Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: rcarney on November 09, 2013, 05:23:20 pm

Title: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed
Post by: rcarney on November 09, 2013, 05:23:20 pm
I have installed Zentyal 3.2.  I am trying to configure it so that it sits on my local network behind a SnapGear router with port forwarding.  I cannot seem to get it to work and I can't find an example in the forum.  I am following the tutorials by Jonas.

I want to configure Outlook and ActiveSync for remote access.  So far I can get webapp and webaccess to work, but webaccess seems to have bugs.  (Side note: when I log in with IE10 I get a background but no text.  I hit the back arrow and all the info comes up - very strange.)

Assuming I am starting with a clean install:

1. How should I set up the A, MX, and SRV records?  My domain is hosted with godaddy, as an example the domain name is house.net. 

2. Should my IP address be external or internal?   I have been selecting it as external.  (I have only one ethernet nic)

3. How should I create the certificate for house.net domain?  I assume I would select this for all of the web services?

4. Then how to configure the Outlook client to connect from a remote location?

I would be grateful for any help....


Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: christian on November 09, 2013, 05:54:32 pm
Zentyal is better designed to run with multiple interfaces.
With one single interface, if connected on your LAN, this interface should not be set as external.
Configure your external DNS (the godaddy one) to point to your router (on external IP) from where you will route requests to Zentyal server.
Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: robb on November 09, 2013, 08:18:39 pm
Additional to this, point your domain on Zentyal DNS to the Zentyal interface, so internal clients can reach Zarafa on the same URL as external clients.

Question: do you have any subdomains hosted externally? If so, set A records for those domains to the IP address where they are hosted.
Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: rcarney on November 09, 2013, 08:36:09 pm
Thank you for the quick response.  I didn't set up any sub domains.

This is a common configuration for home email servers, and many would appreciate help in working this out.  I ran sbs2008 for years this way.

I am trying your suggestion now. 

But I still have an issue with configuring certificates for this external domain name.  I am using a self-cert.  I set up CA name house.local.  Then added a certificate with common name house.net.  Then added that to all of the services.  Is this correct?
Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: christian on November 09, 2013, 08:56:20 pm
Quote
This is a common configuration for home email servers, and many would appreciate help in working this out.  I ran sbs2008 for years this way.

sbs2008 for home email server  ::) ::)  I suppose I don't understand what you mean here  ???


Quote
But I still have an issue with configuring certificates for this external domain name.  I am using a self-cert.  I set up CA name house.local.  Then added a certificate with common name house.net.  Then added that to all of the services.  Is this correct?

One simple option is to have your Zentyal deployment matching your public domain name. I do it myself without any single problem.
What's your problem with CA and issued certificates ? I don't understand what the issue is if any  :-\
Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: rcarney on November 09, 2013, 09:41:24 pm
My issue with the certificates is proper initial configuration.

1. I create a CA with name house, enter US, City, State, etc.
2. On the second screen it asks me to enter a common name which I enter house.net (My godaddy domain name)
3. then I go to services and enter certificate common name in each service (house.net)
4. Save it all

Problem: Internet explorer sees it as an untrusted certificate.  So fine, I import it and store in trusted root certificates.  But when I reset explorer it still sees it as untrusted.  Also, the https://house.net/webaccess/index.php webmail gives blank screen.  But  https://house.net/webapp works fine.
Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: christian on November 09, 2013, 09:50:46 pm
Quote
So fine, I import it and store in trusted root certificates.  But when I reset explorer it still sees it as untrusted.
Strange indeed.
Can you see CA in the list of trusted certificates once added to trusted list ?
Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: rcarney on November 09, 2013, 10:05:11 pm
Yes, I can see it.  On the surface the certificate looks ok.
Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: rcarney on November 09, 2013, 11:13:42 pm
When you open the certificate the error says:

This certificate cannot be verified up to a trusted certificate authority.  Has anyone dealt with this?  I put the certificate into the Windows trusted root folder.  I went to Internet Explorer and added the web address as a trusted site.  Still it does not like the imported certificate.  I am concerned because I don't think Outlook will work unless that certificate is bullet proof.   Any ideas?

