Strange issue with access from Thunderbird/Outlook and Certificates


Post by kobus.bensch » Wed Jun 17, 2015 7:25 am

Hi All



I have recently set up a new Zimbra Version 8.6.0_GA_1153.FOSS 15 Dec, 2014 server and all seems to be working ok. It is running on a fully patched CentOS release 6.6 (Final) VM.


Everything in the GUI for both admin and normal users is working just fine, but some of the users want to use either Thunderbird or Outlook to read email. When I try to connect one of these clients to the Zimbra server I get the following entries in the log:


Jun 17 09:42:42 dc2mail postfix/smtps/smtpd[13996]: connect from unknown[172.28.30.10]
Jun 17 09:42:42 dc2mail postfix/smtps/smtpd[13996]: Anonymous TLS connection established from unknown[172.28.30.10]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jun 17 09:42:42 dc2mail postfix/smtps/smtpd[13996]: warning: TLS library problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1292:SSL alert number 48:
Jun 17 09:42:42 dc2mail postfix/smtps/smtpd[13996]: lost connection after CONNECT from unknown[172.28.30.10]
Jun 17 09:42:42 dc2mail postfix/smtps/smtpd[13996]: disconnect from unknown[172.28.30.10]
Jun 17 09:42:42 dc2mail postfix/smtps/smtpd[13996]: connect from unknown[172.28.30.10]
Jun 17 09:42:42 dc2mail postfix/smtps/smtpd[13996]: Anonymous TLS connection established from unknown[172.28.30.10]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jun 17 09:42:42 dc2mail postfix/smtps/smtpd[13996]: warning: TLS library problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1292:SSL alert number 48:
Jun 17 09:42:42 dc2mail postfix/smtps/smtpd[13996]: lost connection after CONNECT from unknown[172.28.30.10]
Jun 17 09:42:42 dc2mail postfix/smtps/smtpd[13996]: disconnect from unknown[172.28.30.10]


So I searched around and it was suggested that there might be some certificate issues. So I tried the following:


Via the GUI:


Regenerated the self-signed cert. This seems to be successful, but the only thing that seems to change is the date. None of the Country, State, City, etc. details change.


I then tried to install a Commercial certificate, but I get an error when I confirm the CSR that the subjectAltname is invalid. I tried to set this to both nothing and the same as the common name. Same error.


I then tried via the CLI:


This is what I did and the result:


/opt/zimbra/bin/zmcertmgr createca -new
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
[root@dc2mail ~]# /opt/zimbra/bin/zmcertmgr createcrt -new -days 730
Validation days: 730
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20150617124848
** Generating a server csr for download self -new -keysize 2048 -digest sha256
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20150617124848
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
[root@dc2mail ~]# /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
[root@dc2mail ~]# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
** Copying CA to /opt/zimbra/conf/ca...done.


Can anybody help me in sorting this out please?



Kobus
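
One way to triage the Postfix log lines quoted in the post above, as an added example that is not part of the original post: it matches each "TLS library problem" warning to the client that connected on the same smtpd PID and decodes the TLS alert number. The function and variable names are hypothetical, and the sample input is copied from the log excerpt in the post.

```python
import re
from collections import Counter

# TLS alert numbers that report a certificate problem (RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

SMTPD = r"postfix/(?P<svc>[\w-]+)/smtpd\[(?P<pid>\d+)\]: "
CONNECT = re.compile(SMTPD + r"connect from (?P<peer>\S+)")
ALERT = re.compile(SMTPD + r"warning: TLS library problem: error:[0-9A-Fa-f]+:"
                   r"[^:]*:(?P<func>[^:]+):[^:]*:.*SSL alert number (?P<num>\d+)")

# Sample input: log lines copied from the post above.
SAMPLE = [
    "Jun 17 09:42:42 dc2mail postfix/smtps/smtpd[13996]: connect from unknown[172.28.30.10]",
    "Jun 17 09:42:42 dc2mail postfix/smtps/smtpd[13996]: Anonymous TLS connection established from unknown[172.28.30.10]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
    "Jun 17 09:42:42 dc2mail postfix/smtps/smtpd[13996]: warning: TLS library problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1292:SSL alert number 48:",
    "Jun 17 09:42:42 dc2mail postfix/smtps/smtpd[13996]: lost connection after CONNECT from unknown[172.28.30.10]",
    "Jun 17 09:42:42 dc2mail postfix/smtps/smtpd[13996]: disconnect from unknown[172.28.30.10]",
    "Jun 17 09:42:42 dc2mail postfix/smtps/smtpd[13996]: connect from unknown[172.28.30.10]",
    "Jun 17 09:42:42 dc2mail postfix/smtps/smtpd[13996]: warning: TLS library problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1292:SSL alert number 48:",
]

def summarize_tls_alerts(lines):
    """Count TLS alerts per (client, service, alert name, sender)."""
    peer_by_pid = {}  # smtpd processes are reused, so keep the latest peer per PID
    counts = Counter()
    for line in lines:
        m = CONNECT.search(line)
        if m:
            peer_by_pid[m["pid"]] = m["peer"]
            continue
        m = ALERT.search(line)
        if not m:
            continue
        num = int(m["num"])
        name = CERT_ALERTS.get(num, f"alert_{num}")
        # OpenSSL reports "alert ..." reasons from its record-reading function
        # when the alert was received, i.e. the remote client sent it.
        sender = "client" if "read_bytes" in m["func"].lower() else "undetermined"
        peer = peer_by_pid.get(m["pid"], "unknown-peer")
        counts[(peer, m["svc"], name, sender)] += 1
    return dict(counts)

if __name__ == "__main__":
    for key, n in summarize_tls_alerts(SAMPLE).items():
        print(n, *key)
```

An `unknown_ca` alert sent by the client means the client could not chain the certificate presented on the smtps port to a CA it trusts.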


