Gavin Lawrie

Q: Server 3 / SSL Certificate / Open Directory - Problem!

We've updated from Server 2 to Server 3 / OS X 10.9.

We have an SSL certificate for the server from Comodo.

Under Server 2, all worked just fine, with the SSL certificate being used to secure all services (configured via the Server app).

Under Server 3, all works just fine, but Open Directory will not accept the certificate - so Certificates / Settings in the Server 3 app shows "Custom Configuration" for Settings - and on inspecting this it is because Open Directory is set to be not secured while everything else is using SSL.

I've tried setting Open Directory to use the SSL certificate, but whenever I do it simply bounces back to being unsecured.

Does this matter?  Presumably it should be possible (as the standard setting appears to try and set Open Directory to use the SSL certificate), but I'm not sure whether trying to fix it is simply a fool's errand.

Anyone got any clues as to whether to fix or not, and if to fix, how?

Thanks in advance.

Mac mini (Late 2012), OS X Server

Posted on Nov 6, 2013 5:22 AM


Page 3 of 8

  • by scpotter, Level 1 (0 points), Dec 27, 2013 3:22 PM, in response to tim_r_66

    I had similar issues in another thread; someone directed me here.  As suggested I tried RapidSSL and it installed with no problem.  The price difference is almost nothing, especially compared to the pain this has caused me.

  • by tim_r_66, Level 1 (50 points), Dec 27, 2013 4:03 PM, in response to scpotter

    I'm one of those where I downloaded the EssentialSSL wildcard cert and I still have OD using the system-generated cert.  I decided to press ahead, figuring the system-generated cert would be okay. I have a number of issues which I'm working on in another thread, but I'm curious if others who are using the system-generated cert are able to use Profile Manager and bind clients over SSL?

    Tim

  • by AustinJGibson, Level 4 (1,037 points), Dec 27, 2013 5:25 PM, in response to Gavin Lawrie

    Well, self-signed certificates won't even work for me whenever I try to use Open Directory. The new OS X Server *****.

    <Edited By Host>

  • by Icarus Solis, Level 1 (0 points), Jan 9, 2014 3:51 AM, in response to Gavin Lawrie

    We had kinda the same problem with the web server. Configured it with a signed certificate from a trusted authority and it simply bounced back to the self-signed certificate. Note this was a certificate we moved from server A to B, so it's not exactly the same problem, but maybe it works for you too.

    I first tried it in Keychain, no dice. Then checked the rights on /etc/certificate; they seem to be right.

    Then it came to mind that the Server app and Keychain didn't play nice on 10.8, so I tried it using just the Server app.

    My solution:

    1. Open the Server app.

    2. Go to Certificates.

    3. Click the + and import the certificate.

    Done.

    Note: you might need to add a chain certificate manually in Keychain Access to make it work.

  • by Peter-Erik, Level 1 (10 points), Jan 15, 2014 4:02 AM, in response to Gavin Lawrie

    Running into the same problem after the upgrade to 10.9(.1): Open Directory doesn't accept the (Comodo) certificate. All other services have no problem with the certificate. (10.8.5: no problem with the certificate.)

    I filed a bug at http://bugreport.apple.com and they asked me for more information, so please also report your problem with the Comodo certificate here. (At this time no response from Apple yet.)

  • by Peter-Erik, Level 1 (10 points), Jan 22, 2014 1:21 AM, in response to Peter-Erik

    Still feeding information to Apple at this time about this problem. On my report I now also see "Duplicate of 15458777 (Open)".

    Is someone here also reporting this problem?

  • by scott88, Level 1 (0 points), Jan 27, 2014 9:19 AM, in response to Peter-Erik

    Unfortunately, whoever opened 15458777 did not put that info into Open Radar (http://openradar.appspot.com/page/1), so we can't tell.

    I can confirm similar behaviour:

    • 10.9 (stock) system, i.e., 10.9.1 upgrades not yet applied.
    • Using a real (i.e., paid for) SSL wildcard certificate, everything worked for securing all services.
    • Now that we've got a new (updated) certificate, we were able to "Import new Certificate Identity..." with no issue.
    • Attempting to choose that new cert for "Secure services using" now shows "2 certificates chosen". Looking at each service in detail, the only service still on the OLD (soon to expire) certificate is the Open Directory service - all other services successfully took the new one.

    I've submitted this as radar 15914873.

  • by tim_r_66, Level 1 (50 points), Jan 28, 2014 12:32 PM, in response to Peter-Erik

    I realize this is a little bit old, but I just tried reinstalling my EssentialSSL COMODO-signed wildcard cert and still have the same problem with the system consistently shifting to the self-signed OD cert.  I'm using a 10.9.1/Server 3.0.2 system.

    Unfortunately, I'm having other issues with Kerberos/OD/system stability and I was really hoping to test a third-party cert.  I'll probably poke at COMODO too, since I had asked them if they had resolved all issues with their certs and OS X OD before I purchased this solution.  They assured me they had.

    Maybe I'll start by asking them for an update, but it sounds like I'm already where scott88 finds himself.

    Tim

  • by tim_r_66, Level 1 (50 points), Jan 29, 2014 4:54 AM, in response to tim_r_66

    I've requested to open a ticket with the second tier of Comodo.  I am pointing out to them that RapidSSL (issued by GeoTrust) seems to solve the problem for many, in hopes they will acknowledge they have a role in the issue and need to work with Apple to figure out what is happening.

  • by Peter-Erik, Level 1 (10 points), Jan 29, 2014 5:11 AM, in response to tim_r_66

    tim_r_66, thanks for the input.

    (In my case the Comodo cert works with 10.8.5 but stops working under 10.9 (OD).)

  • by tim_r_66, Level 1 (50 points), Jan 29, 2014 5:26 AM, in response to Peter-Erik

    My hypothesis, FWIW, is that Apple changed something in how they are evaluating certs with OD.  There are other threads indicating this was the case too in later versions of L/ML (albeit with general handling of certs vice specific to OD).  No surprise here.  I further suspect this change is a tightening to make the system more tightly bound.  And what we all need is for COMODO to talk with Apple and figure out what was changed so they can update their cert production accordingly.

    I noticed something else that I'm curious if others noticed.  If I evaluate the certificate in Keychain Access, the evaluation status reports: No root cert found, even though Show Certificate shows lineage back to COMODO CA through EssentialSSL CA.  However, when I evaluate the EssentialSSL CA cert, I get Evaluation Status: Success.
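    Tim's "No root cert found" result above, and Icarus Solis's earlier note that a chain certificate may need to be added by hand, both describe a leaf whose issuing (intermediate) CA is not available to the verifier. The script below is an added example, not from this thread, Apple or Comodo: it builds a constructed root / intermediate / leaf chain with placeholder names and shows that the leaf fails to verify against the trusted root alone but verifies once the intermediate is supplied.

```shell
#!/bin/sh
# Added example, not from the thread: build a constructed three-tier chain
# (root CA -> issuing/intermediate CA -> server leaf) and show that the leaf
# only verifies when the intermediate is supplied alongside the trusted root.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profile for the two CA certificates (constructed for this example).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

cd "$WORK"
for n in root int leaf; do openssl genrsa -out "$n.key" 2048 2>/dev/null; done
# Self-signed root CA (the only thing we will mark as trusted).
openssl req -x509 -new -key root.key -subj "/CN=Example Root CA" -days 2 \
  -config ca.cnf -extensions ca_ext -out root.pem 2>/dev/null
# Intermediate (issuing) CA signed by the root.
openssl req -new -key int.key -subj "/CN=Example Issuing CA" -config ca.cnf -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 \
  -extfile ca.cnf -extensions ca_ext -out int.pem 2>/dev/null
# Server leaf signed by the intermediate (placeholder host name).
openssl req -new -key leaf.key -subj "/CN=server.example.test" -config ca.cnf -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 2 -out leaf.pem 2>/dev/null

# Verify the leaf against the trusted root, passing through any extra openssl verify args.
verify_leaf() { openssl verify -CAfile "$WORK/root.pem" "$@" "$WORK/leaf.pem" >/dev/null 2>&1; }

# Symptom from the thread: the root is trusted, but nothing carries the issuing CA,
# so the chain cannot be built (openssl reports "unable to get local issuer certificate").
without_intermediate_fails() { ! verify_leaf; }
# Fix: hand the verifier the intermediate, i.e. the "chain certificate" the thread mentions.
with_intermediate_succeeds() { verify_leaf -untrusted "$WORK/int.pem"; }

if without_intermediate_fails && with_intermediate_succeeds; then
  echo "leaf fails to verify alone but verifies once the intermediate is supplied"
fi
```

    The same check against a live service is `openssl s_client -connect host:port -showcerts`, which lists exactly which certificates the server actually sends; if the intermediate is absent from that output, clients that do not already hold it will see the same failure.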

  • by swarner23, Level 1 (0 points), Jan 29, 2014 7:13 AM, in response to tim_r_66

    So I've been working with Comodo off and on as time permits for a month.

    Just worked with them to send them the CSR and get the crt file reissued.

    I go into the Server app and try to import the cert identity; I drag it into the box and get the message
    "1 non-identity cert will be added", but the import option is greyed out.

    [Image: Server issue.png]

    This was how Comodo said to do this, but I see a lot of you are working in OD.  I've never really done this.

    Any and all help is appreciated.

    Shane

  • by tim_r_66, Level 1 (50 points), Jan 29, 2014 7:21 AM, in response to swarner23

    swarner23,

    Sounds like you're working a different issue if you haven't gotten a cert installed.  The issue we're discussing in this thread is after the certificate is installed but OD doesn't recognize it.

    Tim

  • by Peter-Erik, Level 1 (10 points), Feb 4, 2014 5:42 AM, in response to tim_r_66

    @tim_r_66: "I noticed something else that I'm curious if others noticed.  If I evaluate the certificate in Keychain Access, the evaluation status reports: No root cert found."

    I have the same result.

  • by Gavin Lawrie, Level 2 (413 points), Feb 4, 2014 6:07 AM, in response to Peter-Erik

    I'm sure I'm doing something wrong here, but I can't even get that far.

    My Comodo certificate is 'valid' according to Keychain Access, and works fine in most respects.  But when I try and evaluate the certificate I get an odd result.  Here is a view of the evaluation dialog, step 1:

    [Image: Screen Shot 2014-02-04 at 13.57.49.PNG]

    You can see the certificate is valid in the background.  It is a multi-domain thing, so I'm not sure what to type for 'Host name', so I tried all valid names and all have the same response when I hit continue... which is:

    [Image: Screen Shot 2014-02-04 at 13.58.12.PNG]

    Any ideas?

    [Forgot to add above - if I untick the "Ask host for certificate" box, I get the second screen without the dialog appearing, but no more useful result.  Just the empty dialog box.   Not sure which is less useful.]

    Message was edited by: Gavin Lawrie - Added one more line to bottom of message.