Need help with Apache self signed client certificates.

Similar Messages

• Is there a way to make a self-signed client certificate with keytool...

  Is there a way to make a self-signed client certificate with keytool
  that will install successfully into the personal store in IE?

  hi,
  It is possible to make a self-signed client certificate with keytool and i am successfully using in my dummy application.
  The first thing you need to do is create a keystore and generate the key pair. You could use a command such as the following:
  keytool -genkey -dname "cn=Mark Jones, ou=JavaSoft, o=Sun, c=US"
  -alias business -keypass kpi135 -keystore C:\working\mykeystore
  -storepass ab987c -validity 180
  (Please note: This must be typed as a single line. Multiple lines are used in the examples just for legibility purposes.)
  This command creates the keystore named "mykeystore" in the "working" directory on the C drive (assuming it doesn't already exist), and assigns it the password "ab987c". It generates a public/private key pair for the entity whose "distinguished name" has a common name of "Mark Jones", organizational unit of "JavaSoft", organization of "Sun" and two-letter country code of "US". It uses the default "DSA" key generation algorithm to create the keys, both 1024 bits long.
  It creates a self-signed certificate (using the default "SHA1withDSA" signature algorithm) that includes the public key and the distinguished name information. This certificate will be valid for 180 days, and is associated with the private key in a keystore entry referred to by the alias "business". The private key is assigned the password "kpi135".
  Also please go through the http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html
  This would help u better.
  bye,
  Arun

• Need help with Apache on OS X Server 10.4.8

  I am unable to get mod_rewrite to work... Additionaly, bonjour is not working at all.
  I am wondering if there are any known issues (that I could not find) and/or helpful solutions. I was considering doing a recompile based on the instructions found at http://lists.apple.com/archives/macos-x-server/2005/Apr/msg01171.html
  I am not sure if these instructions are valide for the 10.4.8 environment... os if anyone knows fore-sure please do let me know.

  Sorry, I thought the goal was to get the RewriteRules working - recompiling Apache seemed like the harder approach to me (with no chance of it working if the flaw was in the RewriteRule statement itself )
  That said, the instructions you reference will probably work. As will downloading the source from apache.org and running their standard build. It won't be the same as the build as shipped by Apple, though.
  The issue is that everyone's instructions on how to build apache (including the one you reference) suits a particular individual's needs/expectations of what s/he wants. In this case they wanted SSL, but you might or might not want/need that. You might need other modules they didn't include, though, so there's no guarantee their build will work for you.
  In any case you're not going to get the custom Apple modules including 'apple_auth', 'apple_spotlight', 'hfs_apple' or 'spnego_apple'. These are developed by Apple and included in their build but are not part of the standard Apache distribution. You might find the source for them in the Darwin source but I've never looked.
  So, in summary, there are so many ways to build apache, with so many combinations of features and modules, it's impossible to say whether that'll work for you since everyone's situation is different.

