[Solved] Kerio Sync Connector can't verify server identity (always trust the certificate doesn't work)
  •  
muttel

Hi there,

We are running KMS 6.7.3 patch 1 on an OS/X SL server.
On the client I've installed the Sync connector for Mac.
I'm using a self signed certificate on the mailserver.

Whenever the sync connector tries to sync, a validate certificate message pops up (see attachment).
Although I've marked the 'always trust myserver.domain.int' checkbox, it always shows up again.
The server name in the sync settings login screen is identical to the name on the certificate.
I don't have any issues with Apple mail or any other program using that certificate.

I think I might have to add the sync program to some keychain entry. But I don't know which one that might be.
Could somebody please point me in the right direction?

[Updated on: Sun, 28 February 2010 12:30]


KMS 6.7.3 patch 1 7919 on OS/X Server (10.6.2)
  •  
fleecy

We have the same exact issue.
  •  
Pavel Dobry (Kerio)

Kerio Sync Connector for Mac uses the Mac OS X system framework for network communication. The framework does a reverse DNS lookup when validating certificates in SSL connections. Therefore, make sure that both the A and PTR DNS records for the server use the same hostname.
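Added example, not part of the original thread and not Kerio's code: a Python check of the A/PTR agreement described in the post above, resolving through the operating system's resolver by default. The function names and the `xserve.cocon.int` mismatch are assumptions made for illustration; `maud.cocon.int` and `192.168.1.21` are the values that appear elsewhere in this thread.

```python
import socket
import sys

def norm(name):
    """Lower-case and drop the trailing root dot: 'Maud.cocon.int.' -> 'maud.cocon.int'."""
    return name.rstrip(".").lower()

def system_forward(host):
    """IPv4 addresses for host via the operating system's resolver."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})

def system_reverse(ip):
    """Names the operating system's resolver returns for ip (PTR plus aliases)."""
    name, aliases, _addrs = socket.gethostbyaddr(ip)
    return [name, *aliases]

def check_a_ptr(host, forward=system_forward, reverse=system_reverse):
    """Return a list of problems; empty means each address of host points back to host."""
    try:
        ips = forward(host)
    except OSError as exc:
        return [f"{host}: A lookup failed ({exc})"]
    if not ips:
        return [f"{host}: no A record"]
    problems = []
    for ip in ips:
        try:
            names = sorted({norm(n) for n in reverse(ip)})
        except OSError as exc:
            problems.append(f"{ip}: PTR lookup failed ({exc})")
            continue
        if norm(host) not in names:
            problems.append(f"{ip}: PTR names {names}, expected {norm(host)}")
    return problems

if __name__ == "__main__":
    if len(sys.argv) > 1:
        issues = check_a_ptr(sys.argv[1])  # live check of the given hostname
    else:
        # Offline demo on constructed records: the PTR target is a made-up mismatch.
        a = {"maud.cocon.int": ["192.168.1.21"]}
        ptr = {"192.168.1.21": ["xserve.cocon.int."]}
        issues = check_a_ptr("maud.cocon.int",
                             lambda h: a.get(norm(h), []), lambda i: ptr.get(i, []))
    print("\n".join(issues) or "A and PTR records agree")
```

Run it on the client that shows the prompt, passing the server name exactly as entered in the sync settings, so the lookup takes the same resolver path as other applications on that Mac.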
  •  
muttel

I did verify that and it looks correct to me.
On the Xserve the DNS server only resolves the local server address (with A and PTR records). We also have a Win2008R2 AD server and that one needs to be the DNS master of the local net.
But both entries (on the Xserve & the Win server) look ok to me (see attached pics). And DNS resolution works well on my net (from both clients and servers).

What am I missing?

  • Attachment: DNS.pdf

KMS 6.7.3 patch 1 7919 on OS/X Server (10.6.2)
  •  
marook

Looks like your DNS is fine, IF the Mac in question uses one of those DNS servers..

Terminal:
dig maud.cocon.int

dig PTR 21.1.168.192.in-addr.arpa

Regards,

Jakob Peterhänsel
Consultant - Humac A/S

Apple Certified Support Professional (ACSP)
Apple Certified Technical Coordinator (ACTC)
AppleSeed/CQF member since 1998
Kerio Messaging Partner
  •  
giobbi

Do you use both NICs? Is this an internal problem or external, or both?
  •  
muttel

Hi,

DNS runs fine. nslookup tells me:
imac-rado:~ rado$ nslookup maud.cocon.int
Server:         192.168.1.112
Address:        192.168.1.112#53

Name:   maud.cocon.int
Address: 192.168.1.21

imac-rado:~ rado$ nslookup 192.168.1.21
Server:         192.168.1.112
Address:        192.168.1.112#53

21.1.168.192.in-addr.arpa       name = maud.cocon.int.

I don't use dig because man dig says:
Mac OS X NOTICE
The dig command does not use the host name and address resolution or the DNS query routing mechanisms used by other processes running on Mac OS X. The results of name or address queries printed by dig may differ from those found by other processes that use the Mac OS X native name and address resolution mechanisms. The results of DNS queries may also differ from queries that use the Mac OS X DNS routing library.


But - at last - I've found a solution. I've installed the sync connector on my Macbook as well and noticed that I did not run into that nagging popup screen. When I compared the keychains of both Macs, I saw that on the Macbook the server certificate was installed to the login AND the system keychain. On my iMac I could only see it in the login keychain.
So I (option) dragged it to the system keychain. After confirming that I really wanted to install that certificate system wide, it still did not show up in the system keychain... But the nagging screen was gone!
I wanted to make sure that that was the reason for the confirmation screen to disappear. So I've deleted the certificate from the login keychain and the system asked me if I also wanted to delete the certificate from the system keychain (that's how I remember it, maybe the text was a little different). So I assume that it somehow went into the system keychain although it didn't show up.
When I ran the sync connector the next time the confirmation screen popped up again and I set it to always trust the certificate. I did not drag it to the system keychain again. But the nagging screen is gone ever since.
Maybe it would have been enough to just delete the certificate from the login keychain and reinstall it through the sync confirmation screen. Maybe not. Maybe I did something else in between that I don't remember as relevant.
I'm happy that it's gone.

KMS 6.7.3 patch 1 7919 on OS/X Server (10.6.2)