Trusting self-signed certificates

Post by EnSn »

Hi,

I've been working on this issue for some time now and just can't seem to figure out where I'm going wrong. I'm trying to get Internet Explorer 8 to trust the certificate presented by Zimbra in the ZWC but no matter what I try, I just can't get a trusted connection. All my users are getting the warning page in IE8 and have to click on the 'continue to this page' link to get to the Zimbra login page. This page also appears sometimes when they're working within Zimbra -- e.g. opening PDF attachments -- and is interrupting to say the least.
I have tried importing the certificate into various places including the 'Trusted Root Certification Authorities' store as is recommended in various places and it makes no difference. I double-checked that the certificates were in fact imported into these stores using the Certificates MMC console. I've made sure that the domain for the zimbra host matches the certificate. The workstations are running XP SP3 with latest IE8, but I also had this problem on IE7 before upgrading.
Any help with this would be greatly appreciated. Thank you.

Post by EnSn »

Well, I finally made some progress. Of course, being relatively new to CAs, certificate trust chains, etc. I ended up wasting half my day figuring it out.
Most of the research I did pointed to importing the certificate presented to the browser when using the ZWC into the Trusted Root Certification Authorities store, which no matter how many dozens of ways I did it made no difference. I ended up going into /opt/zimbra/ssl/zimbra/ca and converting the PEM format ca.pem certificate into Windows-compatible DER format:
openssl x509 -inform PEM -in ca.pem -outform DER -out ca.cer
Then I imported this into the Trusted Root Certification Authorities store and finally I'm not getting the warnings from IE.
I did have one more question for anyone knowledgeable with certificates and domains/DNS. I'd like to use the server's host name as the URL instead of the FQDN (e.g. https://mail/ instead of https://mail.subdomain.domain.com/) to simplify things, but of course the browser then complains the URL doesn't match the certificate (issued to mail.subdomain.domain.com). Anyone know if this is possible without getting the warnings? I tried to create a certificate using just the hostname but it requires a proper domain name.

Post by 13445raj »

Just for future... you can just download the ca.pem, rename it to ca.crt and double-click on it in Windows, then install the cert. No need to convert.
Raj

Post by pup_seba »

Hi,
This solution is not working for me, do you happen to know what may be happening? I can see the self-signed certificate in the Trusted Root Certification Authorities store but the "There is a problem with this website's security certificate" is still showing.
I want to solve this problem mainly because the import migration wizard is having errors because of an SSL connection timeout and lately to avoid having this annoying issue every time I log into the web admin.
Any help will be most helpful!
Regards,

pup_seba

Post by pup_seba »

Hi!
Finally it did work! :) I was making a silly mistake. The certificate is valid for *.domain.local so if I try to connect to one of the Zimbra servers like zimbra1.domain.local using "zimbra1" it will warn me; if I use the FQDN for which the certificate is issued (here is why my mistake is silly :) ) there's no warning nor error whatsoever. So now I'm using "zimbra1.domain.local" to connect and everything works like a charm.
Thank you so much for your help!!!

pup_seba
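
The name mismatch described in the posts above (a short host name typed into the URL versus the FQDN or wildcard the certificate was issued for), as an added example that is not part of the original thread and is not Zimbra's or any browser's code: a simplified Python version of the name check a browser applies, using RFC 6125 style wildcard rules. The function names and sample names are constructed, and the last case assumes the issuing CA accepts a single-label name as an additional name on the certificate.

```python
"""Simplified certificate name matching (RFC 6125 style), added for illustration.
Not Zimbra's or any browser's code; all names below are constructed samples."""


def _labels(name):
    # DNS names are case-insensitive; a trailing dot marks an absolute name.
    return name.rstrip(".").lower().split(".")


def name_matches(cert_name, requested_host):
    """Return True if one certificate name covers the host typed into the URL."""
    cert, host = _labels(cert_name), _labels(requested_host)
    # The client compares the literal string from the URL. It never expands a
    # short name with the DNS search suffix, so the label counts must agree.
    if len(cert) != len(host):
        return False
    if cert[1:] != host[1:]:
        return False
    if cert[0] == "*":
        # A wildcard stands for exactly one non-empty left-most label.
        return host[0] != ""
    return cert[0] == host[0]


def host_trusted_name(cert_names, requested_host):
    """Return the first certificate name covering the host, or None."""
    for cert_name in cert_names:
        if name_matches(cert_name, requested_host):
            return cert_name
    return None


if __name__ == "__main__":
    # Constructed cases mirroring the two situations in the thread.
    cases = [
        (["mail.subdomain.domain.com"], "mail"),
        (["mail.subdomain.domain.com"], "mail.subdomain.domain.com"),
        (["*.domain.local"], "zimbra1"),
        (["*.domain.local"], "zimbra1.domain.local"),
        (["*.domain.local"], "a.b.domain.local"),
        # Assumption: the CA also lists the short name on the certificate.
        (["mail.subdomain.domain.com", "mail"], "mail"),
    ]
    for names, host in cases:
        print(host, "->", host_trusted_name(names, host) or "MISMATCH (warning)")
```

Trusting the CA certificate only settles who issued the server certificate; the name check above is separate and still fails for any URL host that the certificate does not list.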