• Need help with Apache-WL 5.1 config

  I have an WL application which is invoked anytime a url that starts
  with /app. This is configured as follows:
  <Location /app>
  SetHandler weblogic-handler
  </Location>
  What my customers now want is to create new urls which will invoke my
  application. For example, one customer wants the following url:
  /airline/atlanta
  Which will need to map to the following url:
  /app/URLServlet/airline/atlanta
  I have tried to create a "RewriteRule", but found that apache looked
  for the result in the docroot instead of transferring it to WL.
  The following shows my "Rewrite config":
  RewriteEngine on
  RewriteLog "/var/apache/logs/rewrites"
  RewriteLogLevel 3
  RewriteRule ^/airline/atlanta /app/URLServlet$1
  WebLogicHost rome
  WebLogicPort 7101
  <Location /app>
  SetHandler weblogic-handler
  </Location>
  The following is from the rewrite log file:
  172.16.1.108 - - [12/Dec/2000:18:11:42 -0500]
  [atlanta.atl.globaleventures.com/sid#757d0][rid#b7938/initial] (2) init
  rewrite engine with requested uri /airline/atlanta
  172.16.1.108 - - [12/Dec/2000:18:11:42 -0500]
  [atlanta.atl.globaleventures.com/sid#757d0][rid#b7938/initial] (3)
  applying pattern '^/airline/atlanta' to uri '/airline/atlanta'
  172.16.1.108 - - [12/Dec/2000:18:11:42 -0500]
  [atlanta.atl.globaleventures.com/sid#757d0][rid#b7938/initial] (2)
  rewrite /airline/atlanta -> /app/URLServlet$1
  172.16.1.108 - - [12/Dec/2000:18:11:42 -0500]
  [atlanta.atl.globaleventures.com/sid#757d0][rid#b7938/initial] (2) local
  path result: /app/URLServlet$1
  172.16.1.108 - - [12/Dec/2000:18:11:42 -0500]
  [atlanta.atl.globaleventures.com/sid#757d0][rid#b7938/initial] (2)
  prefixed with document_root to /var/apache/htdocs/app/URLServlet$1
  172.16.1.108 - - [12/Dec/2000:18:11:42 -0500]
  [atlanta.atl.globaleventures.com/sid#757d0][rid#b7938/initial] (1)
  go-ahead with /var/apache/htdocs/app/URLServlet$1 [OK]
  And of course, there is no such thing in the docroot.
  Any thoughts? Please help.
  [bryon.vcf]

  I have a similar problem. Does anyone out there know how Apache URL
  rewriting interacts with mod_wl?
  My situation is that I want to pass a piece of information (which virtual
  host the request came in on) to weblogic. It appears that RewriteRule with
  the [QSA] option is perfect for this, except that for some reason the
  servlet request reports the original URL, not the rewritten one. I put in a
  rule that says
  RewriteRule ^(.*jsp)$ $1?VHOST=mydomain.com [QSA]
  and the rewrite log shows that the rule is applied, but
  HttpServletRequest.getQueryString() still returns null.
  Has anyone passed any information like this from Apache to Weblogic?
  Thanks,
  Greg Abbas
  "Bryon G. Rigg" wrote:
  I have an WL application which is invoked anytime a url that starts
  with /app. This is configured as follows:
  <Location /app>
  SetHandler weblogic-handler
  </Location>
  What my customers now want is to create new urls which will invoke my
  application. For example, one customer wants the following url:
  /airline/atlanta
  Which will need to map to the following url:
  /app/URLServlet/airline/atlanta
  I have tried to create a "RewriteRule", but found that apache looked
  for the result in the docroot instead of transferring it to WL.
  The following shows my "Rewrite config":
  RewriteEngine on
  RewriteLog "/var/apache/logs/rewrites"
  RewriteLogLevel 3
  RewriteRule ^/airline/atlanta /app/URLServlet$1
  WebLogicHost rome
  WebLogicPort 7101
  <Location /app>
  SetHandler weblogic-handler
  </Location>
  The following is from the rewrite log file:
  172.16.1.108 - - [12/Dec/2000:18:11:42 -0500]
  [atlanta.atl.globaleventures.com/sid#757d0][rid#b7938/initial] (2) init
  rewrite engine with requested uri /airline/atlanta
  172.16.1.108 - - [12/Dec/2000:18:11:42 -0500]
  [atlanta.atl.globaleventures.com/sid#757d0][rid#b7938/initial] (3)
  applying pattern '^/airline/atlanta' to uri '/airline/atlanta'
  172.16.1.108 - - [12/Dec/2000:18:11:42 -0500]
  [atlanta.atl.globaleventures.com/sid#757d0][rid#b7938/initial] (2)
  rewrite /airline/atlanta -> /app/URLServlet$1
  172.16.1.108 - - [12/Dec/2000:18:11:42 -0500]
  [atlanta.atl.globaleventures.com/sid#757d0][rid#b7938/initial] (2) local
  path result: /app/URLServlet$1
  172.16.1.108 - - [12/Dec/2000:18:11:42 -0500]
  [atlanta.atl.globaleventures.com/sid#757d0][rid#b7938/initial] (2)
  prefixed with document_root to /var/apache/htdocs/app/URLServlet$1
  172.16.1.108 - - [12/Dec/2000:18:11:42 -0500]
  [atlanta.atl.globaleventures.com/sid#757d0][rid#b7938/initial] (1)
  go-ahead with /var/apache/htdocs/app/URLServlet$1 [OK]
  And of course, there is no such thing in the docroot.
  Any thoughts? Please help.--
  Greg Abbas
  [email protected]
  http://www.abbas.org