Thanks!
Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: BrettonWoods on November 09, 2013, 11:29:30 pm
Glad you posted as I need to do this with a domain I have set up.

http://www.conetrix.com/Blog/post/How-to-Trust-a-Self-Signed-Certificate-in-IE-9.aspx

So I guess you will have to do a search for the specific version of IE you are using.

Anyone have any ideas on doing this with group policies?

http://community.spiceworks.com/how_to/show/16832-installing-a-self-signed-certificate-on-workstations-with-group-policy-using-the-group-policy-management-console-gpmc

I will tell you how it goes.
Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: rcarney on November 09, 2013, 11:47:56 pm
I am using Internet Explorer 10.  I have completed that procedure many times and it does not work.  I think the Zentyal certificate is messed up somehow.

I have tried reinstalling Zentyal 3.2 10 times.  So far no luck with the certificate issue.  This issue will prevent outlook from connecting.

If someone is willing to look at my certificate, I will send it to you.
Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: BrettonWoods on November 10, 2013, 12:08:41 am
Wouldn't really matter as I can't test it unless your domain is public.

Zentyal doesn't automatically make certificates for virtual domains or mail domains.

So the cn will not match your server name.

Does that sound plausible?

Apache looks for the server name in the header and matches that to virtual domains.

Your cert probably has a cn of zentyal or host.zentyaldomain.lan

you need a cert with a cn of my external registered domain.

I hate my memory as I can't remember the format for the options. Anything over six months is gone for me.

This is one where webmin comes in handy for applying the cert to the ssl listening server and having a browse in what is happening with apache.
That way you can see what webmin does to the config

I guess Zentyal will overwrite it, and a not very elegant way is to just hack the config Zentyal creates and paste that into a post hook.

That stops you being able to use the GUI to add or change things for that module. So remove the hook, get the changes, and paste back the hook with mods.

Have you had a look at the certificate details? Does it match the server or the external domain?

In fact I wish this was handled by zentyal so off to create a feature request.

PS if you are handling mail it's wise to get your ISP to provide a rDNS pointer for the domain on the registered IP


Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: rcarney on November 10, 2013, 01:57:20 am
Thanks for the reply. 

Background:  Yes I set the common name (cn) to my domain house.net not Zentyal.   

Problem: Zentyal requires you to first create a Certification Authority Certificate (cac).  Then it creates an "intermediate certificate" from the cac with a cn equal to your domain name house.net.
When you download the intermediate certificate and put it in the trusted root folder, internet explorer fails because it can't locate the cac. 

The trusted root store wants a Root CA, not an intermediate CA.  A root CA has the issued to: and issued by: fields with the same name, mostly house.net.  The certificate you download from Zentyal has issued to: house.net and issued by: Certification Authority Certificate.  If the names are different, then by definition it is an intermediate certificate and will not work, from what I have surmised.

Remedy:  Need to figure out how to create a root certificate with the same name house.net in the issued to: and issued by: fields. Then install that on Zentyal in all of the web services and your client browser.  Can anyone give a step by step on how to create the root CA and install it on Zentyal?

Getting close.  I think this is critical since Zentyal will not be able to connect to Outlook or mobile devices until this is fixed.

Back
Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: BrettonWoods on November 10, 2013, 02:18:27 am
https://help.ubuntu.com/community/OpenSSL

You sound like you're cruising and it will be sorted soon.

I will have a look at mine as I honestly thought from memory it just referenced a single cert for both default and virtual domains.

When it comes to mail I am even more lost as are you using zarafa? as it has its own mail gateways.

Would you kindly publish your findings as it sounds like I am going to have to do the same.

