Attachment get failure Self signed certificate Zimbra
Hi LiverpoolFC, I need some support for troubleshooting.
I'm unable to download attachments from my mobile.
Z-push 2.3.1
Zimbrabackend 65
Zimbra 8.6
It's an SSL certificate verification failure.
On my Zimbra server I use a self-signed certificate with the external FQDN, zimbra.domain.com.
My Zimbra is always behind an Apache reverse proxy.
Z-Push is configured to access Zimbra directly with an internal FQDN, zimbra.domain.int,
so when Z-Push tries to get an attachment I have an SSL exception due to the FQDN mismatch.
11/09/2016 22:51:00 [20410] [WARN] [xxx@domain.com] /usr/share/z-push/backend/zimbra/zimbraHttpStreamWrapper.php:68 fopen(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (2)
11/09/2016 22:51:00 [20410] [WARN] [xxx@domain.com] /usr/share/z-push/backend/zimbra/zimbraHttpStreamWrapper.php:67 fopen(): Failed to enable crypto (2)
11/09/2016 22:51:00 [20410] [WARN] [xxx@domain.com] /usr/share/z-push/backend/zimbra/zimbraHttpStreamWrapper.php:68 fopen(https://zimbra.domain.int/service/content/get?id=116943&part=2): failed to open stream: operation failed (2)
How can I force it to ignore the FQDN?
I tried to add 'verify_peer_name' => false in zimbraHttpStreamWrapper.php at line 64 but it doesn't seem to work.
Is there any parameter for this?
$opts = array('http' => array(
    'method' => 'GET',
    'header' => 'Content-type: application/x-www-form-urlencoded' . "\r\n" .
                'Cookie: ' . 'ZM_AUTH_TOKEN=' . $authToken . "\r\n",
    'verify_peer_name' => false,
));
When I put the external FQDN as the Zimbra backend it works.
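Added example, not part of the original thread and not Z-Push's own code: PHP reads TLS settings for https:// URLs from the 'ssl' section of a stream context, so an option placed under 'http' has no effect on verification. The sketch below keeps verification on and uses 'peer_name' (PHP 5.6+) to check the certificate against the name it was issued for while connecting to the internal host. The function names, the token and the CA file path are hypothetical placeholders.

```php
<?php
// Added example: helper names are hypothetical; host names follow the thread.

/**
 * Build a stream context that connects to an internal host name but
 * validates the server certificate against the name it was issued for.
 */
function buildZimbraContext($authToken, $certName, $caFile)
{
    return stream_context_create(array(
        'http' => array(
            'method' => 'GET',
            'header' => "Content-type: application/x-www-form-urlencoded\r\n"
                      . 'Cookie: ZM_AUTH_TOKEN=' . $authToken . "\r\n",
        ),
        // TLS options belong under 'ssl', not 'http'.
        'ssl' => array(
            'verify_peer'      => true,      // still validate the chain
            'verify_peer_name' => true,      // still validate the name
            'peer_name'        => $certName, // name expected in the certificate
            'cafile'           => $caFile,   // trust only this certificate/CA
        ),
    ));
}

/** Fetch a URL with the given context and surface the TLS error on failure. */
function fetchAttachment($url, $context)
{
    $stream = @fopen($url, 'rb', false, $context);
    if ($stream === false) {
        $err = error_get_last();
        throw new RuntimeException('Fetch failed: ' . ($err ? $err['message'] : 'unknown error'));
    }
    try {
        return stream_get_contents($stream);
    } finally {
        fclose($stream);
    }
}

// Constructed values: placeholder token and CA path.
$ctx = buildZimbraContext('PLACEHOLDER_TOKEN', 'zimbra.domain.com', '/path/to/zimbra-cert.pem');
$opts = stream_context_get_options($ctx);
print_r($opts['ssl']); // shows the TLS options actually attached to the context

// Live use against the URL from the log above:
// fetchAttachment('https://zimbra.domain.int/service/content/get?id=116943&part=2', $ctx);
```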
Why do you want to configure it with an internal domain name?
Z-push accesses zimbra the same way any external user would do. If you try to short circuit that route there are many issues you can run into with attachments/images/briefcase/etc. as you have already seen.
With zimbra 8.6 are you not using the zimbra nginx proxy? Why do you have apache in front?
You are right. I'm using Zimbra Proxy too.
But I have several servers behind one public IP so I need to have a single exposed webserver on port 80 and 443.
This is why I need this reverse proxy.
I have configured Z-Push to use the Zimbra external path and it works. But the network route is not optimized.
Regards
Is z-push also behind this apache reverse proxy?
What port does zimbra proxy listen on?
Works as intended. Non-standard setups are beyond the scope of troubleshooting. Closing ticket.