Gavin Lawrie

Q: Server 3 / SSL Certificate / Open Directory - Problem!

We've updated from Server 2 to Server 3 / OS X 10.9.

We have an SSL certificate for the server from Comodo.

Under Server 2, all worked just fine, with the SSL certificate being used to secure all services (configured via the Server app).

Under Server 3, all works just fine, but Open Directory will not accept the certificate - so Certificates / Settings in the Server 3 app shows "Custom Configuration" for Settings - and on inspecting this it is because Open Directory is set to be not secured but everything else is using SSL.

I've tried setting Open Directory to use the SSL certificate, but whenever I do it simply bounces back to being unsecured.

Does this matter?  Presumably it should be possible (as the standard setting appears to try and set Open Directory to use the SSL certificate), but I'm not sure whether trying to fix it is simply a fool's errand.

Anyone got any clues as to whether to fix it or not, and if so, how?

Thanks in advance.

Mac mini (Late 2012), OS X Server

Posted on Nov 6, 2013 5:22 AM

  • by shcaerp, Nov 26, 2013 1:51 PM in response to gracoat
    Level 1 (59 points)
    Servers Enterprise

    The problem is not a configuration problem since that was checked and double checked by the issuer.  They even had me create a new CSR and they reissued the cert and the same problem occurred.

    It appears to surface with Comodo certs primarily AND for clients that have upgraded or migrated their system.  I have found a few other posters with the same issue using other cert providers, but mainly with Comodo.

    I think I will purchase from another company and see if the problem still exists and report back.  Since GoDaddy is my last choice, I think I will try GeoTrust.

  • by shcaerp, Nov 27, 2013 7:42 AM in response to Gavin Lawrie
    Level 1 (59 points)
    Servers Enterprise

    Well, the GeoTrust (RapidSSL) cert produced the same results as the Comodo cert.  Their tech people had no clue how to fix it and they told me to go to the developers of the software.  I suppose in order to get this fixed I will need to buy a GoDaddy cert.  It would be nice if someone else with this problem would purchase a GoDaddy and let us know if it works.  Otherwise I guess we will wait for Apple to fix this.

  • by shcaerp (marked Helpful), Nov 27, 2013 9:49 AM in response to shcaerp
    Level 1 (59 points)
    Servers Enterprise

    FIXED IT!!!!!!  I found this info on Apple's server admin site:

    http://help.apple.com/advancedserveradmin/mac/10.8/#apdF0A5E00E-7DF6-45F5-8385-0E0477A3D170

    I created the file and restarted the machine (not sure if necessary) and restarted OD.  I then chose my RapidSSL cert and it accepted it!!!

    So it appears that mine is fixed for now.  The file was not there in Mavericks so I assume creating it solved the problem.

  • by Gavin Lawrie, Nov 27, 2013 10:09 AM in response to shcaerp
    Level 2 (413 points)
    Mac App Store

    Thanks for posting the info, but it does not appear to have worked for my Comodo cert.

    Did you have to create the directory /private/var/root/Library/Keychains/ ?  It wasn't present on my system.  I tried creating it, and then the file, but still have the same outcome.

    Anyone else with a Comodo cert - did it work for you?

  • by shcaerp, Nov 27, 2013 10:18 AM in response to Gavin Lawrie
    Level 1 (59 points)
    Servers Enterprise

    The file is there - it's invisible.  You can either use Terminal or enable the root user on your machine to log in and create the account.  I used Cocktail to make all files visible (all admins are wincing now) and used the GUI to find the keychain directory and create the file.

    A couple of caveats - make sure the text file is plain text and follow the creation EXACTLY!  Also, after I set the permissions I clicked on the file and chose "Get Info".  The spotlight user had permission to read.  I deleted the spotlight user and only left root to read and write and everyone no access.  Then I stopped OD and restarted it, went to certificates and chose the trusted cert and after a few moments it accepted it.  I had a self-signed cert in the OD since I needed SSL but when OD accepted the trusted cert I deleted the self-signed.

  • by Gavin Lawrie, Nov 27, 2013 12:32 PM in response to shcaerp
    Level 2 (413 points)
    Mac App Store

    I know how to access the root account, and view files.

    On my system there was no "Keychains" directory within the /private/var/root/Library folder.

    I created the directory and the file (and made sure it was plain text and set permissions accordingly).

    I changed the certificate settings for OD (it didn't accept them).

    I restarted the server (power off / on).

    I changed the certificate settings for OD (it didn't accept them).

    The problem was not fixed.

  • by shcaerp, Nov 27, 2013 1:16 PM in response to Gavin Lawrie
    Level 1 (59 points)
    Servers Enterprise

    @gavin - The Keychains folder HAS to be there or you have other problems going on.  I enabled the root user and logged in to that account.  I know there are good reasons not to do it, but I was so ticked about this issue that I may have given myself an edge in getting this fixed by doing so.  It's possible that in the process of initializing the root account it created the Keychains folder, which would allow root to connect to the keychain file.

    There are several issues that I have run across in dealing with the Mavericks Server installation that may have had a bearing on this problem.  Postgres was not running when I first installed 10.9 and I had to copy the file back into the /Library/Servers directory because it was in the root of the drive.  Some of those processes are used in security settings.  Check your logs to make sure postgres is running.

    The first time I tried the fix it didn't work but today when I tried it again it did.  In the meanwhile I had done a lot of work making sure my keychain trusted all the intermediate certs by opening them in Keychain and making sure it trusted all of them.  I deleted certs from /etc/certificates that had expired or were not being used.

    At this point I don't know what to tell you except that I was able to make my server accept the cert.  Good luck!

  • by Gavin Lawrie, Nov 27, 2013 1:38 PM in response to shcaerp
    Level 2 (413 points)
    Mac App Store

    Thanks for the extra info.

    I absolutely followed the instructions in the Apple advice note (e.g. I ssh'ed into our server as root user etc.).

    As far as I can tell, my server's keychains are stored in the folder /Library/Keychains.

    I'm not sure what the /private/var/root/Library/Keychains/ folder is for or what the password file in the instructions is for, but the folder was not there before I created it (really, truly), yet the server worked fine (except for this bug).  I suspect you are confusing keychains with this other keychain folder.  Or does the /private/var/root/Library/Keychains/ folder on your machine hold the system keychain files?

    BTW, there appears to be a typo in the instruction page you linked to - they refer to the one-word file using two different file names - cerkc.pass and certkc.pass.  Suffice to say I tried both file names, but neither seems to have any effect.  For good measure, I copied both variants to the /Library/Keychains folder too - made no difference there either.

  • by aglaser, Nov 27, 2013 9:45 PM in response to shcaerp
    Level 1 (5 points)

    @shcaerp,

    I tried your solution, but it did not work for me either.

    I'm wondering if something else you did solved the problem, because it doesn't really fit with what I know about the keychain setup in OS X. I was hoping you could explain, or correct my understanding:

    The suggestion of creating a password file is applicable to the certkc keychain file only. Is this where your SSL certs are stored? Mine are in the System keychain. The System keychain is the default location where certs generated by the Server app are stored. And this keychain has no known password, AFAIK. The password is hidden from users, but the keychain is unlockable by all admin users.

    I was curious to see if Server would accept the certs if I moved them into the certkc keychain, but it does not. It only allows selection of certs from the login or System keychain.

    Thanks.

  • by shcaerp, Nov 28, 2013 10:26 AM in response to aglaser
    Level 1 (59 points)
    Servers Enterprise

    I just realized that I am running a pre-release update to Mavericks so I am prohibited by the non-disclosure agreement from discussing it on a public forum.  If you have an Apple developer account - as I do - then log in and post under Servers and we will pick up the discussion from there.

    It may be that the version I'm running helped to correct the issue.  Sorry......

  • by aglaser, Dec 4, 2013 11:38 AM in response to shcaerp
    Level 1 (5 points)

    I ended up solving the problem:

    I cancelled my Comodo certificates and ordered a RapidSSL certificate instead.

    That installed without difficulty and is accepted by Open Directory.

    I now have a separate issue which I am looking to solve: even though I installed the server certificate only once, there appears to be a duplicate of the certificate in my chain. When testing the server on RapidSSL's certificate checker (https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO9556&actp=LIST&viewlocale=en_US) I get an error:

    Two certificates were found with the same common name. The certificate
    installation checker cannot determine which is the correct certificate
    for the Web server. Remove the incorrect certificate and then test again.

    I have found a couple of threads indicating that others have found their certificates duplicated, but I have not yet found the solution!

    Anyone seen this?

    Thanks.

  • by tim_r_66, Dec 4, 2013 11:45 AM in response to aglaser
    Level 1 (50 points)

    Any indication/information on what actually caused the Comodo cert not to work?  I tried building a Mavericks server using a PositiveSSL cert and experienced the behavior described by the OP.  My cert is coming due at the end of the year and I'll have to decide if I continue with PositiveSSL or try RapidSSL.  I probably won't try shifting to Mavericks again until next year, or if they come out with an update first.

    Thanks.

  • by aglaser, Dec 4, 2013 11:51 AM in response to tim_r_66
    Level 1 (5 points)

    I don't know what the problem was. I was frustrated so I gave up. I went with RapidSSL and had no trouble whatsoever with Open Directory.

    The only problem I do have is the one I just posted: there appears to be a duplicate of the server certificate even though it's only installed once!

  • by tim_r_66, Dec 4, 2013 12:01 PM in response to aglaser
    Level 1 (50 points)

    Thanks.  Hopefully some others will chime in with their cert experiences and Mavericks.  If I don't hear anything, I'll probably go with RapidSSL.

    For your other issue, I only know enough about how these work to take stabs in the dark.  Are you getting any errors if you test the configuration without using the RapidSSL site?  Does the load look good in Server.app?  Do you see a duplicate entry if you look using Keychain?

    Tim

  • by shcaerp, Dec 4, 2013 12:54 PM in response to tim_r_66
    Level 1 (59 points)
    Servers Enterprise

    Well, the issue is with Comodo and they are blaming it on Apple.  No matter, since I am a domain registrar I can get RapidSSL certs for half price.  It made sense to try and they work!

    As for dupes - there are several things that I did.  First - I deleted all duplicate certs in /etc/certificates.  Made sure they were also deleted from the keychain.  Ran repair permissions, ran repair on the keychain, rebooted, and selected the RapidSSL for the global cert and it accepted it.  I then deleted my self-signed cert.  If the Comodo cert is still there you will have to delete it first before any of this will work - that also includes the entire trust chain!!!

    Happy Securing!!
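An audit helper for the "two certificates with the same common name" error aglaser hit and for the /etc/certificates cleanup described in this post, written as an added example for this thread (it is not code from Apple, RapidSSL or any of the posters): it indexes the PEM certificates in a directory with the openssl CLI, reports common names carried by two or more distinct certificates (same CN, different fingerprint), and lists any that have already expired. The directory path, the three function names and the sample inputs in the test are assumptions; files that contain the same certificate twice (a plain copy, or a leaf that also heads a chain bundle) share a fingerprint and are deliberately not flagged.

```shell
#!/bin/sh
# Added example (not from the thread): audit a directory of PEM certificates
# such as /etc/certificates on OS X Server. Needs only the openssl CLI.

# Print one line per readable certificate: CN<TAB>SHA1 fingerprint<TAB>file.
# Files that are not certificates (private keys, CSRs) are skipped.
cert_index() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        cn=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 2>/dev/null \
             | sed -n 's/.*CN=\([^,]*\).*/\1/p')
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha1 2>/dev/null \
             | cut -d= -f2)
        if [ -n "$cn" ] && [ -n "$fp" ]; then
            printf '%s\t%s\t%s\n' "$cn" "$fp" "$f"
        fi
    done
}

# Common names carried by two or more DISTINCT certificates (different
# fingerprints). Identical copies of one certificate are collapsed first,
# so a cert that also appears at the head of a chain bundle is not reported.
duplicate_cns() {
    cert_index "$1" | cut -f1,2 | sort -u | cut -f1 | uniq -d
}

# Certificates whose notAfter date has already passed.
expired_certs() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || continue
        # -checkend 0 exits non-zero when the certificate is already expired
        openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 || echo "$f"
    done
}

# Usage: report on /etc/certificates, or on any directory given as $1.
audit_dir="${1:-/etc/certificates}"
if [ -d "$audit_dir" ]; then
    echo "Common names shared by distinct certificates in $audit_dir:"
    duplicate_cns "$audit_dir"
    echo "Expired certificates in $audit_dir:"
    expired_certs "$audit_dir"
fi
```

To run the same checks against the System keychain that the Server app reads from, export it with `security find-certificate -a -p /Library/Keychains/System.keychain`, split the output into one PEM file per certificate, and point the script at that directory.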