Also did you just try and install both the root cert and the intermediate that zentyal supplied as I don't know but I guess it could work.

I usually set up Zentyal as house.domain.lan and then have a virtual domain domain.org, so sorry about misleading you if you're using the default website.
Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: christian on November 10, 2013, 07:56:19 am
Quote
This certificate cannot be verified up to a trusted certificate authority.

I can't see any error in what you describe  :-[

This is a warning message stating that you have trusted this certificate but the CA that generated it is still unknown, which is true BTW until you decide to import the one from Zentyal into your trusted CA list.
However, such a warning message should not prevent you from using the trusted certificate.

So this is not clear to me if you are facing any error message or if you are only afraid that it may not work due to this warning message.

If you search this forum, you should find similar topic as I've commented it already a couple of times.

If the assumption and principle supported by Zentyal is that Zentyal works with its own certificate authority, what is for sure missing in the interface is the capability for either admins or even end-users to import both CA and certificates so that applications are aware of it and do not warn users about an unknown CA. This is basic certificate management within organizations dealing with internal servers and clients ::)

Of course, request for being able to import external certificates has been expressed multiple times in features request section. That's another story not linked with the problem you face and this is, to me, not mandatory except for services that are exposed outside.

Look at attached screen copy: I'm using Zentyal issued certificates and don't face any error or even warning message  ;)
Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: rcarney on November 10, 2013, 06:33:01 pm
It looks to me your certificates are for a domain name hosted on your Zentyal server.  Is your server behind a NAT and can you connect outlook and mobile devices to your server?

My domain name records are not hosted on my Zentyal server but are hosted externally on Godaddy.   The A records and MX record point to my NAT ip address which port forwards to the Zentyal server.

My problem is that I cannot connect remote outlook clients and mobile devices to the Zentyal server.  I am guessing I must have a root certificate to enable this, but Zentyal does not create one. Just an intermediate certificate which I believe cannot be validated outside the NAT.

Does this make any sense?  If not, how do I configure Zentyal to enable remote (external NAT) outlook and mobile access?

Thanks again!
Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: christian on November 10, 2013, 06:57:15 pm
Quote
Does this make any sense?  If not, how do I configure Zentyal to enable remote (external NAT) outlook and mobile access?

Not to me at least  :-\
I might be wrong but I'm afraid you mix up some different concepts.
Certificates are linked neither to IP address nor to NAT.
Reaching your mail server is a matter of MX when it comes to receiving mail, then of A or CNAME records when clients need to access the POP, IMAP, MAPI or web server.

If you can't connect, then, sorry if my sentence looks stupid, but you have connectivity issue  ::)
If you can connect but face error message due to certificate, this is another issue but so far you don't show any certificate related error.

Perhaps all of this is only a matter of wording and glossary, but without aligning this, we can't understand each other  ;)

Like many here, I host my own mail server that I do not access using Outlook but I don't think this detail matters  ;D
MX, A and CNAME records are managed on DNS hosted by my registrar (meaning on internet)

What I suggest is that you drop, at least for the time being, this point about certificates.
Focus on connectivity and once clients are able to reach server on the right port, we can look at certificates  8)
Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: rcarney on November 10, 2013, 07:49:10 pm
I am sorry for my communication skills, let me try a little better.  All I am saying is that my Zentyal server sits behind a NAT and my clients are external to the NAT. I can connect just fine and run webapp and webaccess, but with certificate errors.  (It is this same error that prevents the Outlook client from connecting.) The Outlook client requires no errors with respect to certificates.  You cannot ignore it like you can do with a browser.

I also have to disagree with you a bit.  I am very familiar with certificate use on Exchange 2007 & CommuniGate Pro and connecting remote Outlook clients and mobile devices.  These clients require certificates that do not create certificate errors. (It is a Microsoft thing!)

