
OD master, certificate 'trust' and FQDN

657 Views 6 Replies Latest reply: Aug 1, 2012 2:20 PM by kristin.
rueddldueddl
Mar 13, 2012 12:39 PM

Hi all,

I have been searching the discussions, but simply can't find the answer I am looking for.

I have a mac mini server set up and many things work, but I can't get my head around one thing and was hoping that someone could explain the fundamental piece of the puzzle to me that I appear to be missing.

So, what do I have (relevant pieces renamed for illustration purposes):

Lion Server is set up with hostname server.mydomain.com

DNS is set up with primary zone mydomain.com; A record, machine record, MX record, CNAME and several SRV records are all configured.

DNS also exists with an external DNS service.

Web Server is running using a wildcard SSL certificate for *.mydomain.com.

Mail, iCal and Calendar servers are also set up and running.

OD Master is set up at server.mydomain.com.

Several users have been created; Mail, iCal and Calendar servers work for all of them (below comes my question around this).

When the OD Master was created, it created its own certificate. So far so good. SSL was configured for LDAP to use the wildcard certificate.

Finally, this is where my question comes in; let's use the following example:

User A wants to configure his new email account on his home computer at home. He happens to have a Mac, opens Mail, goes into settings and wants to add the new mail account. For the incoming mail server he enters mydomain.com with user and password. Now he presses next.

This is where the OD authentication kicks in.

First he will get the message that the hostnames do not match, OD runs at server.mydomain.com and of course the OD certificate is for server.mydomain.com and not mydomain.com. DNS is set up for Mail for example with an alias of mydomain.com to server.mydomain.com.

-> Why does this not work for OD? How can I fix this, i.e. what am I missing in my understanding of how this flow works?

If as incoming mail server he enters server.mydomain.com, then of course the hostnames match and the message is not posted. I am told however (intelligently and correctly) that the certificate is not trusted. How should it be? It's the OD certificate that was created by Lion Server and not by a trusted authority (outside of my server).

-> I have a signed wildcard certificate for SSL, which does me no good in this case. One is SSL and the other OD, i.e. it's not like I could use the SSL certificate here.

Either I did something wrong to get to this or I am the only one wondering about this / being bothered by this. I could not find any discussion about this so far.

Is everyone just setting up the clients to 'trust' the certificate, so that it's in the client keychain and all is good or is there some other step that I am missing?

Many thanks in advance for any insight one of you can provide!

  • Brettermeier, Level 1 (25 points)
    Mar 13, 2012 12:51 PM (in response to rueddldueddl)

    Hi,

    You should get an official certificate for your email service. The OD certificate is not from an official certificate instance and therefore it can't be checked recursively against any of the official certificate instances. You can get an official certificate for free at www.startssl.com.

  • Brettermeier, Level 1 (25 points)
    Mar 13, 2012 2:20 PM (in response to rueddldueddl)

    Ok,

    Here is what I have done to get and install an official certificate.

    - At first create a new self-signed root certificate with your server app. The name of the certificate should be equal to your domain name. Don't use the FQDN of your server. -> use: yourdomain.com. Then generate a CSR from the certificate and store the generated key into a file. You need the CSR to register an official certificate.

    - Register yourself at your preferred certificate instance. That could be www.verisign.com, www.thawte.com or even www.startssl.com if you prefer a certificate for free. -> there you go: https://www.startssl.com/?app=11&action=true You should use the "express lane" to register and generate the certificate.

    I'm not sure about the exact procedure anymore, but don't let startssl.com generate the key for you.

    At this point startssl.com offers to upload/paste your CSR. Do that and finish the "express lane".

    Startssl.com will ask you for a sub domain; you could enter "www", which means that the certificate is valid for "yourdomain.com" and "www.yourdomain.com".

    - Go back to your Server.app and replace your self-signed root certificate with the one you got from startssl.com.

    Tell your mail service to use the new certificate and restart your mail server.

    Hope that helps
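An added example, not code from this thread or from Lion Server: a small Python model of the two checks a mail client makes, hostname matching in the RFC 6125 style and issuer trust, run over constructed certificates modelled on the original post (the OD certificate for server.mydomain.com, the wildcard for *.mydomain.com) and on the two-name certificate described in the reply above. The certificate names, the issuer strings and the `thread_scenarios` function are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Cert:
    """Constructed stand-in for an X.509 certificate: the DNS names it covers
    (subject CN plus subjectAltName dNSName entries) and who issued it."""
    names: list
    issuer: str


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: '*' may only stand in for one whole left-most
    label, so '*.mydomain.com' covers 'server.mydomain.com' but neither the
    apex 'mydomain.com' nor a deeper name such as 'a.b.mydomain.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check(cert: Cert, typed_hostname: str, trusted_issuers: set) -> str:
    """The two complaints in the order a client raises them: the name the user
    typed is compared with the certificate (a DNS CNAME alias does not change
    what was typed), then the issuer is looked up in the client's trust store."""
    if not any(name_matches(n, typed_hostname) for n in cert.names):
        return "hostname mismatch"
    if cert.issuer not in trusted_issuers:
        return "certificate not trusted"
    return "ok"


# Constructed certificates modelled on the thread; issuer names are made up
OD_CERT = Cert(names=["server.mydomain.com"], issuer="OD self-signed CA")
WILDCARD = Cert(names=["*.mydomain.com"], issuer="Example Public CA")
TWO_NAME = Cert(names=["yourdomain.com", "www.yourdomain.com"], issuer="Example Public CA")
SYSTEM_TRUST = {"Example Public CA"}  # what a stock client keychain trusts


def thread_scenarios() -> dict:
    """The poster's two attempts, the keychain workaround, and the reply's fix."""
    return {
        "od cert, typed mydomain.com": check(OD_CERT, "mydomain.com", SYSTEM_TRUST),
        "od cert, typed server.mydomain.com": check(OD_CERT, "server.mydomain.com", SYSTEM_TRUST),
        "od cert, trusted in keychain": check(OD_CERT, "server.mydomain.com", SYSTEM_TRUST | {"OD self-signed CA"}),
        "wildcard cert, typed mydomain.com": check(WILDCARD, "mydomain.com", SYSTEM_TRUST),
        "two-name cert, typed yourdomain.com": check(TWO_NAME, "yourdomain.com", SYSTEM_TRUST),
    }


if __name__ == "__main__":
    for label, result in thread_scenarios().items():
        print(f"{label}: {result}")
```

The wildcard row shows why the SSL certificate would not have helped for the name the user typed either: a *.mydomain.com certificate does not cover the apex mydomain.com.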

  • kristin., Level 2 (230 points)
    Aug 1, 2012 2:20 PM (in response to rueddldueddl)

    Did you ever figure this out?

    I'm looking at the same issue...
