Author Topic: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed  (Read 5437 times)

rcarney

  • Zen Apprentice
  • *
  • Posts: 37
  • Karma: +5/-0
    • View Profile
Re: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed
« Reply #30 on: November 15, 2013, 05:42:06 am »
I guess we need to agree to disagree.  Do a web search on the definition of intermediate vs root certificate authority.....  I explained the difference earlier in the post.  This is where I am coming from.

The good news is that it solves the problem...

christian

  • Guest
Re: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed
« Reply #31 on: November 15, 2013, 07:13:46 am »
I guess we need to agree to disagree.

Perhaps and, after all, it doesn't really matter. Goal is that it works for you.
My initial point was not to get an agreement but to clear up some potential misconception  ;)

Quote
Do a web search on the definition of intermediate vs root certificate authority.....  I explained the difference earlier in the post.  This is where I am coming from.

I'm afraid you will have to explain again because I still don't understand this. The keyword here is not certificate but authority.
I don't need Google to understand (well to think I understand) certificates as I'm an old X509 and OpenSSL user  8)

Let me try to explain again with more technical detail. In the meantime, feel free to provide me with URL explaining difference between  "leaf certificate" and intermediate "certificate authority".
BTW I think (hope) you already understand the difference now as your last post says:
Quote
Do a web search on the definition of intermediate vs root certificate authority
meaning this is clear to you that intermediate should only apply to authorities, while the previous post said:
Quote
Anything else you create after that will be an intermediate certificate which requires a certificate authority to validate
which is to me, if not wrong, at least the misleading statement.

Although everything is feasible especially if you don't follow X509v3, the technical difference between "basic" certificate and "certificate authority" is the fact that authority embeds "basicConstraints=CA:TRUE" showing that such certificate is granted for CSR signature and certificate signing while, on the other hand, leaf certificates (that are therefore not "intermediates"  ;) ) inherit from constraints like "extended key usage" to specify what can (should) be done with this certificate.

Like LDAP, X509 inherits from X500 naming convention, thus let me take this analogy that may help to understand.
In LDAP, there is technically no difference between branches and entries attached to this branch. Does it mean that you would happily add password attribute to ou=users,dc=whatever in order to permit someone or application to authenticate with this entry? I don't think so...  ::)  this LDAP entry in as branch to which leaf entries are attached.
X509 works more or less the same way, at least until they issued X509v3 because this "certificate usage" concept was misunderstood and misused.

So back to our initial point:
- what is intermediate is the authority, not the leaf certificate. This looks obvious to me when expressed this way  ::)
If this is clear to you too and if you agree, then we are on the same track. If not, your welcome with any URL explaining the opposite  ;D and, as you rightly say, we can just agree to disagree

Quote
The good news is that it solves the problem...

Sure, anything else doesn't really matter  ;)

Escorpiom

  • Zen Hero
  • *****
  • Posts: 897
  • Karma: +25/-1
    • View Profile
Re: configure Zentyal 3.2 behind Nat with external godaddy domain
« Reply #32 on: November 16, 2013, 04:08:32 am »
Ok, I figure out how to get stop the browser certificate errors, after much research.  In order to stop the errors messages you need to install the Zentyal Certificate Authority in the clients trusted root certificate cache.  The file can be found at /var/lib/zentyal/CA/cacert.pem.

I used openssl to convert it to a .crt file with can be installed by internet explorer.  IE does not know about .pem files.

openssl x509 -inform PEM -in "cacert.pem" -text > cacert.crt

then move this certificate to your windows client computer and install in trusted root certificate folder.  should be able to just double click on it and an install program is launched.

Hope this helps.  Solved.

Still getting the certificate errors using Zentyal 2.2.9, converted the cacert.pem and put it in the root store.
Also activated the Zentyal admin interface and webserver certificates, no show.
Browser still complains...

Edit: Error says "mismatched address".

Cheers.
« Last Edit: November 16, 2013, 04:10:54 am by Escorpiom »
Marcus' Rule:
Blanks & capitals = avoid it and you'll avoid problems...

BrettonWoods

  • Guest
Re: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed
« Reply #33 on: November 16, 2013, 05:45:38 am »
What does your apache log say?

Escorpiom

  • Zen Hero
  • *****
  • Posts: 897
  • Karma: +25/-1
    • View Profile
Re: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed
« Reply #34 on: November 16, 2013, 06:17:59 am »
What does your apache log say?

