SSL connect problem, most likely untrusted certificate

[eteno]

I am new to Linux and other open source distributions, so please be patient with me.

I am using external LDAP authentication with Red Hat Directory Server. I can authenticate to RHDS via port 389 with no problems, the test is successful.

However, I have switched my RHDS system over to SSL using port 636 LDAPS.

When I use the authetication wizard in Zimbra and choose port 636 and check the checkbox to enable SSL, I get an error at the end of my test.

Here is what I see:

Authentication failed:
SSL connect problem, most likely untrusted certificate

javax.naming.CommunicationException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderE xception: unable to find valid certification path to requested target [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderE xception: unable to find valid certification path to requested target]; remaining name 'dc=servername,dc=com'
at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:19 65)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1 810)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:17 35)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_sea rch(ComponentDirContext.java:368)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContex t.search(PartialCompositeDirContext.java:338)
at javax.naming.directory.InitialDirContext.search(In itialDirContext.java:257)
at com.zimbra.cs.account.ldap.LdapUtil.searchDir(Ldap Util.java:1210)
at com.zimbra.cs.account.ldap.LdapUtil.ldapAuthentica te(LdapUtil.java:317)
at com.zimbra.cs.account.ldap.Check.checkAuthConfig(C heck.java:146)
at com.zimbra.cs.service.admin.CheckAuthConfig.handle (CheckAuthConfig.java:46)
at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEng ine.java:342)
at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.jav a:208)
at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.jav a:113)
at com.zimbra.soap.SoapServlet.doPost(SoapServlet.jav a:272)
at javax.servlet.http.HttpServlet.service(HttpServlet .java:727)
at com.zimbra.cs.servlet.ZimbraServlet.service(Zimbra Servlet.java:174)
at javax.servlet.http.HttpServlet.service(HttpServlet .java:820)
at org.mortbay.jetty.servlet.ServletHolder.handle(Ser vletHolder.java:487)
at org.mortbay.jetty.servlet.ServletHandler$CachedCha in.doFilter(ServletHandler.java:1093)
at org.mortbay.servlet.UserAgentFilter.doFilter(UserA gentFilter.java:81)
at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter .java:132)
at org.mortbay.jetty.servlet.ServletHandler$CachedCha in.doFilter(ServletHandler.java:1084)
at org.mortbay.jetty.servlet.ServletHandler.handle(Se rvletHandler.java:360)
at org.mortbay.jetty.security.SecurityHandler.handle( SecurityHandler.java:216)
at org.mortbay.jetty.servlet.SessionHandler.handle(Se ssionHandler.java:181)
at org.mortbay.jetty.handler.ContextHandler.handle(Co ntextHandler.java:716)
at org.mortbay.jetty.webapp.WebAppContext.handle(WebA ppContext.java:406)
at org.mortbay.jetty.handler.ContextHandlerCollection .handle(ContextHandlerCollection.java:211)
at org.mortbay.jetty.handler.HandlerCollection.handle (HandlerCollection.java:114)
at org.mortbay.jetty.handler.HandlerWrapper.handle(Ha ndlerWrapper.java:139)
at org.mortbay.jetty.handler.RewriteHandler.handle(Re writeHandler.java:176)
at org.mortbay.jetty.handler.HandlerWrapper.handle(Ha ndlerWrapper.java:139)
at org.mortbay.jetty.Server.handle(Server.java:313)
at org.mortbay.jetty.HttpConnection.handleRequest(Htt pConnection.java:506)
at org.mortbay.jetty.HttpConnection$RequestHandler.co ntent(HttpConnection.java:844)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser. java:644)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpPa rser.java:205)
at org.mortbay.jetty.HttpConnection.handle(HttpConnec tion.java:381)
at org.mortbay.io.nio.SelectChannelEndPoint.run(Selec tChannelEndPoint.java:396)
at org.mortbay.thread.BoundedThreadPool$PoolThread.ru n(BoundedThreadPool.java:442)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderE xception: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLExceptio n(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(S SLSocketImpl.java:1591)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Ha ndshaker.java:187)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Ha ndshaker.java:181)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serv erCertificate(ClientHandshaker.java:975)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.proc essMessage(ClientHandshaker.java:123)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoo p(Handshaker.java:516)
at com.sun.net.ssl.internal.ssl.Handshaker.process_re cord(Handshaker.java:454)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRec ord(SSLSocketImpl.java:884)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.perform InitialHandshake(SSLSocketImpl.java:1096)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRe cord(SSLSocketImpl.java:623)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write (AppOutputStream.java:59)
at java.io.BufferedOutputStream.flushBuffer(BufferedO utputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputS tream.java:123)
at com.sun.jndi.ldap.Connection.writeRequest(Connecti on.java:393)
at com.sun.jndi.ldap.Connection.writeRequest(Connecti on.java:367)
at com.sun.jndi.ldap.LdapClient.search(LdapClient.jav a:528)
at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:19 48)
... 39 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderE xception: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXV alidator.java:285)
at sun.security.validator.PKIXValidator.engineValidat e(PKIXValidator.java:191)
at sun.security.validator.Validator.validate(Validato r.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl. validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl. checkServerTrusted(X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl. checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serv erCertificate(ClientHandshaker.java:954)
... 52 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderE xception: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder. engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathB uilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXV alidator.java:280)
... 58 more


What do I need to do to fix this?

[mmorse]

It's along the lines of:

keytool -import -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -alias <alias> -file <certfile>

[eteno]

Thank you for your reply.

I am 100% sure this will help me, but I am not sure what the alias and certfile should be. Where do I get the cert from? Do I get it from my Red Hat Directory Server or do I generate this or get this my Zimbra server?

I saw this same command elsewhere, but I think I got confused on what file I should be importing.

My RHDS server requires 2 server certificates and a ca certificate. All are self signed, but I am not sure it generates an actual file specifically for each certificate.

Also, if I actually try the cert wizard in zimbra, there is a self signed cert and a comercially signed cert. We pretty much self sign all of our certs. Are we required to get a comercially signed cert?

I'm just a little confused, but I know this will get resolved if you remain patient with me.

[eteno]

By the way, I am the administrator, so I have no one else to ask here.

[eteno]

This thread can be resolved.

Here is what I did to fix it and this is what I would expect to see in future forum threads:

Generate a self signed certificate on the RHDS Server. Import the certificate into Zimbra using the following command:

sudo /opt/zimbra/java/bin/keytool -import -alias <alias> -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file <certfile>

In the previous versions of Zimbra it required the user to restart Tomcat, but I believe Tomcat has been replaced with mailboxd. So I did the following as Zimbra user:

zmmailboxdctl stop
zmmailboxdctl start

zmcontrol stop
zmcontrol start

Just a side note, the certfile that is used to import can be of any file type. I found it easy to just copy the cert file into a text file and import it in.

It may not be necessary, but I imported in the RHDS Admin Server Cert, the RHDS Directory Server Cert and the CA Cert.