iCalServer wrong SSL certificate OS X 10.6.4

hello

after installation of the latest 10.6.4 server and client update I suffer from a big problem!

what I have done:
- installation of OS X 10.6.4 on client and server via SWupdate
- reboot and permission repairing on client and server
all looked well updates seemed to have passed without any problems.

I started iCal on the client and noticed my caldav account was missing. in ical settings accounts no account listed.
when I tried to newly add the account I received an error, that the certificate for SSL did not match the server name. a look at the cert showed the wrong one, 'dw.lan'. so I verified in server-admin that the correct one is chosen, and indeed in server-admin ical settings I choose
SSL - 8443 - 'server.dw.lan'.

reassigning the cert in ical server-admin, restarting the service, rebooting the mac mini server, nothing did the job. ical server seems to deliver the wrong cert, or ical client pulls the wrong one ... ???

as I am new to OS X server and did very well the last 10 days to setup my whole network, incl. DHCP - DNS - AFP - Addressbook - VPN - WEB ... everything just running fine and easy, it was so smooth ... and now this.

I haven't got a single clue where and how to continue debugging. what else did I do ... well actually nothing I can remember, other than updating client and server to 10.6.4

the worst thing is, that I run mobileme as well and it synced my calendars-accounts so on both clients the ical-account vanished. thanx god I have backups ... puhhh ... otherwise some calendars seemed to have vanished into nirvana?!

to visualize my settings I have uploaded some screenshots:
http://gallery.me.com/g.unger#100022

- 1st shows the certs, all are signed by selfsigned CA and worked properly on 10.6.3
- 2nd shows the correct cert chosen in server-admin ical settings
- 3rd shows the ical client when adding the account the wrong cert is offered, and of course the hostname does not match that's why it is marked insecure


any help would be highly appreciated ... thx a lot
g.

iMac 27" i5, first unibody MacBook 13", MacMini OSX Server, Mac OS X (10.6.3), actually 10.6.4 which isn't yet available in select ;)

Posted on Jun 15, 2010 6:36 PM


Jun 17, 2010 10:31 AM in response to Random Chaos

My hunch is that this problem is due to the change in 10.6 server as to how wikis and group calendars are created. I noticed when browsing around in Safari, looking at the entries for our individual users and groups that all the individual users and even groups have the same Directory GUID listed under the Directory Information section. The wiki calendars however do not. Also the principal uid for users is the same as the apple-generateduid in OpenDirectory.

In 10.6 when you create a new wiki it doesn't seem to create a group for the wiki in OpenDirectory. Looking at the page in Safari for the CalDAV wiki entry the Directory GUID is different than all the other user accounts. I'm not sure which directory the wiki information gets stored in, or how they come up with the uid.

Jun 17, 2010 10:46 AM in response to Mr Beardsley

I believe that you are exactly correct, Mr. Beardsley. I checked the principal details using Safari as you suggested, and found the discrepancy that you describe. It seems that the iOS clients work fine because they leave the alternate URL alone, while iCal 4 fails because it resolves to the principal URL.

Do you have any experience posting bug reports to Apple? Are they responsive at all?

One additional question: I seem to recall that with a 10.6.3 client, iCal also resolved to the principal URL, but it worked fine in that case. I no longer have a 10.6.3 client available. Could somebody check on this?

Jun 17, 2010 11:14 AM in response to Elliot Hui

I upgraded clients & server to 10.6.4 & had the problem on 2 clients. 1 client remained at 10.6.3: it worked fine. Another client at 10.5 worked fine.

From my POV it seems to be a client iCal issue. I've tried manually editing & locking Info.plist files, but iCal just creates a new calendar...

Apple: we need a fix NOW, my server users are screwed right now!

Jun 17, 2010 11:18 AM in response to Elliot Hui

I think iCal resolved principal URLs for individual user calendars, but left the wiki URLs alone until this latest update. I guess technically it is a good thing that iCal is now consistent in that it will resolve all URLs to the principal URL, but it does expose the bug in the way the server works.

I haven't submitted a radar in quite a while, but from what I remember and what I've read, the best course of action is to have as many people submit bugs, even if they are marked as duplicates.

Jun 17, 2010 12:29 PM in response to cyborgsam

cyborgsam wrote:
I upgraded clients & server to 10.6.4 & had the problem on 2 clients. 1 client remained at 10.6.3: it worked fine. Another client at 10.5 worked fine.

From my POV it seems to be a client iCal issue. I've tried manually editing & locking Info.plist files, but iCal just creates a new calendar...

Apple: we need a fix NOW, my server users are screwed right now!


In my mind it is the server that needs to be fixed to use the proper Principal URLs for group calendars. However, just reverting the behavior of the client to where it doesn't auto change the URL would be a sufficient workaround.

Jun 17, 2010 1:48 PM in response to _morgen__

~morgen wrote:
stooky: can you look at your server's /etc/caldavd/caldavd.plist file for "<key>SSLCertificate</key>" and see if the value on the following line matches the certificate you expect calendar server to be using?


looks correct, caldav has the server.dw.lan cert
but the clients get the dw.lan cert offered

<key>SSLAuthorityChain</key>
<string>/etc/certificates/server.dw.lan.CE17C8BEAF31E387687E6D6AC5A633DD83FE21E1.chain.pem</string>
<key>SSLCertificate</key>
<string>/etc/certificates/server.dw.lan.CE17C8BEAF31E387687E6D6AC5A633DD83FE21E1.cert.pem</string>
<key>SSLPort</key>
<integer>8443</integer>
<key>SSLPrivateKey</key>
<string>/etc/certificates/server.dw.lan.CE17C8BEAF31E387687E6D6AC5A633DD83FE21E1.key.pem</string>

Jun 18, 2010 10:09 AM in response to stooky

stooky - In Server Admin -> <server> -> iCal -> Settings -> Authentication, what is the SSL certificate set to: server.dw.lan, or dw.lan?

Based on your earlier response, it's probably set to server.dw.lan, since that is what the plist is implying. But you need to verify that there is no mismatch.

Update - In reading back through the thread, looks like you already did this.

Eric

Message was edited by: ericc56

Jun 18, 2010 10:18 AM in response to ericc56

sorry eric, the thread has merged into a group calendar blabla problem, which is actually not mine as I use just OD-users and their normal calendars, no group calendars.

ericc56 wrote:
stooky - In Server Admin -> <server> -> iCal -> Settings -> Authentication, what is the SSL certificate set to: server.dw.lan, or dw.lan?

Based on your earlier response, it's probably set to server.dw.lan, since that is what the plist is implying. But you need to verify that there is no mismatch.

Eric


my problem is documented in first post of the thread please see the images at:

http://gallery.me.com/g.unger#100022

*to sum it up:*

1st shows the certs, all are signed by selfsigned CA and worked properly on 10.6.3
2 certs are for SSL
'server.dw.lan' is used for SSL and Kerberos-KDC

2nd shows the correct cert chosen in server-admin ical settings

3rd shows the ical client when adding the account the wrong cert is offered, and of course the hostname does not match that's why it is marked insecure.

OSXServer -> etc/caldavd/caldavd.plist looks correct

<key>SSLAuthorityChain</key>
<string>/etc/certificates/server.dw.lan.CE17C8BEAF31E387687E6D6AC5A633DD83FE21E1.chain.pem</string>
<key>SSLCertificate</key>
<string>/etc/certificates/server.dw.lan.CE17C8BEAF31E387687E6D6AC5A633DD83FE21E1.cert.pem</string>
<key>SSLPort</key>
<integer>8443</integer>
<key>SSLPrivateKey</key>
<string>/etc/certificates/server.dw.lan.CE17C8BEAF31E387687E6D6AC5A633DD83FE21E1.key.pem</string>

solution atm. is to create the account in ical, and when the wrong cert is shown continue and in next step refuse to accept the cert in my keychain. then the account is created properly. and workz.

all clients have the CertAuthority installed in system keychain and therefore should accept and trust all 3 certs from first screenshot, without explicitly installing and trusting them in the users local keychain on clients. how can I verify, that the connection in ical is really established via SSL?
for web I use https:// and it workz without asking for cert.

once more this all worked fine 10.6.3
now all clients and server are 10.6.4
on clients there is only the issuing CertAuthority in keychain, the 3 certs aren't in there.

hope that explains my problem.
otherwise please bear with me and ask again, I am no English native ... surprise surprise ... italian living in germany.

rgds,
guido aka stooky

Jun 25, 2010 4:38 AM in response to stooky

Hello,
I replaced my ssl certificate and was able to make my iphone work with the calendar but still not able to make ical work. Anyone have any insight?

During the process I removed the calendar settings from ical, deleted the preferences and cache. Ical works on the user calendar, just not the wiki calendar.

Thanks in advance
Thom

Jul 14, 2010 10:01 AM in response to no1tmorrow

I'm not seeing this problem after an update to 10.6.4. But try the following:

1. Open a Terminal window, and enter:

openssl s_client -ssl3 -connect <host>:<port>

where 'host' and 'port' are the calendar server hostname and SSL port (default is 8843 for calendar), respectively.

Take note of the "subject".

2. In the Terminal window, enter:

openssl x509 -subject -in /etc/certificates/<X>.cert.pem

where '<X>.cert.pem' is the certificate.

Again, take note of the "subject".

The "subject" for Step #1 should match that of #2. If not, there is something wrong somewhere.

I'm by no means an expert on the topic, but these are troubleshooting tips that someone forwarded to me that I use. So while this might indicate a problem, I realize it doesn't help you resolve it.

Can you create new calendars, or delete, then recreate calendars for existing iCal accounts?

Eric
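
The comparison described in the post above, combined with the caldavd.plist lookup suggested earlier in the thread, written as a shell script. This is an added example and not part of any post: the function names are made up for it, it compares SHA-1 fingerprints in addition to printing the two subjects (a stricter check than the subject alone), and it leaves out the -ssl3 flag because many current OpenSSL builds are compiled without it.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the certificate served
# on the calendar SSL port is the one caldavd.plist points to.

# Print the <string> value on the line after <key>KEY</key> in a plist file.
plist_string() {   # usage: plist_string KEY FILE
    awk -v key="<key>$1</key>" '
        found { if (match($0, /<string>.*<\/string>/))
                    print substr($0, RSTART + 8, RLENGTH - 17)
                exit }
        index($0, key) { found = 1 }' "$2"
}

# SHA-1 fingerprint (hex with colons) of a PEM certificate on stdin.
pem_fingerprint() {
    openssl x509 -noout -fingerprint -sha1 | sed 's/^[^=]*=//'
}

# Leaf certificate, as PEM, that HOST:PORT presents during the handshake.
served_cert() {    # usage: served_cert HOST PORT
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | openssl x509
}

# Print MATCH or MISMATCH for two fingerprints; non-zero status on mismatch.
verdict() {
    if [ -n "$1" ] && [ "$1" = "$2" ]; then echo MATCH
    else echo MISMATCH; return 1; fi
}

check_caldav_cert() {   # usage: check_caldav_cert HOST PORT [PLIST]
    plist=${3:-/etc/caldavd/caldavd.plist}
    cert=$(plist_string SSLCertificate "$plist")
    [ -r "$cert" ] || { echo "cannot read configured cert: $cert" >&2; return 2; }
    served=$(served_cert "$1" "$2") || { echo "no certificate from $1:$2" >&2; return 2; }
    echo "configured: $(openssl x509 -noout -subject -in "$cert")"
    echo "served:     $(printf '%s\n' "$served" | openssl x509 -noout -subject)"
    verdict "$(pem_fingerprint <"$cert")" \
            "$(printf '%s\n' "$served" | pem_fingerprint)"
}

# Run only when given arguments, e.g.: sh check.sh server.dw.lan 8443
if [ "$#" -ge 2 ]; then check_caldav_cert "$@"; fi
```

A MISMATCH result means the listener on that port is presenting a different certificate file than the one named under SSLCertificate, which narrows the search to whatever else is terminating SSL on that port or to a stale service configuration.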
