[horde] Free Busy URL and self signed SSL cert

Vilius Šumskas vilius at lnk.lt
Tue Mar 20 07:41:09 UTC 2012


Hello,

Tuesday, March 20, 2012, 12:59:43 AM, you wrote:

> ----- Message from Vilius Šumskas <vilius at lnk.lt> ---------
>     Date: Mon, 19 Mar 2012 23:29:04 +0200
>     From: Vilius Šumskas <vilius at lnk.lt>
> Subject: Re: [horde] Free Busy URL and self signed SSL cert
>       To: horde at lists.horde.org
>>
>> Probably others will fill in more, but I assume that the error message
>> you experience is returned by Kronolith, so the client in this case is
>> Kronolith, or better to say, the mechanism underneath it, i.e.
>> openssl? What and where do you get this error from?
>>

> The entire chain:

> I have a Global address list that contains Free Busy URLs as advised  
> in Kronolith for each user. Creating a new appointment in Kronolith, I
> add an attendee, and type my wife's name. This is then autocompleted  
> by Kronolith from the calendar, which seems to work fine. That, I  
> assume, then draws her Free Busy URL  
> (https://mail.simonandkate.net/kronolith/fb.php?u=katie) from the  
> contact details. At that point, Kronolith returns the error message in
> a Yellow notification box in the bottom right of the screen, saying:

> SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed[Mon Mar 19 2012 20:11:29 GMT+1000 (E. Australia Standard Time)]

At least for me the link above downloads without any problems, except
that the browser complains the certificate is not valid. If you had
installed the CA into the browser you should be fine here. I don't
believe that Kronolith uses SSL for Free Busy generation at all, so the
error message must come from the browser.

Maybe you are having a cache issue? Try clearing temporary files in the
browser.

> Running Horde log in debug level appears to present no further useful
> information other than repeating that error.

> The setup:
> https://mail.simonandkate.net is reverse proxied to an internal web  
> server that runs Horde. On both servers (reverse proxy and host) the  
> required certificates are located in /etc/pki/tls/certs - both the  
> self-signed CA cert and the server cert that is generated by that CA.
> On both servers I have used OpenSSL to hash and 'ln' the CA  
> certificate. On both servers running "openssl verify ..." on the CA  
> cert and the server cert is successful. From both servers, running  
> openssl in s_client mode to mail.simonandkate.net:443 is successful,  
> with a verify return code of 0.

> So from where I sit, openssl is happy with, trusts, and can verify  
> both the CA cert and its child.

> On the test PC client - I have imported the CA cert as a "Trusted  
> Certificate Authority". IE and Chrome therefore present the  
> https://mail.simonandkate.net site as "green" and trusted.

> Yet still Kronolith will not verify the cert. I have had a quick  
> search for the kronolith code that is calling the verify but could not
> find it.

> Horde config $conf[openssl][cafile]  is set to /etc/pki/tls/certs. The
> explanatory text for that says: "The location of the root certificates
> bundle, e.g. /etc/ssl/certs." Does this mean that Horde only checks  
> the CA-bundle file located in that folder and installed by the openssl
> package, or does it parse that directory for all valid hashed certs?  
> If the latter, then this should verify without any problem...

AFAIK this should be set to the CA certificate file, not the directory.

> Open to suggestions as to what to try next...

> Simon.




-- 
Best regards,
 Vilius
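
Added example, not part of the original message or of Horde's code: a Python check for the point raised at the end of the reply, that a setting which expects a CA certificate file may have been given a directory instead. The function names, the file name my-ca.crt and the hash name 1a2b3c4d.0 are made up for illustration, and the certificate content is a constructed placeholder, so only the file layout is examined.

```python
import os
import re
import tempfile

# OpenSSL finds certificates in a CA directory by subject-hash name, e.g. "1a2b3c4d.0".
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")
PEM_MARKER = "-----BEGIN CERTIFICATE-----"

def count_pem_certs(path):
    """Count PEM certificate blocks in a regular file (0 if unreadable)."""
    try:
        with open(path, "r", errors="replace") as fh:
            return fh.read().count(PEM_MARKER)
    except OSError:
        return 0

def classify_ca_location(path):
    """Classify path as a CA file, a hashed CA directory, or neither."""
    if os.path.isdir(path):
        names = sorted(os.listdir(path))
        pem = [n for n in names if count_pem_certs(os.path.join(path, n))]
        hashed = [n for n in pem if HASH_NAME.match(n)]
        kind = "ca-directory" if hashed else "unhashed-directory"
        return {"kind": kind, "hashed": hashed,
                "candidates": [n for n in pem if n not in hashed]}
    certs = count_pem_certs(path)
    return {"kind": "ca-file" if certs else "not-pem", "certs": certs}

def check_cafile_setting(path):
    """Return (ok, advice) for a setting that expects one CA bundle file."""
    info = classify_ca_location(path)
    if info["kind"] == "ca-file":
        return True, f"{path}: PEM file, {info['certs']} certificate(s)"
    if "candidates" in info:
        found = ", ".join(info["candidates"]) or "none"
        return False, f"{path} is a directory; PEM files inside: {found}"
    return False, f"{path}: no PEM certificate found"

def make_demo_tree():
    """Constructed layout: one CA file plus the hash-named link to it."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "my-ca.crt"), "w") as fh:
        fh.write(PEM_MARKER + "\n(constructed placeholder, not a real cert)\n"
                 "-----END CERTIFICATE-----\n")
    os.symlink("my-ca.crt", os.path.join(d, "1a2b3c4d.0"))  # made-up hash
    return d

if __name__ == "__main__":
    demo = make_demo_tree()
    for p in (demo, os.path.join(demo, "my-ca.crt")):
        print(check_cafile_setting(p))
```

A directory that passes as "ca-directory" here fits OpenSSL's CA path style of lookup, while a CA file setting needs the path of one of the listed PEM files.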


