Zimbra Talk - SSL Certificates

   KB 22749        Last updated on 09/20/2016  





Zimbra Talk specializes in providing services for real-time communication and includes several components. A minimal installation requires a Zimbra environment and a single additional server (the Talk server). At the moment the only supported platform for the Talk server is Ubuntu 14.04 (64-bit).

The Zimbra Talk system lets its users perform text chat, text conferencing, video chat and video conferencing, as well as online document collaboration between the participants of a Zimbra Talk session, using Zimbra Zimlet technology.

Certificate Requirements

Zimbra Talk relies heavily on DNS resource records and TLS. The certificate used on the Talk server must be valid and cover all required names. We recommend using a wildcard certificate. The following names must be included in the TLS certificate:

  • yourdomain.tld
  • xmpp.yourdomain.tld
  • conference.yourdomain.tld
  • external.yourdomain.tld
  • conference.external.yourdomain.tld
  • auth.yourdomain.tld
  • jitsi-videobridge.yourdomain.tld
  • focus.yourdomain.tld

To order a certificate matching these requirements you can create a CSR with the following command (replace the -subj contents with your own information):

$ openssl req -out zimbratalk.csr -new -newkey rsa:2048 -nodes -sha256 -keyout zimbratalk.key -subj '/C=GB/ST=London/L=London/O=ZimbraInc/OU=ZimbraTalkServer/CN=*.zimbra.io/emailAddress=admin@zimbra.io'
Generating a 2048 bit RSA private key
...........+++ ...................................................................+++
writing new private key to 'zimbratalk.key'

For easier certificate management, put the key and certificate files under /etc/ssl/owncerts. You must provide the TLS key and the TLS certificate during the Zimbra Talk installation. The certificate file must also include the complete CA chain!

  • Note 1: Do not store the TLS certificates under /etc/ssl/yourdomain.tld, because this path is used exclusively by the Talk installer script! Any files under /etc/ssl/yourdomain.tld will be overwritten without asking.
  • Note 2: Do not use a certificate whose private key is protected by a password.
  • Note 3: To install Zimbra Talk using a self-signed certificate, see the next Wiki article. Please bear in mind that using a self-signed SSL certificate is not supported.
  • Note 4: You may also order a Let's Encrypt certificate covering the domains listed above. The Zimbra Wiki article https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate describes how to install a Let's Encrypt SSL certificate on Zimbra.

For the Talk server you need to provide the privkey1.pem and fullchain1.pem files when prompted for them during the installation process. Please make sure that you create a dedicated certificate for the Talk server.

How to check the Zimbra Talk Server SSL Certificate

Most Zimbra Talk connection errors come from the SSL certificate configuration chosen while installing Zimbra Talk: selecting the self-signed option results in an Error 500, because Zimbra does not trust the CA. You can quickly check your SSL configuration on Zimbra Talk with one of the following methods.

On the Zimbra Talk Server

Starting with Zimbra Talk v2.2.17.2, the SSL files are located under /etc/zimbra-talk/, where you can find the .pem and the .key file:

root@zimbratalk:~# ls /etc/zimbra-talk/ -la
total 64
drwxr-xr-x   3 root root  4096 Jun  2 05:29 .
drwxr-xr-x 128 root root 12288 Jun  1 17:35 ..
[...]
-r--r--r--   1 root root  1704 Jun  1 17:29 ztalk-ssl-cert.key
-r--r--r--   1 root root  7515 Jun  1 17:29 ztalk-ssl-cert.pem

You can easily see the content of the .pem file, which must be your own SSL certificate:

openssl x509 -in /etc/zimbra-talk/ztalk-ssl-cert.pem -text -noout

Then inspect the output: the certificate's subject (CN) and Subject Alternative Names must cover all the domains listed in the previous section, or contain a matching wildcard:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3f:5e:75:c4:d2:68:58:0b:60:53:91:75:6c:77:03:97
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
        Validity
            Not Before: Mar  9 00:00:00 2016 GMT
            Not After : Mar  8 23:59:59 2017 GMT
        Subject: OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.zimbra.io
        Subject Public Key Info:
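The following Python script is an added illustration of that coverage check and is not part of Zimbra Talk or its installer. It reads the text output of openssl x509 -text -noout, takes the DNS names from the Subject Alternative Name list (falling back to the Subject CN only when no SAN exists) and reports which of the required names are not covered. It goes slightly beyond the article by applying the standard wildcard rule: *.yourdomain.tld matches exactly one label, so it covers xmpp.yourdomain.tld but neither the bare yourdomain.tld nor conference.external.yourdomain.tld unless those are listed explicitly. The domain example.com and the certificate excerpt are constructed.

```python
import re

# Names the Zimbra Talk certificate must cover (the article's list), for a
# constructed deployment domain "example.com".
REQUIRED_NAMES = [
    "example.com", "xmpp.example.com", "conference.example.com",
    "external.example.com", "conference.external.example.com",
    "auth.example.com", "jitsi-videobridge.example.com", "focus.example.com",
]

# Constructed excerpt of `openssl x509 -text -noout` output; not a real cert.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.example.com, DNS:example.com
"""

def extract_names(x509_text):
    """DNS names the certificate is valid for: the SAN dNSName entries, or the
    Subject CN only when no SAN extension exists (clients ignore CN otherwise)."""
    san = re.search(r"Subject Alternative Name:\s*(DNS:[^\n]+)", x509_text)
    if san:
        entries = [e.strip() for e in san.group(1).split(",")]
        return [e[4:] for e in entries if e.startswith("DNS:")]
    cn = re.search(r"Subject:.*?CN\s*=\s*([^,/\n]+)", x509_text)
    return [cn.group(1).strip()] if cn else []

def name_matches(pattern, hostname):
    """RFC 6125 wildcard rule: '*' must be the whole leftmost label and matches
    exactly one label, so *.example.com covers xmpp.example.com but neither
    example.com (apex) nor conference.external.example.com (two labels)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[:-len(suffix)]
    return bool(left) and "." not in left

def missing_names(x509_text, required=REQUIRED_NAMES):
    """Required names the certificate does not cover; an empty list means OK."""
    names = extract_names(x509_text)
    return [h for h in required if not any(name_matches(p, h) for p in names)]
```

Feed missing_names() the saved output of the openssl command above; for the sample certificate it reports conference.external.example.com as uncovered, which is exactly the gap a single wildcard leaves.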

Note: If you used the default option while installing Zimbra Talk, you will have a self-signed SSL certificate issued to VNC. Please refer to the section How to replace a self-signed SSL to fix the issue.

From the Zimbra Collaboration Infrastructure

If the Zimbra Talk tab does not load in Zimbra Collaboration and the browser's developer tools show an error 500, you can check from the Zimbra Collaboration server whether your Zimbra Talk server is serving the proper commercial certificate or a self-signed one. With a commercial certificate you will see something like this:

root@mail:~# openssl s_client -connect xmpp.zimbra.io:443
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.zimbra.io
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 3 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---

If the command returns a self-signed SSL certificate issued to VNC, please refer to the section How to replace a self-signed SSL to fix the issue.

How to replace a self-signed SSL

If you have already installed Zimbra Talk using the default SSL certificate option, i.e. without providing your own SSL key and certificate, the Zimbra Talk tab will not appear in Zimbra Collaboration.

  • 1.- You should already have your commercial .key and .crt files.
  • 2.- Open them with vi, nano or any other text editor, copy their contents and replace the contents of the following files with them:
/etc/zimbra-talk/ztalk-ssl-cert.key
/etc/zimbra-talk/ztalk-ssl-cert.pem
  • 3.- Then restart the nginx and prosody services:
service nginx restart
service prosody restart
  • 4.- Now use the previous steps to check that a valid commercial certificate is being served.
  • 5.- Reload the Zimbra Collaboration browser tab; the Zimbra Talk tab should now appear.


Verified Against: Zimbra Collaboration Suite 8.6
Date Created: 05/04/2016
Article ID: https://wiki.zimbra.com/index.php?title=Zimbra_Talk_-_SSL_Certificates
Date Modified: 09/20/2016



Wiki/KB reviewed by Jorge (SME2, Copyeditor). Last edit by Jorge de la Cruz Mingo.