[horde] Free Busy URL and self signed SSL cert

Vilius Šumskas vilius at lnk.lt
Mon Mar 19 13:26:56 UTC 2012


> >>> Am 19.03.2012 11:17, schrieb Simon Wilson:
> >>>> I use a self signed SSL cert on my Horde setup. I have a Free Busy URL
> >>>> setup, but when it is queried by other Kronolith users, they get:
> >>>>
> >>>> SSL certificate problem, verify that the CA cert is OK. Details:
> >>>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> >>>> verify failed[Mon Mar 19 2012 20:11:29 GMT+1000 (E. Australia
> >>>> Standard Time)]
> >>>>
> >>>> Is there any way to work around this?
> >>>>
> >>>> --
> >>>> Simon Wilson
> >>>> M: 0400 12 11 16
> >>>>
> >>>
> >>> Install the CA cert.
> >>>
> >>> --
> >>
> >> Where? It's on the server because it's the same cert chain (CA and
> >> server) used by it to serve up SSL Horde.
> >>
> >> I have imported it into the PC's Certificates where it went into
> >> "Other People", but no difference. I have a permanent exception for
> >> the cert in Firefox, and it still gives the error also - so I can't
> >> see that it is the client end?
> >>
> >> Do I need to do something to get Kronolith to "Install the CA cert"?
> >>
> >> Thanks Ralf.
> >>
> >> Simon.
> >>
> >> --
> >
> > OK, it was in /etc/pki/tls but not installed as trusted. Having now
> > imported the CACert in OpenSSL on both the Apache reverse proxy host
> > and the Horde target web server I have the following:
> >
> > lrwxrwxrwx 1 root root       10 Mar 19 20:46 d2982e5c.0 -> cacert.pem
> >
> > I have not installed the server pem as trusted, because it leads up
> > to the now-trusted CA cert.
> >
> > Verifying the CA cert and the server cert returns (on both servers):
> >
> > [root at server06 certs]# openssl verify cacert.pem
> > cacert.pem: OK
> > [root at server06 certs]# openssl verify simonandkate.net-cert.pem
> > simonandkate.net-cert.pem: OK
> >
> > Yet still Kronolith returns:
> >
> > SSL certificate problem, verify that the CA cert is OK. Details:
> > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> > verify failed[Monday, 19 March 2012 8:50:19 PM]
> >
> > Any advice? Does Kronolith cache that Verify call? I have restarted
> > httpd on both reverse proxy and horde web server.
> >
> > Simon
> >
> 
> Running "openssl s_client -host mail.simonandkate.net -port 443" on
> the server that hosts Horde and on the reverse proxy server returns:
> 
>      Verify return code: 0 (ok)
> 
> Running it on another server where the cert is NOT installed as
> trusted returns:
> 
>      Verify return code: 21 (unable to verify the first certificate)

This is how self-signed certificates are supposed to work. Generally speaking, if the client doesn't have the ability to retrieve the CA certificate from the server along with the "server" certificate, the client *will* fail. Most browsers work this way.

You have two options here. Either install the CA certificate on all clients or use a certificate signed by a trusted authority.

-- 
   Vilius
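The point made in this thread, that a chain issued by a private CA is only accepted by clients that have that CA in their own trust store, can be reproduced locally with OpenSSL. The script below is an added example and is not code from the thread or from the Horde project; it builds a throwaway CA and a server certificate signed by it (constructed names, everything in a temp directory), then runs `openssl verify` once with the CA trusted and once with an empty trust store, which is the situation of the clients that got the "certificate verify failed" error above.

```sh
#!/bin/sh
# Added example, not part of the thread above. Builds a throwaway
# private CA plus a server certificate signed by it (constructed
# names, all files in a temp directory), then shows that OpenSSL only
# accepts the server certificate when the verifier trusts the CA.
# This is the client-side condition behind "Install the CA cert".
set -e

# make_certs DIR: write example-ca.pem (self-signed CA) and
# example-server.pem (leaf signed by that CA) into DIR.
make_certs() {
    d="$1"
    # Self-contained request configs so the system openssl.cnf is not needed.
    cat > "$d/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Private CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$d/server.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = mail.example.invalid
EOF
    # Extensions applied when the CA signs the server request.
    cat > "$d/server.ext" <<'EOF'
basicConstraints = CA:FALSE
subjectAltName = DNS:mail.example.invalid
EOF
    # Self-signed CA certificate and key.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$d/ca.cnf" -keyout "$d/ca.key" \
        -out "$d/example-ca.pem" >/dev/null 2>&1
    # Server key and certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$d/server.cnf" -keyout "$d/server.key" \
        -out "$d/server.csr" >/dev/null 2>&1
    # CA signs the server request, producing the leaf certificate.
    openssl x509 -req -days 1 -in "$d/server.csr" \
        -CA "$d/example-ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -extfile "$d/server.ext" -out "$d/example-server.pem" >/dev/null 2>&1
}

# verify_trusting CA_PEM CERT_PEM: "ok" when CERT chains to a CA the
# verifier has been told to trust, else "fail".
verify_trusting() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# verify_untrusting CERT_PEM: same check with an empty trust store,
# i.e. what a client that never imported the private CA sees.
verify_untrusting() {
    if openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

WORK="$(mktemp -d)"
make_certs "$WORK"
echo "CA trusted:     $(verify_trusting "$WORK/example-ca.pem" "$WORK/example-server.pem")"
echo "CA not trusted: $(verify_untrusting "$WORK/example-server.pem")"
# Show OpenSSL's own reason for the failing case.
openssl verify -no-CAfile -no-CApath "$WORK/example-server.pem" || true
rm -rf "$WORK"
```

The failing run is the one to look at: with no trust anchor, OpenSSL reports "unable to get local issuer certificate", and no amount of verifying on the server side changes that, because the check happens in the client's trust store. Installing the CA certificate on every client (or using a certificate from a CA they already trust) is what moves the second line from `fail` to `ok`.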