Results 1 to 5 of 5

Thread: installed a new ssl cert but activesync won't use it

  1. #1
    alauppe is offline Active Member
    Join Date
    Jan 2009
    Posts
    27
    Rep Power
    6

    Default installed a new ssl cert but activesync won't use it

    I installed a new SSL cert (because the old one expired.) All the standard zimbra services work fine, and all use the new cert, but activesync continues to use the old one. Of course, now that its expired, devices refuse to connect.

    What do I need to do to update the SSL cert for activesync?

    Andy
    ---
    Release 7.2.0_GA_2669.UBUNTU8_64
    UBUNTU8_64 NETWORK edition.

    Release 7.1.1_GA_3196.UBUNTU8_64
    UBUNTU8_64 NETWORK edition.

  2. #2
    gnyce is offline Advanced Member
    Join Date
    Aug 2007
    Location
    outside Philadelphia
    Posts
    214
    Rep Power
    7

    Default

    Dunno...
    - does the sync.log show anything about this?
    - What is the output of
    /opt/zimbra/bin/zmcertmgr viewdeployedcrt mailboxd
    - typically the mailboxd (which I think handles activesync as well?? could be wrong) stores its' keystore at /opt.zimbra/conf/keystore... however, I have seen where it can be used/located at /opt/zimbra/mailboxd/etc/keystore. See if you have that, maybe even compare?

  3. #3
    alauppe is offline Active Member
    Join Date
    Jan 2009
    Posts
    27
    Rep Power
    6

    Default

    Hey thanks Greg :-)

    Turns out, /opt/zimbra/conf/domaincerts did have the old crt/key files in it. I've backed them up and replaced them with the new stuff. Good thinking.

    Andy
    ---
    Release 7.2.0_GA_2669.UBUNTU8_64
    UBUNTU8_64 NETWORK edition.

    Release 7.1.1_GA_3196.UBUNTU8_64
    UBUNTU8_64 NETWORK edition.

  4. #4
    alauppe is offline Active Member
    Join Date
    Jan 2009
    Posts
    27
    Rep Power
    6

    Default

    So, /opt/zimbra/bin/zmcertmgr viewdeployedcrt returns the correct certs, and it doesn't make any reference to the cert that activesync is using.

    Still stumped.
    ---
    Release 7.2.0_GA_2669.UBUNTU8_64
    UBUNTU8_64 NETWORK edition.

    Release 7.1.1_GA_3196.UBUNTU8_64
    UBUNTU8_64 NETWORK edition.

  5. #5
    alauppe is offline Active Member
    Join Date
    Jan 2009
    Posts
    27
    Rep Power
    6

    Default

    We solved this problem. Here is how:

    Our next step was to try another device. I had a colleague with an android device try to add an activesync account. He got an error, but in this case his device showed the proper (new) certificate, so we suspected that the problem was device related. Further reading suggested that the primary domain on the certificate must match the access URL (which in this case it did not - a wildcard cert has *.domain.com as its primary name).

    We bought a dedicated, for the purpose, single domain certificate, deployed that, and the problem went away.

    I suspected that the device was caching the old certificate, but I couldn't figure out why it would use it. Now, knowing that it didn't like the new one, I can almost understand. Bottom line here is that the wildcard certificate simply would not work for activesync.
    ---
    Release 7.2.0_GA_2669.UBUNTU8_64
    UBUNTU8_64 NETWORK edition.

    Release 7.1.1_GA_3196.UBUNTU8_64
    UBUNTU8_64 NETWORK edition.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. ZD untrusted Verisign SSL cert
    By JaymeH in forum General Questions
    Replies: 10
    Last Post: 01-12-2012, 06:39 AM
  2. SSL cert install fails (ver 6)
    By mahalito in forum Administrators
    Replies: 1
    Last Post: 12-17-2010, 08:28 AM
  3. SSL Cert Questions
    By playnada in forum Administrators
    Replies: 3
    Last Post: 05-06-2008, 10:22 AM
  4. [SOLVED] SSL Cert Import IE/windows broken?
    By raj in forum Installation
    Replies: 4
    Last Post: 01-28-2008, 07:48 PM
  5. Replies: 2
    Last Post: 03-25-2007, 09:40 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •