
Thread: Issue sharing Address Books with Tomcat Commercial Cert SSL

  1. #1
    airbish (Member)

    Issue sharing Address Books with Tomcat Commercial Cert SSL

    We're seeing an issue with accessing shared Address Books with commercial cert HTTPS turned on. (Self-signed cert works fine.)

    The self-cert SSL works fine, and HTTP obviously works fine. But with commercial cert HTTP on we get the following error:

    A network service error has occurred.

    msg - system failure: IOException
    code - service.FAILURE
    method - ZmCsfeCommand.prototype.invoke
    detail - soap:Receiver

    If I change my zmtlsctl to allow HTTP, then the existing shared address book(s) works fine.

    We are using an SBSInstant cert installed for Tomcat only (for now). The cert requires 3 imports to the keystore (root, intermed1, intermed2, and the server cert). I'd like to say the install was easy, but since there is little to no documentation on this particular cert, it took some digging and trial and error, but the chain finally worked. I do plan on extracting the keys and using the cert for other services as well (but haven't gotten to that yet. In fact, I HOPE that's the issue here.)

    From what we can see, everything else works. (Shared Calendars, for example, appear to be fine.)

    Any ideas? I'd really like to use HTTPS with the redirect turned off (so that EVERYTHING runs HTTPS...not just the sign-in screen).

    Thanks!

  2. #2
    jholder (Former Zimbran)

    Can you post the segment of your /opt/zimbra/log/mailbox.log that occurs at the time that you try to share the address books?

    Thanks
    john

  3. #3
    airbish (Member)

    -tail of mail.log when trying to access shared calendar.

    Looks like something is up with the root-->intermediate1->intermediate2 (no documentation whatsoever) enom/sbs cert.

    The strange thing is that all other aspects of the SSL communications (at least login/web and IMAP) with this cert seem to work OK. Firefox, for example, issues no cert warnings (or store and certs like it does with the self-signed cert). Mail.app has no issues with it either. If it truly is an untrusted cert chain (like mail.log indicates below), would there be other issues/indications?

    Any ideas? Anyone else done an SBS (securebusinessservices) cert?

    The only docs I could find were here:

    http://www.securebusinessservices.co...icate-java.asp

    I did all the instructions (including extracting the key and installing for the other services) from the zimbra commercial cert instructions at:

    http://wiki.zimbra.com/index.php?tit...cate_Procedure

    I hosed it up once because I didn't know there was an intermediate cert (much less two) required. I backed up the certs and ssl info (using the tar commands on the same page above.) I did the backups just AFTER I did the csr request. Perhaps I got the recovery of that information wrong when I restored it to try over. ?

    Thanks for your assistance.

    ---

    [root@zimbra log]# tail mailbox.log
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
    at com.zimbra.soap.SoapHttpTransport.invoke(SoapHttpTransport.java:192)
    at com.zimbra.soap.SoapTransport.invokeWithoutSession(SoapTransport.java:254)
    at com.zimbra.cs.index.ProxiedQueryResults.bufferNextHits(ProxiedQueryResults.java:307)
    ... 35 more
    Caused by: java.security.cert.CertificateException: Untrusted Server Certificate Chain
    at com.sun.net.ssl.X509TrustManagerJavaxWrapper.checkServerTrusted(SSLSecurity.java:600)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
    ... 55 more


    ---
    (Tried to add output from keytool -list but the forum said I had 'included 5 images in my message' (which I took to read that somehow the output included what the system interpreted as 'smilies')....so I left it out. Chain looks valid to me though...)
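
The trace in the last post is raised in `ClientHandshaker.serverCertificate`, that is, by a JVM acting as a TLS client, and a TLS client judges a chain against its own trust anchors plus whatever intermediates it is given, so a browser and a JVM can reach different verdicts on the same certificate. The script below is an added illustration, not part of the thread and not a diagnosis of the poster's server: it builds a constructed root -> intermediate1 -> intermediate2 -> server chain with the `openssl` CLI (all names and files are made up) and shows the verdict changing with the trust store and with a missing intermediate.

```shell
#!/usr/bin/env bash
# Constructed lab PKI: root -> intermediate1 -> intermediate2 -> server.
# Every name and file is made up for this demo; requires the openssl CLI.

issue() {  # issue <dir> <name> <CN> <issuer-name|self> <ca|leaf>
  local d=$1 name=$2 cn=$3 issuer=$4 ext="$1/$5.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$d/$name.csr" -signkey "$d/$name.key" \
      -days 2 -extfile "$ext" -out "$d/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$d/$name.csr" -CA "$d/$issuer.pem" \
      -CAkey "$d/$issuer.key" -CAcreateserial \
      -days 2 -extfile "$ext" -out "$d/$name.pem" 2>/dev/null
  fi
}

make_lab() {  # build the four-certificate chain plus an unrelated root
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
  issue "$d" root   "Lab Root CA"        self ca   &&
  issue "$d" int1   "Lab Intermediate 1" root ca   &&
  issue "$d" int2   "Lab Intermediate 2" int1 ca   &&
  issue "$d" server "mail.lab.example"   int2 leaf &&
  issue "$d" other  "Unrelated Root CA"  self ca
}

# chain_trusted <trust-anchors.pem> <intermediates-on-hand.pem> <leaf.pem>
# Mirrors a TLS client's check: anchors come from the client's OWN store,
# intermediates from what the server sent (or the client already holds).
chain_trusted() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

demo() {
  local d; d=$(mktemp -d) || return 1
  make_lab "$d" || { echo "openssl failed"; rm -rf "$d"; return 1; }
  cat "$d/int1.pem" "$d/int2.pem" > "$d/full.pem"
  chain_trusted "$d/root.pem" "$d/full.pem" "$d/server.pem" \
    && echo "store has lab root, full chain sent: trusted"
  chain_trusted "$d/other.pem" "$d/full.pem" "$d/server.pem" \
    || echo "store lacks lab root, full chain sent: UNTRUSTED"
  chain_trusted "$d/root.pem" "$d/int2.pem" "$d/server.pem" \
    || echo "store has lab root, intermediate1 missing: UNTRUSTED"
  rm -rf "$d"
}
demo
```

On a real host the same comparison means checking which trust store the failing client actually reads (for a JVM, its `cacerts` file or the store named by `javax.net.ssl.trustStore`) and which intermediates the server actually sends.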
