monk541

Q: SSL certificate not used for Server Admin connections

I have a GoDaddy SSL certificate installed on OS X Server 10.11.4. It works fine for the web server (https). Connecting via Server.app offsite produces an SSL warning and a self-signed certificate. There is a related error consistently in the logs:

servermgr_certs[]: -[CertsRequestHandler(KeychainOpenSSLExport) exportIdentity:]: SecKeychainItemExport(certificateChain) no certificate chain available, defaulting to a leaf cert only

Any suggestions? I've reinstalled the cert...

Mac mini, OS X El Capitan (10.11.4), OS X Server

Posted on Jun 7, 2016 11:15 AM

  • by Strontium90, Solved answer

    Strontium90 Jun 9, 2016 9:01 AM in response to monk541

    You need to make Server.app aware of the 3rd party certificate. Follow these steps:

    1:  Open Keychain Access.

    2:  Select the System keychain from the list of keychains.

    3:  Find the com.apple.servermgrd identity preference and double click it.

    4:  Select your 3rd party SSL certificate from the Preferred Certificate popup menu.

    5:  Press the Save Changes button.  You will be prompted to authenticate.

    6:  Reboot the server or restart the servermgrd process to activate the changes.

     

    Now when connecting to the server from a remote device using Server.app, you will connect using your 3rd party valid SSL cert and avoid the errors.

     

    Reid

    Apple Consultants Network

    Author - "El Capitan Server – Foundation Services"

    Author - "El Capitan Server – Control & Collaboration"

    Author - "El Capitan Server – Advanced Services"

    :: Exclusively available in Apple's iBooks Store

  • by John Lockwood, Helpful

    John Lockwood Jun 9, 2016 9:01 AM in response to monk541

    In addition to what Strontium90 says, it is frequently the case with commercial SSL certificates that you need to install both the actual server certificate you have purchased and also an 'Intermediate CA' certificate. The root certificate for a purchased SSL certificate is usually already installed in your Mac by Apple. So the full 'chain' of certificates is typically:

    root CA (usually built in to OS X) ----> intermediate CA ----> server certificate


    You also, of course, need to install the private key that matches the server certificate. If you use Server.app to install the certificate, which is the approach I recommend, then the dialog box has three fields, one for each of intermediate CA, server certificate, and private key.
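
To confirm what Server.app clients are actually handed after the steps in the two replies above, this added example (not code from either poster) classifies the chain section of `openssl s_client -showcerts` output as self-signed, leaf-only, broken or complete. The function names and the sample hostnames and CA names are constructed for illustration, and the host and port in the usage comment are placeholders you supply.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `openssl s_client -showcerts`
# output on stdin and reports what kind of chain the server presented.
# Live use (HOST and PORT are placeholders for your server and admin port):
#   openssl s_client -connect "$HOST:$PORT" -showcerts </dev/null 2>/dev/null | classify_chain
classify_chain() {
  awk '
    /^Certificate chain/       { in_chain = 1; next }
    in_chain && /^---$/        { in_chain = 0; next }   # PEM lines are longer, so they do not match
    in_chain && /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    in_chain && /^ +i:/        { sub(/^ +i:/, ""); iss[n] = $0; next }
    END {
      if (n == 0)             { print "no-certificate"; exit }
      if (subj[1] == iss[1])  { print "self-signed"; exit }   # the warning seen in Server.app
      if (n == 1)             { print "leaf-only"; exit }     # matches the servermgr_certs log line
      for (k = 1; k < n; k++)                                 # each issuer must be the next subject
        if (iss[k] != subj[k + 1]) { print "broken-chain"; exit }
      print "chain-ok"
    }'
}

# Constructed sample: what a self-signed identity looks like in s_client output.
sample_self_signed() {
cat <<'EOF'
---
Certificate chain
 0 s:/CN=server.example.com
   i:/CN=server.example.com
---
EOF
}

# Constructed sample: leaf plus intermediate, as sent once the chain is available.
sample_full_chain() {
cat <<'EOF'
---
Certificate chain
 0 s:/CN=server.example.com
   i:/O=Example CA/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, PEM body omitted)
-----END CERTIFICATE-----
 1 s:/O=Example CA/CN=Example Intermediate CA
   i:/O=Example CA/CN=Example Root CA
---
EOF
}
```

A `leaf-only` result means the right certificate is selected but the intermediate CA is still missing from what the server sends.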

  • by monk541

    monk541 Jun 9, 2016 9:03 AM in response to Strontium90

    Thank you, this resolved the issue.

     

    I had installed the certificate (and reinstalled) via the Server.app, setting it as the default certificate for services, but this certificate identity preference remained unchanged.

  • by monk541

    monk541 Jun 9, 2016 9:05 AM in response to John Lockwood

    I installed the intermediate CA when I reinstalled the SSL certificate, but that itself didn't fix the preference of servermgrd.