Zimbra Talk - SSL Certificates
Zimbra Talk specializes in providing services for real-time communication and includes several components. In a minimal installation, a Zimbra environment and a single additional server (the Talk server) are required. At the moment the only supported platform for the Talk server is Ubuntu 14.04 (64-bit).
The Zimbra Talk system enables its users to perform text chat, text conference, video chat & video conference as well as online document collaboration between the participants of a Zimbra Talk session, using Zimbra Zimlet technology.
Zimbra Talk relies heavily on DNS resource records and TLS. The certificate used on the Talk server must be valid and cover all required names. We recommend using a wildcard certificate. The domains that must be included in the TLS certificate are listed below.
To order a certificate matching the requirements, you can create a CSR with the following command (replace the -subj content with your own information):
$ openssl req -out zimbratalk.csr -new -newkey rsa:2048 -nodes -sha256 -keyout zimbratalk.key -subj '/C=GB/ST=London/L=London/O=ZimbraInc/OU=ZimbraTalkServer/CN=*.zimbra.io/emailAddress=email@example.com'
Generating a 2048 bit RSA private key
...........+++
...................................................................+++
writing new private key to 'zimbratalk.key'
For easier certificate management, put the key and crt files under /etc/ssl/owncerts. You need to provide the TLS key and the TLS certificate during the Zimbra Talk installation. The certificate must also include the complete CA chain!
- Note 1: Do not use the path /etc/ssl/yourdomain.tld to store the TLS certificates, because this path is used exclusively by the Talk installer script! Any files under /etc/ssl/yourdomain.tld will be overwritten without asking.
- Note 2: Please do not use a certificate whose private key is protected by a password.
- Note 3: To install Zimbra Talk with a self-signed certificate, please see the next wiki article. Please bear in mind that using a self-signed SSL certificate is not supported.
- Note 4: You may also order a Let's Encrypt certificate covering the domains listed above. The Zimbra wiki article https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate describes how to install a Let's Encrypt SSL certificate on Zimbra.
For the Talk server you need to provide the privkey1.pem and fullchain1.pem files when prompted for them during the installation process. Please make sure that you create a dedicated certificate for the Talk server.
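As an added example (not from this wiki page and not Zimbra's own tooling), the following POSIX shell functions perform the same CSR generation as the command above, but with a subjectAltName list covering every Talk host name, and then verify the CSR before it is sent to the CA. The host names, the DN values and the output directory (defaulting to /etc/ssl/owncerts as recommended above) are placeholders; a config file is used instead of -subj because a SAN list cannot be expressed through -subj, and this form also works with the OpenSSL 1.0.x shipped with Ubuntu 14.04. The key is created with -nodes, i.e. without a passphrase, as Note 2 requires.

```shell
#!/bin/sh
# Added example, not part of the Zimbra Talk wiki page or installer.
# make_talk_csr OUTDIR CN NAME... writes OUTDIR/zimbratalk.key (unencrypted) and
# OUTDIR/zimbratalk.csr whose SAN list contains every NAME (hypothetical host names).
make_talk_csr() {
    outdir=$1; cn=$2; shift 2
    mkdir -p "$outdir"
    cfg=$(mktemp)
    # Build "DNS:name1,DNS:name2,..." from the remaining arguments.
    san=""
    for n in "$@"; do
        san="${san:+$san,}DNS:$n"
    done
    # DN values below are placeholders; replace them with your own organisation data.
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
req_extensions = ext
prompt = no
[ dn ]
C = GB
ST = London
L = London
O = ZimbraInc
OU = ZimbraTalkServer
CN = $cn
[ ext ]
subjectAltName = $san
EOF
    # -nodes: the private key is stored without a passphrase (the installer cannot
    # use a password-protected key). -config replaces -subj so the SAN list is included.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$outdir/zimbratalk.key" -out "$outdir/zimbratalk.csr" \
        -config "$cfg" 2>/dev/null
    rm -f "$cfg"
    chmod 600 "$outdir/zimbratalk.key"
}

# csr_has_name CSRFILE NAME: exit 0 only if NAME is one of the CSR's SAN entries
# (compared as a whole line, so "*.zimbra.io" does not match "xmpp.zimbra.io").
csr_has_name() {
    openssl req -in "$1" -noout -text \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -Fxq "DNS:$2"
}

# key_is_unencrypted KEYFILE: exit 0 if the PEM key carries no ENCRYPTED header.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# Usage on a Talk host (placeholder names):
#   make_talk_csr /etc/ssl/owncerts '*.zimbra.io' '*.zimbra.io' xmpp.zimbra.io
#   csr_has_name /etc/ssl/owncerts/zimbratalk.csr xmpp.zimbra.io && echo covered
```

Run csr_has_name once for each host name in the list above before ordering; a CA issues exactly what the CSR asks for, so a name missing here is a name missing from the certificate the Talk installer will later be given.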
How to check the Zimbra Talk Server SSL Certificate
Most Zimbra Talk connection errors come from the SSL certificate configuration chosen while installing Zimbra Talk: selecting the Self-Signed option results in an Error 500, because Zimbra does not trust the CA. You can quickly check your SSL configuration on Zimbra Talk with one of the following methods.
On the Zimbra Talk Server
Starting with Zimbra Talk v184.108.40.206, the SSL files are stored under /etc/zimbra-talk/, where you can find the .pem and the .key file:
root@zimbratalk:~# ls /etc/zimbra-talk/ -la
total 64
drwxr-xr-x   3 root root  4096 Jun  2 05:29 .
drwxr-xr-x 128 root root 12288 Jun  1 17:35 ..
[...]
-r--r--r--   1 root root  1704 Jun  1 17:29 ztalk-ssl-cert.key
-r--r--r--   1 root root  7515 Jun  1 17:29 ztalk-ssl-cert.pem
You can easily see the content of the .pem file, which must be your own SSL certificate:
openssl x509 -in /etc/zimbra-talk/ztalk-ssl-cert.pem -text -noout
Then inspect the output: the CN attribute must contain all the domains mentioned in the previous section, or a wildcard:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3f:5e:75:c4:d2:68:58:0b:60:53:91:75:6c:77:03:97
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
        Validity
            Not Before: Mar  9 00:00:00 2016 GMT
            Not After : Mar  8 23:59:59 2017 GMT
        Subject: OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.zimbra.io
        Subject Public Key Info:
Note: If you have used the default option while installing Zimbra Talk, you will have a self-signed SSL certificate issued to VNC. Please refer to the section How to replace a self-signed SSL to fix the issue.
From the Zimbra Collaboration Infrastructure
If you cannot load the Zimbra Talk tab in Zimbra Collaboration and the browser's developer tools show an error 500, you can check from Zimbra Collaboration whether your Zimbra Talk server is serving the proper commercial certificate or a self-signed one. With a commercial certificate you will see something like this:
root@mail:~# openssl s_client -connect xmpp.zimbra.io:443
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.zimbra.io
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 3 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
If the command returns a self-signed SSL certificate issued to VNC, please refer to the section How to replace a self-signed SSL to fix the issue.
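Both checks above (is the certificate self-signed, and does it cover the required names) can be scripted so that they are repeatable, for example after every renewal. The following is an added example, not part of this wiki page or of Zimbra Talk. It works on a saved PEM file so it runs offline; fetch_server_cert is the only function that connects to a server. Host names are placeholders, and make_sample_cert builds a constructed self-signed certificate standing in for the installer's default one (it needs OpenSSL 1.1.1 or newer for -addext, while the check functions themselves also work with the older OpenSSL on Ubuntu 14.04).

```shell
#!/bin/sh
# Added example, not part of the Zimbra Talk wiki page or installer.

# fetch_server_cert HOST PORT OUTFILE: save the leaf certificate HOST presents,
# the scripted form of "openssl s_client -connect host:443" above.
fetch_server_cert() {
    openssl s_client -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -out "$3"
}

# is_self_signed CERT: exit 0 when issuer equals subject, which is what the
# installer's default (self-signed) certificate looks like.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject)" = \
      "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer/subject/')" ]
}

# cert_names CERT: print the DNS names the certificate is valid for, one per
# line (subjectAltName entries, falling back to the CN when there is no SAN).
cert_names() {
    names=$(openssl x509 -in "$1" -noout -text \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://')
    if [ -n "$names" ]; then
        printf '%s\n' "$names"
    else
        openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
    fi
}

# name_matches PATTERN HOST: exact match, or a wildcard covering exactly one
# label ("*.zimbra.io" matches "xmpp.zimbra.io" but not "a.b.zimbra.io" or "zimbra.io").
name_matches() {
    pat=$1; host=$2
    [ "$pat" = "$host" ] && return 0
    case "$pat" in
        '*.'*)
            suffix=${pat#\*.}
            rest=${host%".$suffix"}
            [ "$rest" != "$host" ] && [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ]
            ;;
        *) return 1 ;;
    esac
}

# cert_covers CERT HOST...: exit 0 only if every HOST is matched by a name in CERT.
cert_covers() {
    cert=$1; shift
    ok=0
    for host in "$@"; do
        hit=$(cert_names "$cert" | while IFS= read -r n; do
                  name_matches "$n" "$host" && { echo yes; break; }
              done)
        [ -n "$hit" ] || { echo "not covered: $host" >&2; ok=1; }
    done
    return $ok
}

# expires_within CERT DAYS: exit 0 if the certificate expires within DAYS days.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# check_talk_cert CERT HOST...: all three checks in one call; nonzero on any problem.
check_talk_cert() {
    cert=$1; shift
    status=0
    if is_self_signed "$cert"; then
        echo "self-signed certificate: Zimbra will not trust it" >&2; status=1
    fi
    if expires_within "$cert" 30; then
        echo "certificate expires within 30 days" >&2; status=1
    fi
    cert_covers "$cert" "$@" || status=1
    return $status
}

# make_sample_cert OUTDIR: constructed self-signed certificate (placeholder names,
# valid for two days) used only to exercise the checks offline; needs OpenSSL >= 1.1.1.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj '/O=Constructed sample/CN=*.example.test' \
        -addext 'subjectAltName=DNS:*.example.test,DNS:talk.example.test' \
        -keyout "$1/sample.key" -out "$1/sample.pem" 2>/dev/null
}
```

On a live system the sequence is fetch_server_cert xmpp.zimbra.io 443 /tmp/talk.pem followed by check_talk_cert /tmp/talk.pem with the required host names; the same call against /etc/zimbra-talk/ztalk-ssl-cert.pem on the Talk server confirms that the file the installer wrote is the commercial one. is_self_signed only detects the installer's default certificate; a certificate from a CA that Zimbra does not trust still needs the full chain check with openssl s_client as shown above.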
How to replace a self-signed SSL
If you have already installed Zimbra Talk using the default option for the SSL certificate, i.e. without providing your own SSL key and certificate, you will not be able to see the Zimbra Talk tab in Zimbra Collaboration.
- 1.- You should already have your commercial .key and .crt files.
- 2.- Once you have them, open them with vi, nano or any other text editor, copy their content and replace the content of the following files with it:
/etc/zimbra-talk/ztalk-ssl-cert.key
/etc/zimbra-talk/ztalk-ssl-cert.pem
- 3.- Then restart the nginx and prosody services:
service nginx restart
service prosody restart
- 4.- Now you can use the previous steps to check that you have a valid commercial certificate.
- 5.- Reload the Zimbra Collaboration browser tab; the Zimbra Talk tab should now appear.