riddamark

Q: At a complete loss. OSX server replacing SSL certs on its own

Hey guys

I am at a complete loss over an issue I am experiencing with OS X Server. The OS version is 10.11.2.

Symptoms: None of the services the server runs that use an SSL cert work correctly, because the public SSL cert it presents is an invalid cert. If I replace the cert and get it working correctly, so everything is peachy again with no errors, then exactly every hour, at the same time, it breaks again.

 

What's happening on the server:

The server is replacing the SSL cert every hour with an invalid one. It seems to be trying to sign it itself, which will obviously not work. I have never seen anything like this before. I am completely stumped. Why on earth this functionality even EXISTS is beyond me. I expect this is an automated process that tries to do things for you going horribly wrong. The first thing I see in the logs is Profile Manager starting a Ruby process.

It started doing this last Thursday and no, no configuration changes were made on that day. This server is not internet facing and I have rolled it back to a backup from Wednesday and it started doing it again… somehow. Automatic updates are turned OFF. The only thing that did happen was that there was a power cut that day, but this server did not lose power; it was plugged into a UPS.

 

I have pasted a link to some logs and the public cert: what it's supposed to look like, and one that the Apple server just makes up on its own. As you can see, the cert chain is completely broken. (This was done with openssl s_client -connect host:port.)

I have googled and googled this and found nothing.

I do not understand what I am seeing here.

http://pastebin.com/BLVXeGs0

Posted on May 9, 2016 7:22 AM


  • by Linc Davis, Level 10 (207,926 points), Applications, May 9, 2016 9:45 AM in response to riddamark

    You're trying to use a wildcard certificate. Not recommended.

  • by riddamark, Level 1 (4 points), Servers Enterprise, May 9, 2016 10:45 AM in response to Linc Davis

    Why is that not recommended? Since when? Is there some sort of documentation you can point me at that states this? It's worked fine for the last year until now. I am not trying to sound rude or anything, but if this is the case I will be stunned.

  • by Linc Davis, Level 10 (207,926 points), Applications, May 9, 2016 11:07 AM in response to riddamark

    I don't recommend it because Internet standards only provide for wildcard certification of Web services, for one thing, and because there is no provision for it in the Server app. Since it's not officially supported, even if you get it to work, it could be broken by any update from Apple. I suggest you do a web search for the experiences of others. If you do that, you'll know more about the subject than I do.

    My view is that OS X Server is optimized for simplicity, not flexibility. If you want to be able to configure an enterprise server any way you want, you should use some other platform. Apple is out of the server business.

  • by pterobyte, Level 6 (11,101 points), Servers Enterprise, May 10, 2016 3:20 AM in response to riddamark

    You will need two certificates: one for services that do not support wildcard certs and one for other services that do. Next, assign accordingly and you should be good to go. The wildcard cert is typically only needed for websites anyway, since other services can all rely on the same host name.

    That said, while it won't solve your issues, I'd upgrade to 10.11.4 and Server 5.1, as it supports TLS 1.2 and gets rid of some insecure ciphers.

  • by toop68, Level 1 (27 points), Servers Enterprise, May 11, 2016 11:59 AM in response to riddamark

    I've seen this also happening on my own Server. My public certificate was still valid for, I'm not completely sure, a month or so. The Server app decided it was time to renew that certificate, and replaced a good functioning public certificate with a self-signed look-alike. Created a case with Apple support, but that went nowhere. In the end I renewed the public certificate at my public certificate provider. Used the brand-new certificate and the problems of Server replacing the certificate were gone.

    Just popped into my mind again: in the end it's the Open Directory part that was the badass in this story. If you can create a trusted certificate, place that on your OD services, one with a long enough validity; then you can still use your about-to-expire certificate for other services and the Server app will leave it at that.
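The check riddamark ran by hand with openssl s_client, and the symptom toop68 describes (a working public certificate swapped for a self-signed look-alike), can be turned into a scheduled check that records what a service actually presents and alerts when it changes. This is an added example, not code from any post in this thread or from Apple: it assumes only the openssl command-line tool, and the host, port, file names and expected fingerprint are placeholders you supply.

```shell
#!/bin/sh
# Added example (not from the thread): snapshot the certificate a TLS service
# presents and flag the two failure modes discussed above: the presented cert
# no longer matches the one you installed (fingerprint changed), or it is
# self-signed (subject == issuer, the "look-alike" with a broken chain).
# Requires the openssl CLI; nothing here is specific to OS X Server.

# Fetch the leaf certificate a TLS service presents and save it as PEM.
# Usage: fetch_presented_cert host port outfile
fetch_presented_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -out "$3"
}

# Print the SHA-256 fingerprint of the certificate in a PEM file
# (the part after "Fingerprint=", e.g. AB:CD:...).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Exit 0 if the certificate in a PEM file is self-signed (subject equals issuer).
# A CA-issued cert has a different issuer, so this catches the case where a
# service starts presenting a certificate it minted for itself.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# Compare a PEM file against the fingerprint of the cert you installed.
# Returns 0 = unchanged, 1 = fingerprint changed but still CA-issued,
# 2 = replaced by a self-signed certificate.
check_cert() {
    pem=$1
    expected=$2
    actual=$(cert_fingerprint "$pem")
    if cert_is_self_signed "$pem"; then
        echo "ALERT: presented certificate is self-signed ($actual)"
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "ALERT: certificate changed: expected $expected, got $actual"
        return 1
    fi
    echo "OK: certificate unchanged ($actual)"
    return 0
}

# Cron usage: certcheck.sh host port expected-sha256-fingerprint
# Run it every few minutes; the first alert pins down the minute at which
# the cert is swapped, which you can then line up with the server logs.
if [ "$#" -eq 3 ]; then
    tmp=$(mktemp)
    fetch_presented_cert "$1" "$2" "$tmp"
    check_cert "$tmp" "$3"
    rc=$?
    rm -f "$tmp"
    exit "$rc"
fi
```

Record the expected value once from the certificate you installed (openssl x509 -in installed.pem -noout -fingerprint -sha256) and pass it as the third argument. An alert with return code 2 is exactly the situation in this thread: the fingerprint changed and the new cert's issuer is its own subject, so no client that trusts only your CA chain will accept it.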