[horde] Free Busy URL and self signed SSL cert
Simon Wilson
simon at simonandkate.net
Mon Mar 19 22:59:43 UTC 2012
----- Message from Vilius Šumskas <vilius at lnk.lt> ---------
Date: Mon, 19 Mar 2012 23:29:04 +0200
From: Vilius Šumskas <vilius at lnk.lt>
Subject: Re: [horde] Free Busy URL and self signed SSL cert
To: horde at lists.horde.org
>
> Probably others will fill in more, but I assume that the error message
> you experience is returned by Kronolith, so the client in this case is
> Kronolith, or better to say, the mechanism underneath it, i.e.
> openssl? What and where do you get this error from?
>

The entire chain:

I have a Global address list that contains Free Busy URLs as advised
in Kronolith for each user. Creating a new appointment in Kronolith, I
add an attendee, and type my wife's name. This is then autocompleted
by Kronolith from the calendar, which seems to work fine. That, I
assume, then draws her Free Busy URL
(https://mail.simonandkate.net/kronolith/fb.php?u=katie) from the
contact details. At that point, Kronolith returns the error message in
a Yellow notification box in the bottom right of the screen, saying:

SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed[Mon Mar 19 2012 20:11:29 GMT+1000 (E. Australia Standard Time)]

Running Horde log in debug level appears to present no further useful
information other than repeating that error.

The setup:

https://mail.simonandkate.net is reverse proxied to an internal web
server that runs Horde. On both servers (reverse proxy and host) the
required certificates are located in /etc/pki/tls/certs - both the
self-signed CA cert and the server cert that is generated by that CA.
On both servers I have used OpenSSL to hash and 'ln' the CA
certificate. On both servers running "openssl verify ..." on the CA
cert and the server cert is successful. From both servers, running
openssl in s_client mode to mail.simonandkate.net:443 is successful,
with a verify return code of 0.

So from where I sit, openssl is happy with, trusts, and can verify
both the CA cert and its child.

On the test PC client - I have imported the CA cert as a "Trusted
Certificate Authority". IE and Chrome therefore present the
https://mail.simonandkate.net site as "green" and trusted.

Yet still Kronolith will not verify the cert. I have had a quick
search for the kronolith code that is calling the verify but could not
find it.

Horde config $conf[openssl][cafile] is set to /etc/pki/tls/certs. The
explanatory text for that says: "The location of the root certificates
bundle, e.g. /etc/ssl/certs." Does this mean that Horde only checks
the CA-bundle file located in that folder and installed by the openssl
package, or does it parse that directory for all valid hashed certs?
If the latter, then this should verify without any problem...

Open to suggestions as to what to try next...

Simon.
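
Added example (not part of the original message and not Horde's code): the message's closing question turns on the difference between a CA bundle file and a hashed certificate directory. The script below builds a throwaway CA and server certificate and shows that `openssl verify` accepts each trust source only through the matching option; it does not show how Horde interprets its setting. It assumes the openssl CLI and its stock openssl.cnf are installed, and every name and path in it is constructed.

```shell
#!/usr/bin/env bash
# Constructed demo: throwaway CA and server certificate in a temp directory.
# Names such as "Demo Test CA" and mail.example.test are placeholders.
demo_dir=$(mktemp -d)

make_certs() {
  # Self-signed CA (the stock openssl.cnf marks it as a CA certificate).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Test CA" \
    -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.crt" 2>/dev/null
  # Server key and CSR, then a server certificate signed by that CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$demo_dir/server.key" -out "$demo_dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$demo_dir/server.csr" -days 1 \
    -CA "$demo_dir/ca.crt" -CAkey "$demo_dir/ca.key" -CAcreateserial \
    -out "$demo_dir/server.crt" 2>/dev/null
  # Hashed directory: the CA plus a <subject-hash>.0 symlink pointing at it.
  mkdir -p "$demo_dir/certs"
  cp "$demo_dir/ca.crt" "$demo_dir/certs/demo-ca.pem"
  ln -sf demo-ca.pem \
    "$demo_dir/certs/$(openssl x509 -noout -hash -in "$demo_dir/ca.crt").0"
}

# Succeeds only if the server certificate verifies with the given trust source.
verifies_with() {  # usage: verifies_with -CAfile|-CApath <location>
  openssl verify "$1" "$2" "$demo_dir/server.crt" 2>&1 | grep -q ': OK$'
}

report() {
  if verifies_with "$1" "$2"; then echo "OK    $1 $2"; else echo "FAIL  $1 $2"; fi
}

make_certs
report -CAfile "$demo_dir/ca.crt"   # single PEM file passed as a file
report -CApath "$demo_dir/certs"    # hashed directory passed as a directory
report -CAfile "$demo_dir/certs"    # directory given where a file is expected
report -CApath "$demo_dir/ca.crt"   # file given where a directory is expected
```

A client that hands a directory to a file-only CA option behaves like the third case, even when the directory is correctly hashed.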