• Some clients migrated from 2007 is presented with the self signed certificate in 2013

  I have migrated from 2007 to 2013. I did a couple of test migrations and on the ones with domain member computers Outlook is giving a certificate warning. The certificate they are presented with is the default self signed certificate on the 2013 server.
  Even though I have added a trusted public certificate to Exchange and checked of to use With IIS.
  I see that the default certificate is also checked of to use With IIS and it cant be removed in ECS. Shouldnt this be removed from IIS all together when adding a New certificate? And why does some Clients gets presented With the self signed and some With
  the Public? For instance owa is presented With the Public cert. Also and Outlook I tested from outside the domain.
  Regards

  Only the UCC certificate should be bound to IIS.
  Are any clients using POP or IMAP, which also use SMTP?  In this case clients can be presented with the "wrong" certificate as well.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• How to access Flash Apps over https with a self signed certificate?

  I have a Flex app that needs to access data from a SOAP web service over https with a self signed certificate. The app needs to ignore the https warnings, just as a browser would warn & allow the user to proceed. Buying a valid signed certificate is not an option for us.
  It works fine over http.
  How can I achieve this?
  I read that URLRequest has a property: authenticate, that I can set to false. However, this property is available only for Adobe AIR applications from what I can see. This doesn't seem available for Flex apps.
  I have tried this in both Flex 3 & the latest Flash Builder 4. Have the same issue in both cases.
  Help appreciated.
  Thanks

  You'd really need to ask in the Flex or Flash Builder forums as this is a front end code modification and Flash Player can't do any of that.

• I need help with the Web Application Certificate

  Greets,
  The title says it all really. I need help with the Web Application Certificate.
  I've followed the instructions from here:
  https://www.novell.com/documentation....html#b13qz9rn
  I can get as far as item 3.c
  3. Getting Your Certificate Officially Signed
  C. Select the self-signed certificate, then click File > Certification Request > Import CA Reply.
  I can get the certificate in to the Filr appliance but from there I'm stuck.
  Any help much appreciated.

  Originally Posted by bentinker
  Greets,
  The title says it all really. I need help with the Web Application Certificate.
  I've followed the instructions from here:
  https://www.novell.com/documentation....html#b13qz9rn
  I can get as far as item 3.c
  ok when you have you self signed certificate and you requested an official certificate with the corresponding CSR then you just need to go back to the digital certificates console. To import the official certificate, select the self signed certificate, then click File > Certification Request > Import CA Reply. Then a new windows pops out to select the certificate from your trusted authority from your local hard disk. Find the file (.cer worked for me) and click ok. As soon as you do this in the digital certificates console the self signed certificate will change the information that now it is officially signed. Look at the second column and you should see the name of your trusted authority under "issue from"
  I personally had a lot of issues across all platforms. Especially Firefox and Chrome for android. Needed to pack all the root cert, intermediate cert and signed cert into one file and import as CA reply. Not even sure if this is correct now. But at least it works.

