[horde] Free Busy URL and self signed SSL cert

Vilius Šumskas vilius at lnk.lt
Mon Mar 19 21:29:04 UTC 2012


Hello,

Monday, March 19, 2012, 10:47:24 PM, you wrote:

> On 19/03/2012, at 11:26 PM, Vilius Šumskas <vilius at lnk.lt> wrote:

>>>>>> Am 19.03.2012 11:17, schrieb Simon Wilson:
>>>>>>> I use a self signed SSL cert on my Horde setup. I have a Free Busy URL
>>>>>>> setup, but when it is queried by other Kronolith users, they get:
>>>>>>> 
>>>>>>> SSL certificate problem, verify that the CA cert is OK. Details:
>>>>>>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>>>>>>> verify failed[Mon Mar 19 2012 20:11:29 GMT+1000 (E. Australia Standard
>>>>>>> Time)]
>>>>>>> 
>>>>>>> Is there any way to work around this?
>>>>>>> 
>>>>>>> --
>>>>>>> Simon Wilson
>>>>>>> M: 0400 12 11 16
>>>>>>> 
>>>>>> 
>>>>>> Install the CA cert.
>>>>>> 
>>>>>> --
>>>>> 
>>>>> Where? It's on the server because it's the same cert chain (CA and
>>>>> server) used by it to serve up SSL Horde.
>>>>> 
>>>>> I have imported it into the PC's Certificates where it went into
>>>>> "Other People", but no difference. I have a permanent exception for
>>>>> the cert in Firefox, and it still gives the error also - so I can't
>>>>> see that it is the client end?
>>>>> 
>>>>> Do I need to do something to get Kronolith to "Install the CA cert"?
>>>>> 
>>>>> Thanks Ralf.
>>>>> 
>>>>> SImon.
>>>>> 
>>>>> --
>>>> 
>>>> OK, it was in /etc/pki/tls but not installed as trusted. Having now
>>>> imported the CACert in OpenSSL on both the Apache reverse proxy host
>>>> and the Horde target web server I have the following:
>>>> 
>>>> lrwxrwxrwx 1 root root       10 Mar 19 20:46 d2982e5c.0 -> cacert.pem
>>>> 
>>>> I have not installed the server pem as trusted, because it leads up
>>>> to the now-trusted CA cert.
>>>> 
>>>> Verifying the CA cert and the server cert returns (on both servers):
>>>> 
>>>> [root at server06 certs]# openssl verify cacert.pem
>>>> cacert.pem: OK
>>>> [root at server06 certs]# openssl verify simonandkate.net-cert.pem
>>>> simonandkate.net-cert.pem: OK
>>>> 
>>>> Yet still Kronolith returns:
>>>> 
>>>> SSL certificate problem, verify that the CA cert is OK. Details:
>>>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>>>> verify failed[Monday, 19 March 2012 8:50:19 PM]
>>>> 
>>>> Any advice? Does Kronolith cache that Verify call? I have restarted
>>>> httpd on both reverse proxy and horde web server.
>>>> 
>>>> Simon
>>>> 
>>> 
>>> Running "openssl s_client -host mail.simonandkate.net -port 443" on
>>> the server that hosts Horde and on the server the reverse proxy is on returns:
>>> 
>>>     Verify return code: 0 (ok)
>>> 
>>> Running it on another server where the cert is NOT installed as
>>> trusted returns:
>>> 
>>>     Verify return code: 21 (unable to verify the first certificate)
>> 
>> This is how self-signed certificates are supposed to work. Generally speaking, if the client doesn't have the ability to retrieve the CA certificate from the server along with the "server" certificate, the client *will* fail. Most browsers work this way.
>> 
>> You have two options here. Either install CA certificate on all clients or use certificate signed by trusted authority.
>> 
>> -- 
>>    

> Thanks Vilius. 

> Only thing is that as I have posted, even when the client trusts
> the certificate, and the servers trust the certificate, Kronolith
> still fails to accept it, and free busy fails.  So are you saying
> that my only option is to buy trusted certs? 

> Where does the Kronolith certificate verification happen - client or server?

> Simon

Probably others will fill in more, but I assume that the error message
you experience is returned by Kronolith, so the client in this case is
Kronolith, or rather the mechanism underneath it, i.e. openssl? What and
where do you get this error from?

-- 
Best regards,
 Vilius
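The question in the thread is where the certificate check actually happens and why "openssl verify ... OK" on the server does not help. This added shell example (not from the thread or from Horde) builds a throwaway private CA and a server certificate it signs, then verifies that certificate the way a TLS client does, against two different trust stores; all names and paths are placeholders created in a temporary directory.

```sh
#!/bin/sh
# Added example, not from the thread: build a throwaway private CA and a
# server certificate it signs, then verify that certificate the way a TLS
# client does, against two different trust stores. The outcome depends only
# on what the verifying process trusts; "openssl verify cacert.pem: OK" run
# on the server says nothing about the client's store. Names and paths are
# placeholders created in a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/empty"

# Self-signed CA certificate plus private key (no passphrase, 1-day validity).
make_ca() {                    # $1 = subject CN, $2 = output basename
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Our private CA, an unrelated CA, and a server certificate issued by ours.
make_chain() {
    make_ca "Example Private CA" cacert
    make_ca "Unrelated CA" other-ca
    openssl req -newkey rsa:2048 -nodes -subj "/CN=horde.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cacert.key" -CAcreateserial \
        -out "$WORK/server-cert.pem" >/dev/null 2>&1
}

# Verify the server certificate as a client whose trust store is exactly the
# file in $1. The empty -CApath stands in for the default CA directory; the
# throwaway CA is in no system store anyway, so -CAfile alone decides.
# Exit status 0 means this client would accept the certificate.
verify_against() {             # $1 = PEM file with the CA(s) this client trusts
    openssl verify -CAfile "$1" -CApath "$WORK/empty" \
        "$WORK/server-cert.pem" >/dev/null 2>&1
}

# Print one line per client configuration.
report() {                     # $1 = label, $2 = trust store file
    if verify_against "$2"; then echo "$1: OK"; else echo "$1: verify failed"; fi
}

make_chain
report "client trusting our private CA" "$WORK/cacert.pem"      # OK
report "client trusting only another CA" "$WORK/other-ca.pem"   # verify failed
```

The second line is the situation in the thread: the server may trust its own CA, but the process that fetches the free/busy URL decides with its own trust store, so that is where the CA certificate has to be installed.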
