
Server 3 / SSL Certificate / Open Directory - Problem!

We've updated from Server 2 to Server 3 / OS X 10.9.


We have an SSL certificate for server from Comodo.


Under Server 2, all worked just fine, with the SSL certificate being used to secure all services (configure via Server app).


Under Server 3, all works just fine, but Open Directory will not accept the certificate - so Certificates / Settings in the Server 3 app shows "Custom Configuration" for Settings - and on inspecting this it is because Open Directory is set to be not secured while everything else is using SSL.


I've tried setting Open Directory to use the SSL certificate, but whenever I do it simply bounces back to being unsecured.


Does this matter? Presumably it should be possible (as the standard setting appears to try and set Open Directory to use the SSL certificate), but I'm not sure whether trying to fix it is simply a fool's errand.


Anyone got any clues as to whether to fix or not, and if to fix, how?


Thanks in advance.

Mac mini (Late 2012), OS X Server

Posted on Nov 6, 2013 5:22 AM

116 replies

Nov 6, 2013 7:13 AM in response to Gavin Lawrie

This is really a Me Too post. I'm running Mavericks on a mid 2010 Mac mini server (4,1) and it won't under any circumstances stay with the SSL cert I bought from Network Solutions. The behavior for my set up is exactly what is described above.


As a side note, I also experienced the problem with trying to do a clean server install, and the old stuff all came back. Now I'll probably have to just wipe the computer and do everything from scratch.

Nov 6, 2013 4:07 PM in response to Gavin Lawrie

Hello Gavin,


I had a similar problem and managed to solve it (after hours of work). Can't remember if it was *exactly* the problem you are mentioning but this might be useful to you:


Your certificate from Comodo (and the associated private key) should both appear under the System keychain in Keychain Access. If this is the case, open a terminal and check that you have exactly 4 files corresponding to this certificate in /etc/certificates. If your certificate is named server.company.com, you should see something like this:


-rw-r--r-- 1 root wheel ... server.company.com.cert.pem
-rw-r--r-- 1 root wheel ... server.company.com.chain.pem
-rw-r----- 1 root certusers ... server.company.com.concat.pem
-rw-r----- 1 root certusers ... server.company.com.key.pem


In my case, when I experienced the issue, the key.pem file was missing. If this is the case for you, your problem might be solved in a few seconds ;-) To bring the missing file back, go to Keychain Access again and move both the certificate and the private key to (say) the login keychain. Then bring them back again to the System keychain. Check that all four files are indeed present in /etc/certificates. If they are, go back to Server.app and try your settings again. It should work. At least, I hope it will!


Good luck!
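The four-file check described in the reply above, and the "is the certificate actually trusted by the server" check raised later in the thread, can be scripted. The script below is an added example and is not code from the thread or from Apple; it assumes the Server 3 file layout shown in the reply (name.cert.pem, name.chain.pem, name.concat.pem, name.key.pem under /etc/certificates) and also tolerates the variant where Server.app inserts a fingerprint between the name and the suffix (name.XXXX.cert.pem), which is an assumption rather than something the thread states. The chain verification uses the standard `openssl verify -CAfile` command and must be run as root, since key.pem is only readable by root and certusers.

```shell
#!/bin/sh
# Added example (not from the thread). Checks that a Server.app identity has
# all four PEM files Server 3 expects, and optionally verifies the leaf
# certificate against its own chain file with openssl.
#
# Usage:  check_cert_files /etc/certificates server.company.com
#         verify_chain     /etc/certificates server.company.com

# Returns 0 when cert.pem, chain.pem, concat.pem and key.pem all exist for
# NAME in DIR; otherwise prints each missing file to stderr and returns 1.
# Matches both "NAME.SUFFIX" and the assumed "NAME.<fingerprint>.SUFFIX" form.
check_cert_files() {
    dir="$1"
    name="$2"
    missing=0
    for suffix in cert.pem chain.pem concat.pem key.pem; do
        found=0
        # An unmatched glob stays a literal string and fails the -e test,
        # so no special handling is needed when the wildcard form is absent.
        for f in "$dir/$name.$suffix" "$dir/$name".*."$suffix"; do
            [ -e "$f" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "missing: $dir/$name.$suffix" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Verifies that the leaf certificate chains up to the intermediates in
# chain.pem. A failure here (e.g. "unable to get local issuer certificate")
# means a missing or wrong intermediate, which a service can refuse even
# when the four files are present. Uses the exact-name layout only.
verify_chain() {
    dir="$1"
    name="$2"
    openssl verify -CAfile "$dir/$name.chain.pem" "$dir/$name.cert.pem"
}

# Stand-alone invocation: check the identity given on the command line.
if [ "$#" -eq 2 ]; then
    check_cert_files "$1" "$2" && verify_chain "$1" "$2"
fi
```

If check_cert_files reports key.pem as missing, that is the symptom the reply describes, and re-importing the identity into the System keychain is the suggested way to regenerate it; if all four files are present but verify_chain fails, the problem is the intermediate chain rather than the key.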

Nov 22, 2013 7:28 AM in response to Gavin Lawrie

Has anyone found a solution to this problem?? I have searched and can't find one. I have had the certs reissued by Comodo, gone into the keychain and set the "trust settings", restarted the services, etc., and can't get open directory to accept the Comodo cert.


Does anyone have a clue what's going on? All other services accept the cert.

Nov 22, 2013 12:12 PM in response to Gavin Lawrie

I just received a reply from Comodo. They wanted to make sure I had all the chain certs installed - which I do. They asked for the error I receive. I told them I don't receive an error - it just resets to "none" on OD. I took a screenshot and emailed it to them. We will see.


I'm surprised you didn't get a response since you are in the UK. That is where their HQ is located.

Nov 22, 2013 1:38 PM in response to Gavin Lawrie

Well I just received an email from Comodo. It was escalated to a premier support tech who sent this reply:


Do you have any info on this issue?

Unfortunately we don't.


Is it something that Apple needs to be involved with?

Possibly.


OD WILL accept a self-signed cert however so the problem is elsewhere.

Most likely, yes. Sorry we can't be more helpful but OD isn't our product and not in the scope of what we support directly.


Lindsay


--

Comodo Technical Support

Nov 24, 2013 8:40 PM in response to Gavin Lawrie

Here's yet another me too post...

I have the same problem. I have tried destroying open directory and rebuilding, reinstalling a clean server build, reissuing a certificate.

All my attempts end up the same way: The certificate can be assigned to every service, but not to Open Directory! The certificate is selected and once "OK" is pressed, the certificate selection is undone.


Any progress with this?


Thanks!

Nov 25, 2013 9:09 AM in response to aglaser

Have you checked to see that the certificate is indeed "Trusted" by your server?

Above, you stated that they're in the /etc/certificates folder, but that doesn't mean that the server likes them. You can create a "Self Signed" Certificate and still have certificates in there. That doesn't mean that anyone else on the planet has to trust them.


Open Keychain Access in your utilities folder. Depending on how you have it configured, you may have to look around to find the certificate in question. It may be under login, or System.

When you select your Certificate, if it's there, does it show as trusted?


Another thing you can check... Oftentimes certificate authorities use intermediate certificates. Since anyone can sell a certificate, in order to have it trusted, you need to have it signed by someone else. A good example is GoDaddy. They sell both SSL and code signing certificates of all flavours. In order to get them to be trusted, the "Intermediate Certificate" needs to also be installed in the keychain. My GoDaddy cert looks to be trusted by Verisign via an intermediate.


Have a look here... https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1182

Not sure if it's directly relevant, but there it is.


The point is, I think you need to verify that your certificate is trusted by your server. OD won't use an untrusted certificate.


--an afterthought-- Anything in the logs?

Open up your server window where you try to select the certificate for OD. Also, in another window open up the terminal. In terminal, type:

tail -f /var/log/system.log

In the server window try to select the certificate and click done. See what the output in terminal says.

Nov 25, 2013 8:45 PM in response to Gavin Lawrie

This is a defect that Apple will have to fix. So far I have done all that has been mentioned above, worked with Comodo and they don't have a clue as to why. Some have been able to fix it by reinstalling Mavericks from scratch, however I don't have the time or will to do that. This error can be fixed by an Apple engineer and we can move on to something else. For the time being you either use OD without SSL or create a self-signed cert and use it until Apple, Comodo, et al., get this corrected!

Nov 26, 2013 1:38 PM in response to aglaser

They haven't. My certificate works fine running OD.


It's a godaddy issued certificate. All clients accept it without issue.

It's a configuration problem for sure.


I'll admit that the fact that it happens at all though is an issue. Clearly you're not the only one having a problem with this matter.


**edit**


I just thought of something. The certificate that I'm using is a standard wildcard SSL cert. I wonder if that changes something.

-Graham

Nov 26, 2013 1:51 PM in response to gracoat

The problem is not a configuration problem since that was checked and double checked by the issuer. They even had me to create a new CSR and they reissued the cert and the same problem occurred.

It appears to surface with Comodo certs primarily AND for clients that have upgraded or migrated their system. I have found a few other posters with the same issue using other cert providers, but mainly with Comodo.


I think I will purchase from another company and see if the problem still exists and report back. Since GoDaddy is my last choice, I think I will try GeoTrust.