• Problem with placing self-signed certificate in trust store on WLS 10.3

  I have had some problems setting up two-way SSL on WLS 10.3.2.
  1. I have not been able to use the java properties listed on
  http://weblogic-wonders.com/weblogic/2010/11/09/enforce-weblogic-to-use-sun-ssl-implementation-rather-than-certicom/
  to use the native Java SSL implementation rather than the certicom. Has anyone else had success using these?
  -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
  -Dssl.SocketFactory.provider=com.sun.net.ssl.internal.SSLSocketFactoryImpl
  -DUseSunHttpHandler=true
  -Dweblogic.wsee.client.ssl.usejdk=true (for webservice clients)
  2. When I use the ValidateCertChain to validate my keystore with the self-signed certificate I get the message
  CA cert not marked with critical BasicConstraint indicating it is a CA
  Certificate chain is invalid
  which I read was a problem with certificates generated by keytool, yet I find I was not able to circumvent this
  by setting the property weblogic.security.SSL.enforceConstraints to off in the WLS server environment.
  Has anyone else noticed this?
  3. The error I get is
  ####<Feb 15, 2011 1:12:21 PM EST> <Debug> <SecuritySSL> <hostname> <server
  <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1297793541204> <BEA-000000> <Exception during hands
  hake, stack trace follows
  java.lang.NullPointerException
  at com.certicom.security.cert.internal.x509.X509V3CertImpl.checkValidity(Unknown Source)
  at com.certicom.security.cert.internal.x509.X509V3CertImpl.checkValidity(Unknown Source)
  at com.certicom.tls.interfaceimpl.CertificateSupport.findInTrusted_Validity(Unknown Source)
  ####<Feb 15, 2011 1:12:21 PM EST> <Debug> <SecuritySSL> <hostname> <server> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tunin
  g)'> <<WLS Kernel>> <> <> <1297793541207> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 40
  java.lang.Exception: New alert stack
  at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
  Are there other conditions besides the issue about the missing Basic Constraint field that can raise an
  alert with type 40?
  4. Steps I used to generate jks keystore for inclusion in trust keystore (actual values substituted):
  ** keytool -genkey -alias mykey -keystore mykeystore -validity 35600 \
  -dname "cn=Common Name, ou=Common Name, o=Org, l=location, s=state, c=US" \
  -storepass mypass -keypass mypass
  ** exported a DER format head certificate of mykey into mykey.cer.der
  ** keytool -import -trustcacerts -keystore DemoTrust.jks -alias mykey -file mykey.cer.der
  Any comments appreciated and thanks for this forum.

  Faisal,
  Certicom has an internal restriction that a Date must be notBefore 1970 and notAfter 2105 inclusive.The Java-generated key is valid until Wed Mar 14 11:03:59 EDT 2108. Your knowledge of this area is
  quite impressive, thank you so much for this!

• How to generate self-signed CA certificate, client certifacate in pkcs12

  Based on the requirement, i need to generate self-signed CA certificate, client certificate, keystore type all in PKCS12 format.
  Below is the successful process of generating them in DER format
  1. openssl req -x509 -newkey rsa:1024 -keyout cakey.pem -out cacert.pem -days 2190 -config openssl.cnf
  2. keytool -genkey -alias client -keyalg RSA -keystore client-keystore.jks
  3. keytool -certreq -keystore client-keystore.jks -storepass clientkeystore -alias client -file client.cert.req
  4. openssl ca -config openssl.cnf -out client.pem -days 2190 -infiles client.cert.req
  5. openssl x509 -outform DER -in client.pem -out client.cert
  openssl x509 -outform DER -in cacert.pem -out cacert.cert
  6. keytool -import -file cacert.cert -keystore client-keystore.jks -storepass clientkeystore -alias ca
  keytool -import -file client.cert -keystore client-keystore.jks -storepass clientkeystore -alias client
  So, i try to create them in PKCS12 format
  1. openssl req -x509 -newkey rsa:1024 -keyout cakey.pem -out cacert.pem -days 2190 -config openssl.cnf
  2. keytool -genkey -alias client -keyalg RSA -keystore client-keystore.jks -storetype pkcs12
  3. keytool -certreq -keystore client-keystore.jks -storetype pkcs12 -storepass clientkeystore -alias client -file client.cert.req
  4. openssl ca -config openssl.cnf -out client.pem -days 2190 -infiles client.cert.req
  5. openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem -name "CA Certificate"
  cacert.p12 successfully created. but,
  openssl pkcs12 -export -out client.p12 -in client.pem -inkey cakey.pem -name "Client Certificate"
  error message said "No certificate matches private key"
  I have no idea that which step goes wrong....any advice or suggestion? importantly is to convert into pkcs12 format.
  Thanks

