
#144 Attachment get failure Self signed certificate Zimbra

unconfirmed
closed
None
1
2016-09-20
2016-09-11
sbourdette
No

Hi LiverpoolFC, I need some support for troubleshooting.

I'm unable to download attachments from my mobile.

Z-push 2.3.1
Zimbrabackend 65
Zimbra 8.6

It's an SSL certificate verification failure.
On my Zimbra server I use a self-signed certificate with the external FQDN, zimbra.domain.com.

My Zimbra is always behind an Apache reverse proxy.

Z-Push is configured to access Zimbra directly with an internal FQDN, zimbra.domain.int.

So when Z-Push tries to get an attachment, I get an SSL exception due to the FQDN mismatch.

11/09/2016 22:51:00 [20410] [WARN] [xxx@domain.com] /usr/share/z-push/backend/zimbra/zimbraHttpStreamWrapper.php:68 fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (2)
11/09/2016 22:51:00 [20410] [WARN] [xxx@domain.com] /usr/share/z-push/backend/zimbra/zimbraHttpStreamWrapper.php:67 fopen(): Failed to enable crypto (2)
11/09/2016 22:51:00 [20410] [WARN] [xxx@domain.com] /usr/share/z-push/backend/zimbra/zimbraHttpStreamWrapper.php:68 fopen(https://zimbra.domain.int/service/content/get?id=116943&part=2): failed to open stream: operation failed (2)

How can I force it to ignore the FQDN?

I tried to add 'verify_peer_name' => false in zimbraHttpStreamWrapper.php at line 64, but it doesn't seem to work.
Is there any parameter for this?

$opts = array('http' =>
    array(
        'method'  => 'GET',
        'header'  => 'Content-type: application/x-www-form-urlencoded' . "\r\n" . 'Cookie: ' .  'ZM_AUTH_TOKEN=' . $authToken . "\r\n" ,
      'verify_peer_name' => false,
    )
);
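
Added example, not part of the original ticket and not code from Z-Push or the Zimbra backend: PHP reads TLS settings for https:// streams from an 'ssl' section of the stream context, separate from the 'http' section used in the snippet above. This sketch keeps verification enabled and instead tells PHP which certificate name and CA file to expect when connecting by the internal name. It assumes PHP 5.6 or later; the helper names, token and CA file path are hypothetical.

```php
<?php
// Added example: not code from Z-Push or the Zimbra backend.
// Helper names, token and CA file path are hypothetical. Requires PHP >= 5.6.

function buildAttachmentContext($authToken, $certName, $caFile)
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }
    return stream_context_create(array(
        'http' => array(
            'method' => 'GET',
            'header' => 'Content-type: application/x-www-form-urlencoded' . "\r\n"
                      . 'Cookie: ZM_AUTH_TOKEN=' . $authToken . "\r\n",
        ),
        // TLS options for https:// URLs belong in the 'ssl' section.
        'ssl' => array(
            'verify_peer'      => true,      // validate the chain against cafile
            'verify_peer_name' => true,      // validate the certificate name
            'peer_name'        => $certName, // expect this name, not the URL host
            'cafile'           => $caFile,   // trust only the exported certificate
        ),
    ));
}

function fetchAttachment($url, $ctx)
{
    $fp = @fopen($url, 'rb', false, $ctx);
    if ($fp === false) {
        $err = error_get_last();
        throw new RuntimeException('Attachment fetch failed: ' . ($err ? $err['message'] : 'unknown'));
    }
    $data = stream_get_contents($fp);
    fclose($fp);
    return $data;
}

try {
    // Host names are the ones from the ticket; token and CA path are placeholders.
    $ctx = buildAttachmentContext('PLACEHOLDER_TOKEN', 'zimbra.domain.com',
                                  '/etc/z-push/zimbra-selfsigned.pem');
    // Show what will be enforced before any connection is made.
    print_r(stream_context_get_options($ctx)['ssl']);
    // $body = fetchAttachment('https://zimbra.domain.int/service/content/get?id=116943&part=2', $ctx);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```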

Discussion

  • sbourdette

    sbourdette - 2016-09-11

    When I put the external FQDN as the Zimbra backend, it works.

     
  • LiverpoolFCfan

    LiverpoolFCfan - 2016-09-11

    Why do you want to configure it with an internal domain name?

    Z-push accesses zimbra the same way any external user would do. If you try to short circuit that route there are many issues you can run into with attachments/images/briefcase/etc. as you have already seen.

    With zimbra 8.6 are you not using the zimbra nginx proxy? Why do you have apache in front?

     
  • sbourdette

    sbourdette - 2016-09-12

    You are right. I'm using Zimbra Proxy too.

    But I have several servers behind one public IP, so I need to have a single exposed webserver on ports 80 and 443.

    This is why I need this reverse proxy.

    I have configured Z-Push to use the Zimbra external path and it works. But the network route is not optimized.

    Regards

     
  • LiverpoolFCfan

    LiverpoolFCfan - 2016-09-12

    Is z-push also behind this apache reverse proxy?
    What port does zimbra proxy listen on?

     
  • LiverpoolFCfan

    LiverpoolFCfan - 2016-09-20
    • status: open --> closed
     
  • LiverpoolFCfan

    LiverpoolFCfan - 2016-09-20

    Works as intended. Non-standard setups are beyond the scope of troubleshooting. Closing ticket.

     
