Certificate Problem (No certificate works without error in Firefox)
  •  
nausica

Messages: 26
Karma: -1
Hello to the forum,

I have tested a couple of certificates from different providers. None of them works and from Thawte to RapidSSL all the tech support are just unable to understand what is going on.

Firstly it seems to me a lot of people outside of certificate providers ignore there are now two intermediate certificates plus a CA.

I have installed Thawte and RapidSSL on KWS, and all the time the checker says no intermediate certificates found. If you look at the certificate in KWS, I can see in Show Details the CA certificate, followed by the two intermediate certificates...

I have tried to change the order of the two intermediate certificates, I have tried to put one intermediate certificate, I have spent hours with tech support who sent me to Kerio support, I have spent quite some time with Kerio support, I am on the support with little clues and hopes...

I don't understand why the structure of SSL is not the same as in Kerio Mailserver; everyone seems to miss the sslca folder in KWS... Me first.

Thanks for your help.
  •  
nausica

Messages: 26
Karma: -1
I did another experiment with GoDaddy, with the same result...

I am amazed, because more than 300 people have read my message and no one has answered. That means either everyone uses a self certificate or has no problem with certificates, and in that case I would be super happy to know which certificate provider they used and how they managed to get it to work.

The support is as silent as the forum, I feel farther and farther from KWS...
  •  
BudDurland

Messages: 348

Karma: 10
We're using a self-signed certificate; import it once into Firefox and all is OK. I also set the certificate to push down to the Windows boxes via group policy, which is working just fine with IE and Chrome.

Good is better than evil because it's nicer
--Mammy Yokum
  •  
nausica

Messages: 26
Karma: -1
Thanks Bud, but this is good if you work on a LAN with people from the same organization... I don't use KWS this way but with thousands of people coming from everywhere, and I am not going to ask them to download the self-signed certificate... I don't even know those people...
  •  
Jarda Snajdr (Kerio)

Messages: 221
Karma: 12
Hello Nausica,

you need to install the intermediate certificates manually using the following steps:

1. Get the file with intermediate certificates from your CA and put them into file:

C:\Program Files\Kerio\Workspace\sslca\intermediates.crt (you need to create the sslca directory)

2. Edit the ...\Kerio\Workspace\Tomcat\conf\server.xml file in a text editor. At two places, there are lines:

SSLCertificateFile="${com.kerio.workspace.home}/sslcert/active.crt"
SSLCertificateKeyFile="${com.kerio.workspace.home}/sslcert/active.key"

Add a new line with the path to the intermediate certificates after them:

SSLCertificateFile="${com.kerio.workspace.home}/sslcert/active.crt"
SSLCertificateKeyFile="${com.kerio.workspace.home}/sslcert/active.key"
+ SSLCertificateChainFile="${com.kerio.workspace.home}/sslca/intermediates.crt"

3. Restart the Workspace service.

From now on, the server will be sending the complete certificate chain to the connecting clients.

All intermediate certificates must be concatenated inside one file.

This is the Apache way of doing things, slightly different from how Connect is configured.

Jarda
  •  
nausica

Messages: 26
Karma: -1
Everything is working just fine with your workaround.

Thank you very much Jarda.
  •  
renefn

Messages: 158
Karma: 0
I did the exact same thing about a month ago after researching the problem. I also created a support ticket and this was their response:

Quote:
You can edit your server certificate and copy/paste over the intermediate certificate at the end of the main certificate within a text editor. This will allow you to have your intermediate and main cert as one.

Please be careful when pasting in though, for a guide please look at this section of the Kerio Connect manual as this is the same procedure -

http://manuals.kerio.com/connect/adminguide/en/sect-kmscert.html


Regards,
Rene Frej Nielsen
  •  
nausica

Messages: 26
Karma: -1
Yes but this is not working, this was for connect and this is what I used for many years now in Connect but this was not working in KWS. The workaround given by Jarda works like a charm.
  •  
renefn

Messages: 158
Karma: 0
Yes... Jarda's workaround is working fine for me, but I'm wondering what will happen when the next update is out?

Regards,
Rene Frej Nielsen
  •  
ThorstenV

Messages: 20
Karma: 2
Is this also the workaround for Kerio Workspace 2.0.1 ??
  •  
ThorstenV

Messages: 20
Karma: 2
@Jarda Snajdr

...it is not working for me with certificates from RapidSSL CA :(

This is my server.xml from KWS 2.0.1 b505, System is Kerio's VMware OVF:

<?xml version='1.0' encoding='utf-8'?>
<Server port="4064" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<Listener className="org.apache.catalina.core.JasperListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

<Service name="Catalina">
<Connector port="4060" protocol="HTTP/1.1" scheme="https" secure="true" pollerSize="1024"
SSLEnabled="true"
SSLCertificateFile="${com.kerio.workspace.home}/sslcert/active.crt"
SSLCertificateChainFile="${com.kerio.workspace.sslchainfile}"
SSLCertificateKeyFile="${com.kerio.workspace.home}/sslcert/active.key"
SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
URIEncoding="utf-8"
compression="on"
compressableMimeType="text/html,text/css,application/javascript,application/json-rpc"/>
<Connector port="${com.kerio.workspace.http.port}" protocol="HTTP/1.1" pollerSize="1024"
redirectPort="${com.kerio.workspace.https.port}"
URIEncoding="utf-8"
compression="on"
compressableMimeType="text/html,text/css,application/javascript,application/json-rpc"/>
<Connector port="${com.kerio.workspace.https.port}" protocol="HTTP/1.1" scheme="https" secure="true" pollerSize="1024"
SSLEnabled="true"
SSLCertificateFile="${com.kerio.workspace.home}/sslcert/active.crt"
SSLCertificateChainFile="${com.kerio.workspace.sslchainfile}"
SSLCertificateKeyFile="${com.kerio.workspace.home}/sslcert/active.key"
SSLCertificateChainFile="${com.kerio.workspace.home}/sslca/intermediates.crt"
SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
URIEncoding="utf-8"
compression="on"
compressableMimeType="text/html,text/css,application/javascript,application/json-rpc"/>

<Engine name="Catalina" defaultHost="localhost">
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"/>
</Engine>
</Service>
</Server>


Can you please help me !? Thorsten
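
Added example (not from the thread and not Kerio's code): a small Python audit of a Tomcat server.xml for the mistakes the manual workaround above invites, namely a TLS Connector left without SSLCertificateChainFile, a path with stray whitespace inside the quotes, a ${...} property that catalina.properties never defines, and a repeated attribute, which an XML parser rejects outright. The sample XML, its ports and the function name audit_connectors are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the configs in this thread (ports are sample values).
SAMPLE_XML = """<?xml version='1.0' encoding='utf-8'?>
<Server port="4064" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="4060" scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateFile="${com.kerio.workspace.home}/sslcert/active.crt"
               SSLCertificateChainFile="${com.kerio.workspace.sslchainfile}"
               SSLCertificateKeyFile="${com.kerio.workspace.home}/sslcert/active.key"/>
    <Connector port="80" redirectPort="443"/>
    <Connector port="443" scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateFile="${com.kerio.workspace.home}/sslcert/active.crt "
               SSLCertificateKeyFile="${com.kerio.workspace.home}/sslcert/active.key"/>
  </Service>
</Server>"""
# Constructed stand-in for the keys defined in catalina.properties.
SAMPLE_PROPS = {"com.kerio.workspace.home": "C:/Program Files (x86)/Kerio/Workspace/"}

def audit_connectors(xml_text, props):
    """Return (port, problem) tuples for every TLS Connector in a server.xml."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A repeated attribute (two SSLCertificateChainFile lines) ends up here.
        return [("-", "server.xml is not well-formed: %s" % exc)]
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        port = conn.get("port")
        if "SSLCertificateChainFile" not in conn.attrib:
            findings.append((port, "no SSLCertificateChainFile: intermediates not sent"))
        for name in ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile"):
            value = conn.get(name)
            if value is None:
                continue
            if value != value.strip():
                findings.append((port, name + " has leading/trailing whitespace"))
            for prop in re.findall(r"\$\{([^}]+)\}", value):
                if prop not in props:
                    findings.append((port, name + " uses undefined property " + prop))
    return findings

if __name__ == "__main__":
    for port, problem in audit_connectors(SAMPLE_XML, SAMPLE_PROPS):
        print("connector %s: %s" % (port, problem))
```
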
  •  
JustAsk

Messages: 20
Karma: 0
Hello, I am using Kerio 2.0.1 with a StartSSL certificate.

I used the http://kb.kerio.com/product/kerio-workspace/server-configuration-kerio-workspace/intermediate-certificates-in-kerio-workspace-787.html article and put the CA (https://www.startssl.com/certs/ca.pem) and the intermediate certificate (https://www.startssl.com/certs/sub.class1.server.ca.pem) of StartSSL into one .crt file and restarted Kerio.

But I still get the same error.
I only edited the Catalina.properties and not the server.xml.

I tested editing both the server.xml and the Catalina.properties but it also doesn't work.
Can anyone help?

No one has an answer?

[Updated on: Sat, 12 January 2013 17:00]

  •  
JustAsk

Messages: 20
Karma: 0
Can no one help? I've tried nearly everything but nothing worked.
  •  
mwaples

Messages: 2
Karma: 0
I am unable to get this to work in Workspace 2.1.0 build 1886 on Mac OS 10.6.8.

Jarda, can you confirm this workaround is still valid for 2.1.0?
  •  
JustAsk

Messages: 20
Karma: 0
Well, a bit late, but I finally managed to get this to work. Running the newest Kerio version:

Intermediate certificates into one file in /sslca/inter.crt

Server XML:

<?xml version='1.0' encoding='utf-8'?>
<Server port="4064" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<Listener className="org.apache.catalina.core.JasperListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

<Service name="Catalina">
<Connector address="xxxxxxxxxxx" port="4060" protocol="HTTP/1.1" scheme="https" secure="true" pollerSize="1024"
SSLEnabled="true"
SSLCertificateFile="${com.kerio.workspace.home}/sslcert/active.crt"
SSLCertificateChainFile="${com.kerio.workspace.home}/sslca/inter.crt"
SSLCertificateKeyFile="${com.kerio.workspace.home}/sslcert/active.key"
SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
URIEncoding="utf-8"
compression="on"
compressableMimeType="text/html,text/css,application/javascript,application/json-rpc"/>
<Connector address="xxxxxxxxxxxxx2" port="${com.kerio.workspace.http.port}" protocol="HTTP/1.1" pollerSize="1024"
redirectPort="${com.kerio.workspace.https.port}"
URIEncoding="utf-8"
compression="on"
compressableMimeType="text/html,text/css,application/javascript,application/json-rpc"/>
<Connector address="xxxxxxxxxxxxxxx" port="${com.kerio.workspace.https.port}" protocol="HTTP/1.1" scheme="https" secure="true" pollerSize="1024"
SSLEnabled="true"
SSLCertificateFile="${com.kerio.workspace.home}/sslcert/active.crt"
SSLCertificateChainFile="${com.kerio.workspace.home}/sslca/inter.crt"
SSLCertificateKeyFile="${com.kerio.workspace.home}/sslcert/active.key"
SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
URIEncoding="utf-8"
compression="on"
compressableMimeType="text/html,text/css,application/javascript,application/json-rpc"/>

<Engine name="Catalina" defaultHost="localhost">
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
</Host>
</Engine>
</Service>
</Server>

Catalina.properties:

package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.,sun.beans.
package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
common.loader=${catalina.home}/lib,${catalina.home}/lib/*.jar
server.loader=
shared.loader=
tomcat.util.buf.StringCache.byte.enabled=true

com.kerio.workspace.http.port=80
com.kerio.workspace.https.port=443
com.kerio.workspace.sslchainfile=${com.kerio.workspace.home}/sslca/inter.crt

# generated by installer
com.kerio.workspace.home=C:/Program Files (x86)/Kerio/Workspace/


This worked for me

[Updated on: Mon, 14 October 2013 20:34]
