
Thread: CA certificate options for SSL with Gateway and iCal?

  1. #1

    CA certificate options for SSL with Gateway and iCal?

    I've tried out SSL for the Gateway and iCal servers in 6.30.0 and it works fine with a self-signed certificate as described in the server PDF manual.

    I have gotten a proper certificate from startcom.com, which works fine for encrypting my Apache SSL connections. I can also set the Gateway and iCal servers to use the real certs - but without any option for specifying the CA certificates and so on, the clients still see the certificates as being invalid.

    The server.cfg file has options for defining CA certs - server_ssl_ca_file and server_ssl_ca_path. Where are the equivalent options for the Gateway and iCal servers?

    Will

  2. #2
    Senior Member Imar's Avatar
    Join Date
    Jan 2008
    Location
    Tiel
    Posts
    1,803

    Re: CA certificate options for SSL with Gateway and iCal?

    Hi Will,

    I think this:

    will help.

    Note: probably it's the .PEM sort order of the private key and certificate.

    Imar.
    Nuts, by definition limited.

  3. #3

    Re: CA certificate options for SSL with Gateway and iCal?

    Hi Imar,

    Thanks for your reply. The discussion in the thread you mention refers to zarafa-server, while my question refers to zarafa-gateway and zarafa-ical. The SSL configuration parameters for those two are different from those for zarafa-server.

    server.cfg:
    server_ssl_key_file <-- PEM file in which to put the combined .key and .crt files, as described in your link
    server_ssl_key_pass
    server_ssl_ca_file <-- PEM file for the CA; demoCA in the dummy example from the docs, and my startcom.com file for my real cert.

    gateway.cfg:
    ssl_private_key_file <-- I guess this is my .key file
    ssl_certificate_file <-- I guess this is my .crt file

    Nowhere in the gateway.cfg (or ical.cfg) do I have the option of defining a CA certificate file. This file is crucial for a real cert, since all real CAs sign their certs using an intermediate CA, whose cert must be sent to the client along with the actual server cert file.

    While I can put my .key and my .crt files in the gateway.cfg file - and they do indeed get used - my IMAPS and POP3S clients don't automatically accept the certificates because they are signed by an "untrusted authority" - the intermediate CA.

    Am I missing something?

    Will

    (btw: this is the second time I've written this reply - the forum unceremoniously logged me out when I clicked "Submit" the first time. Too much idle time I guess. But ridiculously annoying...)

  4. #4

    Re: CA certificate options for SSL with Gateway and iCal?

    Browsing through the source code (provider/server/ECServer.cpp) it seems that "server_ssl_ca_file" is actually used to validate client certificates...

    Which leaves me stumped: How do you add an intermediate CA certificate to the chain?

    Will

  5. #5

    Re: CA certificate options for SSL with Gateway and iCal?

    Okay, I seem to have gotten it working by combining my certificate with the various CA certificates into a single .pem file.

    Given the following Apache config parameters

    SSLCertificateFile /etc/zarafa/ssl/startcom-zarafa.crt
    SSLCertificateKeyFile /etc/zarafa/ssl/startcom-zarafa.key
    SSLCertificateChainFile /etc/zarafa/ssl/startcom-sub.class1.server.ca.pem
    SSLCACertificateFile /etc/zarafa/ssl/startcom-ca.pem

    I was able to create a .pem file that works with zarafa-gateway and zarafa-ical to provide SSL to the clients without them complaining about the CA being untrusted as follows:

    cat /etc/zarafa/ssl/startcom-zarafa.crt > /etc/zarafa/ssl/startcom-combined.pem
    cat /etc/zarafa/ssl/startcom-sub.class1.server.ca.pem >> /etc/zarafa/ssl/startcom-combined.pem
    cat /etc/zarafa/ssl/startcom-ca.pem >> /etc/zarafa/ssl/startcom-combined.pem

    and then setting the following parameters in gateway.cfg and ical.cfg:

    ssl_private_key_file = /etc/zarafa/ssl/startcom-zarafa.key
    ssl_certificate_file = /etc/zarafa/ssl/startcom-combined.pem

    Hope that helps someone else having similar problems.

    Will

  6. #6
    Junior Member
    Join Date
    Aug 2010
    Posts
    13

    Re: CA certificate options for SSL with Gateway and iCal?

    Thank you, this has helped me! :-)

  7. #7
    Senior Member
    Join Date
    Feb 2008
    Location
    Leonberg, Germany
    Posts
    273

    Re: CA certificate options for SSL with Gateway and iCal?

    This solution will of course work, but it isn't the sanest way.

    The sanest way for Zarafa itself is to add the root and intermediate certificates of your chosen certificate authority to your distribution's standard PKI directory, such as /etc/pki/tls/certs/ on Red Hat Enterprise Linux, CentOS or Fedora. Afterwards, execute "c_rehash" (part of the openssl-perl RPM package). Now it is more than enough to put only the SSL certificate into one file and the private key into another. No need for any combined files anymore.

    By the way, the same applies to the Apache web server: if you do the above, it's enough to use "SSLCACertificatePath /etc/pki/tls/certs" rather than "SSLCertificateChainFile" and "SSLCACertificateFile".

    Besides that, a common PKI directory is more maintainable than lots of different combined SSL certificate files. And it's easier to replace a certificate during renewal without paying attention to the intermediate certificate authority file.
    I have installed, configured, customized, integrated and maintained Zarafa setups in different environments since 2007. If you want my full attention, please send me a private message and ask for paid support.
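    The two approaches in this thread (post #5's leaf-first combined PEM and post #7's hashed CA directory) can be checked offline before touching a mail server. The script below is an added example, not code from the thread, from StartCom or from Zarafa: it builds a throwaway root / intermediate / server chain with openssl, assembles the bundle in the order post #5 uses, and then verifies the server certificate the way a client does, with and without the intermediate. Every name in it (Demo Root CA, mail.example.test, the scratch directory, the capath directory) is constructed for the demo. The ordering rule it relies on is OpenSSL's chain-file semantics (SSL_CTX_use_certificate_chain_file): the first certificate in the file is the server's own, the rest are sent as the chain; that post #5's combined file works at all indicates the gateway loads it that way.

```shell
#!/bin/sh
# Added example; not code from this thread, from StartCom or from Zarafa.
# It builds a throwaway root -> intermediate -> server chain with openssl and
# then checks, from a client's point of view, which bundles verify. Every name
# (Demo Root CA, mail.example.test, the scratch directory) is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles (plain extfile syntax, no section header needed).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > leaf.ext

# Key plus CSR for one subject: $1 = file base, $2 = CN. EC keys keep it quick.
csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}
csr root "Demo Root CA"
csr sub  "Demo Intermediate CA"
csr leaf "mail.example.test"

# Self-signed root, intermediate signed by the root, server cert signed by the
# intermediate: the same three roles the thread calls startcom-ca.pem,
# startcom-sub.class1.server.ca.pem and startcom-zarafa.crt.
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext \
    -out root.pem 2>/dev/null
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -extfile ca.ext -out sub.pem 2>/dev/null
openssl x509 -req -in leaf.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
    -days 365 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Post #5's bundle: the server certificate comes FIRST. OpenSSL's chain-file
# loader treats the first certificate as the server's own and the rest as the
# chain to send; put the intermediate first and the private key no longer
# matches the first certificate, so the gateway fails at load time.
cat leaf.pem sub.pem root.pem > combined.pem

# Verify leaf.pem as a mail client would. $1 = the root the client trusts,
# $2 = extra certificates the server sent ("" = none). Prints ok or fail.
client_verify() {
    if openssl verify -CAfile "$1" ${2:+-untrusted "$2"} leaf.pem >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Post #7's alternative: root and intermediate in a hashed CA directory.
# $1 = directory, remaining args = CA PEM files. Uses openssl rehash where
# available and falls back to the same <hash>.0 symlinks c_rehash creates.
hashed_dir() {
    dir=$1; shift
    mkdir -p "$dir"
    cp "$@" "$dir/"
    openssl rehash "$dir" >/dev/null 2>&1 || for f in "$@"; do
        ln -sf "$(basename "$f")" "$dir/$(openssl x509 -noout -hash -in "$f").0"
    done
}
hashed_dir capath root.pem sub.pem

# With the intermediate in the store, the bare server cert verifies because
# OpenSSL completes the chain from the directory itself.
capath_verify() {
    if openssl verify -CApath "$1" leaf.pem >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Two sanity checks on the bundle: how many certs it holds, and that the first
# one really is the server certificate (compare SHA-256 fingerprints).
cert_count()  { grep -c 'BEGIN CERTIFICATE' "$1"; }
fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1"; }

echo "leaf only, client trusts root:  $(client_verify root.pem "")"            # fail
echo "leaf + intermediate sent:       $(client_verify root.pem sub.pem)"       # ok
echo "combined.pem sent:              $(client_verify root.pem combined.pem)"  # ok
echo "intermediate in hashed CApath:  $(capath_verify capath)"                 # ok
echo "certs in combined.pem:          $(cert_count combined.pem)"              # 3
if [ "$(fingerprint combined.pem)" = "$(fingerprint leaf.pem)" ]; then
    echo "first cert in combined.pem is the server cert"
fi
```

    Two things the script cannot tell you: whether the gateway actually sends the chain, and whether it picks up the hashed directory at all. Check that against the running service with `openssl s_client -connect mail.example.test:993 -showcerts </dev/null` (or `-starttls imap` on port 143); the intermediate must appear in the certificate list and, with the root in the client's trust store, the output must end in "Verify return code: 0 (ok)". Sending the root itself is optional, since a client that does not already trust it will not start trusting it because the server sent it. Keep the private key out of the combined file and in its own root-only readable file; `ssl_private_key_file` is where it belongs.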

  8. #8
    Senior Member
    Join Date
    Mar 2011
    Posts
    346

    Re: CA certificate options for SSL with Gateway and iCal?

    Sorry for opening up an old thread, but I'm having the same problem with the gateway and an Android smartphone.
    I used to have the following configuration:
    ssl_private_key_file = /etc/pki/tls/private/xxx.key
    ssl_certificate_file = /etc/pki/tls/certs/xxx.crt

    This has always worked fine, but now I tried to use IMAPS on a new Android device and that complains about the certificate. Both the standard client and K9.
    This is of course because these certs need a number of CA certificates. In server.cfg there is a separate configuration option; in gateway.cfg there isn't.
    So I tried to combine these certificates with the private key and the certificate, but without success:
    1. key + cert + ca in one .pem after "ssl_private_key_file". "ssl_certificate_file" is empty.
    Result: Gateway gives an error: SSL CTX certificate file error: error:02001002:system library:fopen:No such file or directory - which is strange, because the file is there
    2. key after "ssl_private_key_file". cert + ca in one .pem after "ssl_certificate_file". Works in K9, doesn't in the standard client. Says that SSL isn't available.

    Does anyone have any other suggestions?

  9. #9
    Senior Member
    Join Date
    Mar 2011
    Posts
    346

    Re: CA certificate options for SSL with Gateway and iCal?

    Does no one have any suggestions?

  10. #10
    Junior Member
    Join Date
    Sep 2010
    Location
    Cuijk, The Netherlands
    Posts
    3

    Re: CA certificate options for SSL with Gateway and iCal?

    I agree that it behooves the developers of Zarafa to develop a better solution to take care of this server side, or document it in an FAQ if this set up can already be made to work out of the box.

    Until then, a possible workaround; I haven't tested this: Import the certificate and intermediate in Android, as per . It does require a rooted phone, though.
