Page 1 of 1

DNS Requirements and SSL Wildcard Cert

Posted: Wed Mar 30, 2016 7:28 pm
by mrgus
The install guide seems to suggest a commercial wildcard cert. It stops short of outright saying this, but gives instructions for creating a CSR with cn=*.zimbra.io as the example. However, here are the list of subdomains that are required to be in the cert:

• yourdomain.tld
• xmpp.yourdomain.tld
• conference.yourdomain.tld
• external.yourdomain.tld
• conference.external.yourdomain.tld
• auth.yourdomain.tld
• jitsi-videobridge.yourdomain.tld
• focus.yourdomain.tld

This seems a bit excessive, for starters (it would be nice if we could do just one subdomain for the server or as close to that as reasonably possible), but the conference.external.yourdomain.tld is a second-level subdomain. A wildcard cert covers *.yourdomain.tld, but does not cover *.*.yourdomain.tld. The proper way to cover all subdomains including the second level one would be with a SAN cert. Either with all of the subdomains as SANs, or a wildcard cert with conference.external as a SAN.

Re: DNS Requirements and SSL Wildcard Cert

Posted: Mon Apr 11, 2016 1:59 pm
by jorgedlcruz
Hi mrgus,
You can try with a self-signed SSL as well, when the installation ask you for a SSL, you might select [No], you don't need to worry about the conference.external.yourdomain.tld as it's not necessary to be covered by the SSL certificate, I will correct the document.

You can bought a Wildcard for less than 85 Euros/year -

Code: Select all

https://www.namecheap.com/security/ssl-certificates/comodo.aspx
which will help you not only for this, as well for your Website, Zimbra server, and all the other web services you might have, if you are considering to purchase Zimbra Talk, I think 85 euros per year it's not a big deal on pricing terms.

Best regards

Re: DNS Requirements and SSL Wildcard Cert

Posted: Mon Apr 11, 2016 6:58 pm
by John from XMission
Zimbra Talk domain naming is difficult in the service provider environment. For example, we already have xmpp.ourdomain.com for a long standing XMPP server and cannot dedicate this address to Zimbra Talk. Fortunately we are allowed to rename Zimbra Talk subdomains. The sheer number of subdomains required is surprising.

Re: DNS Requirements and SSL Wildcard Cert

Posted: Tue Apr 12, 2016 8:28 am
by sensor
Hi All,
I have to admit that the documentation can be improved here (and will be done very soon). Basically it comes down to:
  • "xmpp.yourdomain.tld" is based on the assumption that this is the hostname of your talk server. If you use another hostname, replace it.
  • as of now you should use a hostname that is in the domain you are using for your zimbra users. Multi-Domain setup will be covered very soon, as of now the installer supports only a single domain and all adjustments required for multi-domain require a lot of manual work.
  • all subdomains are basically virtual XMPP domains. If they are not covered by the certificate, using external clients (i.e. using talk not in zimbra webclient) will lead to errors.
  • If you only want to use zimbra webclient a certificate covering the domain and the hostname will be sufficient - although it will give some warnings during installation.
Hope that helps,

Sensor

Re: DNS Requirements and SSL Wildcard Cert

Posted: Tue Apr 12, 2016 8:41 am
by sensor
Hi All,

I have to admit that the docuemntation has to be improved. It basically comes down to:
  • "xmpp.yourdomain.com" is only the default setting for the talk server, it has to be changed to the actual hostname
  • you really should use the domain you want to use in zimbra - as of now multi-domain support is not suppoorted by the installer and will require a lot of manual config adjustments. This will change very soon.
  • the certificate has to cover the hostname and the domain. All others are virtual xmpp domains and only have to be covered by the certificate if you want to use other clients than zimbra webclient.
  • you will see a warning when the certificate does only cover hostname and domain. It is safe to ignore the warning as long as you don't want to use external clients.