11-16-2010, 05:46 AM
| | | Self-signed cert. created/deployed but can't connect in browser
Hi
I have created a self-signed cert as per this wiki page.
Everything went fine, w/o error but when trying to connect via the browser, it complains that it is unable to connect. No errors given in browser. This is internal so no firewall issues. I have restarted zimbra.
Am I missing something? Is the url more than just https://<server_ip> ?
The admin console loads via https just fine. Not sure if this is using same cert.
Regards,
Scott
Last edited by strafford; 11-16-2010 at 06:00 AM..
| 
11-16-2010, 06:02 AM
| | Zimbra Consultant & Moderator | |
Posts: 20,313
| | Quote:
Originally Posted by strafford I have created a self-signed cert as per this wiki page.
Everything went fine, w/o error but when trying to connect via the browser, it complains that it is unable to connect. No errors given in browser. This is internal so no firewall issues. I have restarted zimbra. | You should see a warning about the Certificate, try clearing the browser cache and if that doesn't work then delete the old certificate from your browser and try again. Quote:
Originally Posted by strafford Am I missing something? Is the url more than just https://<server_ip> ? | Yes, the format is actually: https://<fqdn.of.yourserver> - you should not be connecting via the IP address.
__________________
Regards
Bill
| 
11-16-2010, 06:33 AM
| | | Bill
Thanks for the reply. I cleared out my cache, but no change. Still get: Code: Unable to connect
Firefox can't establish a connection to the server at <local_ip> Quote:
Originally Posted by phoenix You should see a warning about the Certificate, try clearing the browser cache and if that doesn't work then delete the old certificate from your browser and try again. | There was one there (probably from the admin console access) but no change. Quote:
Originally Posted by phoenix Yes, the format is actually: https://<fqdn.of.yourserver> - you should not be connecting via the IP address. | This is a fake fqdn. I added it to my hosts file but that did not make a difference (I would imagine this would only help get rid of the ssl cert. domain name warnings though I am no expert here).
One thing to note (not sure if it's relevant) but in Firefox, under the certificate manager, in the 'Servers' tab, there is a set of certs for 'Zimbra Collaboration Suite', and under that are two certs. First one is for fqdn, and local ip w/ port 443, and expires 12/04/2011 (this is strange since this was a new install last week). Second cert is also for fqdn, local ip and port 7071 for the admin console, with expiry of 15/11/2011 (which is correct, since I recreated it yesterday). | 
11-16-2010, 06:48 AM
| | Zimbra Consultant & Moderator | |
Posts: 20,313
| | Quote:
Originally Posted by strafford Bill
Thanks for the reply. I cleared out my cache, but no change. Still get: Code: Unable to connect
Firefox can't establish a connection to the server at <local_ip>
There was one there (probably from the admin console access) but no change. | Can you telnet to the server on port 443? Quote:
Originally Posted by strafford This is a fake fqdn. I added it to my hosts file but that did not make a difference (I would imagine this would only help get rid of the ssl cert. domain name warnings though I am no expert here). | You should remove the FQDN from your hosts file and create DNS & A records for the domain and point it to the server. Quote:
Originally Posted by strafford One thing to note (not sure if it's relevant) but in Firefox, under the certificate manager, in the 'Servers' tab, there is a set of certs for 'Zimbra Collaboration Suite', and under that are two certs. First one is for fqdn, and local ip w/ port 443, and expires 12/04/2011 (this is strange since this was a new install last week). Second cert is also for fqdn, local ip and port 7071 for the admin console, with expiry of 15/11/2011 (which is correct, since I recreated it yesterday). | Just remove all of the certificates and then you should get the request to confirm the certificate when you connect.
__________________
Regards
Bill
| 
11-16-2010, 07:00 AM
| | | Sorry, but I meant my Windows hosts file. I have properly set up the fake fqdn. It resolves, dnslookup works, etc.
I did remove the cert., but there was no change.
-Scott | 
11-16-2010, 07:05 AM
| | | Quote:
Originally Posted by phoenix Can you telnet to the server on port 443? | I get a 'Connection refused' response. | 
11-16-2010, 07:16 AM
| | Zimbra Consultant & Moderator | |
Posts: 20,313
| | Quote:
Originally Posted by strafford I get a 'Connection refused' response. | That would indicate that the service isn't available on that port, things to check: firewall; all zimbra services running; other web server running; etc.? Have a look at the services first and also check the log files for problems.
__________________
Regards
Bill
| 
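The check Bill describes above, as an added example that is not part of the original thread: it separates a TCP-level refusal (nothing listening, so the certificate is never involved) from a port that accepts connections but fails or completes a TLS handshake. The function names `probe` and `check_ports` are hypothetical; ports 443 and 7071 are the ones mentioned in the thread.

```python
import socket
import ssl
import sys


def probe(host, port, timeout=3.0):
    """Classify a connection attempt to host:port.

    "refused"     nothing is listening; TLS never starts, so the
                  certificate cannot be the cause
    "timeout"     no answer (filtered or host down)
    "unreachable" name resolution or routing failed
    "tls-ok"      TCP connected and a TLS handshake completed
    "tls-failed"  TCP connected but the handshake did not complete
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "unreachable"
    # Certificate verification is switched off for this diagnostic only, so
    # that a self-signed certificate still counts as a working TLS listener.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "tls-ok"
    except (ssl.SSLError, OSError):
        return "tls-failed"
    finally:
        sock.close()


def check_ports(host, ports=(443, 7071), timeout=3.0):
    """Probe the web client port and the admin console port from the thread."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # constructed default
    for port, state in check_ports(target).items():
        print(f"{target}:{port} -> {state}")
```

A result of "refused" on 443 alongside "tls-ok" on 7071 matches the symptoms reported in this thread and points at the listener rather than the certificate.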
11-16-2010, 08:06 AM
| | | This is internal, so there shouldn't be any firewall issues. In the admin console, under server status there is a check mark beside each service. This machine only runs the zimbra mail suite.
I did see this in the log files from this morning, but it doesn't update (appear again in the log) when I attempt to connect via https: Quote:
mailbox.log:2010-11-16 08:08:47,907 WARN [btpool0-12] [] log - javax.net.ssl.SSLException: Received fatal alert: unknown_ca
mailbox.log:2010-11-16 08:59:06,562 WARN [btpool0-20] [] log - javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
mailbox.log:2010-11-16 08:59:11,191 WARN [btpool0-20] [] log - javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
| | 
11-16-2010, 08:37 AM
| | Zimbra Consultant & Moderator | |
Posts: 20,313
| | Do the services show as running if you run a 'zmcontrol status'? Don't worry about the error messages, I'd expect them if you're using telnet but it should also show a connection prompt.
__________________
Regards
Bill
| 
11-16-2010, 08:40 AM
| | | Yes, when running as zimbra user, they all show as running. Telnet gives no prompt. Quote:
zimbra@mailserv:~$ zmcontrol status
Host mailserv.<mydomain>
antispam Running
antivirus Running
ldap Running
logger Running
mailbox Running
mta Running
snmp Running
spell Running
stats Running