  Your last step should be to import the signed certificate back into your client PKCS#12 keystore, client-keystore.jks.
  This file contains the private key used to create your signing requets originally, and must be matched when importing the signed certificate back in.
  I think you will need to follow steps 5 & 6 in your DER example to complete the client PKCS12 keystore (including -storetype pkcs12 argument on the import statement).
  Another way is to simply convert the keystore created in your DER example into a pkcs#12, by using JRE1.6 command:
  keytool importkeystore -srckeystore [jks keystore] -srckeystoretype jks -destkeystore [pkcs12 keystore] -destkeystorestype pkcs12

• E-Mail Setup fails with self-signed SSL certificat...

  Hi, one of my e-mails is with a small provider who just moved the mail server to Imap and SSL. In Thunderbird, everything works fine, setup on my Nokia C-6-fails with an unspecific error message (and trows away the settings). I asked the provider, and it seems that the problem comes up because the Nokia e-mail application doesn't asked me if I want to accept the certificate but instead rejects it. Is there a workaround to this problem? Is there a way to setup the mail account without using the wizard? Or to take over the settings from Thunderbird? Or a way to put the certificate in the right place manually? In Opera mobile I have no trouble with self-signed SSL certificates. Thanks Cave

  Any one around who can help? Self-Signed certificates are rather common, after all. I would be grateful cave

• FormsCentral retiring in July???!!!  Are you freaking kidding me?  My clients use this feature all the time.  What do you suggest I do now?  What service do I go with that is comparable to it?  I need help with this asap!

  FormsCentral retiring in July???!!!  Are you freaking kidding me?  My clients use this feature all the time.  What do you suggest I do now?  What service do I go with that is comparable to it?  I need help with this asap!

  I would suggest checking out http://www.logiforms.com. They have really good PDF support for both hosted PDF's and generating PDFs. You can:
  populate PDF forms from a web form submission
  Merge multiple PDF's together using conditional logic
  Include uploaded images in the generated PDF
  Get Electronic signatures on PDF's
  Use conditional logic when creating PDF's
  Convert HTML to PDF. You design in HTML and CSS and use form field wildcards and generate the PDF
  More of the PDF features are explained here:
  PDF Form Creator | PDF Form Maker | V3.Logiforms.com
  They are also offering a 25% discount to anyone coming from Forms Central...

