Certificate Problems

suppersppy

Version: 2008
Operating System: Mac OS X 10.5 (Leopard)
Processor: Intel
Email Client: Exchange

I am following up this question <http://www.officeformac.com/ProductForums/Entourage/7511/4>

It's taken quite some time, but I got the IT people to help out and output a root certificate. As far as I can tell it is indeed a root certificate, and I have it installed in the X509, the System, and the login keychain and have it marked as always trust, but nothing changed. I get the same error message from Entourage and Messenger. So what's my next step in troubleshooting this?

Corentin Cras-Méneur

Hi,

> I am following up this question
> <http://www.officeformac.com/ProductForums/Entourage/7511/4>
>
> It's taken quite some time but I got the IT people to help out and
> output a root certificate. As far as I can tell it is indeed a root
> certificate and I have it installed in the X509, the system, and the
> login keychain and I have it marked as always trust but nothing
> changed. I get the same error message from Entourage and Messenger. So
> what's my next step in troubleshooting this?

If it is indeed the root certificate, then it's a problem I have never
encountered so far.

If you connect to the server through your web browser (in https), do you
get any warnings?

Corentin

suppersppy

I hadn't been getting anything, but when I saw your message I went and visited the site in Safari and got the "Safari can't identify the website..." message. I clicked Show Certificate, then dropped down the Trust section and chose Always Trust before continuing. Logging out and back in, I no longer get an error message, but it didn't change the behavior of Messenger or Entourage. This hadn't been happening previously, but I did remove and re-add various certificates in the interim.

Corentin Cras-Méneur

> I hadn't been getting anything but when I saw your message I went and
> visited the site in Safari and got the "Safari can't identify the
> website..." message.

Which indicates it is not properly added in your keychain.

> I clicked show certificate then dropped down the
> trust section chose always trust before continuing.

Unfortunately, this method only corrects the issue for Safari (and now
you can't test it back). Importing the certificate corrects the issue
for all applications.

Corentin

suppersppy

All right, at least that's something to work on. First I went to my keychain and deleted the item that Safari had added in order to get testing back. That worked fine, and now I am back to getting those errors when I go to the server. It seems like the first thing to do is verify that I have the correct certificate from IT. How should I go about doing that?

BTW, thanks so much for your help. You have been awesome and a real life saver.

William Smith [MVP]

> All right at least that's something to work on. First I went to my
> keychain and deleted the item that safari had added in order to get
> testing back. That worked fine and now I am back to getting those
> errors when I go to the server. It seems like the first thing to do
> is verify that I have the correct certificate from IT. How should I
> go about doing that?
>
> BTW thanks so much for your help. You have been awesome and a real
> life saver.

When viewing your account in OWA you should see a small lock icon
somewhere in the browser indicating that you're connected over a secure
connection.

Click the lock icon and you'll see the certificate. Then look in the
details of the certificate for the URL of the root certificate. If you
see it there, click on it and download it.

You should then be able to drag the downloaded file onto Keychain Access
and import it. If necessary, twiddle the disclosure triangle next to
Trust and be sure you trust it for SSL connections.

Hope this helps!

--

bill

Entourage Help Page <http://entourage.mvps.org/>
Entourage Help Blog <http://blog.entourage.mvps.org/>
YouTalk <http://nine.pairlist.net/mailman/listinfo/youtalk>
Twitter: follow <http://twitter.com/meck>

suppersppy

I had tried that before but had not been able to actually download the file. So this time I copied the URL, then wrote a very simple HTML page so that I could right-click and download the link target. It worked and I got the certificate on my desktop. I then removed the other certificate and double-clicked on the new one and chose X509, then login, then System; then I opened the Microsoft cert manager and let it add it where it wanted to. Nothing I tried could get it installed in the X509 or System keychain. I did get it in the login keychain, plus the cert manager added it to the microsoft_intermediate_certificates keychain. I marked it as always trust in all of those places. All this had no effect on Messenger, but it did change the error message I get with Entourage.

Typically I get "Unable to establish a secure connection to servername because the correct root certificate is not installed." With the new certificate I get "Unable to establish a secure connection to servername because the server name or IP address does not match the name or IP address on the server's certificate."

One thing I noticed is that when I connect to the OWA I typically connect to exchange2.domainname, but I saw that the error message mentioned exchange2.local.domainname. So I tried changing the URL that my browser was accessing for OWA to include the .local. It connected just fine, but now the certificate gives a warning saying it's not valid because of a hostname mismatch.

Bottom line is that using the certificate from the OWA didn't work, but it did give me a new error message. What's next?

Corentin Cras-Méneur

> I had tried that before but had not been able to actually download the
> file. So this time I copied the url then wrote a very simple html page
> so that I could right click and download link target. It worked and I
> got the certificate on my desktop.

In Safari, clicking the lock in the top right corner displays the
certificate. You can then select it and drag it to the desktop.
Be careful though... It might not be the *Root* certificate, and you
really need the root certificate for Entourage.

In that very same dialog box, you can display the details and, further
down the list of details, you can usually find the link to the root
certificate that you need to import.

> I then removed the other certificate
> and double clicked on the new one and chose x509, then login, then

X509Anchors are only for Tiger. Leopard requires that the certificate be
imported into the login keychain. X509Anchors are deprecated.

> system, then I opened the microsoft cert manager and let it add it where
> it wanted to.

This app is just a front-end for the Keychain. No need to do this.

> Nothing I tried could get it installed in x509 or system
> keychain. I did get it in the login keychain plus the cert manager added
> it to the microsoft_intermediate_certificates keychain. I marked as
> always trust in all of those places. All this had no effect on messenger
> but it did change the error message I get with entourage.

It's probably not the root certificate.

> Typically I get "Unable to establish a secure connection to servername
> because the correct root certificate is not installed." With the new
> certificate I get "unable to establish a secure connection to servername
> because the server name or IP address does not match the name or IP
> address on the server's certificate."

Even worse. This is not the certificate for the exact domain name you
need (e.g. www.whatever.com instead of webmail.whatever.com).

> One thing I noticed is that when I connect to the OWA typically I
> connect to exchange2.domainname but I saw that the error message
> mentioned exchange2.local.domainname. So I tried changing the URL that my
> browser was accessing for OWA to include the .local. It connected just
> fine but now the certificate gives a warning saying it's not valid
> because of a hostname mismatch.

Make sure you get the root certificate for the exact domain name
corresponding to the server you need to use in Entourage.
Try connecting to https://exchange2.local.domainname to see if this
triggers a certificate warning where you could get the link to the
certificate you need.

Corentin

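
The two checks Bill and Corentin describe above (which names the presented certificate covers, and whether what you downloaded is really a self-signed root) can be done from Terminal with the openssl that ships with macOS. This is an added example, not code from the thread or from Microsoft; host names such as exchange2.domainname are the thread's placeholders, and the root test is a plain subject-equals-issuer comparison.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: read what the server's chain says
# before importing anything. Uses the openssl that ships with macOS;
# host names such as exchange2.domainname are placeholders.

# name_matches HOST NAME: does NAME (a CN or SAN entry, possibly a leftmost
# wildcard) cover HOST? DNS names compare case-insensitively.
name_matches() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$host" = "$name" ] && return 0
  case "$name" in
    '*.'*)
      # A wildcard stands for exactly one label: *.domainname covers
      # exchange2.domainname but not exchange2.local.domainname.
      rest=${host#*.}
      [ "$rest" != "$host" ] && [ "$rest" = "${name#?.}" ] && return 0 ;;
  esac
  return 1
}

# cert_covers HOST NAME...: 0 if any listed name covers HOST; 1 is the
# "server name ... does not match" condition Entourage reports.
cert_covers() {
  host=$1; shift
  for n in "$@"; do name_matches "$host" "$n" && return 0; done
  return 1
}

# inspect_server HOST: fetch the chain HOST presents on 443 (needs network),
# print the names on the leaf, and report whether the chain ends in a root.
inspect_server() {
  chain=$(printf '' | openssl s_client -connect "$1:443" -servername "$1" \
            -showcerts 2>/dev/null)
  leaf=$(printf '%s\n' "$chain" | awk '/BEGIN CERT/{n++} n==1')
  [ -n "$leaf" ] || { echo "no certificate received from $1"; return 1; }
  last=$(printf '%s\n' "$chain" |
         awk '/BEGIN CERT/{n++} {c[n]=c[n] $0 "\n"} END{printf "%s", c[n]}')
  echo "== leaf certificate: its names must cover $1 =="
  printf '%s\n' "$leaf" | openssl x509 -noout -subject
  printf '%s\n' "$leaf" | openssl x509 -noout -text | grep -A1 'Subject Alternative Name'
  echo "== last certificate the server sent =="
  subj=$(printf '%s\n' "$last" | openssl x509 -noout -subject)
  iss=$(printf '%s\n' "$last" | openssl x509 -noout -issuer)
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then  # self-signed => a root
    echo "root present; this is the one to import:"; echo "$subj"
  else
    echo "not a root (server did not send it); obtain the certificate of:"; echo "$iss"
  fi
}
if [ "$#" -gt 0 ]; then inspect_server "$1"; fi
```

Once the root is saved to a .pem file, `security add-trusted-cert -r trustRoot -k ~/Library/Keychains/login.keychain root.pem` is the command-line equivalent of the Keychain Access import Bill describes.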

suppersppy

I keep trying to add it to the X509 keychain because it's my understanding that Messenger is hard-coded to look for the X509 keychain even though Leopard has largely done away with it.

Connecting to <https://exchange2.local.domainname> does trigger a warning and allows me to look for the URL. The problem is that it's the same URL regardless of whether it's <https://exchange2.local.domainname> or <https://exchange2.domainname>, the only difference being that <https://exchange2.local.domainname> gives a warning saying it's not valid because of a hostname mismatch.

Corentin Cras-Méneur

> Connecting to <https://exchange2.local.domainname> does trigger a
> warning and allows me to look for the url. The problem is that it's the
> same url regardless of whether it's <https://exchange2.local.domainname>
> or <https://exchange2.domainname> the only difference being that
> <https://exchange2.local.domainname> gives a warning saying it's not
> valid because of a hostname mismatch.

I suspect that https://exchange2.local.domainname redirects you to the
other address.

You really shouldn't have to go through all this trouble though. The
Exchange admins should be able to point you directly to the right
certificate :-<

It's also possible that they are incorrectly using the certificate for
https://exchange2.domainname on https://exchange2.local.domainname, in
which case there is nothing you can really do. It would be in their
hands to correct the problem.

Corentin

suppersppy

Okay, I am going to follow up with IT. They seem to be on board with helping out as long as I can be very specific in my requests and do all the research myself.

suppersppy

Isn't there a potential security risk to putting a certificate out there like that?

Corentin Cras-Méneur

> isn't there a potential security risk to putting a certificate out there like
> that?

They are publicly available anyway. It's not the self certificate, it's
the public one.

Corentin

suppersppy

So I could just post the URL for my OWA and it would pose no security risk, but you guys could examine the certificate it presents and help me more easily?

Corentin Cras-Méneur

> So I could just post the url for my OWA and it would pose no security
> risk but you guys could examine the certificate it presents and help me
> easier?

Sure. I don't have a login and password. I can't get into the site
anyway.
The OWA address that's accessible from the outside is no secret.

Corentin