#1
03-29-2010, 01:03 PM
Elite Member
Posts: 380

Setting up iPhones with self-signed SSL certificates

So I'm trying to get Zimbra Mobile working.

And I'm about to be hoist on my own petard; I can see it coming.

My server is named benjamin.mycompany.com. That's the server's actual name, so that's what I created the self-signed cert pointed to.

But of course, that's not what anyone actually *calls* it. Most people call it zmail.mycompany.com, and that name resolves to two different addresses; the address of my firewall in my public DNS zone, and the actual address of the server in my internal zone.

So, even if I recreated the certificate so that its name was zmail, the error I'm getting when I try to set up the Exchange account on the iPhone isn't going to go away... because all the doco says that you have to have the EAS server name be the same IP address from both sides of your firewall, or everything will blow to hell... and zmail *has* to resolve to 2 different addresses, because apparently my firewall setup won't permit packets to the public address from the private LAN to get NATted back inside.

Any ideas other than replacing the firewall (which may be practical...)
__________________
Jay R. Ashworth - ZCS 6.0.9CE/CentOS5 - St Pete FL US - Music - Blog - Photography - IANAL - IAAMA
Try to Ask Questions The Smart Way -- you'll get better answers.

Put your product and version in your profile/signature - All opinions strictly my own, even though I have an employer these days.
If you [SOLVE] something, please tell everyone how for the archives
And, please... read what people write, and answer the questions they asked, not the ones they didn't.
#2
03-29-2010, 01:31 PM
Elite Member
Posts: 380

As it turns out, I will have to replace the firewall -- it's Shorewall, which will only do inside->inside "hairpin" NAT by replacing the source address with that of the Firewall itself.

I know this can be done properly; Snapgear routers do it out of the box.

Hopefully Smoothwall will.

Last edited by Baylink; 03-30-2010 at 06:04 AM..
#3
03-30-2010, 06:07 AM
Elite Member
Posts: 380

Ok, so to refocus this (admittedly, sorry) somewhat unclear question:

Once I get my hairpin problems settled, am I going to have to rename my server to the role name it will play as an ActiveSync server, "async.company.com", and rebuild my self-signed certs, just to get my iPhone clients to play nice with ZMobile?

Or is there a way to either

a) make a self-signed wildcard cert that will answer for all 3 names (benjamin, async, zmail) or

b) put a different cert in on the port 443 apache that will make the iPhones happy?
#4
04-05-2010, 07:38 AM
Elite Member
Posts: 380

{bumpitty bumpbump bump}
#5
04-05-2010, 07:50 AM
Moderator
Posts: 7,929

Why I use a self-signed cert, and once I accepted it on my iPhone (at the account creation stage) it carried on syncing quite happily.
#6
04-05-2010, 07:56 AM
Elite Member
Posts: 380

Ok; apologies: let me clarify.

1) I'm told that in order to avoid DNS/caching problems on smart phones with Exchange ActiveSync, the *phone's* idea of the IP for the DNS name you configure must be the same whether you're inside your firewall or out -- that is, both sides of the split-horizon must return for it the public address of your firewall.

2) I presently have a self-signed cert named after the *real* name of my server, benjamin.mumble, which resolves to the firewall public address in my public zone, but the *actual* address of the server from inside. Therefore, I can't use that name in my EAS client config.

3) When I try to use the "role" DNS name, "async.mumble", in my client config, the client tosses an SSL error, *even though I've used that name to go to the https webclient and accepted it in Safari on the iPhone*.

So clearly

4) The iPhone EAS client *requires* that the SSL cert contain the name *by which it is accessing the server*.

My question is: must that be the "actual" (or primary) name on the cert? Or can it be an additional name?

And if it *does* have to be the primary name, does that mean I have to change the name of the server proper? I would much prefer that it remain named benjamin. I don't much like servers with role names as their "true name".
#7
04-06-2010, 04:27 PM
Elite Member
Posts: 380

This might actually be properly an Apple question; anyone know the best Apple tree to ask it under?

I would just do a bunch of testing, but both the Zimbra server proper and the iPhones are in production, and I can't.
#8
04-07-2010, 08:13 AM
Elite Member
Posts: 380

Ok, while Brad in Apple tier 3 support went non-linear about how "we don't support iPhones with any Exchange ActiveSync provider except Genuine Microsoft Exchange", he *did* tell me that the SSL cert placed on the phone needs the *phone's* idea of the server name -- in my case, async.mumble -- as the *primary* name on the certificate -- any other names must apparently be secondary, if they exist at all.

Now to find out if Zimbra will barf if the primary name isn't the *server's* idea of its name.
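Posts #3 and #8 both come down to which names a self-signed certificate answers for. The script below is an added example, not code from the thread or from Zimbra: it builds a certificate whose primary name (CN) is the client-facing ActiveSync name and whose subjectAltName also lists the server's real name and the zmail alias, then asks OpenSSL which hostnames each certificate is valid for, the same decision a TLS client makes before it raises a name-mismatch warning. Hostnames reuse the thread's mycompany.com placeholder; the scratch directory and file names are assumptions.

```shell
# Added example (not from the thread or Zimbra): self-signed cert with a
# client-facing CN plus SAN entries for every name used to reach the box,
# and a check of which names a cert actually matches.
set -e
WORK=$(mktemp -d)            # scratch directory for keys/certs (assumption)
trap 'rm -rf "$WORK"' EXIT

# make_cert CN "DNS:a,DNS:b,..." PREFIX -> $WORK/PREFIX.key and .crt (365 days)
# An inline config is used instead of -addext so older OpenSSL builds work too.
make_cert() {
    cn=$1; sans=$2; out=$3
    cat > "$WORK/$out.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ext
prompt             = no
[dn]
CN = $cn
[ext]
subjectAltName = $sans
EOF
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -config "$WORK/$out.cnf" \
        -keyout "$WORK/$out.key" -out "$WORK/$out.crt" 2>/dev/null
}

# cert_matches PREFIX HOSTNAME -> exit 0 if the cert is valid for HOSTNAME
cert_matches() {
    openssl x509 -in "$WORK/$1.crt" -noout -checkhost "$2" | grep -q 'does match'
}

# Starting situation from post #1: CN is the server's real name only.
make_cert benjamin.mycompany.com "DNS:benjamin.mycompany.com" plain
# Shape discussed in posts #3 and #8: CN is the name the phones use, and the
# SAN lists every name anyone uses to reach the server.
make_cert async.mycompany.com \
    "DNS:async.mycompany.com,DNS:benjamin.mycompany.com,DNS:zmail.mycompany.com" san

for host in async.mycompany.com benjamin.mycompany.com zmail.mycompany.com; do
    for cert in plain san; do
        if cert_matches "$cert" "$host"; then
            echo "$cert cert: $host matches"
        else
            echo "$cert cert: $host does NOT match (client would warn)"
        fi
    done
done
```

The "plain" cert reproduces the iPhone's complaint for async and zmail; the "san" cert satisfies all three names while still carrying async as its primary name, which is what post #8 reports Apple requires.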