hi!

setup:

internet - pfsense(nat) - reverseproxy apache - zimbra

we installed zimbra community edition. we managed to get ActiveSync and autodiscover working
webmail login is working

so far so good:

now we wanted to test zdesktop.

when we try to connect via apache proxy we get the following error:

Ungültiges oder nicht vertrauenswürdiges SSL-Zertifikat des Servers (means invalid or untrusted ssl certificate)
Fehlerdetails anzeigen
com.zimbra.common.soap.SoapFaultException: X.509 Certificate is incomplete: SubjectAlternativeName extension MUST be marked critical when subject field is empty
ExceptionId:com.zimbra.common.service.RemoteServiceException: X.509 Certificate is incomplete: SubjectAlternativeName extension MUST be marked critical when subject field is empty
ExceptionId:btpool0-103:1385329406103:a709e0963edf4cfc
Code:remote.SSLCERT_ERROR
    at com.zimbra.common.service.RemoteServiceException.SSLCERT_ERROR(RemoteServiceException.java:88)
    at com.zimbra.common.service.RemoteServiceException.doSSLFailures(RemoteServiceException.java:168)
    at com.zimbra.cs.zclient.ZMailbox.invoke(ZMailbox.java:568)
    at com.zimbra.cs.zclient.ZMailbox.invoke(ZMailbox.java:555)
    at com.zimbra.cs.zclient.ZMailbox.invokeJaxb(ZMailbox.java:550)
    at com.zimbra.cs.zclient.ZMailbox.authByPassword(ZMailbox.java:496)
    at com.zimbra.cs.zclient.ZMailbox.(ZMailbox.java:411)
    at com.zimbra.cs.zclient.ZMailbox.getMailbox(ZMailbox.java:348)
    at com.zimbra.cs.account.offline.OfflineProvisioning.newZMailbox(OfflineProvisioning.java:287)
    at com.zimbra.cs.account.offline.OfflineProvisioning.newZMailbox(OfflineProvisioning.java:279)
    at com.zimbra.cs.account.offline.OfflineProvisioning.createSyncAccount(OfflineProvisioning.java:670)
    at com.zimbra.cs.account.offline.OfflineProvisioning.createAccount(OfflineProvisioning.java:643)
    at com.zimbra.cs.service.admin.CreateAccount.handle(CreateAccount.java:64)
    at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:412)
    at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:287)
    at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:158)
    at com.zimbra.soap.SoapServlet.doWork(SoapServlet.java:303)
    at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:217)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
    at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:206)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:814)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:390)
    at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:218)
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
    at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:422)
    at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
    at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    at org.mortbay.jetty.handler.rewrite.RewriteHandler.handle(RewriteHandler.java:230)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    at org.mortbay.jetty.Server.handle(Server.java:326)
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:585)
    at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:988)
    at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:756)
    at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:415)
    at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:429)
    at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)
Caused by: java.security.cert.CertificateParsingException: X.509 Certificate is incomplete: SubjectAlternativeName extension MUST be marked critical when subject field is empty
    at sun.security.x509.X509CertInfo.verifyCert(Unknown Source)
    at sun.security.x509.X509CertInfo.parse(Unknown Source)
    at sun.security.x509.X509CertInfo.(Unknown Source)
    at sun.security.x509.X509CertImpl.parse(Unknown Source)
    at sun.security.x509.X509CertImpl.(Unknown Source)
    at sun.security.provider.X509Factory.engineGenerateCertificate(Unknown Source)
    at java.security.cert.CertificateFactory.generateCertificate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.HandshakeMessage$CertificateMsg.(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.zimbra.common.net.CustomSSLSocket.startHandshake(CustomSSLSocket.java:90)
    at com.zimbra.common.net.CustomSSLSocket.getInputStream(CustomSSLSocket.java:341)
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:745)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at com.zimbra.common.soap.SoapHttpTransport.invoke(SoapHttpTransport.java:243)
    at com.zimbra.common.soap.SoapHttpTransport.invoke(SoapHttpTransport.java:164)
    at com.zimbra.common.soap.SoapTransport.invoke(SoapTransport.java:407)
    at com.zimbra.cs.zclient.ZMailbox.invoke(ZMailbox.java:561)
    ... 37 more
Code:remote.SSLCERT_ERROR
    at com.zimbra.common.soap.Soap12Protocol.soapFault(Soap12Protocol.java:88)
    at com.zimbra.common.soap.SoapTransport.extractBodyElement(SoapTransport.java:354)
    at com.zimbra.common.soap.SoapTransport.parseSoapResponse(SoapTransport.java:313)
    at com.zimbra.common.soap.SoapHttpTransport.invoke(SoapHttpTransport.java:260)
    at com.zimbra.common.soap.SoapHttpTransport.invoke(SoapHttpTransport.java:164)
    at com.zimbra.common.soap.SoapTransport.invoke(SoapTransport.java:407)
    at com.zimbra.common.soap.SoapTransport.invokeWithoutSession(SoapTransport.java:393)
    at com.zimbra.cs.account.soap.SoapProvisioning.invokeRequest(SoapProvisioning.java:342)
    at com.zimbra.cs.account.soap.SoapProvisioning.invoke(SoapProvisioning.java:350)
    at com.zimbra.cs.account.soap.SoapProvisioning.createAccount(SoapProvisioning.java:493)
    at com.zimbra.cs.offline.jsp.JspProvStub.createOfflineAccount(JspProvStub.java:94)
    at com.zimbra.cs.offline.jsp.ZmailBean.doRequest(ZmailBean.java:151)
    at com.zimbra.cs.offline.jsp.FormBean.doRequest(FormBean.java:156)
    at sun.reflect.GeneratedMethodAccessor50.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.sun.el.parser.AstFunction.getValue(AstFunction.java:127)
    at com.sun.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:206)
    at org.apache.jasper.runtime.PageContextImpl.evaluateExpression(PageContextImpl.java:1001)
    at org.apache.jsp.desktop.accsetup_jsp._jspx_meth_c_when_6(Unknown Source)
    at org.apache.jsp.desktop.accsetup_jsp._jspx_meth_c_choose_0(Unknown Source)
    at org.apache.jsp.desktop.accsetup_jsp._jspService(Unknown Source)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:109)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:814)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:389)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:486)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:380)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:814)
    at com.zimbra.webClient.servlet.JspServlet.service(JspServlet.java:64)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1166)
    at com.zimbra.cs.servlet.SetHeaderFilter.doFilter(SetHeaderFilter.java:79)
    at com.zimbra.webClient.filters.SetHeaderFilter.doFilter(SetHeaderFilter.java:239)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
    at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:218)
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
    at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:422)
    at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
    at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    at org.mortbay.jetty.handler.rewrite.RewriteHandler.handle(RewriteHandler.java:230)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    at org.mortbay.jetty.Server.handle(Server.java:326)
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:585)
    at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:988)
    at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:756)
    at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:415)
    at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:429)
    at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)

if we bypass the apache proxy, e.g. we nat 9443 to 443 directly to the zimbra server, it's working (still says something about the certificate but we can continue)

does anyone of you have a clue?

regards karl
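
The "Caused by" line in the trace is Java enforcing RFC 5280 section 4.1.2.6: a certificate with an empty subject DN must carry a subjectAltName extension marked critical. The script below is an added example, not part of the original post; it assumes the openssl command-line tool is installed, uses the placeholder host name mail.example.test, and builds three throwaway self-signed certificates to show which shape is rejected.

```shell
#!/bin/sh
# Added example (not from the original post). Flags the condition named in the
# Java exception: empty subject DN + subjectAltName that is not marked critical.

# check_cert PEM_FILE: prints a verdict; returns 1 for the case Java rejects.
check_cert() {
    subject=$(openssl x509 -in "$1" -noout -subject |
              sed -e 's/^subject=//' -e 's/[[:space:]]//g')
    if [ -n "$subject" ]; then
        echo "ok: subject present"; return 0
    fi
    if openssl x509 -in "$1" -noout -text |
       grep -q 'X509v3 Subject Alternative Name: critical'; then
        echo "ok: empty subject, critical SAN"; return 0
    fi
    echo "reject: empty subject, SAN missing or not critical"; return 1
}

# make_cert OUT_PEM SUBJECT SAN_VALUE: constructed self-signed test certificate.
# mail.example.test is a placeholder host name, not taken from the post.
make_cert() {
    cfg=$(mktemp)
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ext' \
        '[dn]' '[ext]' "subjectAltName = $3" > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -subj "$2" -keyout "$1.key" -out "$1" 2>/dev/null
    rm -f "$cfg"
}

workdir=$(mktemp -d)
# Constructed samples: the rejected shape, the RFC-conformant shape, a normal CN cert.
make_cert "$workdir/bad.pem"  "/" "DNS:mail.example.test"
make_cert "$workdir/crit.pem" "/" "critical,DNS:mail.example.test"
make_cert "$workdir/cn.pem"   "/CN=mail.example.test" "DNS:mail.example.test"
for f in bad crit cn; do
    printf '%s: ' "$f"; check_cert "$workdir/$f.pem" || true
done
```

Running check_cert on the certificate configured on the Apache proxy and on the one configured on the Zimbra server shows whether the proxy's certificate is the one with the empty subject.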