Attached is a working root certificate from both CommuniGate Pro and Exchange 2007, called "good cert.jpg".  This certificate was imported into my browser (which also sets it up for Outlook).  I am also including the Zentyal intermediate cert, called bad cert.  The PROBLEM is that the self cert must have the issued to: and issued by: names exactly the same.  This makes it a ROOT CA.  If they are not, it is an intermediate CA, which requires the client to locate the root CA to validate, and they can't because the server sits behind a NAT.  If you check the Zentyal (Bad Cert.jpg) intermediate cert with SSL Checker you get the not trusted error because it can't find the root CA either!  When using SSL Checker the good cert has no errors.  See attached certs...

Here is what I think the problem is and the fix:  Because Zentyal sits behind a NAT, clients cannot verify the root certificate authority on the intermediate cert.  Therefore we need Zentyal to create a root certificate like the good one I showed you.  If so all will be fine.  Other servers do this.
Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: rcarney on November 10, 2013, 07:59:05 pm
As a follow up.  Here is what I would like to do in order to validate my theory.  I want to create a ROOT CA (issued by and issued to being the same and equal to the FQDN).  Then install this in Zentyal; I have no idea how and where to install it for Zentyal, although it should not be hard.  Then connect with a browser and see if it works.

Could you let me know how to do this and install it?  I will actually do it and post the results.
Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: christian on November 10, 2013, 09:01:57 pm
Indeed we do not share same understanding  ;)
I've no doubt that, if you are very familiar with certificates, you are right with your analysis.

With my own Zentyal platform, I don't have any self-signed certificates but certificates that are signed by certificate authority that is generated on Zentyal server. Of course this is a "private" CA if I can say so, meaning not issued by organization that is already registered in default list of trusted CA on main browsers. What I suggested was to add this CA to this list as I do here  ::)

One point that may have an impact on your capability to access your web server is, and from this standpoint I do share your analysis, the potential need for the certificate to match the FQDN. I can't really comment on it as I'm not an Outlook user, but keep in mind that Zentyal permits you to set subject alternative names, the purpose being to use the same certificate with multiple (different) services.

That said, I can't help further. Sorry.
For what I understand, you can have only one CA on Zentyal...
Perhaps some more advanced users or members using Outlook can comment and help further.
Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: BrettonWoods on November 10, 2013, 11:34:40 pm
Any certificate that isn't issued from a known authority is self signed.

Or anyone could publish bogus certs. Usually with certs such as Thawte or VeriSign there is also liability insurance. Also there is a vetting process.

The CA authority on Zentyal is just a self signed cert store. And could be used to decrypt SSL.

It's what the NSA do and they just have the public keys.

So it's exactly the same christian. I am the same though, as they should be imported into the trusted certs and work.

I have to do this on my server but lazy sundays.

Also Christian is correct as you should be able to connect but the self signed certs will just provide nags.

Packet Filter > External networks to Zentyal have you enabled groupware and web?

Also just looking at the default services http and https are defined but also webserver is defined with the same ports.
What happens to IPtables when you add a port twice? (Just something I noticed)

Apols I skipped a few messages.

Could you use the root cert and change the service cert apache and mail are using?

+1 as you are probably right as I am not very up on certificates and they are a pretty good way of authentication as well.

It's one of the current Zentyal features that I would like to offer more.

SSH passwordless connections for server to server connections is one.

Also I don't really understand the implications but if you have a look at the apache logs apache is always complaining about the certs not matching the server name.

I created a feature request http://forum.zentyal.org/index.php/topic,18733.msg73085.html#msg73085

If you would add to it maybe someone who knows more than I do can help and also provide more on certificate services.

I might have falsely presumed this had some bearing on the errors.

I picked a M$ server solution as we are talking M$ clients.
http://en.help.mailstore.com/Deploying_a_Self-signed_SSL_Certificate
http://www.poweradmin.com/help/sslhints/ie.aspx

I always create a custom server name on the smtp server which straight away causes a certificate problem.
Some mail servers check the RDNS records and your mail server domain name or identify you as spam.