Nothing. That is, either SSL traffic is not being logged or I'm looking at the wrong log file...Seems only localhost and public ip's are present in the file but no access from LAN.

Cheers.
Marcus' Rule:
Blanks & capitals = avoid it and you'll avoid problems...

BrettonWoods

  • Guest
Re: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed
« Reply #35 on: November 16, 2013, 07:03:11 am »
I have never noticed that and I wonder why.

My external domain is different to my internal domain.

For virtual hosts apache applies a virtual server host name of the virtual domain name.
The certs on apache restart always provide a warning that the cert server name doesn't match the server name.

I know the TLS server name indication support on virtual domains has a mismatch with the certs provided.

You need a specific cert for each ssl virtual domain and without even going to what the error or fix might be they all just point to one.

I don't know why apache isn't logging the local lan :)

PS my comments about moderators have been limited to my scope which is the international (english) forum I am not really sure what happens in the other language forums.
Its just a generalisation and it isn't all.

BrettonWoods

  • Guest
Re: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed
« Reply #36 on: November 16, 2013, 08:03:44 am »
Bit of a bump but if you are using windows use certmgr.msc not the options in IE.

I have no idea when in IE when I import a trusted root cert it doesn't show use certmgr.msc it works and you can delete certs.

To be honest I am confused at what is going on firstly in the Zentyal CA I have several certificate authority certificates.
What and where the service certificates go I am unsure.

I apache I expect something like this

Code: [Select]
SSLEngine On
     SSLCertificateFile /etc/apache2/ssl/apache.pem
     SSLCertificateKeyFile /etc/apache2/ssl/apache.key

I get
Code: [Select]
SSLEngine on
        SSLCertificateFile    /etc/apache2/ssl/ssl.pem

where is the key file?

I hate certs confuses the hell out of me.

Really good cert blog here.
http://lowtek.ca/roo/2012/ubuntu-apache2-trusted-ssl-certificate-from-startssl/

More at my level :)

self signed
https://www.digitalocean.com/community/articles/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-apache-on-ubuntu-12-04

cert authority
http://codeghar.wordpress.com/2008/03/17/create-a-certificate-authority-and-certificates-with-openssl/
« Last Edit: November 16, 2013, 09:23:49 am by BrettonWoods »

rcarney

  • Zen Apprentice
  • *
  • Posts: 37
  • Karma: +5/-0
    • View Profile
Re: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed
« Reply #37 on: November 18, 2013, 07:48:57 pm »

Escorpiom, I have only tested Zenytal 3.2.  It may work in other versions, but I have not tested it as I am pretty new to Zentyal.

But here goes, the Authority you need to import into your IE browser is the Certification Certificate Authority; and, in Zentyal 3.2 it is highlighted in orange. (Don't know about other versions.) Use the process I mentioned above to import this one into IE.   This CA is a root CA. You can see that it is a Root CA when you install.  Look at the issue to: and issued by: fields.  They both should say "Certification Certificate Authority" with out the quotes.  The other certs created are Intermediate Certificate Authorities (IMA) and you do not need to import them.  Although the common name on the IMA must match your FQDN. Then you must use https://FQDN to log into your server, otherwise you will get an error even if you use the server's ip address, for example.  The IMA issue by: field should be Certification Certificate Authority.  The issue to: field should be your FQDN. 

The way it should work is that when your browser sees the IMA, it will look for a Root CA in its trusted root folder.  It will look for the Certification Certificate Authority (just a name Zentyal gives it) and use this root CA to validate the IMA.  This way you can have many IMAs and only need to import the one Root CA that will qualify all the IMAs.

Hopefully this makes sense... :)

rcarney

  • Zen Apprentice
  • *
  • Posts: 37
  • Karma: +5/-0
    • View Profile
Re: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed
« Reply #38 on: November 18, 2013, 07:53:35 pm »
I should also that IE and Firefox are totally different. IE stores the CA in the windows operating system and FireFox stores it in Firefox's local cache, independent of the OS. So not all browsers act the same....

christian

  • Guest
Re: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed
« Reply #39 on: November 18, 2013, 08:59:00 pm »
And this even even different from this  ;D
Sure IE and Firefox use different mechanisms to store trusted CA and certificates (although OS vs. cache looks... strange) but you may also notice that certificates are used elsewhere, e.g. in java based applications) and this may also required trusting and storing public keys elsewhere, one  more time  ;)