• Need help with log4j logging tool (org.apache.log4j.*) to log into database

  Hi,
  I need help with log4j logging tool (org.apache.log4j.*) to log into database using JDBCAppender. Have look at my logger code and corresponding log4j.properties file stated below. I'm running this program using Eclipse IDE and it's giving me the following error (highlighted in red) at the end:
  log4j: Parsing for [root] with value=[debug, stdout, Roll, CRSDBAPPENDER].
  log4j: Level token is [debug].
  log4j: Category root set to DEBUG
  log4j: Parsing appender named "stdout".
  log4j: Parsing layout options for "stdout".
  log4j: Setting property [conversionPattern] to [%x %d{HH:mm:ss,SSS} %5p [%t] (%c:%-4L %M) - %m%n].
  log4j: End of parsing for "stdout".
  log4j: Parsed "stdout" options.
  log4j: Parsing appender named "Roll".
  log4j: Parsing layout options for "Roll".
  log4j: Setting property [conversionPattern] to [%x %d{yyyy.MM.dd HH:mm:ss,SSS} %5p [%t] (%c:%-4L %M) - %m%n].
  log4j: End of parsing for "Roll".
  log4j: Setting property [file] to [HelloWorld.log].
  log4j: Setting property [maxBackupIndex] to [10].
  log4j: Setting property [maxFileSize] to [20KB].
  log4j: setFile called: HelloWorld.log, true
  log4j: setFile ended
  log4j: Parsed "Roll" options.
  log4j: Parsing appender named "CRSDBAPPENDER".
  {color:#ff0000}
  Can't find class HelloWorld{color}
  import org.apache.log4j.*;
  public class HelloWorld {
  static Logger log = Logger.getLogger(HelloWorld.class.getName());
  public static void main(String[] args) {
  try{
  // Now, try a few logging methods
  MDC.put("myComputerName", "Ravinder");
  MDC.put("crsServerName", "ARNDEV01");
  log.debug("Start of main()");
  log.info("Just testing a log message with priority set to INFO");
  log.warn("Just testing a log message with priority set to WARN");
  log.error("Just testing a log message with priority set to ERROR");
  log.fatal("Just testing a log message with priority set to FATAL");
  catch(Exception e){
  e.printStackTrace();
  ------------------------- log4j.properties file ------------------------------
  #### Use three appenders - log to console, file and database
  log4j.rootCategory=debug, stdout, Roll, CRSDBAPPENDER
  log4j.debug=true
  # Print only messages of priority WARN or higher for your category
  # log4j.category.your.category.name=WARN
  # Specifically inherit the priority level
  # log4j.category.your.category.name=INHERITED
  #### stdout - First appender writes to console
  log4j.appender.stdout=org.apache.log4j.ConsoleAppender
  log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
  log4j.appender.stdout.layout.ConversionPattern=%x %d{HH:mm:ss,SSS} %5p [%t] (%c:%-4L %M) - %m%n
  #### Roll - Second appender writes to a file
  log4j.appender.Roll=org.apache.log4j.RollingFileAppender
  ##log4j.appender.Roll.File=${InstanceName}.log
  log4j.appender.Roll.File=HelloWorld.log
  log4j.appender.Roll.MaxFileSize=20KB
  log4j.appender.Roll.MaxBackupIndex=10
  log4j.appender.Roll.layout=org.apache.log4j.PatternLayout
  log4j.appender.Roll.layout.ConversionPattern=%x %d{yyyy.MM.dd HH:mm:ss,SSS} %5p [%t] (%c:%-4L %M) - %m%n
  #### CRSDBAPPENDER - third appender writes to the database
  log4j.appender.CRSDBAPPENDER=org.apache.log4j.jdbc.JDBCAppender
  log4j.appender.CRSDBAPPENDER.Driver=net.sourceforge.jtds.jdbc.Driver
  log4j.appender.CRSDBAPPENDER.URL=jdbc:jtds:sqlserver:/arncorp15:1433;DatabaseName=LOG
  log4j.appender.CRSDBAPPENDER.USER=sa
  log4j.appender.CRSDBAPPENDER.PASSWORD=p8ss3doff
  log4j.appender.CRSDBAPPENDER.layout=org.apache.log4j.PatternLayout
  log4j.appender.CRSDBAPPENDER.sql=INSERT INTO LOG (computername, crsservername, logtime, loglevel, threadname, filename, linenumber, logtext) VALUES ('%X{myComputerName}', '%X{crsServerName}', '%d{dd MMM yyyy HH:mm:ss,SSS}', '%p', '%t', '%F', '%L', '%m')
  #log4j.appender.CRSDBAPPENDER.sql=INSERT INTO LOG(COMPUTERNAME,CRSSERVERNAME,LOGTIME,LOGLEVEL,THREADNAME,FILENAME,LINENUMBER,LOGTEXT) select host_name(),'${CRSServerName}${InstanceName}','%d','%5p','%t','%F','%L','%m%n'
  #log4j.appender.CRSDBAPPENDER.sql=INSERT INTO LOG (computername, crsservername, logtime, loglevel, threadname, filename, linenumber, logtext) VALUES ("%X{myComputerName}", "%X{crsServerName}", "%d{dd MMM yyyy HH:mm:ss,SSS}", "%p", "%t", "%F", "%L", "%m")
  ------------------------------- end of log4j.properties file ------------------------------
  Here is the directory structure of my program. My log4j.properties file and HelloWorld.class file are residing in folder HelloWorld\bin.
  HelloWorld\bin
  HelloWorld\lib
  HelloWorld\src
  Please note - The same program works fine for console and file appender when I comment the database appender part in my properties file.
  Thanks
  Ravinder

