Previous 1 2 3 4 Next 46 Replies Latest reply: Jul 15, 2010 8:44 AM by no1tmorrow Go to original post
  • Random Chaos Level 1 Level 1 (0 points)
    I am seeing that too. Hope someone knows which Python file to edit to fix this issue server side. Waiting or the next OSX release will not be fun.
  • Mr Beardsley Level 1 Level 1 (40 points)
    My hunch is that this problem is due to the change in 10.6 server as to how wikis and group calendars are created. I noticed when browsing around in Safari, looking at the entries for our individual users and groups that all the individual users and even groups have the same Directory GUID listed under the Directory Information section. The wiki calendars however do not. Also the principal uid for users is the same as the apple-generateduid in OpenDirectory.

    In 10.6 when you create a new wiki it doesn't seem to create a group for the wiki in OpenDirectory. Looking at the page in Safari for the CalDAV wiki entry the Directory GUID is different than all the other user accounts. I'm not sure which directory the wiki information get's stored in, or how they come up with the uid.
  • Elliot Hui Level 1 Level 1 (20 points)
    I believe that you are exactly correct, Mr. Beardsley. I checked the principal details using Safari as you suggested, and found the discrepancy that you describe. It seems that the iOS clients work fine because they leave the alternate URL alone, while iCal 4 fails because it resolves to the principal URL.

    Do you have any experience posting bug reports to Apple? Are they responsive at all?

    One additional question: I seem to recall that with a 10.6.3 client, iCal also resolved to the principal URL, but it worked fine in that case. I no longer have a 10.6.3 client available. Could somebody check on this?
  • ~morgen Level 1 Level 1 (115 points)
    stooky: can you look at your server's /etc/caldavd/caldavd.plist file for "<key>SSLCertificate</key>" and see if the value on the following line matches the certificate you expect calendar server to be using?
  • cyborgsam Level 1 Level 1 (20 points)
    I upgraded clients & server to 10.6.4 & had the problem on 2 clients. 1 client remained at 10.6.3: it worked fine. Another client at 10.5 worked fine.

    From my POV it seems to be a client iCal issue. I've tried manually editing & locking Info.plist files, but iCal just creates a new calendar...

    Apple: we need a fix NOW, my server users are screwed right now!
  • Mr Beardsley Level 1 Level 1 (40 points)
    I think iCal resolved principal URLs for individual user calendars, but left the wiki URLs alone until this latest update. I guess technically it is a good thing that iCal is now consistent in that it will resolve all URLs to the principal URL, but it does expose the bug in the way the server works.

    I haven't submitted a radar in quite a while, but from what I remember and what I've read, the best course of action is to have as many people submit bugs, even if they are marked as duplicates.
  • Mr Beardsley Level 1 Level 1 (40 points)
    cyborgsam wrote:
    I upgraded clients & server to 10.6.4 & had the problem on 2 clients. 1 client remained at 10.6.3: it worked fine. Another client at 10.5 worked fine.

    From my POV it seems to be a client iCal issue. I've tried manually editing & locking Info.plist files, but iCal just creates a new calendar...

    Apple: we need a fix NOW, my server users are screwed right now!


    In my mind it is the server that needs to be fixed to use the proper Principal URLs for group calendars. However just reverting the behavior of the client to where it doesn't auto change the URL would be a sufficient work around.
  • ericc56 Level 1 Level 1 (120 points)
    FYI: For those experiencing the 10.6.4 update group calendars problem, refer to the latest post in:

    http://discussions.apple.com/thread.jspa?threadID=2463707
  • stooky Level 1 Level 1 (0 points)
    ~morgen wrote:
    stooky: can you look at your server's /etc/caldavd/caldavd.plist file for "<key>SSLCertificate</key>" and see if the value on the following line matches the certificate you expect calendar server to be using?


    looks correct, caldav has the server.dw.lan cert
    but the clients get the dw.lan cert offered

    <key>SSLAuthorityChain</key>
    <string>/etc/certificates/server.dw.lan.CE17C8BEAF31E387687E6D6AC5A633DD83FE21E 1.chain.pem</string>
    <key>SSLCertificate</key>
    <string>/etc/certificates/server.dw.lan.CE17C8BEAF31E387687E6D6AC5A633DD83FE21E 1.cert.pem</string>
    <key>SSLPort</key>
    <integer>8443</integer>
    <key>SSLPrivateKey</key>
    <string>/etc/certificates/server.dw.lan.CE17C8BEAF31E387687E6D6AC5A633DD83FE21E 1.key.pem</string>
  • no1tmorrow Level 1 Level 1 (10 points)
    So ours is now broke as well. Has anyone found a fix?
  • ericc56 Level 1 Level 1 (120 points)
    stooky - In Server Admin -> <server> -> iCal -> Settings -> Authentication, what is the SSL certificate set to: server.dw.lan, or dw.lan?

