
Thread: Setting up iPhones with self-signed SSL certificates

  1. #1 (Join Date: Aug 2008, Location: St Pete FL USA, Posts: 392, Rep Power: 7)

    Setting up iPhones with self-signed SSL certificates

    So I'm trying to get Zimbra Mobile working.

    And I'm about to be hoist on my own petard; I can see it coming.

    My server is named benjamin.mycompany.com. That's the server's actual name, so that's what I created the self-signed cert pointed to.

    But of course, that's not what anyone actually *calls* it. Most people call it zmail.mycompany.com, and that name resolves to two different addresses; the address of my firewall in my public DNS zone, and the actual address of the server in my internal zone.

    So, even if I recreated the certificate so that its name was zmail, the error I'm getting when I try to set up the Exchange account on the iPhone isn't going to go away... because all the doco says that you have to have the EAS server name be the same IP address from both sides of your firewall, or everything will blow to hell... and zmail *has* to resolve to 2 different addresses, because apparently my firewall setup won't permit packets to the public address from the private LAN to get NATted back inside.

    Any ideas other than replacing the firewall (which may be practical...)
    Jay R. Ashworth - ZCS 6.0.9CE/CentOS5 - St Pete FL US - Music - Blog - Photography - IANAL - IAAMA
    Try to Ask Questions The Smart Way -- you'll get better answers.

    Put your product and version in your profile/signature - All opinions strictly my own, even though I have an employer these days.
    If you [SOLVE] something, please tell everyone how for the archives
    And, please... read what people write, and answer the questions they asked, not the ones they didn't.

  2. #2 (Join Date: Aug 2008, Location: St Pete FL USA, Posts: 392, Rep Power: 7)

    As it turns out, I will have to replace the firewall -- it's Shorewall, which will only do inside->inside "hairpin" NAT by replacing the source address with that of the Firewall itself.

    I know this can be done properly; Snapgear routers do it out of the box.

    Hopefully Smoothwall will.
    Last edited by Baylink; 03-30-2010 at 06:04 AM.

  3. #3 (Join Date: Aug 2008, Location: St Pete FL USA, Posts: 392, Rep Power: 7)

    Ok, so to refocus this (admittedly, sorry) somewhat unclear question:

    Once I get my hairpin problems settled, am I going to have to rename my server to the role name it will play as an ActiveSync server, "async.company.com", and rebuild my self-signed certs, just to get my iPhone clients to play nice with ZMobile?

    Or is there a way to either

    a) make a self-signed wildcard cert that will answer for all 3 names (benjamin, async, zmail) or

    b) put a different cert in on the port 443 apache that will make the iPhones happy?

  4. #4 (Join Date: Aug 2008, Location: St Pete FL USA, Posts: 392, Rep Power: 7)

    {bumpitty bumpbump bump}

  5. #5 (Join Date: Nov 2006, Location: UK, Posts: 8,017, Rep Power: 24)

    Why I use a self-signed cert and once I accepted it on my iPhone (at the account creation stage) it carried on syncing quite happily.

  6. #6 (Join Date: Aug 2008, Location: St Pete FL USA, Posts: 392, Rep Power: 7)

    Ok; apologies: let me clarify.

    1) I'm told that in order to avoid DNS/caching problems on smart phones with Exchange ActiveSync, the *phone's* idea of the IP for the DNS name you configure must be the same whether you're inside your firewall or out -- that is, both sides of the split-horizon must return for it the public address of your firewall.

    2) I presently have a self-signed cert named after the *real* name of my server, benjamin.mumble, which resolves to the firewall public address in my public zone, but the *actual* address of the server from inside. Therefore, I can't use that name in my EAS client config.

    3) When I try to use the "role" DNS name, "async.mumble", in my client config, the client tosses an SSL error, *even though I've used that name to go to the https webclient and accepted it in Safari on the iPhone*.

    So clearly

    4) The iPhone EAS client *requires* that the SSL cert contain the name *by which it is accessing the server*.

    My question is: must that be the "actual" (or primary) name on the cert? Or can it be an additional name?

    And if it *does* have to be the primary name, does that mean I have to change the name of the server proper? I would much prefer that it remain named benjamin. I don't much like servers with role names as their "true name".

  7. #7 (Join Date: Aug 2008, Location: St Pete FL USA, Posts: 392, Rep Power: 7)

    This might actually be properly an Apple question; anyone know the best Apple tree to ask it under?

    I would just do a bunch of testing, but both the Zimbra server proper and the iPhones are in production, and I can't.

  8. #8 (Join Date: Aug 2008, Location: St Pete FL USA, Posts: 392, Rep Power: 7)

    Ok, while Brad in Apple tier 3 support went non-linear about how "we don't support iPhones with any Exchange ActiveSync provider except Genuine Microsoft Exchange", he *did* tell me that the SSL cert placed on the phone needs the *phone's* idea of the server name -- in my case, async.mumble -- as the *primary* name on the certificate -- any other names must apparently be secondary, if they exist at all.

    Now to find out if Zimbra will barf if the primary name isn't the *server's* idea of its name.
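The question running through #3, #6 and #8 (does the name the phone dials have to be the primary name on the cert, or can it be an additional one?) comes down to how a TLS client matches the dialled hostname against the certificate, so here is the RFC 6125 style rule as an added Python example, not code from the thread or from Zimbra: dNSName SANs are checked first, the subject CN only when the certificate carries no dNSName SAN at all, and a wildcard matches exactly one leftmost label. The certificate dicts are constructed for this example in the shape Python's ssl.getpeercert() returns, using the thread's mycompany.com placeholder names.

```python
"""Hostname matching against a server certificate, RFC 6125 style.
Certificate dicts use the shape Python's ssl.getpeercert() returns; the
sample certificates below are constructed for this example."""

def _name_matches(pattern: str, hostname: str) -> bool:
    # A wildcard counts only as the whole leftmost label with at least two
    # labels after it: '*.mycompany.com' covers 'zmail.mycompany.com' but
    # neither 'mycompany.com' nor 'a.b.mycompany.com'.
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]

def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    # dNSName SANs are authoritative when present; the subject CN is only a
    # fallback for certificates that carry no dNSName SAN at all.
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_name_matches(san, hostname) for san in sans)
    return any(
        attr == "commonName" and _name_matches(value, hostname)
        for rdn in cert.get("subject", ())
        for attr, value in rdn
    )

# CN stays the server's true name; SANs add the role names clients dial.
CERT_WITH_SANS = {
    "subject": ((("commonName", "benjamin.mycompany.com"),),),
    "subjectAltName": (("DNS", "benjamin.mycompany.com"),
                       ("DNS", "async.mycompany.com"),
                       ("DNS", "zmail.mycompany.com")),
}
# The thread's starting point: the true name as CN and no SANs.
CERT_CN_ONLY = {"subject": ((("commonName", "benjamin.mycompany.com"),),)}
# Wildcard alternative: one name covering every single-label host.
CERT_WILDCARD = {
    "subject": ((("commonName", "*.mycompany.com"),),),
    "subjectAltName": (("DNS", "*.mycompany.com"),),
}
# Pitfall: once any dNSName SAN exists the CN is ignored, so leaving the
# true name out of the SAN list breaks clients that still dial it.
CERT_SAN_ONLY_ASYNC = {
    "subject": ((("commonName", "benjamin.mycompany.com"),),),
    "subjectAltName": (("DNS", "async.mycompany.com"),),
}
```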
