FTPS ovr SSL Certificates setup

Hello all,
I did quite some research on SDN to get articles on setting up all configuration to do an FTPS over SSL.
Here is where i Stand:
I have downloaded the Partner's certificate and have got it into PIs Trusted Keystore,
but when i try to execute the scenario i get an error in the AE: Failed in the Certificate Chain.
Can anybody help me with this?
Thanks in advance

Have you checked this thread [Configure FTPS sender and reciver communication channel.; also check page 20 of this article
[https://www.sdn.sap.com/irj/scn/elearn?rid=/library/uuid/a09f3d8e-d478-2910-9eb8-caa6516dd7d9&overridelayout=true]

Similar Messages

SSL Certificate setup for Web/Address Book/iCal in 10.7 Lion?

I know nothing about certificates. I plan to use my Mini server to help manage my family's computers which are pretty spread out across the U.S. My plan is to use profile manager for device management, host a couple websites (one secure for home security cams) and share address books and calendars. This is as much a geek gadget project as it is "useful" so I understand I may be creating some work for myself
Anyway, can someone walk me through the correct setup for certificates? My research is showing me a LOT of options/parameters. Due to the expense, i don't want to create one just to find it won't serve my purposes.
Also, I think i'm going with RapidSSL...$50 is the cheapest I've come across...hopefully the offer what I need?

I have just spent 30 minutes on the phone to a pleseant chap in Athens, and now have a solution.
We tried several options and the final one worked - so simple.
Click on the apple symbol > system preferences > iCloud > disable contact sync > keep contacts
Check search, in my case it worked for the first time in several weeks :-)
then re-enable contact sync as follows:
Click on the apple symbol > system preferences > iCloud > re-tick contacts > merge contacts
Search still works
Hallelujah!

File Adapter FTP SSL SSL Certificate Exception

After reviewing the results of searching on this error, I do not find anything that fits my situation:
SAP File Adapter (PI 7.1) using FTP with FTPS connection security.
I am not using X.509 certificate for client authentication.
My connection is using a non-public certificate.
I have added the SSL certificate to TrustedCAs and DEFAULT keystores.
I am getting the following error:
Message processing failed. Cause: com.sap.engine.interfaces.messaging.api.exception.MessagingException: Error when getting an FTP connection from connection pool: com.sap.aii.af.lib.util.concurrent.ResourcePoolException: Unable to create new pooled resource: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
Since I am using an non-public certificate, it will not validate. Even adding to the TrustedCAs and DEFAULT keystore it seems the configuration is still attempting to validate the certificate.
Any recommendations?

Hi,
The main reasons for this error are:
1. The correct server certificate could not be present in the TrustedCA
keystore view of NWA. Please ensure you have done all the steps
described in these two URLs:
Security Configuration at Message Level
http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe1000000
0a1550b0/frameset.htm
2. The server certificate chain contains expired certificate. Check for
it (that was the cause for other customers as well) and if it's the case
renew it or extend the validation.
3. Some other people have reported similar problem and mainly the
problem was that the certificate chain was not in correct
order. Basically the server certificate chain should be in order
Own->Intermedite->Root. To explain in detail, if your server certificate
is A which is issued by an intermediate CA B and then B's certificate is
issued by the C which is the root CA (having a self signed certificate).
Then your certificate chain contains 3 elements A->B->C. So you need to
have the right order of certificate in the chain. If the order is B
first followed by A followed by C, then the IAIK library used by PI
cannot verify the server as trusted. Please generate the certificate in
the right order and then import this certificate in the TrustedCA
keystore view and try again. Please take this third steps as the
principal one.
Hope it solves your querie.
Regards,
Caio Cagnani

E-Mail Setup fails with self-signed SSL certificat...

