"Certificates does not conform to algorithm constraints" after replacing to Microsoft CA signed certificate

Andrey
Posts: 4
Joined: Tue Dec 12, 2017 11:11 am

"Certificates does not conform to algorithm constraints" after replacing to Microsoft CA signed certificate

Post by Andrey »

Hello

Zimbra 8.6.0 Open Source is installed.
I had a self-signed certificate and it expired. I decided to use a new one from the intranet corporate CA (Microsoft) so as not to have to push the self-signed one out via GPO again.
I have successfully deployed the certificate and the root CA, and everything seems to work well (web interface via HTTPS in browsers, IMAP and SMTP with SSL), but I noticed that shared folders stopped working, and I see this error if I try to run zmprov:

Code:

ERROR: zclient.IO_ERROR (invoke java.security.cert.CertificateException: Certificates does not conform to algorithm constraints, server: localhost) (cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Certificates does not conform to algorithm constraints)
The server certificate has:

Code:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
All certificates in the chain also have `Signature Algorithm: sha256WithRSAEncryption`.

I commented out the jdk.certpath.disabledAlgorithms= line in /opt/zimbra/java/jre/lib/security/java.security, but with no luck.

The cipher is modern and one of the strongest, so what is causing this error?
Andrey
Posts: 4
Joined: Tue Dec 12, 2017 11:11 am

Re: "Certificates does not conform to algorithm constraints" after replacing to Microsoft CA signed certificate

Post by Andrey »

I enabled debugging and found the following:
the root CA and the intermediate CA have these lines:

Code:

Signature Algorithm: 1.2.840.113549.1.1.10, params unparsed, OID = 1.2.840.113549.1.1.10
That is RSASSA-PSS, and it looks like it is not supported in Java :(
Unfortunately I have to go back to the self-signed certificate or renew the root certificates with a different algorithm.
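Andrey found the offending OID by reading the debug output; the following Python is an added example (not from this thread or from Zimbra) that checks a PEM bundle for that OID before it is installed, using a small hand-written DER reader so it runs with the standard library only. The sample chain at the bottom is constructed and structurally minimal (placeholder tbsCertificate and signature), not real certificates.

```python
import base64, re

RSASSA_PSS_OID = "1.2.840.113549.1.1.10"   # the OID in Andrey's debug output

def _tlv(buf, off):
    """Decode one DER TLV at buf[off]: returns (tag, content, offset just past it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def _decode_oid(content):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER content (base-128 arcs)."""
    arcs, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def signature_algorithm_oid(der):
    """Outer signatureAlgorithm OID of Certificate ::= SEQUENCE { tbs, AlgorithmIdentifier, BIT STRING }."""
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, off = _tlv(cert, 0)                           # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, off)                      # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = _tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)

def pss_signed_certs(pem_text):
    """0-based positions of certificates in a PEM bundle whose signature algorithm is RSASSA-PSS."""
    blobs = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    ders = [base64.b64decode("".join(b.split())) for b in blobs]
    return [i for i, d in enumerate(ders) if signature_algorithm_oid(d) == RSASSA_PSS_OID]

# Constructed sample: structurally minimal "certificates" with placeholder tbsCertificate and signature.
def _der(tag, content):                                 # short-form length only; samples are < 128 bytes
    return bytes([tag, len(content)]) + content
def sample_pem(sig_oid_hex):
    alg_id = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x30, b""))  # OID + empty params
    body = _der(0x30, _der(0x30, _der(0x02, b"\x02")) + alg_id + _der(0x03, b"\x00" * 5))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(body).decode()

# Chain as Andrey described it: leaf sha256WithRSAEncryption (ends 0b), intermediate and root RSASSA-PSS (ends 0a).
SAMPLE_CHAIN = sample_pem("2a864886f70d01010b") + sample_pem("2a864886f70d01010a") * 2
```

Run pss_signed_certs() over the PEM bundle you intend to install; any position it returns is a certificate carrying the signature algorithm that Andrey's Zimbra JRE refused.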
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: "Certificates does not conform to algorithm constraints" after replacing to Microsoft CA signed certificate

Post by phoenix »

You could always use a LetsEncrypt certificate: viewtopic.php?f=15&t=60781
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
Andrey
Posts: 4
Joined: Tue Dec 12, 2017 11:11 am

Re: "Certificates does not conform to algorithm constraints" after replacing to Microsoft CA signed certificate

Post by Andrey »

phoenix wrote: You could always use a LetsEncrypt certificate
I already use it for external access (via an Apache proxy). Could I have subjectAltNames with an internal domain, like mail.domain.local, inside a LetsEncrypt certificate?
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: "Certificates does not conform to algorithm constraints" after replacing to Microsoft CA signed certificate

Post by phoenix »

Andrey wrote:
phoenix wrote: You could always use a LetsEncrypt certificate
I already use it for external access (via an Apache proxy). Could I have subjectAltNames with an internal domain, like mail.domain.local, inside a LetsEncrypt certificate?
Yes, I believe you can; it's mentioned in this blog post: https://scotthelme.co.uk/setting-up-le/
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
Andrey
Posts: 4
Joined: Tue Dec 12, 2017 11:11 am

Re: "Certificates does not conform to algorithm constraints" after replacing to Microsoft CA signed certificate

Post by Andrey »

phoenix wrote: Yes, I believe you can
I'm afraid not. The domain must be publicly resolvable:

Code:

An unexpected error occurred:
The request message was malformed :: Error creating new authz :: Name does not end in a public suffix
Anyway, I found out that the CA certificates had already been renewed with the correct signature algorithm some time ago. I have applied them and everything works OK now.
The problem is solved.