Issue sharing Address Books with Tomcat Commercial Cert SSL

airbish
Posts: 12
Joined: Fri Sep 12, 2014 10:17 pm

Issue sharing Address Books with Tomcat Commercial Cert SSL

Postby airbish » Fri Mar 23, 2007 8:56 am

We're seeing an issue with accessing shared Address Books with commercial cert HTTPS turned on (self-signed cert works fine).
The self-signed cert SSL works fine, and HTTP obviously works fine. But with the commercial cert HTTPS on we get the following error:
A network service error has occurred.
msg - system failure: IOException
code - service.FAILURE
method - ZmCsfeCommand.prototype.invoke
detail - soap:Receiver
If I change my zmtlsctl to allow HTTP, then the existing shared address book(s) works fine.
We are using an SBSInstant cert installed for Tomcat only (for now). The cert requires 3 imports to the keystore (root, intermed1, intermed2, and the server cert). I'd like to say the install was easy, but since there is little to no documentation on this particular cert, it took some digging and trial and error, but the chain finally worked. I do plan on extracting the keys and using the cert for other services as well (but haven't gotten to that yet. In fact, I HOPE that's the issue here.)
From what we can see, everything else works. (Shared Calendars, for example, appear to be fine.)
Any ideas? I'd really like to use HTTPS with the redirect turned off (so that EVERYTHING runs HTTPS, not just the sign-in screen).
Thanks!


jholder
Zimbra Employee
Posts: 4686
Joined: Fri Sep 12, 2014 10:00 pm

Issue sharing Address Books with Tomcat Commercial Cert SSL

Postby jholder » Sat Mar 24, 2007 2:39 pm

Can you post the segment of your /opt/zimbra/log/mailbox.log that occurs at the time that you try to share the address books?
Thanks

john
airbish
Posts: 12
Joined: Fri Sep 12, 2014 10:17 pm

Issue sharing Address Books with Tomcat Commercial Cert SSL

Postby airbish » Sun Mar 25, 2007 11:40 pm

Looks like something is up with the root-->intermediate1-->intermediate2 (no documentation whatsoever) enom/SBS cert.
The strange thing is that all other aspects of the SSL communications (at least login/web and IMAP) with this cert seem to work OK. Firefox, for example, issues no cert warnings (or stores any certs like it does with the self-signed cert). Mail.app has no issues with it either. If it truly is an untrusted cert chain (like mail.log indicates below), would there be other issues/indications?
Any ideas? Anyone else done an SBS (securebusinessservices) cert?
The only docs I could find were here:
http://www.securebusinessservices.com/help/install-certificate/ssl-certificate-java.asp
I did all the instructions (including extracting the key and installing for the other services) from the Zimbra commercial cert instructions at:
http://wiki.zimbra.com/index.php?title=Commercial_Certificates#Commercial_SSL_Certificate_Procedure
I hosed it up once because I didn't know there was an intermediate cert (much less two) required. I backed up the certs and SSL info (using the tar commands on the same page above). I did the backups just AFTER I did the CSR request. Perhaps I got the recovery of that information wrong when I restored it to try over?
Thanks for your assistance.
---
[root@zimbra log]# tail mailbox.log
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
        at com.zimbra.soap.SoapHttpTransport.invoke(SoapHttpTransport.java:192)
        at com.zimbra.soap.SoapTransport.invokeWithoutSession(SoapTransport.java:254)
        at com.zimbra.cs.index.ProxiedQueryResults.bufferNextHits(ProxiedQueryResults.java:307)
        ... 35 more
Caused by: java.security.cert.CertificateException: Untrusted Server Certificate Chain
        at com.sun.net.ssl.X509TrustManagerJavaxWrapper.checkServerTrusted(SSLSecurity.java:600)
        at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
        ... 55 more
---

(Tried to add output from keytool -list but the forum said I had 'included 5 images in my message' (which I took to read that somehow the output included what the system interpreted as 'smilies')....so I left it out. Chain looks valid to me though...
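The stack trace above is worth reading carefully: the rejection comes from com.sun.net.ssl.internal.ssl.JsseX509TrustManager inside SoapHttpTransport, called from ProxiedQueryResults. That is the mailbox server acting as an HTTPS client against itself (the shared-folder search is proxied over SOAP), so the trust decision is made by the JVM's trust store, not by Firefox or Mail.app, which explains why the browser is happy while the server is not. A chain that only works when the client already trusts both intermediates will behave exactly this way. The following script is an added example, not code from the original thread or from Zimbra: it builds a constructed root -> intermed1 -> intermed2 -> server chain with openssl and shows the two configurations under which a trust store that holds only the root validates the server certificate. All file names and the hostname mail.example.test are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Zimbra.
# Builds a constructed chain root -> intermed1 -> intermed2 -> server with
# openssl and checks when a trust store that holds only the root validates
# server.crt. File names and the hostname mail.example.test are hypothetical.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl config so the script does not depend on a system openssl.cnf.
cat > chain.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test
EOF

# issue_cert NAME ISSUER EXT_SECTION
# ISSUER empty => self-signed root; otherwise the cert is signed by ISSUER.key.
issue_cert() {
    name=$1; issuer=$2; ext=$3
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$name.key" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl req -x509 -new -key "$name.key" -subj "/CN=$name" -days 30 \
            -config chain.cnf -extensions "$ext" -out "$name.crt" 2>/dev/null
    else
        openssl req -new -key "$name.key" -subj "/CN=$name" \
            -config chain.cnf -out "$name.csr" 2>/dev/null
        openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
            -CAcreateserial -days 30 -extfile chain.cnf -extensions "$ext" \
            -out "$name.crt" 2>/dev/null
    fi
}

issue_cert root      ""        ca_ext
issue_cert intermed1 root      ca_ext
issue_cert intermed2 intermed1 ca_ext
issue_cert server    intermed2 leaf_ext

# What a correctly configured server presents alongside its own cert.
cat intermed1.crt intermed2.crt > intermediates.pem
# A trust store into which root and both intermediates were imported.
cat root.crt intermed1.crt intermed2.crt > fullstore.pem

# chain_status STORE [UNTRUSTED]
# Prints "trusted" if server.crt validates against STORE, given the optional
# file of intermediates the peer presents during the handshake; "untrusted"
# otherwise. The "untrusted" case is what the JVM reports as
# "Untrusted Server Certificate Chain".
chain_status() {
    store=$1; untrusted=$2
    if [ -n "$untrusted" ]; then
        set -- -CAfile "$store" -untrusted "$untrusted" server.crt
    else
        set -- -CAfile "$store" server.crt
    fi
    if openssl verify "$@" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

echo "root only, server sends leaf only:     $(chain_status root.crt)"
echo "root only, server sends leaf + chain:  $(chain_status root.crt intermediates.pem)"
echo "root + both intermediates imported:    $(chain_status fullstore.pem)"
```

The first line is the failing case: a client that trusts only the root and receives only the leaf cannot build a path and rejects the chain. The other two lines are the two fixes, which are the two things to check on a real server: whether the keystore serves the leaf together with both intermediates (visible with `openssl s_client -connect mail.example.test:443 -showcerts`, where every intermediate should appear in the certificate list), and whether the JRE that the mailbox server runs under trusts the chain (`keytool -list -keystore "$JAVA_HOME/lib/security/cacerts"`, default password `changeit`, lists what that JVM will accept as an anchor). A browser with a richer root store, or one that fetches missing intermediates on its own, will hide the first problem; the server-side Java client will not.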