Hi, one of my e-mails is with a small provider who just moved the mail server to Imap and SSL. In Thunderbird, everything works fine, setup on my Nokia C-6-fails with an unspecific error message (and trows away the settings). I asked the provider, and it seems that the problem comes up because the Nokia e-mail application doesn't asked me if I want to accept the certificate but instead rejects it. Is there a workaround to this problem? Is there a way to setup the mail account without using the wizard? Or to take over the settings from Thunderbird? Or a way to put the certificate in the right place manually? In Opera mobile I have no trouble with self-signed SSL certificates. Thanks Cave

Any one around who can help? Self-Signed certificates are rather common, after all. I would be grateful cave

Cisco ASA 5505 and comodo SSL certificate

Hey All,
I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.
Once the AnyConnect client installs and automatically connects i get no errors or anything. The minute I disconnect and try to reconnect again, I get the "Untrusted VPN Server Certificate!" which isn't true because the connection information is https://vpn.mydomain.com and the SSL Cert is setup as vpn.mydomain.com.
On that note it lists the IP address instead of the vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.
What am I missing here? I can post config if anyone needs it.
(My Version of ASA Software is 9.0 (2) and ASDM Version 7.1 (2))

It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.
ASA Version 9.0(2)
hostname MyDomain-firewall-1
domain-name MyDomain.com
enable password omitted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd omitted
names
name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
name 10.200.0.0 MyDomain_New_IP description MyDomain_New
name 10.100.0.0 MyDomain-Old description Inside_Old
name XXX.XXX.XX.XX Provider description Provider_Wireless
name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address Cisco_ASA_5505 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address Provider 255.255.255.252
boot system disk0:/asa902-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.0.3.21
domain-name MyDomain.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network MyDomain-Employee
subnet 192.168.208.0 255.255.255.0
description MyDomain-Employee
object-group network Inside-all
description All Networks
network-object MyDomain-Old 255.255.254.0
network-object MyDomain_New_IP 255.255.192.0
network-object host MyDomain-Inside
access-list inside_access_in extended permit ip any4 any4
access-list split-tunnel standard permit host 10.0.13.1
pager lines 24
logging enable
logging buffered errors
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
action terminate
dynamic-access-policy-record "Network Access Policy Allow VPN"
description "Must have the Network Access Policy Enabled to get VPN access"
aaa-server LDAP_Group protocol ldap
aaa-server LDAP_Group (inside) host 10.0.3.21
ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http MyDomain_New_IP 255.255.192.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
no validation-usage
no accept-subordinates
no id-cert-issuer
crl configure
crypto ca trustpoint VPN
enrollment terminal
fqdn vpn.mydomain.com
subject-name CN=vpn.mydomain.com,OU=IT
keypair vpn.mydomain.com
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca server
shutdown
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
    omitted
quit
crypto ca certificate chain VPN
certificate
    omitted
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate ca
    omitted
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint VPN
telnet timeout 5
ssh MyDomain_New_IP 255.255.192.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
ssl trust-point VPN outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 10.0.3.21
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
default-domain value MyDomain.com
group-policy MyDomain-Employee internal
group-policy MyDomain-Employee attributes
wins-server none
dns-server value 10.0.3.21
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value MyDomain.com
webvpn
anyconnect profiles value MyDomain-employee type user
username MyDomainadmin password omitted encrypted privilege 15
tunnel-group MyDomain-Employee type remote-access
tunnel-group MyDomain-Employee general-attributes
address-pool MyDomain-Employee-Pool
authentication-server-group LDAP_Group LOCAL
default-group-policy MyDomain-Employee
tunnel-group MyDomain-Employee webvpn-attributes
group-alias MyDomain-Employee enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
: end
asdm image disk0:/asdm-712.bin
asdm location MyDomain_New_IP 255.255.192.0 inside
asdm location MyDomain-Inside 255.255.255.255 inside
asdm location MyDomain-Old 255.255.254.0 inside
no asdm history enable

Dreamweaver (on Windows 7) wont connect to IIS (v7) Server using "FTP over SSL/TLS..."

