[horde] Free Busy URL and self signed SSL cert

Simon Wilson simon at simonandkate.net
Mon Mar 19 10:55:37 UTC 2012


----- Message from Simon Wilson <simon at simonandkate.net> ---------
    Date: Mon, 19 Mar 2012 20:30:53 +1000
    From: Simon Wilson <simon at simonandkate.net>
Subject: Re: [horde] Free Busy URL and self signed SSL cert
      To: horde at lists.horde.org


> ----- Message from Ralf Lang <lang at b1-systems.de> ---------
>    Date: Mon, 19 Mar 2012 11:22:45 +0100
>    From: Ralf Lang <lang at b1-systems.de>
> Subject: Re: [horde] Free Busy URL and self signed SSL cert
>      To: horde at lists.horde.org
>
>
>> On 19.03.2012 11:17, Simon Wilson wrote:
>>> I use a self signed SSL cert on my Horde setup. I have a Free Busy URL
>>> setup, but when it is queried by other Kronolith users, they get:
>>>
>>> SSL certificate problem, verify that the CA cert is OK. Details:
>>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>>> verify failed[Mon Mar 19 2012 20:11:29 GMT+1000 (E. Australia Standard
>>> Time)]
>>>
>>> Is there any way to work around this?
>>>
>>> --
>>> Simon Wilson
>>> M: 0400 12 11 16
>>>
>>
>> Install the CA cert.
>>
>> -- 
>
> Where? It's on the server because it's the same cert chain (CA and  
> server) used by it to serve up SSL Horde.
>
> I have imported it into the PC's Certificates where it went into  
> "Other People", but no difference. I have a permanent exception for  
> the cert in Firefox, and it still gives the error also - so I can't  
> see that it is the client end?
>
> Do I need to do something to get Kronolith to "Install the CA cert"?
>
> Thanks Ralf.
>
> Simon.
>
> -- 

OK, it was in /etc/pki/tls but not installed as trusted. Having now  
imported the CACert in OpenSSL on both the Apache reverse proxy host  
and the Horde target web server I have the following:

lrwxrwxrwx 1 root root       10 Mar 19 20:46 d2982e5c.0 -> cacert.pem

I have not installed the server pem as trusted, because it leads up to  
the now-trusted CA cert.

Verifying the CA cert and the server cert returns (on both servers):

[root at server06 certs]# openssl verify cacert.pem
cacert.pem: OK
[root at server06 certs]# openssl verify simonandkate.net-cert.pem
simonandkate.net-cert.pem: OK

Yet still Kronolith returns:

SSL certificate problem, verify that the CA cert is OK. Details:  
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate  
verify failed[Monday, 19 March 2012 8:50:19 PM]

Any advice? Does Kronolith cache that Verify call? I have restarted  
httpd on both reverse proxy and horde web server.

Simon
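
The hashed-directory install and `openssl verify` check described in the message above, as an added example that is not part of the original post. The CA, the host name horde.example.test and the temporary directory layout are constructed sample values, and the script assumes an `openssl` binary with its default configuration file.

```shell
#!/bin/sh
# Added example. All certificate names and paths are constructed sample values.

# Create a throwaway CA and a server cert signed by it in directory $1.
build_demo_pki() {
    d=$1
    mkdir -p "$d/trusted"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=horde.example.test" \
        -keyout "$d/server-key.pem" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -days 1 -CAcreateserial \
        -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -out "$d/server-cert.pem" 2>/dev/null
}

# Install the CA into the hashed directory: <subject-hash>.0 -> cacert.pem
trust_ca() {
    d=$1
    hash=$(openssl x509 -noout -hash -in "$d/cacert.pem") || return 1
    cp "$d/cacert.pem" "$d/trusted/cacert.pem" &&
    ln -sf cacert.pem "$d/trusted/$hash.0"
}

# Verify the server cert with the demo directory passed as -CApath.
# Returns openssl's exit status: 0 when the chain verifies, non-zero otherwise.
verify_leaf() {
    openssl verify -CApath "$1/trusted" "$1/server-cert.pem" >/dev/null 2>&1
}

demo=$(mktemp -d)
build_demo_pki "$demo"
verify_leaf "$demo" && echo "before: OK" || echo "before: verify failed"
trust_ca "$demo"
verify_leaf "$demo" && echo "after: OK" || echo "after: verify failed"
ls -l "$demo/trusted"
rm -rf "$demo"
```

This exercises only the `openssl` command-line tool's lookup in the directory it is given; it says nothing about which CA store another program on the same host is configured to read.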