  try this :
  log4j.appender.PROJECT.Append=false

• Mail.app with a self-signed certificate in postfix/dovecot

  I thought I'd post this tidbit about getting Mail.app to work correctly with a self-signed certificate in a postfix/dovecot Linux installation; in my case under Debian Lenny. After setting this up, my Mail.app refused to connect to the outgoing server to deliver mail. In the postfix logs, I would see "SSL_accept error from ...: -1". The problem ended up being that postfix uses the default "snakeoil" self-signed certificate, while dovecot creates its own. If the IMAP and SMTP hosts are the same as they were in my case, when you accept the dovecot certificate upon the first IMAP connection, the SMTP connection with a different certificate will fail. This is because after the accept there is now a known certificate for that host, and the new certificate presented by postfix will not match. To fix this, either use different hosts for IMAP and SMTP, or use the same (perhaps the "snakeoil") certificate in both the postfix and dovecot configuration.

  Exactly the same problem, except I'm using FF v6 for Windows, not FF v4 as for the lead post. This is for a self-cert which IS trusted, although the error message says it isn't.

• Does Firefox Home work with custom servers with a self signed certificate?

  I've setup my own custom Firefox Sync server which has a self signed SSL certificate.
  When I try to connect to it using Firefox Home I get the error:
  Cannot Sync - Failed To Communicate With Server (1)
  Firefox on my Mac and Windows laptop Sync fine with my custom firefox sync server providing I create an exception first. But no such luck with my iPhone.

  Access your server with ssl using https://<servername> . Firefox will warn you about untrusted certificate, and suggest you to add an exception. This exception will work for firefox sync too.

• 1941w - Need help with IP address assigning, and relay wireless to a DHCP server.

  Hope someone can point me in the right direction -
  Basically have a Win08 R2 DHCP server, and a 1941w router.
  I've got the internet, got the lan clients getting DHCP ok (with ip helper-address set on the 0/0 internal interface).
  Also have the SSID, and wireless clients can connect - but no IPs are being handed out, also not sure if I understand or did the bridging correctly or assigned IPs to the vlan or bvi1 correctly.
  for ex:
  DHCP server IP:
  10.10.2.4
  Router Ethernet internal interface 0/0 IP:
  10.10.2.1
  with helper-address 10.10.2.4 (lan clients are resolving IPs correctly from the DHCP server)
  Vlan1 IP address:
  10.10.3.1
  Does this interface need the helper-address as well? (10.10.2.4)?
  wlan-ap 0 IP address:
  unnumbered
  interface BVI1 IP address (static):
  10.10.2.2
  am i totally off? not even sure if i have the vlan bridged to the 0/0 adapter or not correctly - but as I said, i can get a wireless client to connect with the SSID.
  would appreciate any advice/pointers, thanks

