Zammad: Exchange Integration SSL Error with self-signed root certificate authority

Created on 18 Sep 2017  ·  12Comments  ·  Source: zammad/zammad
  • Used Zammad version: 2.0.x
  • Used Zammad installation source: /stable/installer/ubuntu/16.04.repo
  • Operating system: Ubuntu 16.04 LTS
  • Browser + version: Firefox 55.0.3

Expected behavior:

Setup Exchange Configuration not sucessfull

Actual behavior:

Setup Exchange Configuration Connection SSL Connect Error
Error Message: SSL_connect returned=1 errno=0 state=error: certificate verify failed

Steps to reproduce the behavior:

My company uses a AD certificate authority.
The Exchange 2013 Servers are using a self-signed certificate from this root ca.
I put my root ca as a crt file to the /usr/local/share/ca-certificates folder
update-ca-certificates --fresh
I can see Replacing debian:MyRootCa.pem
Done.

Why rails isn't using the local openssl root ca files?

Thanks
Felix

bug integration verified
Source
picture Felix1356

Most helpful comment

Imho disabling SSL checks should be optional and not be enabled by default.

picture monotek on 25 Sep 2017
👍32

All 12 comments

@Felix1356 have you verified the certificate chain (Exchange -> maybe some intermediate -> Root CA) is complete and verifies ok on your zammad machine?

babakkazemi picture babakkazemi on 21 Sep 2017

Hi @Felix1356 - can you provide a screenshot in which step of the configuration wizard this is displayed?

thorsteneckel picture thorsteneckel on 21 Sep 2017

As I've got the same Problem here's the Screenshot

zammad-exchange

MenneBakker picture MenneBakker on 21 Sep 2017

Thanks @EDVLeer !

Just for my record:

Autodiscover:

client = Autodiscover::Client.new(...)

# Ignore SSL Errors
client.autodiscover(ignore_ssl_errors: true)

Viewpoint:

cli = Viewpoint::EWSClient.new endpoint, user, pass

# There are also various options you can pass to EWSClient.

# If you are testing in an environment using a self-signed certificate you can pass a connection parameter to ignore SSL verification by passing http_opts: {ssl_verify_mode: 0}.
thorsteneckel picture thorsteneckel on 21 Sep 2017

@thorsteneckel JFI https://github.com/zammad/zammad/commit/51766d51a9d43f11c71f738f7c64fc0eade9c5ff is only for autodiscover (initiated by T#109098).

martini picture martini on 25 Sep 2017

Autodiscover works fine with these modifications

MenneBakker picture MenneBakker on 25 Sep 2017
1 👍1

Imho disabling SSL checks should be optional and not be enabled by default.

monotek picture monotek on 25 Sep 2017
👍32

disabling SSL checks it's a no go.

sidescraper picture sidescraper on 25 Sep 2017

Imho disabling SSL checks should be optional and not be enabled by default.

disabling SSL checks it's a no go.

JFI: We will change it. Just working on it....

martini picture martini on 25 Sep 2017

If Zammad would make use of the systems trusted CAs we should be fine.

MenneBakker picture MenneBakker on 25 Sep 2017

Thanks for your working solution @martini ! I'll will handle the optional functionality as stated by @monotek after my vacation.

thorsteneckel picture thorsteneckel on 28 Sep 2017

Vacation? Again?! 😂

But seriously... Should be done before next stable release.

monotek picture monotek on 28 Sep 2017
😄1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

MrGeneration picture MrGeneration  ·  3Comments
sthag picture sthag  ·  3Comments
BigAndini picture BigAndini  ·  3Comments
martini picture martini  ·  3Comments
em-ex picture em-ex  ·  3Comments