SSL Cert requiring intermediate CA chain breaks 10.5.8 caldavd?
Mac OS X Server 10.5.8
I just upgraded from a self-signed cert to a cert from StartCom, which requires use of an intermediate certificate on the server. I imported it using Server Admin. It and the intermediate cert are present in the /Library/Keychains/System.keychain and in /etc/certificates. Mail (Both postfix and cyrus) are happy with it. Apache is happy with it.
caldavd, however, reports the following:
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [startup] Adding server at :8008+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [startup] Adding SSL server at :8443+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] Traceback (most recent call last):+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/bin/twistd", line 21, in <module>+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] run()+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/scripts/twistd.py", line 27, in run+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] app.run(runApp, ServerOptions)+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/application/app.py", line 379, in run+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] runApp(config)+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/scripts/twistd.py", line 23, in runApp+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] _SomeApplicationRunner(config).run()+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/application/app.py", line 157, in run+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] self.application = self.createOrGetApplication()+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/application/app.py", line 202, in createOrGetApplication+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] ser = plg.makeService(self.config.subOptions)+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twistedcaldav/tap.py", line 754, in makeService+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] service = serviceMethod(options)+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twistedcaldav/tap.py", line 727, in makeService_Slave+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] passwdCallback=_getSSLPassphrase+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twistedcaldav/tap.py", line 423, in _init_+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] sslmethod=sslmethod+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/internet/ssl.py", line 79, in _init_+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] self.cacheContext()+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twistedcaldav/tap.py", line 437, in cacheContext+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] ctx.use certificate_chainfile(self.certificateChainFile)+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] OpenSSL.SSL.Error: [('x509 certificate routines', 'X509 check_privatekey', 'key values mismatch')]+
But the key and the certificate do match, as confirmed by the other apps working fine and openssl x509/rsa -modulus.
/etc/caldavd/caldavd.plist contains:
<key>SSLAuthorityChain</key>
<string>/etc/certificates/osxserver.example.com.chcrt</string>
<key>SSLCertificate</key>
<string>/etc/certificates/osxserver.example.com.crt</string>
<key>SSLPort</key>
<integer>8443</integer>
<key>SSLPrivateKey</key>
<string>/etc/certificates/osxserver.example.com.key</string>
<key>ServerHostName</key>
<string>osxserver.example.com</string>
Using openssl I verified that those three files are, in fact, correct.
If I remove the filename from the SSLAuthorityChain attribute, the server starts normally but, naturally, connections fail unless I add the intermediate certificate to the local client's keychain.
Not sure where to go next. I haven't been able to check Server 10.6.1 yet.
I just upgraded from a self-signed cert to a cert from StartCom, which requires use of an intermediate certificate on the server. I imported it using Server Admin. It and the intermediate cert are present in the /Library/Keychains/System.keychain and in /etc/certificates. Mail (Both postfix and cyrus) are happy with it. Apache is happy with it.
caldavd, however, reports the following:
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [startup] Adding server at :8008+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [startup] Adding SSL server at :8443+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] Traceback (most recent call last):+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/bin/twistd", line 21, in <module>+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] run()+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/scripts/twistd.py", line 27, in run+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] app.run(runApp, ServerOptions)+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/application/app.py", line 379, in run+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] runApp(config)+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/scripts/twistd.py", line 23, in runApp+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] _SomeApplicationRunner(config).run()+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/application/app.py", line 157, in run+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] self.application = self.createOrGetApplication()+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/application/app.py", line 202, in createOrGetApplication+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] ser = plg.makeService(self.config.subOptions)+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twistedcaldav/tap.py", line 754, in makeService+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] service = serviceMethod(options)+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twistedcaldav/tap.py", line 727, in makeService_Slave+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] passwdCallback=_getSSLPassphrase+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twistedcaldav/tap.py", line 423, in _init_+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] sslmethod=sslmethod+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/internet/ssl.py", line 79, in _init_+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] self.cacheContext()+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twistedcaldav/tap.py", line 437, in cacheContext+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] ctx.use certificate_chainfile(self.certificateChainFile)+
+2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] OpenSSL.SSL.Error: [('x509 certificate routines', 'X509 check_privatekey', 'key values mismatch')]+
But the key and the certificate do match, as confirmed by the other apps working fine and openssl x509/rsa -modulus.
/etc/caldavd/caldavd.plist contains:
<key>SSLAuthorityChain</key>
<string>/etc/certificates/osxserver.example.com.chcrt</string>
<key>SSLCertificate</key>
<string>/etc/certificates/osxserver.example.com.crt</string>
<key>SSLPort</key>
<integer>8443</integer>
<key>SSLPrivateKey</key>
<string>/etc/certificates/osxserver.example.com.key</string>
<key>ServerHostName</key>
<string>osxserver.example.com</string>
Using openssl I verified that those three files are, in fact, correct.
If I remove the filename from the SSLAuthorityChain attribute, the server starts normally but, naturally, connections fail unless I add the intermediate certificate to the local client's keychain.
Not sure where to go next. I haven't been able to check Server 10.6.1 yet.
20" Intel iMac x 4, 17" G4 iMac upg to 1GB 160GB, 2.2GHz MacBook, Mac OS X (10.5.8)
