Thread: SSL connect problem, most likely untrusted certificate

  1. #1
    eteno is offline Active Member

    I am new to Linux and other open source distributions, so please be patient with me.

    I am using external LDAP authentication with Red Hat Directory Server. I can authenticate to RHDS via port 389 with no problems; the test is successful.

    However, I have switched my RHDS system over to SSL using port 636 LDAPS.

    When I use the authentication wizard in Zimbra and choose port 636 and check the checkbox to enable SSL, I get an error at the end of my test.

    Here is what I see:

    Authentication failed:
    SSL connect problem, most likely untrusted certificate

    javax.naming.CommunicationException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]; remaining name 'dc=servername,dc=com'
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1965)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1810)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1735)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:257)
    at com.zimbra.cs.account.ldap.LdapUtil.searchDir(LdapUtil.java:1210)
    at com.zimbra.cs.account.ldap.LdapUtil.ldapAuthenticate(LdapUtil.java:317)
    at com.zimbra.cs.account.ldap.Check.checkAuthConfig(Check.java:146)
    at com.zimbra.cs.service.admin.CheckAuthConfig.handle(CheckAuthConfig.java:46)
    at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:342)
    at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:208)
    at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:113)
    at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:272)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:174)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093)
    at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
    at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:132)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
    at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:716)
    at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:406)
    at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:211)
    at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
    at org.mortbay.jetty.handler.RewriteHandler.handle(RewriteHandler.java:176)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
    at org.mortbay.jetty.Server.handle(Server.java:313)
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:506)
    at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:844)
    at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:644)
    at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:205)
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:381)
    at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:396)
    at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:393)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:367)
    at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:528)
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1948)
    ... 39 more
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
    ... 52 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
    ... 58 more


    What do I need to do to fix this?

  2. #2
    mmorse is offline Moderator

    It's along the lines of:
    keytool -import -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -alias <alias> -file <certfile>

  3. #3
    eteno is offline Active Member

    Thank you for your reply.

    I am 100% sure this will help me, but I am not sure what the alias and certfile should be. Where do I get the cert from? Do I get it from my Red Hat Directory Server or do I generate this or get this from my Zimbra server?

    I saw this same command elsewhere, but I think I got confused on what file I should be importing.

    My RHDS server requires 2 server certificates and a CA certificate. All are self-signed, but I am not sure it generates an actual file specifically for each certificate.

    Also, if I actually try the cert wizard in Zimbra, there is a self-signed cert and a commercially signed cert. We pretty much self-sign all of our certs. Are we required to get a commercially signed cert?

    I'm just a little confused, but I know this will get resolved if you remain patient with me.

  4. #4
    eteno is offline Active Member

    By the way, I am the administrator, so I have no one else to ask here.

  5. #5
    eteno is offline Active Member

    This thread can be resolved.

    Here is what I did to fix it and this is what I would expect to see in future forum threads:

    Generate a self-signed certificate on the RHDS Server. Import the certificate into Zimbra using the following command:

    sudo /opt/zimbra/java/bin/keytool -import -alias <alias> -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file <certfile>

    In the previous versions of Zimbra it required the user to restart Tomcat, but I believe Tomcat has been replaced with mailboxd. So I did the following as the Zimbra user:

    zmmailboxdctl stop
    zmmailboxdctl start

    zmcontrol stop
    zmcontrol start

    Just a side note, the certfile that is used to import can be of any file type. I found it easy to just copy the cert file into a text file and import it in.

    It may not be necessary, but I imported in the RHDS Admin Server Cert, the RHDS Directory Server Cert and the CA Cert.
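
Added example, not part of the original posts and not Zimbra or Red Hat code: a shell script that builds a constructed throwaway CA with two server certificates, then shows that both fail validation against a trust store lacking the CA and both pass once the CA alone is the anchor. `openssl verify` stands in here for Java's PKIX check; the file names, the `constructed-rhds-ca` alias and the scratch keystore are assumptions, and the keytool step runs only if keytool is installed.

```shell
#!/bin/sh
# Constructed throwaway PKI: one self-signed CA, two server certs it issued
# (standing in for the directory and admin server certs), one unrelated CA.
make_pki() {  # $1 = scratch directory
  d=$1
  for ca in ca other; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-$ca" \
      -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
  done
  for name in ds admin; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name.example.test" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
      -CAcreateserial -days 1 -out "$d/$name.pem" 2>/dev/null || return 1
  done
}

# True only if cert $2 chains to the trust anchor in $1: the same question
# Java's PKIX path builder asks of cacerts during the LDAPS handshake.
chain_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint, to compare with the value shown on the directory
# server itself before the file is trusted anywhere.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Import into a scratch keystore, never the live cacerts, for a dry run.
import_ca() {  # $1 = CA PEM, $2 = keystore path, $3 = alias
  keytool -importcert -noprompt -alias "$3" -file "$1" \
    -keystore "$2" -storepass changeit
}

work=$(mktemp -d)
make_pki "$work" || { echo "openssl failed" >&2; exit 1; }
for leaf in ds admin; do
  chain_trusted "$work/other.pem" "$work/$leaf.pem" ||
    echo "$leaf: no path to a trusted anchor (the PKIX failure)"
  chain_trusted "$work/ca.pem" "$work/$leaf.pem" &&
    echo "$leaf: valid once the issuing CA is the anchor"
done
fingerprint "$work/ca.pem"
if command -v keytool >/dev/null 2>&1; then
  import_ca "$work/ca.pem" "$work/scratch.jks" constructed-rhds-ca ||
    echo "keytool import failed" >&2
fi
rm -rf "$work"
```

Against a real deployment the CA file is exported on the directory server and its fingerprint compared there before it is imported with the keytool command from the posts above.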