I am evauating wether to purchase Dreamweaver CS6...
Dreamweaver CS6 trial (on Windows 7) wont connect to IIS (v7) Server using "FTP over SSL/TLS (explicit encryption)". I have a NEW Godaddy SSL certificate installed on the IIS server.
On connecting Dreamweaver states: "Server Certificate has expired or contains invalid data"
I have tried:
-ALL the Dreamweaver Server setup options
-Using multiple certificates (tried 2048 bit and 4096 bit Godaddy SSL certificates)
-Made sure the certificate 'issued to' domain name matches my domain name.
I am able to connect no problem using Filezilla, with equivalent Filezilla setting "Require explicit FTP over TLS". I can also connect fine using Microsoft Expression web.

Thanks for your prompt reply.
My comments:
1) You should update your tread (forums.adobe.com/thread/889530) to reflect that it still occurs on CS6 (I had already read it but figured it was an old tread and thus should be fixed by now).
2) You said “These warnings will also pop up for your users if you have a store saying the SSL certificate does not match the domain/ip and this can make users checking out in a storefront very nervous” . This does not seem to be correct – my https pages display properly using the same Godaddy certificate … using IE:
3) Godaddy is not my host (I use Amazon AWS) – but the SSL certificate is from them.

How do I update an SSL certificate? (Includes How-To info :)

OK, I have an IPSCA certificate installed in my (10.5.2) server. I used the 90 day trial period, so it's set to expire next week.
It's worked very well, though, so I decide to pay for the full one (at only $59 for two years I figured it was a good price!)
I forgot about how much crap Apple put me through to get the original installed.
OK, here I go!
1 - review initial install: obtain CA file, Chain CA file, generate Key file and CSR, submit CSR to CA, get CRT back from them.
2 - To install above in Leopard, go to server admin, get to certificates, and import certificate. Use CA (NOT Chain CA, save that for later), .key, and .CRT, with password to .key.
3 - In /etc/certificates, store the Chain CA as a .chcrt file
4 - Now you have a certificate setup. You can enable SSL in http (note to use the ChainCRT in your site's config file for apache!) and IMAP (just by selecting the certificate name from the list in the mail->advanced->security area) but for SMTP the .key file must have NO password. So I generated a second .key file with no password just for SMTP. Stupid. But it works fine.
OK, there ya go! You can connect and SSL is fine!
Oh, but wait! Your security certificate is about to expire! Apple is very useful and puts one of those stupid yellow exclamation marks beside the epiration date! So they knew this would happen! Joy!
Here's where it went down the toilet. I'm fairly sure this is because Apple Keychains just plain don't work well with OpenSSL certificates, but what can you do????
To update your certificate:
1 - select the certificate entry in the certificates section of service manager.
2 - click and select "Add new or updated certificate from signing authority" (I forget the exact text, but it's the one from the bottom, NOT the "Import" one)
3 - Paste in the .CRT contents
4 - Wait for a very long time (over VNC this is not pleasant)
5 - Your new certificate should now be reflected in the valid not-before and not-after dates! Hooray!
BUT WAIT! THERE'S BUGS!
A - Apple's decided that I have a new certificate, but that this new certificate self-signed. I can't for the life of me figure out how to get rid of the self-signed part on my new certificate. And of course there's no log information and no way to find out what the **** is going on.
B - Apple accepted the certificate in the Server Manager, but neglected to update /etc/certificates! This is very very bad: it looks from the GUI like everything's fine (except for the self signing) but when I connect to the web service, apache insists I still have the old (about to expire) certificate!
These are just plain ridiculous things. Did Apple not test the functionality in their own products????
I know the certificates are fine, because with both the original (about to expire) and the new one, I can run "openssl verify -CAfile <ca_file> <crt_file>" and know that they're OK. They're NOT self-signed, they're signed by IPSCA, and Apple had no problems with this for one, but not the other!
Any suggestions?
I have a workaround for bug "B" above: copy the "new" .crt file into /etc/certificates, overwriting the old one, and restart web/mail. When I connect now it accepts the certificate with no problem whatsoever (and I can see when I investigate the certificate in Mail.app or in firefox that it IS signed by the CA, not self-signed)

What about putting the CSAMC in your DMZ and allowing those ports through your firewall?
The nice thing is it allows hosts to communicate with the MC no matter where they are.
You'd have to open up 80 to the MC for software updates but we haven't had any problems in 6 years with that setup.
Tom

A fix for the Mozilla Firefox SSL Certificate Validation Security Weakness vulnerability? This appears to be an issue with not revalidating certificates when loading HTTPS pages from cache.

