[horde] Free Busy URL and self signed SSL cert

Simon Wilson simon at simonandkate.net
Mon Mar 19 11:05:18 UTC 2012


>>> On 19.03.2012 11:17, Simon Wilson wrote:
>>>> I use a self signed SSL cert on my Horde setup. I have a Free Busy URL
>>>> setup, but when it is queried by other Kronolith users, they get:
>>>>
>>>> SSL certificate problem, verify that the CA cert is OK. Details:
>>>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>>>> verify failed[Mon Mar 19 2012 20:11:29 GMT+1000 (E. Australia Standard
>>>> Time)]
>>>>
>>>> Is there any way to work around this?
>>>>
>>>> --
>>>> Simon Wilson
>>>> M: 0400 12 11 16
>>>>
>>>
>>> Install the CA cert.
>>>
>>> -- 
>>
>> Where? It's on the server because it's the same cert chain (CA and  
>> server) used by it to serve up SSL Horde.
>>
>> I have imported it into the PC's Certificates where it went into  
>> "Other People", but no difference. I have a permanent exception for  
>> the cert in Firefox, and it still gives the error also - so I can't  
>> see that it is the client end?
>>
>> Do I need to do something to get Kronolith to "Install the CA cert"?
>>
>> Thanks Ralf.
>>
>> Simon.
>>
>> -- 
>
> OK, it was in /etc/pki/tls but not installed as trusted. Having now  
> imported the CACert in OpenSSL on both the Apache reverse proxy host  
> and the Horde target web server I have the following:
>
> lrwxrwxrwx 1 root root       10 Mar 19 20:46 d2982e5c.0 -> cacert.pem
>
> I have not installed the server pem as trusted, because it leads up  
> to the now-trusted CA cert.
>
> Verifying the CA cert and the server cert returns (on both servers):
>
> [root@server06 certs]# openssl verify cacert.pem
> cacert.pem: OK
> [root@server06 certs]# openssl verify simonandkate.net-cert.pem
> simonandkate.net-cert.pem: OK
>
> Yet still Kronolith returns:
>
> SSL certificate problem, verify that the CA cert is OK. Details:  
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate  
> verify failed[Monday, 19 March 2012 8:50:19 PM]
>
> Any advice? Does Kronolith cache that Verify call? I have restarted  
> httpd on both reverse proxy and horde web server.
>
> Simon
>

Running "openssl s_client -host mail.simonandkate.net -port 443" on  
the server that hosts Horde and on the reverse proxy server returns:

     Verify return code: 0 (ok)

Running it on another server where the cert is NOT installed as  
trusted returns:

     Verify return code: 21 (unable to verify the first certificate)

Simon
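
The hashed-symlink step mentioned in the message above ("d2982e5c.0 -> cacert.pem"), as an added example that is not part of the original post: it shows that a CA file merely sitting in an OpenSSL CApath directory is not trusted until the `<subject-hash>.0` link exists. The CA, the server certificate, the host name mail.example.test and the function name capath_demo are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example. All keys, certificates and names are constructed and live
# in a temporary directory; nothing under /etc/pki is read or modified.

# Prints three words: the verify result with an empty trust dir, with the CA
# file merely copied in, and with the <subject-hash>.0 symlink present.
capath_demo() (
    set -eu
    work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
    cd "$work"
    # Minimal request config so the demo does not depend on the system openssl.cnf.
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Private CA (plays the role of cacert.pem) and a server cert it signs.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config ca.cnf \
        -keyout cakey.pem -out cacert.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -config ca.cnf \
        -subj "/CN=mail.example.test" \
        -keyout server-key.pem -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -days 2 -out server-cert.pem 2>/dev/null

    # Match on the ": OK" line rather than the exit status of openssl verify.
    check() {
        if openssl verify -CApath "$1" server-cert.pem 2>/dev/null |
            grep -q ': OK$'; then printf ok; else printf fail; fi
    }

    mkdir certs
    r1=$(check certs)                     # no CA present at all
    cp cacert.pem certs/
    r2=$(check certs)                     # file present, but no hash link
    hash=$(openssl x509 -noout -subject_hash -in cacert.pem)
    ln -s cacert.pem "certs/$hash.0"      # same form as d2982e5c.0 -> cacert.pem
    r3=$(check certs)
    echo "$r1 $r2 $r3"
)

capath_demo   # prints: fail fail ok
```

This only exercises the trust directory that the openssl command-line tool is pointed at; whether another client on the same host consults that directory is a separate question the demo does not answer.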


