Author Topic: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed  (Read 9476 times)

rcarney

  • Zen Apprentice
  • Posts: 37
  • Karma: +5/-0
I have installed Zentyal 3.2.  I am trying to configure it so that it sits on my local network behind a SnapGear router with port forwarding.  I cannot seem to get it to work and I can't find an example in the forum.  I am following the tutorials by Jonas.

I want to configure Outlook and ActiveSync for remote access.  So far I can get webapp and webaccess to work, but webaccess seems to have bugs.  (Side note: when I log in with IE10 I get a background but no text.  I hit the back arrow and all the info comes up - very strange.)

Assuming I am starting with a clean install:

1. How should I set up the A, MX, and SRV records?  My domain is hosted with GoDaddy; as an example, the domain name is house.net.

2. Should my IP address be external or internal?  I have been selecting it as external.  (I have only one Ethernet NIC.)

3. How should I create the certificate for the house.net domain?  I assume I would select this for all of the web services?

4. Then how do I configure the Outlook client to connect from a remote location?

I would be grateful for any help....


« Last Edit: November 14, 2013, 09:53:31 pm by rcarney »

christian

  • Guest
Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #1 on: November 09, 2013, 05:54:32 pm »
Zentyal is better designed to run with multiple interfaces.
With one single interface, if connected on your LAN, this interface should not be set as external.
Configure your external DNS (the godaddy one) to point to your router (on external IP) from where you will route requests to Zentyal server.

robb

  • Guest
Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #2 on: November 09, 2013, 08:18:39 pm »
Additional to this, point your domain on Zentyal DNS to the Zentyal interface, so internal clients can reach Zarafa on the same URL as external clients.

Question: do you have any subdomains hosted externally? If so, set A records for those domains to the IP address where they are hosted.
« Last Edit: November 09, 2013, 08:25:30 pm by robb »

rcarney

  • Zen Apprentice
  • Posts: 37
  • Karma: +5/-0
Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #3 on: November 09, 2013, 08:36:09 pm »
Thank you for the quick response.  I didn't set up any subdomains.

This is a common configuration for home email servers, and many would appreciate help in working this out.  I ran sbs2008 for years this way.

I am trying your suggestion now. 

But I still have an issue with configuring certificates for this external domain name.  I am using a self-cert.  I set up CA name house.local.  Then added a certificate with common name house.net.  Then added that to all of the services.  Is this correct?

christian

  • Guest
Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #4 on: November 09, 2013, 08:56:20 pm »
Quote
This is a common configuration for home email servers, and many would appreciate help in working this out.  I ran sbs2008 for years this way.

sbs2008 for home email server  ::) ::)  I suppose I don't understand what you mean here  ???


Quote
But I still have an issue with configuring certificates for this external domain name.  I am using a self-cert.  I set up CA name house.local.  Then added a certificate with common name house.net.  Then added that to all of the services.  Is this correct?

One simple option is to have your Zentyal deployment matching your public domain name. I do it myself without any single problem.
What's your problem with the CA and issued certificates? I don't understand what the issue is, if any  :-\

rcarney

  • Zen Apprentice
  • Posts: 37
  • Karma: +5/-0
Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #5 on: November 09, 2013, 09:41:24 pm »
My issue with the certificates is proper initial configuration.

1. I create a CA with name house, enter US, City, State, etc.
2. On the second screen it asks me to enter a common name, which I enter as house.net (my GoDaddy domain name).
3. Then I go to services and enter the certificate common name in each service (house.net).
4. Save it all.

Problem: Internet Explorer sees it as an untrusted certificate.  So fine, I import it and store it in Trusted Root Certificates.  But when I reset Explorer it still sees it as untrusted.  Also, the https://house.net/webaccess/index.php webmail gives a blank screen.  But https://house.net/webapp works fine.

christian

  • Guest
Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #6 on: November 09, 2013, 09:50:46 pm »
Quote
So fine, I import it and store it in Trusted Root Certificates.  But when I reset Explorer it still sees it as untrusted.
Strange indeed.
Can you see the CA in the list of trusted certificates once it is added to the trusted list?

rcarney

  • Zen Apprentice
  • Posts: 37
  • Karma: +5/-0
Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #7 on: November 09, 2013, 10:05:11 pm »
Yes, I can see it.  On the surface the certificate looks ok.

rcarney

  • Zen Apprentice
  • Posts: 37
  • Karma: +5/-0
Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #8 on: November 09, 2013, 11:13:42 pm »
When you open the certificate the error says:

"This certificate cannot be verified up to a trusted certificate authority."  Has anyone dealt with this?  I put the certificate into the Windows Trusted Root folder.  I went to Internet Explorer and added the web address as a trusted site.  Still it does not like the imported certificate.  I am concerned because I don't think Outlook will work unless that certificate is bulletproof.  Any ideas?

Thanks!

BrettonWoods

  • Guest
Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #9 on: November 09, 2013, 11:29:30 pm »
Glad you posted as I need to do this with a domain I have set up.

http://www.conetrix.com/Blog/post/How-to-Trust-a-Self-Signed-Certificate-in-IE-9.aspx

So I guess you will need to do a search for the specific version of IE you are using.

Anyone have any ideas on doing this with group policies?

http://community.spiceworks.com/how_to/show/16832-installing-a-self-signed-certificate-on-workstations-with-group-policy-using-the-group-policy-management-console-gpmc

I will tell you how it goes.
« Last Edit: November 09, 2013, 11:37:28 pm by BrettonWoods »

rcarney

  • Zen Apprentice
  • Posts: 37
  • Karma: +5/-0
Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #10 on: November 09, 2013, 11:47:56 pm »
I am using Internet Explorer 10.  I have completed that procedure many times and it does not work.  I think the Zentyal certificate is messed up somehow.

I have tried reinstalling Zentyal 3.2 10 times.  So far no luck with the certificate issue.  This issue will prevent Outlook from connecting.

If someone is willing to look at my certificate, I will send it to you.

BrettonWoods

  • Guest
Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #11 on: November 10, 2013, 12:08:41 am »
Wouldn't really matter, as I can't test it unless your domain is public.

Zentyal doesn't automatically make certificates for virtual domains or mail domains.

So the CN will not match your server name.

Does that sound plausible?

Apache looks for the server name in the header and matches that to virtual domains.

Your cert probably has a CN of zentyal or host.zentyaldomain.lan.

You need a cert with a CN of your external registered domain.

I hate my memory, as I can't remember the format for the options. Anything over six months is gone for me.

This is one where Webmin comes in handy for applying the cert to the SSL listening server and having a browse in what is happening with Apache.
That way you can see what Webmin does to the config.

I guess Zentyal will overwrite it, and a not very elegant way is to just hack the config Zentyal creates and paste that into a post hook.

That stops you being able to use the GUI to add or change things for that module. So remove the hook, get the changes, and paste back the hook with mods.

Have you had a look at the certificate details? Does it match the server or the external domain?

In fact I wish this was handled by Zentyal, so off to create a feature request.

PS: if you are handling mail it's wise to get your ISP to provide an rDNS pointer for the domain on the registered IP.


« Last Edit: November 10, 2013, 12:52:58 am by BrettonWoods »

rcarney

  • Zen Apprentice
  • Posts: 37
  • Karma: +5/-0
Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #12 on: November 10, 2013, 01:57:20 am »
Thanks for the reply.

Background:  Yes, I set the common name (CN) to my domain house.net, not Zentyal.

Problem: Zentyal requires you to first create a Certification Authority Certificate (CAC).  Then it creates an "intermediate certificate" from the CAC with a CN equal to your domain name, house.net.
When you download the intermediate certificate and put it in the Trusted Root folder, Internet Explorer fails because it can't locate the CAC.

The Trusted Root store wants a root CA, not an intermediate CA.  A root CA has the "issued to:" and "issued by:" fields with the same name, mostly house.net.  The certificate you download from Zentyal has issued to: house.net and issued by: Certification Authority Certificate.  If the names are different, then by definition it is an intermediate certificate and will not work, from what I have surmised.

Remedy:  Need to figure out how to create a root certificate with the same name, house.net, in the "issued to:" and "issued by:" fields.  Then install that on Zentyal in all of the web services and your client browser.  Can anyone give a step by step on how to create the root CA and install it on Zentyal?

Getting close.  I think this is critical since Zentyal will not be able to connect to Outlook or mobile devices until this is fixed.

BrettonWoods

  • Guest
Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #13 on: November 10, 2013, 02:18:27 am »
https://help.ubuntu.com/community/OpenSSL

You sound like you're cruising and it will be sorted soon.

I will have a look at mine as I honestly thought from memory it just referenced a single cert for both default and virtual domains.

When it comes to mail I am even more lost: are you using Zarafa? It has its own mail gateways.

Would you kindly publish your findings as it sounds like I am going to have to do the same.

Also, did you try to install both the root cert and the intermediate that Zentyal supplied? I don't know, but I guess it could work.

I usually set up Zentyal as house.domain.lan and then have a virtual domain domain.org, so sorry about misleading you if you're using the default website.
« Last Edit: November 10, 2013, 02:58:57 am by BrettonWoods »

christian

  • Guest
Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #14 on: November 10, 2013, 07:56:19 am »
Quote
This certificate cannot be verified up to a trusted certificate authority.

I can't see any error in what you describe  :-[

This is a warning message stating that you have trusted this certificate but the CA that generated it is still unknown, which is true BTW until you decide to import the one from Zentyal into your trusted CA list.
However, such a warning message should not prevent you from using the trusted certificate.

So it is not clear to me if you are facing any error message or if you are only afraid that it may not work due to this warning message.

If you search this forum, you should find similar topics, as I've commented on it already a couple of times.

If the assumption and principle supported by Zentyal is that Zentyal works with its own certificate authority, what is for sure missing in the interface is the capability for either admins or even end-users to import both the CA and certificates so that applications are aware of them and do not warn users about an unknown CA. This is basic certificate management within organizations dealing with internal servers and clients ::)

Of course, the request to be able to import external certificates has been expressed multiple times in the feature request section. That's another story, not linked with the problem you face, and this is, to me, not mandatory except for services that are exposed outside.

Look at the attached screen copy: I'm using Zentyal-issued certificates and don't face any error or even a warning message  ;)
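The root-versus-intermediate point made in reply #12, and the advice in reply #14 to import Zentyal's CA rather than only the certificate it issued, can be reproduced on any machine with the openssl command line. The script below is an added example written for this thread; it is not Zentyal's own tooling and not code from any of the posters. It builds a throwaway CA named the way the thread describes Zentyal's ("Certification Authority Certificate") and a server certificate for house.net, prints the "issued to" / "issued by" fields of each, and then shows that a trust store holding only the downloaded server certificate cannot validate it, while one holding the CA can. The temporary directory and file names are assumptions, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread or from Zentyal): why importing the
# issued house.net certificate into a "trusted root" store does not make it
# validate, while importing the CA that signed it does.
# Assumes the openssl CLI is installed. Keys and certificates are generated
# fresh in a temporary directory (an assumption, not a Zentyal path).
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. The CA: self-signed, so subject ("issued to") and issuer ("issued by") match.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Certification Authority Certificate" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# 2. The server certificate for house.net, issued by that CA. This is the
#    kind of certificate the thread describes downloading from Zentyal.
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=house.net" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -sha256 -out "$WORK/server.pem" >/dev/null 2>&1
}

# The two fields Windows shows as "issued to" and "issued by".
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//'; }

# A root CA is the one certificate whose subject and issuer are the same name.
is_self_signed() { [ "$(cert_subject "$1")" = "$(cert_issuer "$1")" ]; }

# Returns 0 when $2 chains up to a self-signed certificate in trust file $1.
verify_against() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Trusting the CA: the server certificate's issuer is found, chain is complete.
ca_trust_ok()   { verify_against "$WORK/ca.pem" "$WORK/server.pem"; }
# Trusting only the downloaded server certificate: its issuer is still
# unknown, so chain building fails exactly as Internet Explorer reports.
leaf_trust_ok() { verify_against "$WORK/server.pem" "$WORK/server.pem"; }

make_ca
make_server_cert

for f in ca.pem server.pem; do
    echo "$f: issued to [$(cert_subject "$WORK/$f")] issued by [$(cert_issuer "$WORK/$f")]"
done
if ca_trust_ok;   then echo "trust store = CA:          server.pem validates"; fi
if leaf_trust_ok; then echo "trust store = server cert: validates (unexpected)"
else                   echo "trust store = server cert: unable to get local issuer"; fi
```

The same split applies to the Windows store: the CA certificate belongs in Trusted Root Certification Authorities, and the house.net certificate issued by it then validates without being imported anywhere. A certificate whose subject and issuer differ is never a root, so placing it in the root store cannot complete its chain.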