We have to close vulnerabilities for PCI & Cybertrust certification. We have upgraded users running Firefox to version 7.0.1 but we are still receiving the message: Mozilla Firefox SSL Certificate Validation Security Weakness. Researching the issue, it appears to be related to certificates not being revalidated when loading HTTPS pages from cache. The bug report I found is:
Bug 660749 - Firefox doesn't (re)validate certificates when loading a HTTPS page from the cache

cookies.squite answer is Today at 5:15 PM .
New profile, same problem.
We've already established it is not a add-ons problem but obviously there will be less add-ons in this new profile to help exclude.
Since there is two PC profiles on the PC, I tried the second profile, same problem. Used the RESET FF function on the second PC profile...same thing...even followed the instruct for uninstall &re-install...same problem.
(3) different virus scanners, no hard core problems.
Suspect how I have something in Windows setup that no one else is using?

Data Transfer Port ranges in FTPS with SSL in File Adapter

Hi,
I would appreciate if you could give me pointers reagrding the below issue.
We are on XI 3.0.
For one interface, I have to configure the FTP File adapter to pick up the files from external server.
The connection is secure and should be FTPS with SSL.
I have the certificate from the 3rd party and have it installed on our XI development server.
The change has been made in our firewall to allow the connection to the host IP and port 21 which is configured at the target party as Explicit FTPS port and they have allowed access to our Server IP in their firewall.
I have configured other FTPS connections and they worked fine but this is the only one that has been giving me so much trouble.
The error i get today is:
Error occurred while connecting to the FTP server "60.234.48.106:21": java.net.SocketException: Connection reset
Yesterday, i got the below error:
Error occurred while connecting to the FTP server "60.234.48.106:21": iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier
The Vendor has suggested to get the firewall ports 21 and 28000:30000 (data transfer) to be opened.
He has also provided with the certificate passphrase additionally to the user name and password needed to make the connection.
When i tried the connection from the XI development to the vendor server, via the Telnet, it looked like it worked.
Please advice.
Regards,
Archana

>
Archana Singhai wrote:
> Hi,
> I would appreciate if you could give me pointers reagrding the below issue.
> We are on XI 3.0.
> For one interface, I have to configure the FTP File adapter to pick up the files from external server.
> The connection is secure and should be FTPS with SSL.
> I have the certificate from the 3rd party and have it installed on our XI development server.
> The change has been made in our firewall to allow the connection to the host IP and port 21 which is configured at the target party as Explicit FTPS port and they have allowed access to our Server IP in their firewall.
> I have configured other FTPS connections and they worked fine but this is the only one that has been giving me so much trouble.
> The error i get today is:
> Error occurred while connecting to the FTP server "60.234.48.106:21": java.net.SocketException: Connection reset
> Yesterday, i got the below error:
> Error occurred while connecting to the FTP server "60.234.48.106:21": iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier
> The Vendor has suggested to get the firewall ports 21 and 28000:30000 (data transfer) to be opened.
> He has also provided with the certificate passphrase additionally to the user name and password needed to make the connection.
> When i tried the connection from the XI development to the vendor server, via the Telnet, it looked like it worked.
> Please advice.
> Regards,
> Archana
1. Open the port ranges. FTPS usually requires you to open ports in the range of 65024 through 65535 for Passive FTP data
connections
2. Use the CA name in the certificate. it should be same as of the host name of the FTPS server