    Based on your earlier response, it's probably set to server.dw.lan, since that is what the plist is implying. But you need to verify that there is no mismatch.

    Update - In reading back through the thread, looks like you already did this.

    Eric

    Message was edited by: ericc56
  • stooky Level 1 Level 1 (0 points)
    sorry eric, the thread has merged into a group calendar blabla problem, which is actually not mine as I use just OD-users and their normal calendars, no group calendars.

    ericc56 wrote:
    stooky - In Server Admin -> <server> -> iCal -> Settings -> Authentication, what is the SSL certificate set to: server.dw.lan, or dw.lan?

    Based on your earlier response, it's probably set to server.dw.lan, since that is what the plist is implying. But you need to verify that there is no mismatch.

    Eric


    my problem is documented in first post of the thread please see the images at:

    http://gallery.me.com/g.unger#100022

    *to sum it up:*

    1st shows the certs, all are signed by selfsigned CA and worked propperly on 10.6.3
    2 certs are for SSL
    'server.dw.lan' is used for SSL and Kerberos-KDC

    2nd shows the correct cert chosen in server-admin ical settings

    3rd shows the ical client when adding the account the wrong cert is offered, and of cause the hostname does not match thats why it is marked insecure.

    OSXServer -> etc/caldavd/caldavd.plist looks korrekt

    <key>SSLAuthorityChain</key>
    <string>/etc/certificates/server.dw.lan.CE17C8BEAF31E387687E6D6AC5A633DD83FE21E1 .chain.pem</string>
    <key>SSLCertificate</key>
    <string>/etc/certificates/server.dw.lan.CE17C8BEAF31E387687E6D6AC5A633DD83FE21E1 .cert.pem</string>
    <key>SSLPort</key>
    <integer>8443</integer>
    <key>SSLPrivateKey</key>
    <string>/etc/certificates/server.dw.lan.CE17C8BEAF31E387687E6D6AC5A633DD83FE21E1 .key.pem</string>

    solution atm. is to create the account in ical, and when the wrong cert is shown continue and and in next step refuse to accept the cert in my keychain. then the account is created propperly. and workz.

    all clients have the CertAauthority installed in systen keychain and therefor should accept and trust all 3 certs from first screenshot, without explicitly installing and trusting them in the users local keychain on clients. how can I verify, that the connection in ical is really established vias SSL.
    for web I use https.// and it workz without asking for cert.

    once more this all worked fine 10.6.3
    now all clients and server are 10.6.4
    on clients there is only the issuing CertAuthority in keychain, the 3 certs arent in there.

    hope that explains my problem.
    otherwise please bare with me and ask again, I am no eglish native ... suprise suprise ... italian living in germany.

    rgds,
    guido aka stooky
  • no1tmorrow Level 1 Level 1 (10 points)
    Hello,
    I replaced my ssl certificate and was able to make my iphone work with the calendar but still not able to make ical work. Anyone have any insight?

    During the process I removed the calendar settings from ical, deleted the preferences and cache. Ical works on the user calendar just not the wiki calendar..

    Thanks in advance
    Thom
  • no1tmorrow Level 1 Level 1 (10 points)
    Hey Fellas,
    I contacted apple via a bug ticket and they say they are aware of Ical not working but offer no fix. Did any of you find a work around?

    Thanks so much for any input
    Thom
  • ericc56 Level 1 Level 1 (120 points)
    I'm not seeing this problem after an update to 10.6.4. But try the following:

    1. Open a Terminal window, and enter:

    openssl s_client -ssl3 -connect <host>:<port>

    where 'host' and 'port' are the calendar server hostname and SSL port (default is 8843 for calendar), respectively.

    Take note of the "subject".

    2. In the Terminal window, enter:

    openssl x509 -subject -in /etc/certificates/<X>.cert.pem

    where '<X>.cert.pem' is the certificate.

    Again, take note of the "subject".

    The "subject" for Step #1 should match that of #2. If not, there is something wrong somewhere.

    I'm by no means an expert on the topic, but these are troubleshooting tips that someone forwarded to me that I use. So while this might indicate a problem, I realize it doesn't help you resolve it.

    Can you create new calendars, or delete, then recreate calendars for existing iCal accounts?

    Eric