  of course - here is the router config:
  =======================================================
  Using 5591 out of 262136 bytes
  version 15.1
  no service pad
  service tcp-keepalives-in
  service tcp-keepalives-out
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service sequence-numbers
  hostname router
  boot-start-marker
  boot-end-marker
  security authentication failure rate 3 log
  security passwords min-length 6
  logging buffered 51200
  logging console critical
  enable secret 5 $1$JWwK$.04.NFg7tQ82UTy68/hyv.
  no aaa new-model
  service-module wlan-ap 0 bootimage autonomous
  no ipv6 cef
  no ip source-route
  ip cef
  no ip bootp server
  ip name-server 10.10.2.4
  multilink bundle-name authenticated
  crypto pki token default removal timeout 0
  crypto pki trustpoint TP-self-signed-975501586
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-975501586
  revocation-check none
  rsakeypair TP-self-signed-975501586
  crypto pki certificate chain TP-self-signed-975501586
  certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
  license udi pid CISCO1941W-A/K9 sn FTX155085QG
  hw-module ism 0
  ip tcp synwait-time 10
  ip ssh time-out 60
  ip ssh authentication-retries 2
  interface Embedded-Service-Engine0/0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  shutdown
  interface GigabitEthernet0/0
  description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
  ip address 10.10.2.1 255.255.255.0
  ip helper-address 10.10.2.4
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  no mop enabled
  interface wlan-ap0
  description Service module interface to manage the embedded AP
  ip unnumbered GigabitEthernet0/0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  arp timeout 0
  no mop enabled
  no mop sysid
  interface GigabitEthernet0/1
  description $ES_WAN$$FW_OUTSIDE$
  ip address dhcp client-id GigabitEthernet0/1
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  no mop enabled
  interface Wlan-GigabitEthernet0/0
  description Internal switch interface connecting to the embedded AP
  no ip address
  interface Vlan1
  ip address 10.10.3.1 255.255.255.0
  ip helper-address 10.10.2.4
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip nat inside source list 1 interface GigabitEthernet0/1 overload
  logging trap debugging
  access-list 1 remark INSIDE_IF=GigabitEthernet0/0
  access-list 1 remark CCP_ACL Category=2
  access-list 1 permit 10.10.2.0 0.0.0.255
  no cdp run
  control-plane
  line con 0
  login local
  transport output telnet
  line aux 0
  login local
  transport output telnet
  line 2
  no activation-character
  no exec
  transport preferred none
  transport input all
  transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
  stopbits 1
  line 67
  no activation-character
  no exec
  transport preferred none
  transport input all
  transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
  line vty 0 4
  privilege level 15
  login local
  transport input telnet ssh
  line vty 5 15
  privilege level 15
  login local
  transport input telnet ssh
  scheduler allocate 20000 1000
  end
  =======================================================
  and the ap config:
  =======================================================
  Using 2067 out of 32768 bytes
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname ap
  enable secret 5 $1$xKDT$GdLGeA6h.H9LKL9l3dPmj.
  no aaa new-model
  dot11 syslog
  dot11 ssid WIFI1
     vlan 1
     authentication open
     authentication key-management wpa
     mbssid guest-mode
     wpa-psk ascii 7 044B1E030D2D43632A
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption vlan 1 mode ciphers aes-ccm
  broadcast-key vlan 1 change 30
  ssid WIFI1
  antenna gain 0
  station-role root
  interface Dot11Radio0.1
  encapsulation dot1Q 1 native
  no ip route-cache
  bridge-group 2
  bridge-group 2 subscriber-loop-control
  bridge-group 2 block-unknown-source
  no bridge-group 2 source-learning
  no bridge-group 2 unicast-flooding
  bridge-group 2 spanning-disabled
  interface Dot11Radio1
  no ip address
  no ip route-cache
  encryption vlan 1 mode ciphers aes-ccm
  broadcast-key vlan 1 change 30
  ssid WIFI1
  antenna gain 0
  dfs band 3 block
  channel dfs
  station-role root
  interface Dot11Radio1.1
  encapsulation dot1Q 1 native
  no ip route-cache
  bridge-group 2
  bridge-group 2 subscriber-loop-control
  bridge-group 2 block-unknown-source
  no bridge-group 2 source-learning
  no bridge-group 2 unicast-flooding
  bridge-group 2 spanning-disabled
  interface GigabitEthernet0
  description  the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
  no ip address
  no ip route-cache
  interface GigabitEthernet0.1
  encapsulation dot1Q 1 native
  no ip route-cache
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address 10.10.2.2 255.255.255.0
  no ip route-cache
  ip http server
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  bridge 1 route ip
  line con 0
  no activation-character
  line vty 0 4
  login local
  end
  ============================================