d during the process:

root@xmpp:~/letsencrypt# ls /etc/letsencrypt/live/xmpp.next.zimbra.io/ -la
total 8
drwxr-xr-x 2 root root 4096 Jul 12 10:05 .
drwx------ 3 root root 4096 Jul 12 10:05 ..
lrwxrwxrwx 1 root root   43 Jul 12 10:05 cert.pem -> ../../archive/xmpp.next.zimbra.io/cert1.pem
lrwxrwxrwx 1 root root   44 Jul 12 10:05 chain.pem -> ../../archive/xmpp.next.zimbra.io/chain1.pem
lrwxrwxrwx 1 root root   48 Jul 12 10:05 fullchain.pem -> ../../archive/xmpp.next.zimbra.io/fullchain1.pem
lrwxrwxrwx 1 root root   46 Jul 12 10:05 privkey.pem -> ../../archive/xmpp.next.zimbra.io/privkey1.pem
  • cert.pem is the server certificate
  • chain.pem is the intermediate CA certificate(s) linking cert.pem to a trusted root
  • fullchain.pem is the concatenation of cert.pem + chain.pem; this is what the server should present, so that clients also receive the intermediate
  • privkey.pem is the private key

Please keep in mind that the private key never needs to leave this server: leave it where it is, readable by root only (note the drwx------ on the parent directory in the listing above), and never paste it into tickets or chat. The entries in live/ are symlinks that Let's Encrypt repoints at every renewal, so always reference these paths rather than the numbered files under archive/.

Install Zimbra Talk and use the new Let's Encrypt SSL certificate

Once DNS is configured correctly for Zimbra Talk, launch the installer; when it asks whether you want to use a Commercial SSL Certificate, answer yes:


Next, enter the path of the private key checked above, for example /etc/letsencrypt/live/xmpp.next.zimbra.io/privkey.pem

Then enter the path of fullchain.pem, which is in the same Let's Encrypt directory: /etc/letsencrypt/live/xmpp.next.zimbra.io/fullchain.pem. Use fullchain.pem rather than cert.pem, otherwise clients will not receive the intermediate certificate and will report an incomplete chain. Check afterwards whether the installer references these paths or copies the files into its own location; if it copies them, this certificate step has to be repeated after every renewal.

The installer then performs a quick check that the private key matches fullchain.pem and lists the certificates it found:

1: CN=xmpp.next.zimbra.io
2: O=Digital Signature Trust Co., CN=DST Root CA X3
Certificate chain complete.
Total 2 certificate(s) found.

Test the new SSL Certificate

The last step, after Zimbra Talk is properly installed, is to go to your Web Browser and open the URL of your Zimbra Talk server where you installed the Let's Encrypt SSL Certificate, expand the Certificate Information to see the new SSL Certificate your server is using:


Test the new SSL Certificate with OpenSSL

You can use the openssl command-line tools to inspect the certificate the server actually presents. Pass -servername as well as -connect so that the server sees the SNI name, exactly as a browser would:

echo QUIT | openssl s_client -connect "$domain:443" -servername "$domain" 2>/dev/null | openssl x509 -noout -text | less

where $domain is the FQDN you used during the process. To confirm that the intermediate is being sent as well, run the s_client part on its own and look at its "Verify return code" line: 0 (ok) means the chain validated against the local trust store, while 21 (unable to verify the first certificate) means the server is presenting cert.pem without the chain, i.e. fullchain.pem was not used.

Verifying SSL certificate is not expired

Certificates issued by Let's Encrypt are valid for 90 days, so you need to monitor the expiration of your certificate (and automate the renewal). We suggest a monitoring tool such as Nagios; the nagios-plugins check_http command can check the expiration:

/usr/lib/nagios/plugins/check_http --sni -H '<FQDN>' -C 30,14

A warning will be issued 30 days before the expiration, a critical will be issued 14 days before the expiration.

Here is a nagios config file excerpt:

define command{
       command_name    check_https_vhost
       command_line    /usr/lib/nagios/plugins/check_http --sni -H '$ARG1$' -C 30,14
}
define service{
       use generic-service
       host_name <FQDN>
       service_description SSL <FQDN>
       check_command check_https_vhost!<FQDN>
}
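The two checks this article relies on, the installer's test that privkey.pem belongs to fullchain.pem (previous section) and the expiry alerting that check_http -C 30,14 performs (this section), reproduced with nothing but openssl as an added example. This is not Zimbra's installer code nor a Let's Encrypt tool; it generates a throw-away CA and a 10-day leaf certificate (constructed names, xmpp.example.com and "Example Test CA") so that it runs offline. On a real server point the functions at /etc/letsencrypt/live/<fqdn>/privkey.pem and fullchain.pem instead.

```shell
#!/bin/sh
# Added example for this KB article (not Zimbra's or Let's Encrypt's code).
#   key_matches_cert   - does the private key belong to the first certificate
#                        in the chain file? (what the installer checks)
#   chain_length       - how many certificates the chain file carries
#   cert_expiry_status - OK/WARNING/CRITICAL with the same thresholds as
#                        check_http -C 30,14, via "openssl x509 -checkend"
set -eu

# Hash the DER SubjectPublicKeyInfo derived from the private key and the one
# embedded in the certificate; they agree only if the two are a pair.
key_matches_cert() {
    key=$1; chain=$2
    key_fp=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null \
             | openssl dgst -sha256 | awk '{print $NF}')
    cert_fp=$(openssl x509 -in "$chain" -pubkey -noout 2>/dev/null \
              | openssl pkey -pubin -outform DER 2>/dev/null \
              | openssl dgst -sha256 | awk '{print $NF}')
    if [ -n "$key_fp" ] && [ "$key_fp" = "$cert_fp" ]; then
        echo match
        return 0
    fi
    echo mismatch
    return 1
}

# Number of PEM certificates in a chain file; fullchain.pem should hold the
# server certificate plus the intermediate, so at least 2.
chain_length() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Nagios-style verdict: returns 2 (CRITICAL) if the certificate expires within
# $3 days, 1 (WARNING) if within $2 days, 0 (OK) otherwise. An already expired
# certificate also comes out CRITICAL, because -checkend fails for it too.
cert_expiry_status() {
    cert=$1; warn_days=${2:-30}; crit_days=${3:-14}
    if ! openssl x509 -noout -in "$cert" -checkend $((crit_days * 86400)) >/dev/null 2>&1; then
        echo CRITICAL; return 2
    fi
    if ! openssl x509 -noout -in "$cert" -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo WARNING; return 1
    fi
    echo OK; return 0
}

# --- constructed test material (assumed names; nothing here is real) ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
CA_KEY=$TMP/ca.key; CA_CERT=$TMP/ca.pem
LEAF_KEY=$TMP/privkey.pem; FULLCHAIN=$TMP/fullchain.pem
# self-signed CA valid for a year
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Example Test CA' \
    -keyout "$CA_KEY" -out "$CA_CERT" 2>/dev/null
# server key + CSR, then a leaf certificate that expires in 10 days
openssl req -newkey rsa:2048 -nodes -subj '/CN=xmpp.example.com' \
    -keyout "$LEAF_KEY" -out "$TMP/leaf.csr" 2>/dev/null
openssl x509 -req -days 10 -in "$TMP/leaf.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" \
    -CAcreateserial -out "$TMP/cert.pem" 2>/dev/null
cat "$TMP/cert.pem" "$CA_CERT" > "$FULLCHAIN"   # same layout as fullchain.pem

# Usage on the constructed files ("|| true" keeps set -e from aborting).
key_matches_cert "$LEAF_KEY" "$FULLCHAIN" || true   # match
key_matches_cert "$CA_KEY" "$FULLCHAIN" || true     # mismatch: wrong key
echo "chain length: $(chain_length "$FULLCHAIN")"   # 2
cert_expiry_status "$FULLCHAIN" 30 14 || true       # CRITICAL (10 days left)
cert_expiry_status "$CA_CERT" 30 14 || true         # OK
```

The public-key comparison is the same idea the installer applies: it does not need the CA or network access, only the two local files, which makes it a safe pre-check before touching the installer. The -checkend form avoids parsing the notAfter date with date(1), which differs between GNU and BSD systems, and its exit codes map directly onto the Nagios OK/WARNING/CRITICAL convention used by the check_https_vhost command above.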

Verified Against: Zimbra Talk 8.6
Date Created: 14/07/2016
Article ID: https://wiki.zimbra.com/index.php?title=How_to_install_Zimbra_Talk_using_a_LetsEncrypt_SSL_Certificate
Date Modified: 09/20/2016





Wiki/KB reviewed by Jorge SME2 Copyeditor Last edit by Jorge de la Cruz Mingo