I actually run two virtual mail domains and two virtual domains.

I leave the default .lan domain of install I created for internal intranet applications.

The current certificate store doesn't seem to take this into account so hence the feature request.

[Apache error]
Quote
Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)

http://en.wikipedia.org/wiki/Server_Name_Indication

PS
I know webmin again but if you browse all the ssl domains are using the same cert, attached image.

[Strange]
I am setting up a new server saturday I added the websites and spent sometime with imapcopy to drag the mail from the old server.
Great tool imapcopy top tip.
Zarafa doesn't come with a brick level backup and restore but you can just restore the whole zarafa database on another server and then imapcopy the individual mailbox back.

Anyway because of this conversation I thought its about time to check my external ports which are default and all closed.
Thing is and it never twigged at the time but I have been receiving mail.
I have now opened the external ports but I am still trying to work out how I managed to get those emails?

[Addition]
I did an SMTP check and received "SMTP Reverse DNS Mismatch   Warning - Reverse DNS does not match SMTP Banner".
This is because my hostname doesn't match the registered mx record.
I always thought the mx record should be mail.registereddnsdomain

This is why I say shouldn't you be able to store a hostname for each virtual name.

Or can you simply put the mail server FQDN even though that has no registered DNS?

Quote
Edit the file /etc/postfix/master.cf and change the line below from
smtp inet n - n - - smtpd
to this
localhost:smtp  inet n - n - - smtpd
ipaddress1:smtp inet n - n - - smtpd
ipaddress2:smtp inet n - n - - smtpd -o myhostname=hostname2
.
.
.
ipaddressn:smtp inet n - n - - smtpd -o myhostname=hostnamen

I do have five static IP addresses and have set up four vnets to correspond.
Is this the only way to do this?
Guess so as multiple rDNS is supposedly not a good idea

I can't find anything but I am presuming so.
PS http://mxtoolbox.com/ great for checking if everything is set correctly.

Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: christian on November 11, 2013, 05:09:02 am
I'm sorry guys, you are too much in advance compared to my own understanding about certificates, or at least we are definitely on different parallel tracks.

In my own understanding, self signed certificate is certificate that is signed by... itself  ::) no more than this. Self-signed is self-explanatory  ::)
But, like for LDAP, I've perhaps learnt old stuff that is no more valid or at least wording has changed.

Anyway, you can still go with external (paid) certificates, not managed in Zentyal but manually installed for each service. There is a couple of topic discussing this plus howto in Zentyal forum.
Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: BrettonWoods on November 11, 2013, 05:31:45 am
I think we are on the same lines christian I meant that we are not talking about certificates issued from a certificate authority.

As far as I am aware the Zentyal Certificate authority is that in name and there is no means of validating these.

Stop being so picky :) Join in as I am sure you would be of assistance.

Self signed as in https://help.ubuntu.com/12.04/serverguide/certificates-and-security.html

If you make a self signed certificate yourself like Zentyal does, it's not like a purchased certificate.

Also the certificates zentyal provides cause problems as they don't match the virtual names that you have defined.

Just try and see.

TLS server name indication support (RFC 4366)
Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: rcarney on November 11, 2013, 08:55:32 pm
Ok, I figured out how to stop the browser certificate errors, after much research.  In order to stop the error messages you need to install the Zentyal Certificate Authority in the client's trusted root certificate store.  The file can be found at /var/lib/zentyal/CA/cacert.pem.

I used openssl to convert it to a .crt file which can be installed by Internet Explorer.  IE does not know about .pem files.

openssl x509 -inform PEM -in "cacert.pem" -text > cacert.crt

Then move this certificate to your Windows client computer and install it in the trusted root certificate folder.  You should be able to just double click on it and an install program is launched.

