DNS Requirements and SSL Wildcard Cert

mrgus
Posts: 6
Joined: Fri Jun 13, 2014 11:22 am

DNS Requirements and SSL Wildcard Cert

Postby mrgus » Wed Mar 30, 2016 7:28 pm

The install guide seems to suggest a commercial wildcard cert. It stops short of outright saying this, but gives instructions for creating a CSR with cn=*.zimbra.io as the example. However, here is the list of subdomains that are required to be in the cert:

• yourdomain.tld
• xmpp.yourdomain.tld
• conference.yourdomain.tld
• external.yourdomain.tld
• conference.external.yourdomain.tld
• auth.yourdomain.tld
• jitsi-videobridge.yourdomain.tld
• focus.yourdomain.tld

This seems a bit excessive, for starters (it would be nice if we could do just one subdomain for the server or as close to that as reasonably possible), but the conference.external.yourdomain.tld is a second-level subdomain. A wildcard cert covers *.yourdomain.tld, but does not cover *.*.yourdomain.tld. The proper way to cover all subdomains including the second level one would be with a SAN cert. Either with all of the subdomains as SANs, or a wildcard cert with conference.external as a SAN.
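The wildcard-versus-SAN coverage point above, as an added example that is not part of the original post: a stdlib-only Python check that takes a certificate's CN/SAN dNSName entries and reports which of the hostnames in the list above are left uncovered, applying the single-label wildcard rule that TLS clients use. The subject-name lists fed to it are constructed.

```python
# Added example (not from the thread): check which of the hostnames Zimbra Talk
# expects are actually covered by a certificate's subject names, applying the
# one-label wildcard rule (a "*.example.tld" entry matches "a.example.tld" but
# neither "a.b.example.tld" nor the bare "example.tld").

# Hostnames listed in the original post, placeholder domain kept as written.
REQUIRED_NAMES = [
    "yourdomain.tld",
    "xmpp.yourdomain.tld",
    "conference.yourdomain.tld",
    "external.yourdomain.tld",
    "conference.external.yourdomain.tld",
    "auth.yourdomain.tld",
    "jitsi-videobridge.yourdomain.tld",
    "focus.yourdomain.tld",
]


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one CN/SAN dNSName entry covers hostname.

    A wildcard is accepted only as the entire left-most label and matches
    exactly one label of the hostname, which is how browsers and XMPP
    clients interpret it.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    cert_labels = cert_name.split(".")[1:]
    host_labels = hostname.split(".")
    # The wildcard consumes exactly one label; the remainder must match literally.
    return len(host_labels) == len(cert_labels) + 1 and host_labels[1:] == cert_labels


def uncovered_names(cert_names, required=REQUIRED_NAMES):
    """Return the required hostnames that no entry in cert_names covers."""
    return [h for h in required if not any(name_matches(c, h) for c in cert_names)]


if __name__ == "__main__":
    # Constructed subject-name lists for two candidate certificates.
    wildcard_only = ["yourdomain.tld", "*.yourdomain.tld"]
    wildcard_plus_san = wildcard_only + ["conference.external.yourdomain.tld"]
    print("wildcard only leaves uncovered:", uncovered_names(wildcard_only))
    print("wildcard + SAN leaves uncovered:", uncovered_names(wildcard_plus_san))
```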


jorgedlcruz
Zimbra Alumni
Posts: 2773
Joined: Thu May 22, 2014 4:47 pm

Re: DNS Requirements and SSL Wildcard Cert

Postby jorgedlcruz » Mon Apr 11, 2016 1:59 pm

Hi mrgus,
You can try with a self-signed SSL certificate as well; when the installation asks you for an SSL certificate, you might select [No]. You don't need to worry about conference.external.yourdomain.tld, as it is not necessary for it to be covered by the SSL certificate. I will correct the document.

You can buy a Wildcard for less than 85 Euros/year -

https://www.namecheap.com/security/ssl-certificates/comodo.aspx

which will help you not only for this, but also for your website, Zimbra server, and all the other web services you might have. If you are considering purchasing Zimbra Talk, I think 85 euros per year is not a big deal in pricing terms.

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
John from XMission
Posts: 36
Joined: Thu Oct 03, 2013 6:33 pm
Location: USA
ZCS/ZD Version: 8.6 patch 6

Re: DNS Requirements and SSL Wildcard Cert

Postby John from XMission » Mon Apr 11, 2016 6:58 pm

Zimbra Talk domain naming is difficult in the service provider environment. For example, we already have xmpp.ourdomain.com for a long-standing XMPP server and cannot dedicate this address to Zimbra Talk. Fortunately we are allowed to rename Zimbra Talk subdomains. The sheer number of subdomains required is surprising.
- John
john@xmission.com
xmission.com/zimbra - hosting / licensing / infrastructure
Zimbra Gold Partner since 2008
sensor
Posts: 37
Joined: Tue Apr 12, 2016 7:52 am

Re: DNS Requirements and SSL Wildcard Cert

Postby sensor » Tue Apr 12, 2016 8:28 am

Hi All,
I have to admit that the documentation can be improved here (and will be done very soon). Basically it comes down to:
  • "xmpp.yourdomain.tld" is based on the assumption that this is the hostname of your talk server. If you use another hostname, replace it.
  • as of now you should use a hostname that is in the domain you are using for your zimbra users. Multi-Domain setup will be covered very soon, as of now the installer supports only a single domain and all adjustments required for multi-domain require a lot of manual work.
  • all subdomains are basically virtual XMPP domains. If they are not covered by the certificate, using external clients (i.e. using Talk outside the Zimbra web client) will lead to errors.
  • If you only want to use zimbra webclient a certificate covering the domain and the hostname will be sufficient - although it will give some warnings during installation.

Hope that helps,

Sensor
sensor
Posts: 37
Joined: Tue Apr 12, 2016 7:52 am

Re: DNS Requirements and SSL Wildcard Cert

Postby sensor » Tue Apr 12, 2016 8:41 am

Hi All,

I have to admit that the documentation has to be improved. It basically comes down to:
  • "xmpp.yourdomain.com" is only the default setting for the talk server, it has to be changed to the actual hostname
  • you really should use the domain you want to use in zimbra - as of now multi-domain support is not supported by the installer and will require a lot of manual config adjustments. This will change very soon.
  • the certificate has to cover the hostname and the domain. All others are virtual xmpp domains and only have to be covered by the certificate if you want to use other clients than zimbra webclient.
  • you will see a warning when the certificate does only cover hostname and domain. It is safe to ignore the warning as long as you don't want to use external clients.
