#1 (permalink), 04-28-2010, 01:14 PM
Loyal Member, Posts: 89
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

I've just noticed repeated entries in one of my logs:

Code:
$ grep certificate_unknown /opt/zimbra/log/mailbox.log
2010-04-28 14:46:03,665 WARN  [btpool0-8] [] log - javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

After a brief jaunt around Google it seems that all related topics were From developers To developers. I am NOT a programmer and I really didn't get much out of those searches.

These messages are being generated in the log about 1 every minute. The server is sending and receiving fine. I'm not sure what the cause could be.

I've scripted the process for a yearly auto-renewal of the self-signed cert. So, certificate generation is consistent. It seems to be working in the test lab. I'm not sure what's different in production.

These are the cert details:
Code:
# zmcertmgr viewdeployedcrt
::service mta::
notBefore=Apr 21 02:47:06 2010 GMT
notAfter=May 21 02:47:06 2011 GMT
subject= /C=US/ST=IA/O=familiesfirstinc/OU=OFFICE/CN=*.domain.tld
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.domain.tld
SubjectAltName= 
::service proxy::
notBefore=Apr 21 02:47:06 2010 GMT
notAfter=May 21 02:47:06 2011 GMT
subject= /C=US/ST=IA/O=familiesfirstinc/OU=OFFICE/CN=*.domain.tld
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.domain.tld
SubjectAltName= 
::service mailboxd::
notBefore=Apr 21 02:47:06 2010 GMT
notAfter=May 21 02:47:06 2011 GMT
subject= /C=US/ST=IA/O=familiesfirstinc/OU=OFFICE/CN=*.domain.tld
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.domain.tld
SubjectAltName= 
::service ldap::
notBefore=Apr 21 02:47:06 2010 GMT
notAfter=May 21 02:47:06 2011 GMT
subject= /C=US/ST=IA/O=familiesfirstinc/OU=OFFICE/CN=*.domain.tld
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.domain.tld
SubjectAltName=

Code:
$ hostname
zerver.domain.tld

$ nslookup zerver.domain.tld
Name:	zerver.domain.tld
Address: 10.0.0.14

$ nslookup mail.domain.tld
Name:	mail.domain.tld
Address: 10.0.0.14

$ nslookup 10.0.0.14
14.0.0.10.in-addr.arpa	name = mail.domain.tld.

Again, this is the same process I use when testing and these messages do not appear in the logs on the test boxes. What's gone wrong here?

Thanks in advance,
todd_dsm

Don't forget to Vote for this RFE:
RFE: A place To Display the contents of 'My Documents'
Reasoning: It's new, bold, and cool.

Last edited by todd_dsm; 10-08-2010 at 09:26 AM..

#2 (permalink), 04-28-2010, 01:26 PM
Moderator, Posts: 1,554

Have you seen this?

Trouble connecting Cingular/Samsung Blackjack to Zimbra Open Source Edition

It might suggest that the error is coming from a client app trying to connect and constantly erroring on the SSL. As far as you can tell, is everything working correctly even though you see this error?

#3 (permalink), 04-28-2010, 02:59 PM
Loyal Member, Posts: 89

bdial, Yes - everything is smooth as you could expect.

I know there are users at the client site that have BlackBerries, Androids, and iPhones that may be trying to connect. I will look into the link you left above and get root-cause back when I find something.

Thanks for the reply,

TT

#4 (permalink), 05-01-2010, 05:27 PM
Loyal Member, Posts: 89

@bdial

The link you posted doesn't seem to be relevant to this scenario. Here's why:

1) I checked the logs. The error occurred before delivering to the client's site. It was there from the beginning of the first day. At this point I was the only one accessing the box.

2) I found a post that links btpool errors to Apache.
I guess I don't get the 'solved' part. To me it just seems to trail off...

3) Certificate says 'Unknown'
  • Connect to server via https://mail.domain.tld
  • Click on the cert to the left of the web address. It says:
    You are connected to domain.tld
    Which is run by (unknown)

After a little more testing I've determined that 2 things cause this:
1) It definitely happens when in Firefox and confirming a certificate exception.
2) Something else :P There must be other reasons for generating this error. I have ga-jillions of them in my logs and only 57 users creating a 1-time cert exception.

I'll just be explicit here. I'm not so well versed with Apache's relationship with certs. It seems a matter of filling in that 'unknown' entry in the cert but that's just a thin, thin theory.

I used the self-signed cert info from the wiki.

Any theories/ideas?

Thanks in advance,
todd_dsm

Last edited by todd_dsm; 10-08-2010 at 09:26 AM..
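
An added example, not part of the thread and not written by any poster: a shell function that measures the spacing between certificate_unknown entries in mailbox.log, to check the "about 1 every minute" observation against the "57 users confirming an exception" theory. A steady gap is consistent with an automated client retrying on a timer, while irregular gaps fit people opening browsers. The sample log lines are constructed; only the timestamp layout is taken from the line quoted in post #1.

```shell
#!/bin/sh
# Added example: measure the spacing between certificate_unknown alerts.
# Input: mailbox.log-style lines on stdin, with the timestamp layout seen
# in the thread ("2010-04-28 14:46:03,665 WARN ...").

# Print "<gap_seconds> <count>" for every gap between consecutive alerts,
# most frequent gap first. Gaps that span a date change are skipped.
alert_gaps() {
    awk '
    /Received fatal alert: certificate_unknown/ {
        split($2, t, /[:,]/)                      # HH MM SS mmm
        now = t[1] * 3600 + t[2] * 60 + t[3]      # seconds since midnight
        if (seen && $1 == day) gaps[now - prev]++
        day = $1; prev = now; seen = 1
    }
    END { for (g in gaps) print g, gaps[g] }
    ' | sort -k2,2nr -k1,1n
}

# Print only the most common gap in seconds (empty with fewer than 2 alerts).
dominant_gap() {
    alert_gaps | awk 'NR == 1 { print $1 }'
}

# Constructed sample log, not taken from the poster's server.
sample_log() {
    cat <<'EOF'
2010-04-28 14:46:03,665 WARN  [btpool0-8] [] log - javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
2010-04-28 14:46:10,102 INFO  [btpool0-3] [] log - unrelated line
2010-04-28 14:47:03,671 WARN  [btpool0-9] [] log - javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
2010-04-28 14:48:03,660 WARN  [btpool0-8] [] log - javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
2010-04-28 14:48:41,007 WARN  [btpool0-2] [] log - javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
2010-04-28 14:49:03,668 WARN  [btpool0-8] [] log - javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
EOF
}

sample_log | alert_gaps
```

To run it on the real log, use `alert_gaps < /opt/zimbra/log/mailbox.log`.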