Hope this helps.  Solved.
Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: BrettonWoods on November 11, 2013, 09:33:00 pm
Many thanks, haven't tried yet. I use Chrome, for which you have to use IE to accept the certs, so this is of much use to me.
Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: christian on November 12, 2013, 04:04:54 am
Quote
Ok, I figured out how to stop the browser certificate errors, after much research.  In order to stop the error messages you need to install the Zentyal Certificate Authority in the client's trusted root certificate store.  The file can be found at /var/lib/zentyal/CA/cacert.pem.

I'm glad you discovered this.  ::)
Well... I tried to tell you already...
Quote
This is a warning message stating that you have trusted this certificate but CA having generated it is still unknown, which is true BTW until you decide to import in your trusted CA list the one from Zentyal.
but I suppose I was not clear enough.  :-X

FYI, you can download this CA file from Zentyal GUI too.

If problem is now solved, please modify first post title to stamp it as [SOLVED]
Title: [Solved] Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: rcarney on November 12, 2013, 04:13:37 pm
I tried downloading from GUI, but it doesn't work.
Title: Re: [Solved] configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: BrettonWoods on November 12, 2013, 07:51:32 pm
Also if you're like me and create your default LAN to be an intranet with mydomain.lan,

then have your external internet site on a mydomain.com or similar,

or have multiple virtual and mail domains, the certificate authority isn't much use.

I have had a look at the certificates and the alt names are there but apache still complains.
Title: Re: [Solved] configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: rcarney on November 14, 2013, 09:42:03 pm
I have figured it out.  You need to download the Certificate Authority (CA), which is the first thing you create after a clean install.  Anything else you create after that will be an intermediate certificate which requires a certificate authority to validate.  Unfortunately your IE browser does not have access to it on the server.  Therefore you must install the CA, locally, in your IE client's trusted root certificate store. 

The problem is that Internet Explorer does not understand the .pem certificate files, like Linux.  So you need to convert the CA into a .cer or .crt file, which is easy but not painless.  Here is how you do it.

1. Log on to the Zentyal management console, from your Zentyal server, and go to certificates>general
2. Download the CA to a directory on the server, it's the first entry in the certificate list, by clicking the download button.
3. Store it in your server's home directory somewhere.
4. run the command from the command line:   openssl x509 -inform PEM -in ca-cert.pem -text -out ca-cert.crt
5. Copy ca-cert.crt to a USB drive (or use file sharing) and port it to your client computer that's running Internet Explorer.
6. On windows, double click the file ca-cert.crt and click install
7. Manually select the installation directory option
8. browse to "Trusted Root Certificate Authority"
9. Click install, then click yes on the pop up window.
10. Done, no more internet error messages if your intermediate certificate is correct.

The root CA you installed will authenticate all of your intermediate certificates.  Just make sure your intermediate certificate's common name matches your web address.  For example cn=mydomain.com and the web address https://mydomain.com are the same.  The installed CA also works for https://mydomain.com/webapp or webaccess.

It would be nice if someone at Zentyal would write  a download script to give us the CA as a .crt file.  so we do not need to do it manually.  Anyone browsing from Internet explorer will have this issue. I have not tested with other browsers yet, but suspect it will work.

Please try this process and let me know if it works for you...



Title: Re: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed
Post by: christian on November 15, 2013, 12:12:50 am
Just to clarify some wording in order to avoid confusion:
- there is no such thing as "intermediate certificate". Well, technically, X509 permits to sign CSR or generate certificate using another certificate as signing authority and CA is also, itself, certificate but in standard PKI, the only intermediate component is not certificate (as to be used by server) but certificate authority.

This idea is that you can have hierarchical organization of  your certificates using branches made of various levels of intermediate certification authorities, which is very useful when you want to establish cross-certification without doing this at root level.

Aside from that, what is used at server level is not an intermediate but a leaf certificate.
Title: Re: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed
Post by: rcarney on November 15, 2013, 05:42:06 am
I guess we need to agree to disagree.  Do a web search on the definition of intermediate vs root certificate authority.....  I explained the difference earlier in the post.  This is where I am coming from.

