"Certificates does not conform to algorithm constraints" after replacing to Microsoft CA signed certificate

Andrey
Posts: 4
Joined: Tue Dec 12, 2017 11:11 am

"Certificates does not conform to algorithm constraints" after replacing to Microsoft CA signed certificate

Postby Andrey » Tue Dec 12, 2017 11:53 am

Hello

Zimbra 8.6.0 Open Source is installed.
I had a self-signed certificate and it expired. I decided to use a new one from the intranet corporate CA (Microsoft) so as not to have to push the self-signed one out via GPO again.
I have successfully deployed the certificate and root CA, and everything seems to work well (web interface via HTTPS in browsers, IMAP and SMTP with SSL), but I noticed that shared folders stopped working, and I see this error if I try to run zmprov:


ERROR: zclient.IO_ERROR (invoke java.security.cert.CertificateException: Certificates does not conform to algorithm constraints, server: localhost) (cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Certificates does not conform to algorithm constraints)


Server certificate has:


New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384


All certificates in chain also have `Signature Algorithm: sha256WithRSAEncryption`

I commented out `#jdk.certpath.disabledAlgorithms=` in /opt/zimbra/java/jre/lib/security/java.security, but with no luck.

The cipher is modern and one of the strongest; what is causing such an error?


Andrey
Posts: 4
Joined: Tue Dec 12, 2017 11:11 am

Re: "Certificates does not conform to algorithm constraints" after replacing to Microsoft CA signed certificate

Postby Andrey » Tue Dec 12, 2017 5:04 pm

I enabled debug and found out the following:
The root CA and intermediate CA have these lines:


Signature Algorithm: 1.2.840.113549.1.1.10, params unparsed, OID = 1.2.840.113549.1.1.10


It is RSASSA-PSS, and it looks like it is not supported in Java :(
Unfortunately I have to go back to a self-signed certificate or renew the root certificates with another algorithm.
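The debug output above points at the signatureAlgorithm field of the CA certificates, not at the TLS cipher suite, which is why the `ECDHE-RSA-AES256-GCM-SHA384` session and the `java.security` edit were red herrings. The script below is an added example (not part of this thread and not Zimbra code) that walks a DER-encoded chain and reports each certificate's signature OID so an admin can spot `1.2.840.113549.1.1.10` (RSASSA-PSS) before installing the chain. The DER parsing is a minimal hand-written walker of the outer `Certificate` SEQUENCE; the `JRE_SUPPORTED` set is an assumption standing in for whatever the deployed JRE's certpath validator accepts, and the sample chain is constructed in-code with dummy TBS and signature bodies (it is not a valid certificate, only the same outer layout).

```python
import base64
import re

# OIDs that matter for this thread (values from the thread / RFC 8017, RFC 5758).
RSA_PSS_OID = "1.2.840.113549.1.1.10"
SHA256_RSA_OID = "1.2.840.113549.1.1.11"
KNOWN_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    SHA256_RSA_OID: "sha256WithRSAEncryption",
    RSA_PSS_OID: "RSASSA-PSS",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
# Assumption: signature algorithms the target JRE's certpath validation can
# verify. RSASSA-PSS is deliberately absent to model the JRE in the thread.
JRE_SUPPORTED = {SHA256_RSA_OID, "1.2.840.113549.1.1.5", "1.2.840.10045.4.3.2"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Decode the contents of an OBJECT IDENTIFIER into dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Return the OID inside the outer signatureAlgorithm AlgorithmIdentifier."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)   # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_body, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_body)


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block from PEM text (e.g. commercial.crt)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    return base64.b64decode("".join(m.group(1).split()))


def check_chain(chain_der, supported=JRE_SUPPORTED):
    """Return [(index, oid, name, supported?)] for every certificate in the chain."""
    report = []
    for idx, der in enumerate(chain_der):
        oid = signature_algorithm_oid(der)
        report.append((idx, oid, KNOWN_SIG_OIDS.get(oid, "unknown"), oid in supported))
    return report


def first_unsupported(chain_der, supported=JRE_SUPPORTED):
    """First certificate whose signature algorithm the JRE cannot verify, or None."""
    for idx, oid, name, ok in check_chain(chain_der, supported):
        if not ok:
            return (idx, oid, name)
    return None


# --- constructed sample data: same outer layout as a certificate, dummy bodies ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def make_fake_cert(sig_oid, with_params=False):
    """Constructed stand-in for a DER certificate: NOT a valid certificate."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                      # dummy tbsCertificate
    params = _der(0x30, b"") if with_params else _der(0x05, b"")  # PSS params / NULL
    alg = _der(0x30, _encode_oid(sig_oid) + params)
    sig = _der(0x03, b"\x00" * 9)                              # dummy BIT STRING
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    # Leaf signed with sha256WithRSAEncryption, CA self-signed with RSASSA-PSS,
    # mirroring what the debug output in the thread showed.
    chain = [make_fake_cert(SHA256_RSA_OID), make_fake_cert(RSA_PSS_OID, with_params=True)]
    for entry in check_chain(chain):
        print(entry)
    print("first unsupported:", first_unsupported(chain))
```

On a real system the chain would be read with `pem_to_der` from the leaf, intermediate and root PEM files before running `check_chain`; a hit on `RSASSA-PSS` in a CA certificate explains the "Certificates does not conform to algorithm constraints" failure without any cipher-suite or `jdk.certpath.disabledAlgorithms` change, since that property only restricts algorithms the JRE already implements.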
phoenix
Ambassador
Posts: 25209
Joined: Fri Sep 12, 2014 9:56 pm

Re: "Certificates does not conform to algorithm constraints" after replacing to Microsoft CA signed certificate

Postby phoenix » Tue Dec 12, 2017 6:51 pm

You could always use a LetsEncrypt certificate: viewtopic.php?f=15&t=60781
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
Andrey
Posts: 4
Joined: Tue Dec 12, 2017 11:11 am

Re: "Certificates does not conform to algorithm constraints" after replacing to Microsoft CA signed certificate

Postby Andrey » Wed Dec 13, 2017 3:49 am

phoenix wrote: You could always use a LetsEncrypt certificate

I already use it for external access (via Apache proxy). Could I have subjectAltNames with an internal domain, like mail.domain.local, inside a LetsEncrypt certificate?
phoenix
Ambassador
Posts: 25209
Joined: Fri Sep 12, 2014 9:56 pm

Re: "Certificates does not conform to algorithm constraints" after replacing to Microsoft CA signed certificate

Postby phoenix » Wed Dec 13, 2017 10:03 am

Andrey wrote:
phoenix wrote: You could always use a LetsEncrypt certificate

I already use it for external access (via Apache proxy). Could I have subjectAltNames with an internal domain, like mail.domain.local, inside a LetsEncrypt certificate?

Yes, I believe you can; it's mentioned in this blog post: https://scotthelme.co.uk/setting-up-le/
Regards

Bill
Andrey
Posts: 4
Joined: Tue Dec 12, 2017 11:11 am

Re: "Certificates does not conform to algorithm constraints" after replacing to Microsoft CA signed certificate

Postby Andrey » Wed Dec 13, 2017 11:10 am

phoenix wrote: Yes, I believe you can

I'm afraid not. The domain must be publicly resolvable:


An unexpected error occurred:
The request message was malformed :: Error creating new authz :: Name does not end in a public suffix


Anyway, I found out that the CA certificates had already been renewed with the correct Signature Algorithm some time ago. I applied them and everything works OK now.
The problem is solved.