How to use SSL certificates in OSX Server

I have setup OSX server with a host name that is pointed properly to my OSX server. My question is about using certificates that were purchased through my domain registrar.
I bought a cert and after the validation process, I was given a link to download 4 certificate files.
AddTrustExternalCARoot.crt
DV_NetworkSolutionsDVServerCA2.crt
DV_USERTrustRSACertificationAuthority.crt
[domain name].crt
So after downloading these and opening them one by one, I installed them in the keychain as a system cert.
The part I cant figure out is how to use the domain cert instead of the one that the server creates upon completion of setup (the self signed one).
On the certificate selection in the sidebar, I can choose Import a certificate identity, but when I drag my domain cert into the box, it shows up as a non-identity cert and the Import button is still grayed out. I dragged all four certs there and all of them show as non-identity certs.
If I go down the path of the Get a Trusted Certificate, it takes me through the CSR request which I dont think I need since i have my certificates already.
Am I missing a step? Or do I need to export from the keychain, then import into the server application? Seems like the new certificates should show up in the server application. Any help would be greatly appreciated.

I got the answer and wanted to post for anyone that happened to have this question.
During the SSL cert setup, it asks where your domain is hosted and since it was hosted by Network Solutions, I chose that option which doesnt do the CSR request. I had to choose Other/VPS.
Once I did that, I was able to generate a CSR in the server application and get my certificate issued again by pasting the request code on my registrars website. Once I received those certs, I dragged my domain cert into the Pending one listed in the certificate list.
Also I chose Apache/ModSSL as the type of server. Hope that helps and new people like myself in setting up the server application.

[solved] dovecot errors after renewing SSL certificate

System:
OS X Server (Mountain Lion) 2.2
Using a single SSL Certificate for all services.
Symptom:
Users can't log into their IMAP accounts hosted on OS X Server (Mountain Lion) after renewing SSL Certificate
Diagnostics:
Give you an indication whether it's this problem. Some or all may apply:
Log shows all kinds of dovecot errors. e.g.
dovecotd[nnn]: master: Error: service(config): command startup failed, throttling
config: Fatal: Error in configuration file /Library/Server/Mail/Config/dovecot/dovecot.conf: ssl enabled, but ssl_cert not set
dovecotd[nnn]: master: Error: service(config): command startup failed, throttling
/Library/Server/Mail/Config/dovecot/conf.d/10-ssl.conf shows commented out lines:
ssl_cert
ssl_key
ssl_ca
Solution:
Go to the Certificates pane of the Server App and choose Secure Services Using: Custom
Set IMAP and POP server certificates to to None
Keep an eye on what the server App is doing to /Library/Server/Mail/Config/dovecot/conf.d/10-ssl.conf
Now set Secure Services Using: <My single SSL Certificate for all services>
Keep an eye on what the server App is doing to /Library/Server/Mail/Config/dovecot/conf.d/10-ssl.conf and you should now see all the ssl* settings as you would expect, and pointing to the correct SSL certificate in /etc/certificates
Hope this works for you too!

I had something similar happen. When I do anything with SSL certificates it deletes any regular websites. Only the sites that are setup for https are listed.
Couldn't understand why my website wasn't working and it turned out that the system had deleted it. The web server had multiple host set and I had to rebuild all the ones that had used port 80. All the ones that use 443 were fine.
Hope this helps.

FTP over SSL connectivity in File Adapter

Hi All,
I request your suggestion on my problem. I have a scenario idoc to file where I am connecting to my vendor server throught SFTP (Ftp over SSL). In this my vendor specifically told that to obtain secure FTP connectivity to their server they require a pre-approved Secure FTP client be used to access the service.
So as per this requirement first our XI server need to coneect to the pre-approved client and the connectivity will happen to the vender server. He list the pre-approved client as below
*Cleo Lexicom 2.1
*TrailBlazer ZMOD FTP Client V3R1 PTF Level PFT3100034
*QualEDI for Windows, 32-bit version
*Ascential DataStage TX, Release 7.5
*Future 3 - Advanced Communication Module Plus (ACM Plus)
*eBridge FTPS Communicator for GXS version 5.3
*Ipswitch Inc's WS_FTP Professional version 8.02.
·Robo-FTP version 3.2
Please let me know will this be possible from our file adapter. Currently as per this requirement we open up the port of XI server for SFTP connecvity but through this we can have host to host connection over SFTP and not sure whether we can connect to client software and from their to vendor sever.
Kindly needful your suggestion/solution on this.
Regards,
Dhill