The good news is that it solves the problem...
Title: Re: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed
Post by: christian on November 15, 2013, 07:13:46 am
Quote
I guess we need to agree to disagree.

Perhaps and, after all, it doesn't really matter. Goal is that it works for you.
My initial point was not to get an agreement but to clear up some potential misconception  ;)

Quote
Do a web search on the definition of intermediate vs root certificate authority.....  I explained the difference earlier in the post.  This is where I am coming from.

I'm afraid you will have to explain again because I still don't understand this. The keyword here is not certificate but authority.
I don't need Google to understand (well to think I understand) certificates as I'm an old X509 and OpenSSL user  8)

Let me try to explain again with more technical detail. In the meantime, feel free to provide me with URL explaining difference between  "leaf certificate" and intermediate "certificate authority".
BTW I think (hope) you already understand the difference now as your last post says:
Quote
Do a web search on the definition of intermediate vs root certificate authority
meaning this is clear to you that intermediate should only apply to authorities, while the previous post said:
Quote
Anything else you create after that will be an intermediate certificate which requires a certificate authority to validate
which is to me, if not wrong, at least the misleading statement.

Although everything is feasible especially if you don't follow X509v3, the technical difference between "basic" certificate and "certificate authority" is the fact that authority embeds "basicConstraints=CA:TRUE" showing that such certificate is granted for CSR signature and certificate signing while, on the other hand, leaf certificates (that are therefore not "intermediates"  ;) ) inherit from constraints like "extended key usage" to specify what can (should) be done with this certificate.

Like LDAP, X509 inherits from X500 naming convention, thus let me take this analogy that may help to understand.
In LDAP, there is technically no difference between branches and entries attached to this branch. Does it mean that you would happily add a password attribute to ou=users,dc=whatever in order to permit someone or an application to authenticate with this entry? I don't think so...  ::)  this LDAP entry is a branch to which leaf entries are attached.
X509 works more or less the same way, at least until they issued X509v3 because this "certificate usage" concept was misunderstood and misused.

So back to our initial point:
- what is intermediate is the authority, not the leaf certificate. This looks obvious to me when expressed this way  ::)
If this is clear to you too and if you agree, then we are on the same track. If not, you're welcome to provide any URL explaining the opposite  ;D and, as you rightly say, we can just agree to disagree

Quote
The good news is that it solves the problem...

Sure, anything else doesn't really matter  ;)
Title: Re: configure Zentyal 3.2 behind Nat with external godaddy domain
Post by: Escorpiom on November 16, 2013, 04:08:32 am
Ok, I figured out how to stop the browser certificate errors, after much research.  In order to stop the error messages you need to install the Zentyal Certificate Authority in the client's trusted root certificate cache.  The file can be found at /var/lib/zentyal/CA/cacert.pem.

I used openssl to convert it to a .crt file which can be installed by internet explorer.  IE does not know about .pem files.

openssl x509 -inform PEM -in "cacert.pem" -text > cacert.crt

Then move this certificate to your windows client computer and install it in the trusted root certificate folder.  You should be able to just double click on it and an install program is launched.

Hope this helps.  Solved.

Still getting the certificate errors using Zentyal 2.2.9, converted the cacert.pem and put it in the root store.
Also activated the Zentyal admin interface and webserver certificates, no show.
Browser still complains...

Edit: Error says "mismatched address".

Cheers.
Title: Re: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed
Post by: BrettonWoods on November 16, 2013, 05:45:38 am
What does your apache log say?
Title: Re: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed
Post by: Escorpiom on November 16, 2013, 06:17:59 am
What does your apache log say?

Nothing. That is, either SSL traffic is not being logged or I'm looking at the wrong log file...Seems only localhost and public ip's are present in the file but no access from LAN.

