We're seeing an issue with accessing shared Address Books with commercial cert HTTPS turned on (self-signed cert works fine).
The self-cert SSL works fine, and HTTP obviously works fine. But with commercial cert HTTP on we get the following error:
A network service error has occurred.
msg - system failure: IOException
code - service.FAILURE
method - ZmCsfeCommand.prototype.invoke
detail - soap:Receiver
If I change my zmtlsctl to allow HTTP, then the existing shared address book(s) works fine.
We are using an SBSInstant cert installed for Tomcat only (for now). The cert requires 3 imports to the keystore (root, intermed1, intermed2, and the server cert). I'd like to say the install was easy, but since there is little to no documentation on this particular cert, it took some digging and trial and error, but the chain finally worked. I do plan on extracting the keys and using the cert for other services as well (but haven't gotten to that yet. In fact, I HOPE that's the issue here.)
From what we can see, everything else works. (Shared Calendars, for example, appear to be fine.)
Any ideas? I'd really like to use HTTPS with the redirect turned off (so that EVERYTHING runs HTTPS...not just the sign-in screen).
Thanks!
Issue sharing Address Books with Tomcat Commercial Cert SSL
Can you post the segment of your /opt/zimbra/log/mailbox.log that occurs at the time that you try to share the address books?
Thanks
john
Issue sharing Address Books with Tomcat Commercial Cert SSL
Looks like something is up with the root-->intermediate1->intermediate2 (no documentation whatsoever) enom/sbs cert.
The strange thing is that all other aspects of the SSL communications (at least login/web and IMAP) with this cert seem to work ok. Firefox for example issues no cert warnings (or store and certs like it does with the self-signed cert). Mail.app has no issues with it either. If it truly is an untrusted cert chain (like mail.log indicates below), would there be other issues/indications?
Any ideas? Anyone else done an SBS (securebusinessservices) cert?
The only docs I could find were here:
http://www.securebusinessservices.com/help/install-certificate/ssl-certificate-java.asp
I did all the instructions (including extracting the key and installing for the other services) from the zimbra commercial cert instructions at:
http://wiki.zimbra.com/index.php?title=Commercial_Certificates#Commercial_SSL_Certificate_Procedure
I hosed it up once because I didn't know there was an intermediate cert (much less two) required. I backed up the certs and SSL info (using the tar commands on the same page above). I did the backups just AFTER I did the CSR request. Perhaps I got the recovery of that information wrong when I restored it to try over?
Thanks for your assistance.
---
[root@zimbra log]# tail mailbox.log
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
at com.zimbra.soap.SoapHttpTransport.invoke(SoapHttpTransport.java:192)
at com.zimbra.soap.SoapTransport.invokeWithoutSession(SoapTransport.java:254)
at com.zimbra.cs.index.ProxiedQueryResults.bufferNextHits(ProxiedQueryResults.java:307)
... 35 more
Caused by: java.security.cert.CertificateException: Untrusted Server Certificate Chain
at com.sun.net.ssl.X509TrustManagerJavaxWrapper.checkServerTrusted(SSLSecurity.java:600)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
... 55 more
---
(Tried to add output from keytool -list but the forum said I had 'included 5 images in my message', which I took to read that somehow the output included what the system interpreted as 'smilies'....so I left it out. Chain looks valid to me though...)
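Added example, not part of the original posts and not Zimbra's own tooling: the stack trace above fails on the client side of a TLS handshake (`ClientHandshaker.serverCertificate` calling `checkServerTrusted`), so whether a chain is accepted depends on the trust store of whichever client is doing the checking. The script below builds a constructed root -> intermed1 -> intermed2 -> server chain with `openssl` and verifies it against different trust stores. All names are placeholders, and that a trust-store difference is the cause in this thread is an assumption, not something the posters confirmed.

```shell
#!/usr/bin/env bash
# Constructed lab PKI: Lab Root -> intermed1 -> intermed2 -> server.
# All names are placeholders; nothing here comes from the thread's real certs.

mk_cert() {  # mk_cert <dir> <name> <CN> <issuer-name|self> <extfile>
  local d=$1 n=$2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  if [ "$4" = self ]; then
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 2 \
      -extfile "$d/$5" -out "$d/$n.pem" 2>/dev/null
  else
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$4.pem" -CAkey "$d/$4.key" \
      -CAcreateserial -days 2 -extfile "$d/$5" -out "$d/$n.pem" 2>/dev/null
  fi
}

# Prints "ok" only if <leaf> chains to a trust anchor in <anchors>, using
# <sent> as the (untrusted) certificates the server presented.
chain_ok() {  # chain_ok <anchors.pem> <sent.pem> <leaf.pem>
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 \
    && echo ok || echo FAIL
}

run_demo() {
  local d; d=$(mktemp -d) || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
  mk_cert "$d" root      "Lab Root"          self      ca.ext   || return 1
  mk_cert "$d" intermed1 "Lab Intermed 1"    root      ca.ext   || return 1
  mk_cert "$d" intermed2 "Lab Intermed 2"    intermed1 ca.ext   || return 1
  mk_cert "$d" server    "mail.example.test" intermed2 leaf.ext || return 1
  mk_cert "$d" other     "Unrelated Root"    self      ca.ext   || return 1
  cat "$d/intermed1.pem" "$d/intermed2.pem" > "$d/sent.pem"   # what the server sends
  cat "$d/other.pem" "$d/root.pem" > "$d/fixed.pem"           # store after importing the root

  # A client whose store has the root accepts the chain; one without it does not.
  echo "store_with_root=$(chain_ok "$d/root.pem" "$d/sent.pem" "$d/server.pem")"
  echo "store_without_root=$(chain_ok "$d/other.pem" "$d/sent.pem" "$d/server.pem")"
  echo "root_added=$(chain_ok "$d/fixed.pem" "$d/sent.pem" "$d/server.pem")"
  # Root is trusted but the server presents only its own cert: the path cannot be built.
  echo "no_intermediates_sent=$(chain_ok "$d/root.pem" "$d/server.pem" "$d/server.pem")"
  rm -rf "$d"
}

run_demo
```

On a real server the corresponding check is whether the root and both intermediates appear in the keystore the failing Java client uses as its trust store, which `keytool -list` shows.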