Hi,
Thank you, Yes I have used FTPS only please find the below details given in the communication channel.
FTP Connection Parameters
Server: ServerName
Port : 6366 (specified by vendor)
Data connection : Passive
Timeout(secs) : 65
Connection Security: FTPS (FTP Using SSL/TLS) for Control and Data Connection
Command Order: AUTH TLS, USER, PASS, PBSZ, PROT
Keystore: service_ssl
X-509 Certificate and Private Key: ssl-credentials
User Name : Vendor user name
Password: Vendor given password
Connect Mode: Permanantly
Transfer Mode: Text
Maximum Concurrency: 1
and also as per he list given by vendeor we can use *Ipswitch Inc's WS_FTP Professional version 8.02.
Note: We have Deploying the SAP Java Cryptographic Toolkit and also CA certificate used to sign the server certificate added to the TrustedCAs keystore view.
So If possible i request you to kindly provide the details how we need to specify the client software between our XI server and Vender server as you mentioned in your solution.
Please let me know your mail id, i will forward the screenshot of my communication channel.
Kindly appreciate your help on this.
Regards,
Dhill.

How to use FTPs in SSL Sockets?

hello Guy's
can i transfer file using FTPs in ssl....
need an urgent help in this reguard...

Hi,
you need to get new certificate for iWS. It not possible to use same certificate, which one you got for weblogic server.
I hope this helps.
Thanks,
Dakshin.
Developer Technical Support
Sun Microsystems
http://www.sun.com/developers/support.

Why is the SSL Certificate "Edit" button disabled in Server Settings?

I just setup my Lion server and am attempting to create a self-signed certificate. All of the directions start with "Run the Server app, go to your server, click the setting tabs, and push the 'Edit' button next to SSL Certificate". Well, I can't because the button is disabled.
I have two theories. The first is that my network setup is messed up somehow. My server name is "server.mydomain.private". When I click on Configure Network, it shows that name and the proper IP address.
My second theory is that the SSL Certificate requires some other service, maybe Open Directory.
Anyway, I'm stumped. Any suggestions are welcome.

venblr, I saw that one too, tried it, but it didn't work. I think I deleted a certificate or something, which caused the problem in the first place. I'm going to finish reading some Lion Server books before starting from scratch by reinstalling Lion and then LIon Server. (I have a screen snap of earlier work and it shows the SSL Certificate "Edit" button enabled.)

Exchange 2013 autodiscover finds external & internal SSL certificate causing autodiscover to fail

Hi:I'm currently working on a windows 2012 server, with exchange 2013, lets say our internal domain is "cars.com" and ALSO the case for our external domain. We have purchased an SSL wildcard positive certificate
*.cars.com so that we could configure Outlook Anywhere, we have created the needed DNS records at godaddy and our internal server, OWA, ECP it all works if you go to  <a href="https://bird.cars.com/owa">https://bird.cars.com/owa</a>
because we have a DNS record for bird in godaddy and out local server, so all of that is working like a pro ! here comes the tricky part, our website is registered in godaddy but hosted by someone else a company called poetic systems; when we test the connection
with the remote connectivity analyzer website we get a very peculiar error that says SSL certificate not valid, now it provides the name of the certificate it found and is not ours, we found that the hosting company is listening in port 443, therefore, it
is pulling their self signed certificate also, does anyone have a fix for this, I have done this same setup before for other companies and this is the first time a situation like this happens. I REALLY NEED HELP !!!!!

Hi,
According to your description, there is a certificate error when you test Outlook Anywhere connection by ExRCA.
If I misunderstand your meaning, please feel free to let me know.
And to understand more about the issue, I’d like to confirm the following information:
What’s detail error page?
Check the Outlook Anywhere configuration: get-outlookanywhere |fl
Check the certificate : get-exchangecertificate |fl
If you have any question, please feel free to let me know.
Thanks,
Angela Shi
TechNet Community Support

FTPS ovr SSL Certificates setup

Similar Messages

Maybe you are looking for