Cheers.
Title: Re: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed
Post by: BrettonWoods on November 16, 2013, 07:03:11 am
I have never noticed that and I wonder why.

My external domain is different to my internal domain.

For virtual hosts apache applies a virtual server host name of the virtual domain name.
The certs on apache restart always provide a warning that the cert server name doesn't match the server name.

I know the TLS server name indication support on virtual domains has a mismatch with the certs provided.

You need a specific cert for each ssl virtual domain and without even going to what the error or fix might be they all just point to one.

I don't know why apache isn't logging the local lan :)

PS my comments about moderators have been limited to my scope, which is the international (english) forum. I am not really sure what happens in the other language forums.
It's just a generalisation and it isn't all.
Title: Re: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed
Post by: BrettonWoods on November 16, 2013, 08:03:44 am
Bit of a bump but if you are using windows use certmgr.msc not the options in IE.

I have no idea why, but when I import a trusted root cert in IE it doesn't show; use certmgr.msc, it works and you can delete certs.

To be honest I am confused at what is going on. Firstly, in the Zentyal CA I have several certificate authority certificates.
What and where the service certificates go I am unsure.

In apache I expect something like this

SSLEngine On
     SSLCertificateFile /etc/apache2/ssl/apache.pem
     SSLCertificateKeyFile /etc/apache2/ssl/apache.key

I get
SSLEngine on
        SSLCertificateFile    /etc/apache2/ssl/ssl.pem

where is the key file?

I hate certs; they confuse the hell out of me.

Really good cert blog here.
http://lowtek.ca/roo/2012/ubuntu-apache2-trusted-ssl-certificate-from-startssl/

More at my level :)

self signed
https://www.digitalocean.com/community/articles/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-apache-on-ubuntu-12-04

cert authority
http://codeghar.wordpress.com/2008/03/17/create-a-certificate-authority-and-certificates-with-openssl/
Title: Re: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed
Post by: rcarney on November 18, 2013, 07:48:57 pm

Escorpiom, I have only tested Zentyal 3.2.  It may work in other versions, but I have not tested it as I am pretty new to Zentyal.

But here goes, the Authority you need to import into your IE browser is the Certification Certificate Authority; and, in Zentyal 3.2 it is highlighted in orange. (Don't know about other versions.) Use the process I mentioned above to import this one into IE.  This CA is a root CA. You can see that it is a Root CA when you install.  Look at the issued to: and issued by: fields.  They both should say "Certification Certificate Authority" without the quotes.  The other certs created are Intermediate Certificate Authorities (IMA) and you do not need to import them.  Although the common name on the IMA must match your FQDN. Then you must use https://FQDN to log into your server, otherwise you will get an error even if you use the server's ip address, for example.  The IMA issued by: field should be Certification Certificate Authority.  The issued to: field should be your FQDN.

The way it should work is that when your browser sees the IMA, it will look for a Root CA in its trusted root folder.  It will look for the Certification Certificate Authority (just a name Zentyal gives it) and use this root CA to validate the IMA.  This way you can have many IMAs and only need to import the one Root CA that will qualify all the IMAs.

Hopefully this makes sense... :)
Title: Re: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed
Post by: rcarney on November 18, 2013, 07:53:35 pm
I should also add that IE and Firefox are totally different. IE stores the CA in the windows operating system and Firefox stores it in Firefox's local cache, independent of the OS. So not all browsers act the same....
Title: Re: [Solved] Zentyal 3.2 Internet Explorer Browser Certificate Errors Fixed
Post by: christian on November 18, 2013, 08:59:00 pm
And this is even different from this  ;D
Sure, IE and Firefox use different mechanisms to store trusted CA and certificates (although OS vs. cache looks... strange) but you may also notice that certificates are used elsewhere (e.g. in java based applications) and this may also require trusting and storing public keys elsewhere, one more time  ;)