Topic: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed

rcarney

Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #15 on: November 10, 2013, 06:33:01 pm »
It looks to me your certificates are for a domain name hosted on your Zentyal server.  Is your server behind a NAT and can you connect outlook and mobile devices to your server?

My domain name records are not hosted on my Zentyal server but are hosted externally on Godaddy.   The A records and MX record point to my NAT ip address which port forwards to the Zentyal server.

My problem is that I cannot connect remote outlook clients and mobile devices to the Zentyal server.  I am guessing I must have a root certificate to enable this, but Zentyal does not create one. Just an intermediate certificate which I believe cannot be validated outside the NAT.

Does this make any sense?  If not, how do I configure Zentyal to enable remote (external NAT) outlook and mobile access?

Thanks again!

christian

Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #16 on: November 10, 2013, 06:57:15 pm »
Quote
Does this make any sense?  If not, how do I configure Zentyal to enable remote (external NAT) outlook and mobile access?

Not to me at least  :-\
I might be wrong but I'm afraid you mix up some different concepts.
Certificates are linked neither to IP addresses nor to NAT.
Reaching your mail server is a matter of MX records when it comes to receiving mail, then of A or CNAME records when clients need to access the POP, IMAP, MAPI or web server.

If you can't connect, then, sorry if my sentence looks stupid, but you have connectivity issue  ::)
If you can connect but face error message due to certificate, this is another issue but so far you don't show any certificate related error.

Perhaps all of this is only a matter of wording and glossary, but without aligning this we can't understand each other  ;)

Like many here, I host my own mail server that I do not access using Outlook but I don't think this detail matters  ;D
MX, A and CNAME records are managed on DNS hosted by my registrar (meaning on internet)

What I suggest is that you drop, at least for the time being, this point about certificates.
Focus on connectivity and once clients are able to reach server on the right port, we can look at certificates  8)

rcarney

Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #17 on: November 10, 2013, 07:49:10 pm »
I am sorry for my communication skills, let me try a little better.  All I am saying is that my Zentyal server sits behind a NAT and my clients are external to the NAT. I can connect just fine and run webapp and webaccess, but with certificate errors.  (It is this same error that prevents the Outlook client from connecting.) The Outlook client requires no errors with respect to certificates.  You cannot ignore it like you can do with a browser.

I also have to disagree with you a bit.  I am very familiar with certificate use on Exchange 2007 & CommuniGate Pro and connecting remote Outlook clients and mobile devices.  These clients require certificates that do not create certificate errors. (It is a Microsoft thing!)

Attached is a working root certificate from both CommuniGate Pro and Exchange 2007, called "good cert.jpg".  This certificate was imported into my browser (which also sets it up for Outlook).  I am also including the Zentyal intermediate cert, called bad cert.  The PROBLEM is that the self cert must have the "Issued to:" and "Issued by:" names exactly the same.  This makes it a ROOT CA.  If they are not, it is an intermediate CA, which requires the client to locate the root CA to validate, and they can't because the server sits behind a NAT.  If you check the Zentyal (Bad Cert.jpg) intermediate cert with SSL Checker you get the not trusted error because it can't find the root CA either!  When using SSL Checker the good cert has no errors.  See attached certs...

Here is what I think the problem is and the fix:  Because Zentyal sits behind a NAT, clients cannot verify the root certificate authority on the intermediate cert.  Therefore we need Zentyal to create a root certificate like the good one I showed you.  If so, all will be fine.  Other servers do this.

rcarney

Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #18 on: November 10, 2013, 07:59:05 pm »
As a follow up.  Here is what I would like to do in order to validate my theory.  I want to create a ROOT CA ("Issued by" and "Issued to" being the same and equal to the FQDN).  Then install this in Zentyal; I have no idea how and where to install it for Zentyal, although it should not be hard.  Then connect with a browser and see if it works.

Could you let me know how to do this and install it?  I will actually do it and post the results.

christian

Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #19 on: November 10, 2013, 09:01:57 pm »
Indeed we do not share same understanding  ;)
I've no doubt that, if you are very familiar with certificates, you are right with your analysis.

With my own Zentyal platform, I don't have any self-signed certificates but certificates that are signed by a certificate authority that is generated on the Zentyal server. Of course this is a "private" CA, if I can say so, meaning not issued by an organization that is already registered in the default list of trusted CAs in the main browsers. What I suggested was to add this CA to this list, as I do here  ::)

One point that may have an impact on your capability to access your web server is, and from this standpoint I do share your analysis, the potential need for the certificate to match the FQDN. I can't really comment on it as I'm not an Outlook user, but keep in mind that Zentyal permits setting subject alternative names, the purpose being to use the same certificate with multiple (different) services.

That said, I can't help further. Sorry.
For what I understand, you can have only one CA on Zentyal...
Perhaps some more advanced users or members using Outlook can comment and help further.

BrettonWoods

Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #20 on: November 10, 2013, 11:34:40 pm »
Any certificate that isn't issued from a known authority is self signed.

Or anyone could publish bogus certs. Usually with certs such as Thawte or VeriSign there is also liability insurance. Also there is a vetting process.

The CA authority on Zentyal is just a self signed cert store. And could be used to decrypt SSL.

It's what the NSA do and they just have the public keys.

So it's exactly the same, christian. I am the same though, as they should be imported into the trusted certs and work.

I have to do this on my server but lazy sundays.

Also Christian is correct as you should be able to connect but the self signed certs will just provide nags.

Packet Filter > External networks to Zentyal have you enabled groupware and web?

Also just looking at the default services http and https are defined but also webserver is defined with the same ports.
What happens to IPtables when you add a port twice? (Just something I noticed)

Apols I skipped a few messages.

Could you use the root cert and change the service cert apache and mail are using?

+1 as you are probably right as I am not very up on certificates and they are a pretty good way of authentication as well.

It's one of the current Zentyal features that I would like to offer more.

SSH passwordless connections for server to server connections is one.

Also I don't really understand the implications but if you have a look at the apache logs apache is always complaining about the certs not matching the server name.

I created a feature request http://forum.zentyal.org/index.php/topic,18733.msg73085.html#msg73085

If you would add to it maybe someone who knows more than I do can help and also provide more on certificate services.

I might have falsely presumed this had some bearing on the errors.

I picked a M$ server solution as we are talking M$ clients.
http://en.help.mailstore.com/Deploying_a_Self-signed_SSL_Certificate
http://www.poweradmin.com/help/sslhints/ie.aspx

I always create a custom server name on the smtp server which straight away causes a certificate problem.
Some mail servers check the RDNS records and your mail server domain name or identify you as spam.

I actually run two virtual mail domains and two virtual domains.

I leave the default .lan domain of install I created for internal intranet applications.

The current certificate store doesn't seem to take this into account so hence the feature request.

[Apache error]
Quote
Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)

http://en.wikipedia.org/wiki/Server_Name_Indication

PS
I know webmin again but if you browse all the ssl domains are using the same cert, attached image.

[Strange]
I am setting up a new server. Saturday I added the websites and spent some time with imapcopy to drag the mail from the old server.
Great tool imapcopy top tip.
Zarafa doesn't come with a brick level backup and restore but you can just restore the whole zarafa database on another server and then imapcopy the individual mailbox back.

Anyway, because of this conversation I thought it's about time to check my external ports, which are default and all closed.
Thing is and it never twigged at the time but I have been receiving mail.
I have now opened the external ports but I am still trying to work out how I managed to get those emails?

[Addition]
I did an SMTP check and received "SMTP Reverse DNS Mismatch   Warning - Reverse DNS does not match SMTP Banner".
This is because my hostname doesn't match the registered mx record.
I always thought the mx record should be mail.registereddnsdomain

This is why I say shouldn't you be able to store a hostname for each virtual name.

Or can you simply put the mail server FQDN even though that has no registered DNS?

Quote
Edit the file /etc/postfix/master.cf and change the line below from
smtp inet n - n - - smtpd
to this
localhost:smtp  inet n - n - - smtpd
ipaddress1:smtp inet n - n - - smtpd
ipaddress2:smtp inet n - n - - smtpd -o myhostname=hostname2
.
.
.
ipaddressn:smtp inet n - n - - smtpd -o myhostname=hostnamen

I do have five static IP addresses and have set up four vnets to correspond.
Is this the only way to do this?
Guess so as multiple rDNS is supposedly not a good idea

I can't find anything but I am presuming so.
PS http://mxtoolbox.com/ great for checking if everything is set correctly.

« Last Edit: November 11, 2013, 04:37:50 am by BrettonWoods »

christian

Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #21 on: November 11, 2013, 05:09:02 am »
I'm sorry guys, you are too much in advance compared to my own understanding about certificates, or at least we are definitely on different parallel tracks.

In my own understanding, self signed certificate is certificate that is signed by... itself  ::) no more than this. Self-signed is self-explanatory  ::)
But, like for LDAP, I've perhaps learnt old stuff that is no more valid or at least wording has changed.

Anyway, you can still go with external (paid) certificates, not managed in Zentyal but manually installed for each service. There are a couple of topics discussing this, plus a howto, in the Zentyal forum.

BrettonWoods

Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #22 on: November 11, 2013, 05:31:45 am »
I think we are on the same lines christian I meant that we are not talking about certificates issued from a certificate authority.

As far as I am aware the Zentyal Certificate authority is that in name and there is no means of validating these.

Stop being so picky :) Join in as I am sure you would be of assistance.

Self signed as in https://help.ubuntu.com/12.04/serverguide/certificates-and-security.html

If you make a self signed certificate yourself like Zentyal does, it's not like a purchased certificate.

Also the certificates zentyal provides cause problems as they don't match the virtual names that you have defined.

Just try and see.

TLS server name indication support (RFC 4366)
« Last Edit: November 11, 2013, 05:41:42 am by BrettonWoods »

rcarney

Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #23 on: November 11, 2013, 08:55:32 pm »
Ok, I figured out how to stop the browser certificate errors, after much research.  In order to stop the error messages you need to install the Zentyal Certificate Authority in the client's trusted root certificate cache.  The file can be found at /var/lib/zentyal/CA/cacert.pem.

I used openssl to convert it to a .crt file, which can be installed by Internet Explorer.  IE does not know about .pem files.

openssl x509 -inform PEM -in "cacert.pem" -text > cacert.crt

then move this certificate to your windows client computer and install in trusted root certificate folder.  should be able to just double click on it and an install program is launched.

Hope this helps.  Solved.

BrettonWoods

Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #24 on: November 11, 2013, 09:33:00 pm »
Many thanks. Haven't tried yet. I use Chrome, which you have to use IE to accept the certs, so of much use to me.

christian

Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #25 on: November 12, 2013, 04:04:54 am »
Quote
Ok, I figured out how to stop the browser certificate errors, after much research.  In order to stop the error messages you need to install the Zentyal Certificate Authority in the client's trusted root certificate cache.  The file can be found at /var/lib/zentyal/CA/cacert.pem.

I'm glad you discovered this.  ::)
Well... I tried to tell you already...
Quote
This is a warning message stating that you have trusted this certificate but CA having generated it is still unknown, which is true BTW until you decide to import in your trusted CA list the one from Zentyal.
but I suppose I was not clear enough.  :-X

FYI, you can download this CA file from Zentyal GUI too.

If problem is now solved, please modify first post title to stamp it as [SOLVED]
« Last Edit: November 12, 2013, 04:08:51 am by christian »

rcarney

[Solved] Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #26 on: November 12, 2013, 04:13:37 pm »
I tried downloading from GUI, but it doesn't work.

BrettonWoods

Re: [Solved] configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #27 on: November 12, 2013, 07:51:32 pm »
Also if you're like me and create your default LAN to be an intranet with mydomain.lan,

then have your external internet site on a mydomain.com or similar.

or have multiple virtual and mail domains, the certificate authority isn't much use.

I have had a look at the certificates and the alt names are there, but Apache still complains.
« Last Edit: November 12, 2013, 08:08:31 pm by BrettonWoods »

rcarney

Re: [Solved] configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #28 on: November 14, 2013, 09:42:03 pm »
I have figured it out.  You need to download the Certificate Authority (CA), which is the first thing you create after a clean install.  Anything else you create after that will be an intermediate certificate, which requires a certificate authority to validate.  Unfortunately your IE browser does not have access to it on the server.  Therefore you must install the CA, locally, in your IE client's trusted root certificate store.

The problem is that Internet Explorer does not understand the .pem certificate files, like Linux.  So you need to convert the CA into a .cer or .crt file, which is easy but not painless.  Here is how you do it.

1. Log on to the Zentyal management console, from your Zentyal server, and go to Certificates > General.
2. Download the CA to a directory on the server; it's the first entry in the certificate list. Click the download button.
3. Store it in your server's home directory somewhere.
4. Run the command from the command line:   openssl x509 -inform PEM -in ca-cert.pem -text -out ca-cert.crt
5. Copy ca-cert.crt to a USB drive (or use file sharing) and port it to your client computer that's running Internet Explorer.
6. On Windows, double click the file ca-cert.crt and click Install.
7. Manually select the installation directory option.
8. Browse to "Trusted Root Certificate Authority".
9. Click Install, then click Yes on the pop-up window.
10. Done, no more Internet Explorer error messages if your intermediate certificate is correct.

The root CA you installed will authenticate all of your intermediate certificates.  Just make sure your intermediate certificate's common name matches your web address.  For example cn=mydomain.com and the web address https://mydomain.com are the same.  The installed CA also works for https://mydomain.com/webapp or webaccess.

It would be nice if someone at Zentyal would write a download script to give us the CA as a .crt file, so we do not need to do it manually.  Anyone browsing from Internet Explorer will have this issue. I have not tested with other browsers yet, but suspect it will work.

Please try this process and let me know if it works for you...



« Last Edit: November 14, 2013, 09:50:18 pm by rcarney »
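The checks behind Reply #23 and Reply #28, as an added example that is not from this thread or from Zentyal: it builds a constructed private CA and one service certificate with the openssl CLI, tests the "issuer equals subject" rule for a root CA, converts the CA to the binary DER form that the Windows import wizard reads, and verifies that the leaf chains to the CA and matches the hostname. File names, the CA name and mydomain.com are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's or Zentyal's own code. Needs only the openssl CLI.
set -e
WORK=$(mktemp -d)

# A certificate is a root CA when its issuer and subject are identical (the
# "Issued to" / "Issued by" rule from the thread). Works with 1.0 and 1.1+ output.
is_root_ca() {
  issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  [ "$issuer" = "$subject" ]
}

# Windows' certificate import wizard accepts binary DER (.cer/.crt); convert to that.
pem_to_cer() {
  openssl x509 -inform PEM -in "$1" -outform DER -out "$2"
}

# Does the leaf chain to the CA file AND carry a name matching the URL's host?
# This is what a browser checks once the CA is in its trusted root store.
leaf_verifies() {
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Constructed demo PKI: one private root CA (standing in for the assumed
# /var/lib/zentyal/CA/cacert.pem) and one service certificate signed by it,
# carrying subjectAltName entries for the public hostname.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/cacert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mydomain.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:mydomain.com,DNS:www.mydomain.com\n' > "$WORK/san.ext"
  openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/san.ext" \
    -out "$WORK/leaf.pem" 2>/dev/null
}

make_demo_pki
pem_to_cer "$WORK/cacert.pem" "$WORK/cacert.cer"
is_root_ca "$WORK/cacert.pem" && echo "cacert.pem is a root CA (issuer == subject)"
is_root_ca "$WORK/leaf.pem" || echo "leaf.pem is not a root: it needs the CA to validate"
leaf_verifies "$WORK/leaf.pem" "$WORK/cacert.pem" mydomain.com \
  && echo "leaf chains to the CA and matches mydomain.com"
leaf_verifies "$WORK/leaf.pem" "$WORK/cacert.pem" other.example \
  || echo "name mismatch for other.example: a browser would still warn"
```

The last check is the case BrettonWoods hits: a trusted CA does not help when the certificate's names do not match the host the client typed.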

christian

Re: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed
« Reply #29 on: November 15, 2013, 12:12:50 am »
Just to clarify some wording in order to avoid confusion:
- there is no such thing as an "intermediate certificate". Well, technically, X.509 permits signing a CSR or generating a certificate using another certificate as the signing authority, and a CA is also, itself, a certificate, but in a standard PKI the only intermediate component is not a certificate (as used by a server) but a certificate authority.

The idea is that you can have a hierarchical organization of your certificates using branches made of various levels of intermediate certification authorities, which is very useful when you want to establish cross-certification without doing this at root level.

Aside from this, what is used at server level is not an intermediate but a leaf certificate.