Entourage 2004 - Untrusted Root Certificate install with Tiger (Mac OS X 10.4)

Brian Friday

Hello,

I'm using a certificate generated from the people at http://certs.ipsca.com
with my SMTP server to allow secure (SSL) transactions. Unfortunately, while
I have followed the instructions found in article 887413
(http://support.microsoft.com/default.aspx?scid=kb;en-us;887413) in the
Microsoft Knowledge Base, it still fails.

Basically my Keychain access area lists the root cert (placed in the
X509Anchors keychain) as installed and trusted, the intermediate cert
(placed in the "Microsoft_Intermediate_Certificates" keychains) as installed
and valid, and the actual server cert (placed into the
"Microsoft_Entity_Certificates" keychain) as installed and valid.


Yet Entourage still throws up the message:

Unable to establish a secure connection to the server.name.here because
the correct root certificate is not installed.

If you continue, the information you view and send will not be secure.

The interesting thing is, if you select "okay" rather than cancel, Entourage
will connect securely and it will also send messages using SSL. This will
continue without further errors until you shut Entourage down. Then when it
is started again you are presented with the dialog above... Rinse, wash and
repeat.

Anyone have any tips? I've gotten all the SMTP settings functional and,
because it is actually using SSL to send post-error, I'm hard pressed to
believe that is the problem.

Any help would be appreciated.

Thanks,

Brian Friday
 
Paul Berkowitz

Did you follow the second set of instructions that show you how to verify
that both the root and intermediate certificates are seen by the Microsoft
Cert Manager? Select each and click View button. You will see whether they
are marked as Valid (trusted). If not, you'll need to go back to the issuing
authority and ask about it. If you don't see them at all in the correct
view, use the Import button to browse to and import them, then verify
(view).

--
Paul Berkowitz
MVP MacOffice
Entourage FAQ Page: <http://www.entourage.mvps.org/faq/index.html>
AppleScripts for Entourage: <http://macscripter.net/scriptbuilders/>

Please "Reply To Newsgroup" to reply to this message. Emails will be
ignored.

PLEASE always state which version of Microsoft Office you are using -
**2004**, X or 2001. It's often impossible to answer your questions
otherwise.
 
Brian Friday

Yes, all certs are viewable in the Microsoft Cert Manager

Under Apple Trusted Root Certificate Authorities
- IPS SERVIDORES
self-signed root certificate
expires - December 29, 2009
and says with a green check mark "This certificate is valid"

Under Intermediate Certificate Authorities
- ipsCA CLASEA1 Certificate
intermediate certificate authority
expires - December 29, 2025
and says with a green check mark "This certificate is valid"

Under Individuals
- smtp.server.here
issued by ipsCA CLASEA1 Certificate
expires - 5/14/07
and says with a green check mark "This certificate is valid"

While the directions refer only to the first two, I tried the ssl smtp with
the individual certificate installed and having it not installed. Both fail
with the bad root certificate error.
 
Brian Friday

Realized I hadn't put version information in. I'm using Entourage 2004
version 11.1.0 (040913).
 
Paul Berkowitz

I've never heard of anyone entering an SMTP server as an individual
certificate, although maybe I'm misunderstanding.

You need to go to Tools/Accounts/[the account in question]/Edit/Security and
click Select, then choose the certificate to be the digital signature
certificate for this account. (If it's not clear which is which, toggle the
popup and click View until you find the right one.) Have you done that?

In addition, it sounds as if you need to go to the Sending server section of
the Account settings for that account, click "Advanced sending options",
"requires secure connection (SSL)" and - if necessary - override the
standard port with whatever port your IT person might specify. It seems
you've done this already?

Sometimes error messages are stupid, telling you the wrong error. Could that
be the case here?

 
Brian Friday

Sadly, I am the IT person I would contact to ask questions.

Settings for SSL are that we have the requires SSL check and port has been
shifted to 465 (the pure SSL port). That is exactly what we've had to do on
the Outlook Windows clients and they have performed flawlessly.

I'm not sure the individual server certificate is needed as well. I don't
think it should be, since as long as the root/signing certs are in that
should be sufficient. But wanting to check all points I did my tests with the
server cert and without the server cert, both without success. Unless the
terminology is completely obtuse, I understand the digital ID to be the
individual encrypting their messages prior to sending (i.e. S/MIME).

Given that Entourage actually completes and sends the message via SSL if you
press okay in the dialog box, I believe this is one of those "erroneous
error messages", but that doesn't help me much, as telling end users "just
click okay all the time" isn't exactly the "fix" I'd like to give them.
 
Chris Ridd

> Sadly, I am the IT person I would contact to ask questions.

Don't MS provide any other technical resources for "IT people"? I assumed
they would, given the amount of "if you're stuck ask your administrator"
'advice' in the docs :)

> Settings for SSL are that we have the requires SSL check and port has been
> shifted to 465 (the pure SSL port). That is exactly what we've had to do on
> the Outlook Windows clients and they have performed flawlessly.
>
> I'm not sure the individual server certificate is needed as well. I don't
> think it should be, since as long as the root/signing certs are in that
> should be sufficient. But wanting to check all points I did my tests with the
> server cert and without the server cert, both without success. Unless the
> terminology is completely obtuse, I understand the digital ID to be the
> individual encrypting their messages prior to sending (i.e. S/MIME).
>
> Given that Entourage actually completes and sends the message via SSL if you
> press okay in the dialog box, I believe this is one of those "erroneous
> error messages", but that doesn't help me much, as telling end users "just
> click okay all the time" isn't exactly the "fix" I'd like to give them.

It isn't an "erroneous error message". It is indicating, presumably
correctly, that the certificate being offered by your mail server is
apparently not signed by something you automatically trust. Hence the
message - do you want to trust the server?

The way to make your machine automatically trust that server is to install
all the required certs into X509Anchors. Certainly the top self-signed cert
needs to go in there.

Although this absolutely is possible to get right it can be quite awkward,
and debugging the exact trust failure is quite hard. It ought to be possible
for someone to write a little app using Security.framework that will help a
lot.

Unless you can persuade someone to do that, the next best thing to do is to
use openssl s_client to dump out the certificate chain it receives from your
server. Examine the output *very closely* and add relevant looking certs
into X509Anchors.

Cheers,

Chris
 
Brian Friday

Thanks Chris, but if you would look to last Thursday you'll see that I have
followed the below.

The reason I am using this group to report and hopefully solve (remote, yes)
this problem is because that is where Microsoft has initially directed me.

As to the openssl s_client, that has already been done; heck, I took the
original cert from the server itself rather than use this method. Both using
the s_client and a copy of the original server certificate have failed. As
stated above, the root certificate is available in the correct place, is
trusted and is valid. The intermediate certificate is also valid, trusted
and correctly installed into the intermediate area.

*sigh*

Anyone else have thoughts or suggestions? While I'm a neophyte to Entourage,
I do believe (Google and Microsoft search based) I have hit all the how-tos,
wherefores, etc.
 
Chris Ridd

> Thanks Chris, but if you would look to last Thursday you'll see that I have
> followed the below.
>
> The reason I am using this group to report and hopefully solve (remote, yes)
> this problem is because that is where Microsoft has initially directed me.

Uh oh :)

> As to the openssl s_client, that has already been done; heck, I took the
> original cert from the server itself rather than use this method. Both using
> the s_client and a copy of the original server certificate have failed. As
> stated above, the root certificate is available in the correct place, is
> trusted and is valid. The intermediate certificate is also valid, trusted
> and correctly installed into the intermediate area.

Hm. I think the errors you're still getting suggest that the certificates
are *not* installed in the right place.

What does your certificate chain look like? Which ones in the chain are
installed in which keychain on your Mac?

Can you connect Safari to the SSL port on the mail server without any SSL
errors? It probably won't understand the HTTP request that Safari sends, but
the SSL stuff happens first.

How about Mail.app?

> *sigh*
>
> Anyone else have thoughts or suggestions? While I'm a neophyte to Entourage,
> I do believe (Google and Microsoft search based) I have hit all the how-tos,
> wherefores, etc.

Keep trying. (Sorry.) It took me a while before I got Entourage working with
one of my mail servers, but it did work in the end after a certain amount of
messing around.

Cheers,

Chris
 
Brian Friday

> Hm. I think the errors you're still getting suggest that the certificates
> are *not* installed in the right place.
>
> What does your certificate chain look like? Which ones in the chain are
> installed in which keychain on your Mac?

In the root area is the root certificate for IPS; in the intermediate is the
intermediate certificate they have.
http://certs.ipsca.com/Support/SSLServerSUPPORT.asp lists the certificates,
and the IPS SERVIDORES root certificate is in the Apple root certificate chain
and is valid and trusted. Likewise the ipsCA CLASEA1 intermediate certificate
is also in the intermediate chain, trusted and valid.

> Can you connect Safari to the SSL port on the mail server without any SSL
> errors? It probably won't understand the HTTP request that Safari sends, but
> the SSL stuff happens first.

https://smtp.server.here:465

Works, gives me a bunch of errors as it is a web client rather than an SMTP
client, but is correctly secured and doesn't present any dialog box from
Safari indicating an unknown certificate. The server certificate correctly
shows the trust relationship and hierarchy of IPS SERVIDORES (the root
cert), which trusts the ipsCA CLASEA1 Certificate Authority which issued the
actual server certificate. The server certificate shows that it is valid as
well.

> How about Mail.app?

Works flawlessly and doesn't give any error messages when attempting to use
the SSL port 465 for sending SMTP traffic that is SSL encrypted.

- Brian
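Chris's advice in this thread (dump the chain with openssl s_client, then make sure the top self-signed certificate is in X509Anchors) and Brian's description of the IPS SERVIDORES > ipsCA CLASEA1 > server hierarchy both come down to chain building. The script below is an added example, not code from the thread, from Microsoft or from ipsCA: it builds a throwaway root/intermediate/server PKI with openssl and then uses openssl verify to reproduce the outcomes a client can reach depending on which certificate it anchors and whether the intermediate is available. Everything in it (Example Test Root CA, smtp.example.test, the WORK directory, the serial numbers) is invented for the demo; the error numbers 2, 20 and 62 are OpenSSL's X509_V_ERR_ constants.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway root -> intermediate -> server
# PKI built with openssl, used to reproduce the trust outcomes a client such as
# Entourage, Safari or Mail.app can reach. "Trusted" stands in for the anchor
# keychain (X509Anchors), "untrusted" for the extra certificates the server
# hands over in the TLS handshake. All names here (Example Test Root CA,
# smtp.example.test, ...) are invented; they are not the ipsCA certificates.
set -e

WORK="${WORK:-$(mktemp -d)}"

make_test_pki() {
    cat >"$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    cat >"$WORK/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:smtp.example.test
EOF
    # 1. self-signed root: the one certificate that has to sit in X509Anchors
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 365 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
    # 2. intermediate CA, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -set_serial 1001 -days 365 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
    # 3. server certificate, signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=smtp.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -set_serial 2001 -days 365 -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null
}

# verify_chain TRUSTED LEAF UNTRUSTED [extra openssl-verify flags...]
# UNTRUSTED may be "" when the server sends only its own certificate.
# Prints "ok" when the chain builds to a trust anchor, otherwise the numeric
# X509 verify error: 20 = no certificate that issued the leaf is available
# (intermediate neither sent by the server nor installed), 2 = the chain
# dead-ends on a trusted certificate that is not self-signed (intermediate
# installed, root not), 62 = hostname mismatch when -verify_hostname is given.
verify_chain() {
    trusted=$1; leaf=$2; extra=$3; shift 3
    if [ -n "$extra" ]; then
        out=$(openssl verify -CAfile "$trusted" -untrusted "$extra" "$@" "$leaf" 2>&1) \
            && { echo ok; return 0; }
    else
        out=$(openssl verify -CAfile "$trusted" "$@" "$leaf" 2>&1) \
            && { echo ok; return 0; }
    fi
    echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    return 1
}

# dump_server_chain HOST PORT: the s_client check, reduced to the subject (s:)
# and issuer (i:) line of every certificate the server really sends. Needs
# network access, so it is not part of the self-test.
dump_server_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | grep -E '^ *[0-9]+ s:|^ +i:'
}

demo() {
    make_test_pki
    r=$WORK/root.pem; i=$WORK/int.pem; s=$WORK/server.pem
    echo "root anchored, server sends intermediate:       $(verify_chain "$r" "$s" "$i")"
    echo "root anchored, intermediate missing everywhere: $(verify_chain "$r" "$s" "")"
    echo "intermediate anchored, root not:                $(verify_chain "$i" "$s" "")"
    echo "same, but client accepts partial chains:        $(verify_chain "$i" "$s" "" -partial_chain)"
    echo "name check against the wrong host:              $(verify_chain "$r" "$s" "$i" -verify_hostname mail.example.test)"
}

case "${1:-}" in --demo) demo ;; esac
```

Run it as `sh chain_demo.sh --demo` to print the five outcomes. The two to compare with Entourage's "correct root certificate is not installed" message are the second and third: if the server does not send the intermediate and the client has not installed it anywhere, the leaf cannot be chained at all, whatever sits in the root keychain (error 20); if the intermediate is installed but the root is not, the chain stops one hop short (error 2) unless the client deliberately accepts partial chains. dump_server_chain is the s_client step itself; compare its s:/i: lines against the subjects of the certificates installed in the keychains, and remember that a client performs the hostname check on top of chain building, so the name in the server certificate has to match what the account is configured to connect to.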
 
