Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: ZD untrusted Verisign SSL cert

  1. #1
    JaymeH is offline Intermediate Member
    Join Date
    Apr 2008
    Posts
    16

    Default ZD untrusted Verisign SSL cert

    6.0.8_GA_2661.RHEL5_64_20100820052503 CentOS5_64 FOSS edition

    Zimbra Desktop 1.0(build 1593)

    Background:
    Yesterday I updated my Verisign SSL cert to a VeriSign Class 3 Secure Server CA - G3. First I grabbed my old CSR from /opt/zimbra/ssl/zimbra/commercial/commercial.csr and sent it to VeriSign. VeriSign sent me back my new cert which I just called commercial.crt. I then went back to VeriSign and got their new root.ca, primary_intermediate.ca, and seconday_intermediate.ca. Next I concatenated the three ca files together into commercial_ca.crt. I edited commercial_ca.crt and made sure there were no gaps and each cert had a -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- on separate lines. Then I ran, as root,
    Code:
    zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key commercial.crt commercial_ca.crt
    and everything came back as valid. Passing that test I decided to deploy with
    Code:
    zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
    which seemed to install without error so I
    Code:
    su - zimbra
    zmcontrol stop
    zmcontrol start
    The Zimbra service came back up fine. I checked the new SSL cert out in a few different browsers and all behaved as should be expected.

    Problem:
    ZD pukes with "Invalid or Untrusted SSL Certificate". Now I know I can just accept the "untrusted" cert and carry on but I would prefer this to work properly. Below is the attached log.

    Code:
    2010-11-19 09:18:33,937 ERROR [sync-timer-dir] [] offline - sync failure: example@example.com
    com.zimbra.common.service.RemoteServiceException: d2:CN19:mail.example.com1:O20:Example Laboratories2:OU42:Terms of use at www.verisign.com/rpa (c)056:accept4:true5:alias51:mail.example.com:C4D68D7A4D237818BC7A89275BB3EB84:fromi1289865600000e4:host19:mail.examle.com3:icn38:VeriSign Class 3 Secure Server CA - G32:io9:"VeriSign3:iou50:Terms of use at https://www.verisign.com/rpa (c)103:md532:CE4BA9F5B0E7D8CD4FCEABCB1C23EF598:mismatch5:false1:s31:C4D68D7A4D237818BC7A89275BB3EB84:sha140:220414C6AC6CAC3C4DF9FBF6BF8CE077D27304192:toi1353369599000ee
    ExceptionId:sync-timer-dir:1290183513937:c83e5e50d2c41cbf
    Code:remote.SSLCERT_ERROR
    	at com.zimbra.common.service.RemoteServiceException.SSLCERT_ERROR(RemoteServiceException.java:74)
    	at com.zimbra.common.service.RemoteServiceException.doSSLFailures(RemoteServiceException.java:154)
    	at com.zimbra.cs.zclient.ZMailbox.invoke(ZMailbox.java:520)
    	at com.zimbra.cs.zclient.ZMailbox.invoke(ZMailbox.java:508)
    	at com.zimbra.cs.zclient.ZMailbox.getAccountInfo(ZMailbox.java:895)
    	at com.zimbra.cs.account.offline.DirectorySync.syncAccount(DirectorySync.java:210)
    	at com.zimbra.cs.account.offline.DirectorySync.sync(DirectorySync.java:175)
    	at com.zimbra.cs.account.offline.DirectorySync.syncAllAccounts(DirectorySync.java:137)
    	at com.zimbra.cs.account.offline.DirectorySync.access$000(DirectorySync.java:55)
    	at com.zimbra.cs.account.offline.DirectorySync$1.run(DirectorySync.java:70)
    	at java.util.TimerThread.mainLoop(Unknown Source)
    	at java.util.TimerThread.run(Unknown Source)
    Caused by: java.security.cert.CertificateException: d2:CN19:mail.example.com1:O20:Example Laboratories2:OU42:Terms of use at www.verisign.com/rpa (c)056:accept4:true5:alias51:mail.example.com:C4D68D7A4D237818BC7A89275BB3EB84:fromi1289865600000e4:host19:mail.example.com3:icn38:VeriSign Class 3 Secure Server CA - G32:io9:"VeriSign3:iou50:Terms of use at https://www.verisign.com/rpa (c)103:md532:CE4BA9F5B0E7D8CD4FCEABCB1C23EF598:mismatch5:false1:s31:C4D68D7A4D237818BC7A89275BB3EB84:sha140:220414C6AC6CAC3C4DF9FBF6BF8CE077D27304192:toi1353369599000ee
    	at com.zimbra.common.util.CustomTrustManager.checkServerTrusted(CustomTrustManager.java:91)
    	at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    	at com.zimbra.common.util.CustomSSLSocket.startHandshake(CustomSSLSocket.java:197)
    	at com.zimbra.common.util.CustomSSLSocket.getInputStream(CustomSSLSocket.java:331)
    	at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:744)
    	at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
    	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
    	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
    	at com.zimbra.common.soap.SoapHttpTransport.invoke(SoapHttpTransport.java:276)
    	at com.zimbra.common.soap.SoapHttpTransport.invoke(SoapHttpTransport.java:230)
    	at com.zimbra.common.soap.SoapTransport.invoke(SoapTransport.java:318)
    	at com.zimbra.cs.zclient.ZMailbox.invoke(ZMailbox.java:514)
    	... 9 more
    The error message is vague to me. Did I create my cert chain file wrong? Did I miss a step somewhere? Do I need to restart the whole server and not just the Zimbra service? Should I have generated a brand new CSR for my cert request? Do I need a newer version of ZD? Why are the web browsers fine with the new cert but ZD is having a heart attack? Any help or insight will be much appreciated.
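The exception text in the log above is not free-form: everything after `RemoteServiceException: ` is a bencoded dictionary (`d...e`, with `<length>:<string>` and `i<number>e` entries) describing the certificate ZD received and the issuer it saw. The following is an added example, not Zimbra's code: it decodes that dictionary, then checks whether the SHA-1 it reports matches one of the certificates in the chain file assembled in the steps above (a commercial.crt concatenated with the CA certs). The log line and the PEM "certificates" in it are constructed stand-ins with self-consistent lengths, and the meaning given to `icn`/`io`/`iou` (issuer CN/O/OU), `from`/`to` (validity in milliseconds since the epoch) and `mismatch` (host-name mismatch) is this example's reading of the log, not Zimbra documentation.

```python
"""Decode Zimbra Desktop's bencoded SSLCERT_ERROR descriptor and compare the
SHA-1 it reports against the certs in a deployed PEM chain file.
Added example, not Zimbra's code; key meanings are an assumption from the log."""
import base64
import hashlib
import re
from datetime import datetime, timezone

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_RE = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)


def bencode(obj) -> bytes:
    """Encoder, used here only to build the constructed sample payload."""
    if isinstance(obj, bool):
        obj = "true" if obj else "false"
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, dict):  # bencode dict keys are sorted bytewise
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in sorted(obj.items())) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")


def bdecode(data: bytes, pos: int = 0):
    """Minimal bencode decoder; returns (value, position after the value)."""
    c = data[pos:pos + 1]
    if c == b"i":  # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":  # list: l<items>e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":  # dict: d<key><value>...e
        result, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            val, pos = bdecode(data, pos)
            result[key.decode()] = val.decode() if isinstance(val, bytes) else val
        return result, pos + 1
    if c.isdigit():  # string: <length>:<bytes>
        colon = data.index(b":", pos)
        start, length = colon + 1, int(data[pos:colon])
        return data[start:start + length], start + length
    raise ValueError(f"bad bencode at offset {pos}")


def parse_sslcert_error(log_text: str) -> dict:
    """Pull the bencoded dict out of a ZD 'RemoteServiceException: d...e' log line."""
    payload = log_text.split("RemoteServiceException: ", 1)[1].split("\n", 1)[0].strip()
    info, used = bdecode(payload.encode())
    if used != len(payload):
        raise ValueError("trailing bytes after the bencoded dict")
    for key in ("from", "to"):  # assumption: validity as ms since the epoch
        if isinstance(info.get(key), int):
            info[key] = datetime.fromtimestamp(info[key] / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return info


def pem_certs(bundle: str) -> list:
    """DER bytes of each cert in a PEM bundle; rejects markers that share a line or are unbalanced."""
    for line in bundle.splitlines():
        s = line.strip()
        if "-----" in s and s not in (BEGIN, END):
            raise ValueError(f"marker not on its own line: {s!r}")
    if bundle.count(BEGIN) != bundle.count(END):
        raise ValueError("unbalanced BEGIN/END CERTIFICATE markers")
    ders = [base64.b64decode("".join(m.group(1).split()), validate=True) for m in PEM_RE.finditer(bundle)]
    if len(ders) != bundle.count(BEGIN):
        raise ValueError("a BEGIN marker has no matching END")
    return ders


def fingerprints(der: bytes) -> dict:
    """Upper-case, colon-free hex digests, the form ZD prints in md5/sha1."""
    return {"md5": hashlib.md5(der).hexdigest().upper(), "sha1": hashlib.sha1(der).hexdigest().upper()}


def match_reported_cert(info: dict, bundle: str):
    """Index of the cert in `bundle` whose SHA-1 equals the one ZD reported, else None."""
    for i, der in enumerate(pem_certs(bundle)):
        if fingerprints(der)["sha1"] == info.get("sha1", "").upper():
            return i
    return None


def pem_block(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return "\n".join([BEGIN, *(b64[i:i + 64] for i in range(0, len(b64), 64)), END]) + "\n"


# Constructed stand-ins for the deployed certs: opaque bytes, not real X.509 DER.
LEAF_DER = b"constructed leaf (commercial.crt) " * 3
ISSUER_DER = b"constructed intermediate (commercial_ca.crt) " * 3
SAMPLE_CHAIN = pem_block(LEAF_DER) + pem_block(ISSUER_DER)

# Constructed log line in the shape of the thread's, with self-consistent bencode lengths.
SAMPLE_LOG = (
    "2010-11-19 09:18:33,937 ERROR [sync-timer-dir] [] offline - sync failure: example@example.com\n"
    "com.zimbra.common.service.RemoteServiceException: "
    + bencode({
        "CN": "mail.example.com", "O": "Example Laboratories",
        "OU": "Terms of use at www.verisign.com/rpa (c)05",
        "accept": "true", "host": "mail.example.com", "mismatch": "false",
        "alias": "mail.example.com:" + fingerprints(LEAF_DER)["md5"],
        "from": 1289865600000, "to": 1353369599000,
        "icn": "VeriSign Class 3 Secure Server CA - G3", "io": "VeriSign, Inc.",
        "iou": "Terms of use at https://www.verisign.com/rpa (c)10",
        "s": "C4D68D7A4D237818BC7A89275BB3EB84",
        "md5": fingerprints(LEAF_DER)["md5"], "sha1": fingerprints(LEAF_DER)["sha1"],
    }).decode()
    + "\nExceptionId:sync-timer-dir:1290183513937:c83e5e50d2c41cbf\nCode:remote.SSLCERT_ERROR\n"
)

if __name__ == "__main__":
    info = parse_sslcert_error(SAMPLE_LOG)
    for key, value in info.items():
        print(f"{key:>8}: {value}")
    print("reported SHA-1 matches chain entry:", match_reported_cert(info, SAMPLE_CHAIN))
```

Read against a real log line, `mismatch: false` together with `CN` equal to `host` says the name check passed, so what ZD rejected is the trust chain, not the subject; `icn` names the issuer ZD was unable to chain to a root it trusts. A `sha1` that matches commercial.crt confirms ZD is seeing the newly deployed certificate rather than a cached old one, which is the point to check before chasing leftover "accept" state on the client; whether the intermediate is actually being sent is then a server-side question (for instance `openssl s_client -connect mail.example.com:443 -showcerts` from another host).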

  2. #2
    phoenix is online now Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,586

    Default

    You really should use ZD 2.x, details on the download are in the Zimbra Desktop forums - please make sure you read the installation documentation and the FAQ before installing it.
    Regards


    Bill

  3. #3
    JaymeH is offline Intermediate Member
    Join Date
    Apr 2008
    Posts
    16

    Default

    Thanks for the reply!

    I un-installed my ZD 1.0 completely and then installed a fresh ZD 2.0(build 10580). However, I get an "untrusted" certificate when trying to establish my account. I wish that error message was a little more clear.

  4. #4
    Join Date
    Dec 2010
    Location
    Rochester NY
    Posts
    5

    Default

    We are experiencing the same problem after a cert upgrade this past weekend.

    Our cert is also "Verisign SSL cert to a VeriSign Class 3 Secure Server CA - G3", and our zDesktop users are having the same issue. All our users who use zDesktop are currently using Zimbra Desktop 2.0 (build 10580).

    Our users who use IE or Firefox are not experiencing this problem. We haven't had any of our Outlook Connector users report problems yet, but it's still early Monday morning, so time will tell.

    I use zDesktop myself, same build as our user-base, and I was presented with the cert error myself.

    JaymeH - Are you still experiencing this problem, or have you somehow resolved it? (...and how?)

    Zimbra Folks - Any suggestions?

    Thanks much,

    --
    Chris Wilson
    University IT / DC
    _______________________________________

  5. #5
    Join Date
    Dec 2010
    Location
    Rochester NY
    Posts
    5

    Default

    Just an FYI; Upgrading to zDesktop 2.0.1 build 10659 has not resolved the problem.

  6. #6
    JaymeH is offline Intermediate Member
    Join Date
    Apr 2008
    Posts
    16

    Default

    Confirmed! ZD 2.0.1 build 10659 fixes this problem. Thanks for the awesome work guys.

  7. #7
    Join Date
    Dec 2010
    Location
    Rochester NY
    Posts
    5

    Default

    Hrm... Too bad for me, it did _not_ fix my problems. I've tested browsers as old as Safari 3.0 and no cert problems. Right now it's _just_ zDesktop that complains, and I'm not sure what to look at.

    Zimbra folks - is there anything I can collect from the client that would help determine what ZD is complaining about (logs/output files/etc.)?

    I had to tell ZD to "accept the invalid cert" during the "Validate and Save" process instead.

  8. #8
    JaymeH is offline Intermediate Member
    Join Date
    Apr 2008
    Posts
    16

    Default

    Hmm. Maybe I missed something then. I did a complete uninstall of ZD before I installed 2.0.1. I set up my account, it didn't bark at me this time, and is currently syncing. Your comment however, makes me wonder if the uninstall removed everything or if it conveniently left behind the previously accepted chain in some ZD directory. I will re-test.

    I must say I feel like an ass now. For whatever reason my brain did not read the "not" part of your comment. Reading comprehension for the win! Anyways, hopefully I will have time to try this again in the next hour or two and then I will post my findings here.

  9. #9
    Join Date
    Dec 2010
    Location
    Rochester NY
    Posts
    5

    Default

    JaymeH - no worries. That's a very good possibility about the previous "accept" being left over somewhere within your AppData/Profile area, as opposed to the installation area.

    I hadn't done the manual "accept" until after I tried the upgrade to ZD v2.0.1, at-which point I basically just needed to get things to work.

    I've had to relay to our organization's IT Helpdesk to walk our end-users through the same "accept the invalid cert" process as well, unfortunately. Folks who use ZD in our environment have gotten very addicted to the "offline" capabilities, especially with the "Local Folders" area for holding older data.

    It's a shame that, as far as I can tell so far, it's _just_ ZD complaining about things at the moment. It's almost as if it's completely ignoring the cert-chain, which even browsers as old as Safari 3.0 are properly accepting.

  10. #10
    JaymeH is offline Intermediate Member
    Join Date
    Apr 2008
    Posts
    16

    Default

    Yup. I was hasty. After I uninstalled ZD I also deleted all Zimbra related folders in Application Data and Local Settings land. Upon reinstalling ZD I again received the beloved warning about the cert being untrusted. But you're right, young and old browsers alike are OK with this chain.

    Time to do some more poking around.
