Gavin Lawrie

Q: Server 3 / SSL Certificate / Open Directory - Problem!

We've updated from Server 2 to Server 3 / OS X 10.9.

We have an SSL certificate for the server from Comodo.

Under Server 2, all worked just fine, with the SSL certificate being used to secure all services (configured via the Server app).

Under Server 3, all works just fine, but Open Directory will not accept the certificate - so Certificates / Settings in the Server 3 app shows "Custom Configuration" for Settings - and on inspecting this it is because Open Directory is set to be not secured but everything else is using SSL.

I've tried setting Open Directory to use the SSL certificate, but whenever I do it simply bounces back to being unsecured.

Does this matter? Presumably it should be possible (as the standard setting appears to try and set Open Directory to use the SSL certificate), but I'm not sure whether trying to fix it is simply a fool's errand.

Anyone got any clues as to whether to fix it or not, and if so, how?

 

Thanks in advance.

Mac mini (Late 2012), OS X Server

Posted on Nov 6, 2013 5:22 AM


Page 8 of 8

  • Gavin Lawrie, Oct 22, 2014 12:20 PM, in response to franciscoms

    It's useful to know that GeoTrust certificates work - I'll look at them for a quote when our current one expires.

    I don't think the reason why Comodo SSLs have stopped working for OD on OS X is really that clear yet; all we know for sure is that they used to work and now they don't.

  • nwp90, Nov 18, 2014 3:43 PM, in response to Gavin Lawrie

    Having progressively replicated the Server.app-generated self-signed cert, I got to the point where the only differences between my self-signed cert and its were the key and the serial.

    Turns out that everything else is OK, but OpenDirectory will refuse to use a cert with a "large" serial number. I'm not sure what the limit is, but using https://redkestrel.co.uk/products/decoder/ I saw that my cert had a 128-bit serial, while Server.app's was only 64-bit. So I regenerated a cert with a 64-bit serial, and it worked.

    I haven't yet tested whether the various other parts of the cert I fixed to be identical (e.g. UTF8Strings rather than PrintableStrings in subject and issuer DNs) were also required.
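The check nwp90 did with the online decoder can be done offline. The script below is an added example, not nwp90's code and not anything from Apple: it walks the outer DER framing of a certificate (Certificate SEQUENCE, TBSCertificate SEQUENCE, the optional [0] version, then the serialNumber INTEGER) and reports how many significant bits the serial has. The 64-bit threshold in `od_serial_ok` is nwp90's observation, not a documented Open Directory limit, and the two sample certificates are constructed stubs that stop right after the serial; the parser never reads further, so they are enough to exercise it. One detail worth seeing in code: DER encodes INTEGER as two's complement, so a 64-bit serial whose top bit is set occupies nine octets, and a tool that counts octets rather than bits would misreport it.

```python
"""Report the size of an X.509 certificate's serial number (added example).

Parses only the leading DER fields of a certificate: enough to reach
serialNumber. The sample certificates are constructed stubs, not real
certs, and the 64-bit acceptance threshold is the forum observation, not
a documented limit.
"""
import base64


def _read_tlv(buf, pos):
    """Decode the tag and length at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: one length octet
        length = first
    else:                                 # long form: 0x8n then n length octets
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, end


def _tlv(tag, body):
    """Encode one DER element; used only to build the constructed samples."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _der_integer(value):
    # Two's complement: a positive value with its top bit set gets a leading
    # 0x00 octet, so a 64-bit serial may occupy nine octets on the wire.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _tlv(0x02, body)


def pem_to_der(pem):
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    return base64.b64decode("".join(ln for ln in lines if ln and not ln.startswith("-----")))


def der_to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def certificate_serial(der):
    """Return (serial as int, number of DER octets) for a DER-encoded certificate."""
    tag, pos, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE { ... }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)          # TBSCertificate ::= SEQUENCE { ... }
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = _read_tlv(der, pos)      # [0] EXPLICIT version OPTIONAL
    if tag == 0xA0:
        tag, start, end = _read_tlv(der, end)  # skip version; next is serialNumber
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    return int.from_bytes(der[start:end], "big", signed=True), end - start


def serial_bits(der):
    """Significant bits of the serial, ignoring DER's sign-padding octet."""
    serial, _ = certificate_serial(der)
    return serial.bit_length()


def od_serial_ok(der, max_bits=64):
    """True if the serial fits the size Open Directory was seen to accept (assumed: 64 bits)."""
    return serial_bits(der) <= max_bits


# Constructed sample serials (assumed values, not from any real certificate).
SERIAL_64 = 0xD3A2F1B4C5E6A7B8                      # 64 bits, top bit set
SERIAL_128 = 0xA13F5C7E9B2D4F6081C3E5A7B9DBFD1F     # 128 bits, CA-style random serial


def build_cert_stub(serial):
    """Constructed DER: Certificate/TBSCertificate framing, version v3, serialNumber.
    A real certificate continues with signature, issuer, validity and so on; the
    parser above never reads past the serial, so the stub stops there."""
    version = _tlv(0xA0, _der_integer(2))
    tbs = _tlv(0x30, version + _der_integer(serial))
    return _tlv(0x30, tbs)


if __name__ == "__main__":
    for name, serial in (("64-bit", SERIAL_64), ("128-bit", SERIAL_128)):
        der = pem_to_der(der_to_pem(build_cert_stub(serial)))
        value, octets = certificate_serial(der)
        print(f"{name}: serial=0x{value:X} octets={octets} "
              f"bits={serial_bits(der)} od_ok={od_serial_ok(der)}")
```

To run it against a real certificate, read the PEM file and pass `pem_to_der(text)` to `certificate_serial`. If you are regenerating a self-signed certificate to match what Server.app produces, OpenSSL lets you choose the serial explicitly with `-set_serial` on `openssl req -x509` (or `openssl x509 -req`), which is the straightforward way to get a 64-bit one; CA-issued certificates carry random serials that are commonly 16 octets, which is consistent with a CA certificate tripping this where a Server.app self-signed one does not.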

  • DC_Sup, Dec 19, 2014 2:56 PM, in response to franciscoms

    Can you provide that public cert so that I can take a look at it? I'm not asking for the private key or anything like that, just the public cert they issued to you that works for OD. I would like to take a look at the cert details so that I can see why their cert is working and others aren't.

    If you're willing, just paste the certificate text in a reply to this post. Thanks :)

  • DC_Sup, Dec 19, 2014 3:01 PM, in response to franciscoms

    Can you paste the certificate text in a reply to this post?

    Just to be clear, I'm just asking for the public cert text which GeoTrust issued to you, and not the private key.

  • DC_Sup, Dec 19, 2014 3:09 PM, in response to DC_Sup

    Sorry, I didn't realize that this posted twice. I thought it errored out the first time.

  • robertoraskovsky, Jan 18, 2015 6:10 AM, in response to Gavin Lawrie

    Hi all.

    So, I have spent the best part of several weeks looking into this annoying issue.

    I have tried the following SSLs:

    • 123-REG 123-SSL (£9.99/yr)
    • Future Hosting Standard SSL ($24.94/yr)
    • GoDaddy Protect One Website SSL (£39.19/yr)
    • NameCheap Comodo PositiveSSL (£5.93/yr)

    They all failed to work for OD, then I purchased

    • RapidSSL ($49/yr)

    This worked flawlessly first time! It seems there is something specific about this SSL that makes OD work. Anyway, thought I would share my fix for this. Will now try and cancel all of the above SSLs!

  • OoO_Bailey_OoO, Jan 19, 2015 9:14 PM, in response to robertoraskovsky

    Thanks for reporting that. I've seen some say RapidSSL fixes it and maybe a couple saying it didn't, but your experience tips the scale enough for me to try that next.

    One question: at what point did you install the cert? Before installing server.app, after installing, before setting up the host name, after setting up OD with the self-signed?

    There are lots of points to do it and ultimately it shouldn't matter much, but an Apple engineer I spoke to was keen on the timing as a test scenario, so I'm wondering what coincided with it working for you.

    Thanks

  • robertoraskovsky, Jan 20, 2015 1:42 PM, in response to OoO_Bailey_OoO

    I am glad my experience will help you out, and these discussions are actually useful!

    My previous GoDaddy SSL had actually expired, so I renewed it, and then had these issues with OD. So then I removed all the certificates, and installed each of the above SSL certs one by one. Then the one that worked was the RapidSSL one.

    So in answer to your question, the server.app was installed and running, hostname was set up and functioning and OD was running (with a self-signed cert).

    Hope this helps!

    Rob

  • OoO_Bailey_OoO, Jan 21, 2015 8:45 PM, in response to robertoraskovsky

    It certainly did help. I can confirm that using RapidSSL fixes the problem (finally).

    Thanks again!

  • Alex Narvey, Jan 24, 2015 9:18 AM, in response to gracoat

    I was having problems with a legit GoDaddy cert I was trying to use for a web site in Server.app 4 (Yosemite), but I believe this also applies to Mavericks Server.app 3:

    I found that the Web Services Site creation panel would always default to port 80 when I chose my cert. It is a good and valid cert, it is trusted, and the intermediate certs are installed.

    But when I chose an Apple default cert it would get the proper port 443.

    If I changed it to port 443 and tried to save I would get the message:

    "Port 443 can't be used without an SSL certificate"

    "You must choose an SSL certificate to use port 443. If you don't want to choose an SSL certificate you must use a different port"

    But the cert looks perfect in Keychain Access.

    Although Keychain Access would not show the problem, the problem COULD be detected by examining /etc/certificates, where I found that unlike the Apple default certs, my GoDaddy cert was missing the fourth member of its set (the private key one ending in ".key.pem"):

    1) mysite.example.com.CAGobbledygooknumbersandletters.cert.pem
    2) mysite.example.com.CAGobbledygooknumbersandletters.chain.pem
    3) mysite.example.com.CAGobbledygooknumbersandletters.concat.pem
    4) mysite.example.com.CAGobbledygooknumbersandletters.key.pem  THIS WAS MISSING

    Finally, I found this Apple tech note which resolved the problem:

    http://support.apple.com/en-ca/HT203731

    OS X Server: Access Controls might prevent a certificate identity from working with Server services - Apple Support

    After using the Access Control fix listed in the above knowledgebase article and restarting the computer, the fourth member of the set magically appeared in /etc/certificates, and when I chose my cert in the Web Services site creator the port magically defaulted to the proper "443".

    Everything working fine now!

    Eureka!
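The symptom Alex Narvey describes, an identity whose `.key.pem` never gets written to /etc/certificates, can be checked from a directory listing. The script below is an added example, not the poster's or Apple's code: it groups the files under /etc/certificates by identity, using the `<host>.<hash>.<cert|chain|concat|key>.pem` naming shown in the post, and reports any identity missing one of the four members. The file-name pattern and the set of four suffixes are taken from the post rather than from Apple documentation, and the listing used for the demo is constructed. The fix itself (the private-key Access Control change in the linked HT203731 note) is a keychain setting, so the script only points at which identity to look at.

```python
"""Find certificate identities under /etc/certificates that are missing a
member file (added example, not from the thread or from Apple).

Naming assumed from the forum post: <host>.<hash>.<kind>.pem with kind in
cert, chain, concat, key. A missing key.pem was the visible symptom of the
keychain access-control problem the post describes.
"""
import os
import re
from collections import defaultdict

CERT_DIR = "/etc/certificates"
EXPECTED = ("cert", "chain", "concat", "key")

# Greedy ".+" then backtracks to the last ".<kind>.pem", so host names with
# dots and the hash segment all stay inside the identity group.
_NAME = re.compile(r"^(?P<identity>.+)\.(?P<kind>cert|chain|concat|key)\.pem$")


def audit_listing(filenames):
    """Group files by identity; return {identity: [missing kinds]} for incomplete sets."""
    seen = defaultdict(set)
    for name in filenames:
        m = _NAME.match(name)
        if m:                       # anything not matching the pattern is ignored
            seen[m.group("identity")].add(m.group("kind"))
    return {
        ident: [k for k in EXPECTED if k not in kinds]
        for ident, kinds in sorted(seen.items())
        if len(kinds) < len(EXPECTED)
    }


def audit_directory(path=CERT_DIR):
    """Audit a real directory; needs read permission on /etc/certificates."""
    return audit_listing(os.listdir(path))


# Constructed listing (not a real server): one complete identity and one that
# is missing key.pem, plus an unrelated file that must be ignored.
SAMPLE_LISTING = [
    "server.example.com.0123456789ABCDEF0123456789ABCDEF01234567.cert.pem",
    "server.example.com.0123456789ABCDEF0123456789ABCDEF01234567.chain.pem",
    "server.example.com.0123456789ABCDEF0123456789ABCDEF01234567.concat.pem",
    "server.example.com.0123456789ABCDEF0123456789ABCDEF01234567.key.pem",
    "mysite.example.com.FEDCBA9876543210FEDCBA9876543210FEDCBA98.cert.pem",
    "mysite.example.com.FEDCBA9876543210FEDCBA9876543210FEDCBA98.chain.pem",
    "mysite.example.com.FEDCBA9876543210FEDCBA9876543210FEDCBA98.concat.pem",
    "README",
]


def report(missing):
    """Render the audit result as one line per incomplete identity."""
    if not missing:
        return "all identities complete"
    return "\n".join(f"{ident}: missing {', '.join(kinds)}.pem" for ident, kinds in missing.items())


if __name__ == "__main__":
    if os.path.isdir(CERT_DIR):
        print(report(audit_directory()))
    else:
        print(report(audit_listing(SAMPLE_LISTING)))
```

An identity listed with `missing key` is the case from the post: the certificate imported fine, but the private key's keychain Access Control keeps the server processes from exporting it, so Server.app cannot assemble the fourth file and services that need the private key (port 443 sites, and plausibly OD's LDAP over SSL) fall back to unsecured.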

  • Gavin Lawrie, Jan 24, 2015 10:23 AM, in response to Alex Narvey

    Useful to know that there is a fix for the GoDaddy cert. Sadly doesn't help with the Comodo SSL problem we are having. The symptoms of our problem are a bit different (OD won't accept the certificate, every other service uses it no problem), but I checked anyhow, and the access permissions are fine, and so the Apple fix cannot be applied...

    Thanks for posting the positive news though. Encourages me to think a fix will eventually be found for the Comodo issue too...

  • chrisjackson1980, Feb 11, 2015 1:35 PM, in response to elgringito

    I've been trying to get my certificate to play nice for weeks. This fixed it! Thanks a million elgringito!
