Posts: 48 | Thanked: 191 times | Joined on Jan 2016 @ Münsterland, Germany
#1
Hey Community,

recently I discovered an N950 in my employer's device archive.
Now I'd like to use this awesome device daily to replace my not so good WindowsPhone.

I've already been capable of bringing the N950 into Openmode.

I've got two Questions:

1) How to install custom CAs (cacert.org)
2) How to enable Mail for Exchange (Question might depend on Q1)


Ok, let's talk about more details:

I fail when trying to install new Root-Certificates (those of cacert.org)

When downloading and installing the certificate, I can see the certificate and it is added in the certificatemanager, but the /var/log/syslog says:

Code:
certificate_install: aegis_storage.cpp(1935): ERROR commit: access denied, cannot commit '/var/lib/aegis/ps/Ss/certman.ssl-ca'

I use cacert to secure my Mail, Calendar and Contacts, which are "hosted" with horde and can be accessed with ActiveSync (Exchange).

Unfortunately I'm not able to connect to the "Exchange" Server with Mail-For-Exchange.
We could connect successfully with a N900 (with and without cacert certificates), Windows Phone and Android devices, so the server should not be the Problem.
MFE reports "Invalid host address for Mail for Exchange Server".

Code:
Jan 19 19:37:46 (2016) mfeplugin[2461]: [Debug] Connecting to URL:  "https://xxxxxxxxxxxxx:443/Microsoft-Server-ActiveSync"
Jan 19 19:37:46 (2016) icd2 0.213.4+0m8[1173]: Duplicate filter: Do not add filter for app :1.272
Jan 19 19:37:46 (2016) mfeplugin[2461]: [Debug] QNetworkReplyImpl::_q_startOperation was called more than once
Jan 19 19:37:47 (2016) wlancond[1009]: High signal
Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error] CertManager: ssl error "The issuer certificate of a locally looked up certificate could not be found" : "The issuer certificate of a locally looked up certificate could not be found"
Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error] Certificate info:
Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error] Subject:  O= "CAcert Inc." CN= "CAcert Class 3 Root" L= "" OU= "http://www.CAcert.org" C= "" ST= ""
Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error]  Issuer:  O= "Root CA" CN= "CA Cert Signing Authority" L= "" OU= "http://www.cacert.org" C= "" ST= ""
Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error]   Valid: from "Mon May 23 17:48:02 2011" to "Thu May 20 17:48:02 2021"
Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error]  Serial: 672138
Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error] Version: 3
Jan 19 19:37:50 (2016) mfeplugin[2461]: [Debug] User acceptance result for certificate "CAcert Class 3 Root" = 0
Jan 19 19:37:50 (2016) mfeplugin[2461]: [Error] CertManager: server certificate "CAcert Class 3 Root" has been accepted by user
Jan 19 19:37:50 (2016) mfeplugin[2461]: [Debug] CertManager: ssl error "The root CA certificate is not trusted for this purpose" : "The root CA certificate is not trusted for this purpose"
Jan 19 19:37:50 (2016) mfeplugin[2461]: [Debug] CertManager: server certificate "CAcert Class 3 Root" has been already accepted by user
Jan 19 19:37:50 (2016) mfeplugin[2461]: [Debug] void MfeCheckCredentialsDialog::onSendFinished(QNetworkReply*) replyError= 0 "Unknown error"
Jan 19 19:37:50 (2016) mfeplugin[2461]: [Debug] error( 0 )= 3

What I already tried:
  • Accepting the certificate when MfE asked me if I'd trust the cert
  • Adding root and class3 cert to /var/lib/aegis/certs/common-ca/ and to /var/lib/aegis/certs/user/*-ca
  • rehashing of /var/lib/aegis/certs/common-ca/ with c_rehash as suggested in http://talk.maemo.org/showthread.php?t=94484

But, as of now: no success


Do you have any ideas how to get this working?

Best Regards
xelo

=========
Solution:

Certificates:
1. Additional certificates can be Installed with
Code:
acmcli -c common-ca -a  sha1HashOfPemEncodedCertificate.pem
This installs the certificate to
Code:
/var/lib/aegis/certs/common-ca/
2. In order to use this command, the device either needs to use Inception and start the command above using ariadne, or it needs to be running in OpenMode (see the mentioned Readme) with the developer shell running with elevated rights.
If neither develsh was elevated nor the device uses inception and ariadne, you will receive a
Code:
permission denied
MfE:

Not found yet (2016-01-24)

Last edited by xelo; 2016-01-24 at 16:23. Reason: Added partial solution to first Post
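
The first TLS error in the log above ("The issuer certificate of a locally looked up certificate could not be found", reported for "CAcert Class 3 Root") is what a verifier reports when the server sends its certificate plus an intermediate and the root that signed the intermediate is not in the local trust store. The following is an added example, not part of the original post: it reproduces that state on a desktop machine with the `openssl` CLI, using a throwaway chain whose names (Demo Root, Demo Class 3) are constructed stand-ins.

```shell
#!/bin/sh
# Added example: reproduce "unable to get local issuer certificate" with a
# throwaway three-level chain. All names and certificates are constructed.

make_chain() {  # $1 = empty work directory
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
[ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root (stands in for "CA Cert Signing Authority").
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
        -subj "/CN=Demo Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Intermediate signed by the root (stands in for "CAcert Class 3 Root").
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=Demo Class 3" -keyout "$d/class3.key" -out "$d/class3.csr" 2>/dev/null
    openssl x509 -req -in "$d/class3.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.cnf" -extensions ca -days 2 \
        -out "$d/class3.pem" 2>/dev/null
    # Server certificate signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=horde.domain.tld" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/class3.pem" -CAkey "$d/class3.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# The server sends leaf + intermediate (-untrusted); $2 is the root the
# client trusts, if any. Without $2 only the system default store is used.
verify_chain() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$1/class3.pem" "$1/leaf.pem" 2>&1
    else
        openssl verify -untrusted "$1/class3.pem" "$1/leaf.pem" 2>&1
    fi
}

work=$(mktemp -d)
make_chain "$work"
echo "--- root missing from the trust store:"
verify_chain "$work" || true
echo "--- root installed:"
verify_chain "$work" "$work/root.pem" || true
rm -rf "$work"
```

The failing run reports the error at depth 1, against the intermediate, which matches the certificate details the mfeplugin log prints.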
 

peterleinchen's Avatar
Posts: 4,117 | Thanked: 8,901 times | Joined on Aug 2010 @ Ruhrgebiet, Germany
#2
short answer:

using web "facilities" to insert certs did not work on N900 (nor do I expect on N9/50)
copying certs manually to /var/lib/aegis/certs/common-ca will also not work


I would go like:
download cert in pem or convert into pem
put it wherever you like
and install it with /usr/bin/acmcli to common-ca (will need to dig for exact command...)
possibly c_rehash (as you already found out)
--edit
you might do it as root with devel-su
AND possibly in "develsh" (giving some more rights), as I do not expect you to run that device in OpenMode?


P.S.: what I do not understand on N9/50 is why we have
/var/lib/aegis/certs (/common-ca)
and also
/etc/ssl/certs
Both seem to have the same certs installed (with different hashes/links)? So possibly we need this here, too?
__________________
SIM-Switcher, automated SIM switching with a Double (Dual) SIM adapter
--
Thank you all for voting me into the Community Council 2014-2016!

Please consider your membership / supporting Maemo e.V. and help to spread this by following/copying this link to your TMO signature:
[MC eV] Maemo Community eV membership application, http://talk.maemo.org/showthread.php?t=94257

editsignature, http://talk.maemo.org/profile.php?do=editsignature
 

Posts: 48 | Thanked: 191 times | Joined on Jan 2016 @ Münsterland, Germany
#3
Thanks for your answer. I'll give it a shot later.

Originally Posted by peterleinchen View Post
short answer:
--edit
you might do it as root with devel-su
AND possibly in "develsh" (giving some more rights), as I do not expect you to run that device in OpenMode?
I'm running the device in OpenMode


Edit 1:
I tried without success
Code:
# acmcli -C aegis-certman-common-ca::CertCACommonAdd -lc common-ca -a 16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem

ERROR: cannot add certificates (Permission denied)

# acmcli -c common-ca -a 16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem

ERROR: cannot add certificates (Permission denied)




Edit 2: So this happens in the log:

Code:
Jan 20 21:02:57 (2016) acmcli: aegis_storage.cpp(1436): ERROR add_file: access denied
Jan 20 21:02:57 (2016) acmcli: aegis_storage.cpp(1641): ERROR add_link: access denied
Jan 20 21:02:57 (2016) acmcli: aegis_storage.cpp(1935): ERROR commit: access denied, cannot commit '/var/lib/aegis/ps/Gs/certman.common-ca'
Jan 20 21:02:57 (2016) acmcli: certman_main.cpp(1051): ERROR aegis_certman_add_certs: add certs failed (Permission denied)


Now created a "private" common-ca and removed it again, which worked...
Code:
# /usr/bin/acmcli -p common-ca -a 16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem
Added 1 certificates

# /usr/bin/acmcli -p common-ca -r 16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1
Removed certificate '16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1'
Now I'm out of Ideas...

Edit 3:
Installed Inception from openrepos.
Code:
/usr/sbin/pasiv
ariadne /usr/bin/acmcli -c common-ca -a 16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem
Password for 'root': 
Added 1 certificates
Well that's a start.

The log complained about a bunch of broken Certs
Code:
Jan 20 21:46:26 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/C=ES/L=C/ Muntaner 244 Barcelona/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068/emailAddress=ca@firmaprofesional.com'
Jan 20 21:46:26 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/C=NO/O=Buypass AS-983163327/CN=Buypass Class 3 CA 1'
Jan 20 21:46:26 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA'
Jan 20 21:46:26 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/C=TR/L=ANKARA/O=(c) 2005 T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E.'
Jan 20 21:46:26 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/C=TR/L=Ankara/O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E. (c) Kas\xC4\xB1m 2005'
Jan 20 21:46:30 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/C=ES/L=C/ Muntaner 244 Barcelona/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068/emailAddress=ca@firmaprofesional.com'
Jan 20 21:46:30 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/C=NO/O=Buypass AS-983163327/CN=Buypass Class 3 CA 1'
Jan 20 21:46:30 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA'
Jan 20 21:46:30 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/C=TR/L=ANKARA/O=(c) 2005 T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E.'
Jan 20 21:46:30 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/C=TR/L=Ankara/O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E. (c) Kas\xC4\xB1m 2005'
Now I can open websites which are signed by the cacert root, without a complaining web browser...

Achieved Today: Added cacert Root

Last edited by xelo; 2016-01-20 at 20:51.
 
Community Council | Posts: 677 | Thanked: 1,227 times | Joined on Sep 2010 @ Mbabane
#4
Originally Posted by xelo View Post
Hey Community,

recently I discovered an N950 in my employer's device archive.
Now I'd like to use this awesome device daily to replace my not so good WindowsPhone.
Thief!!!
 
Posts: 48 | Thanked: 191 times | Joined on Jan 2016 @ Münsterland, Germany
#5
Originally Posted by sicelo View Post
Thief!!!
collaborator... =)
 

Posts: 48 | Thanked: 191 times | Joined on Jan 2016 @ Münsterland, Germany
#6
Okay, back to topic: Mail For Exchange.

I tried to add the account again.
No success: MfE fails again with an "Invalid Host Address for Mail for Exchange Server". But it stopped complaining about the missing/invalid certificates.

Code:
Jan 20 21:54:33 (2016) mfeplugin[5404]: [Debug] virtual void MfeCheckCredentialsDialog::createContent()
Jan 20 21:54:34 (2016) mfeplugin[5404]: [Debug] void MfeCheckCredentialsDialog::onAppeared() already online
Jan 20 21:54:34 (2016) mfeplugin[5404]: [Debug] void MfeCheckCredentialsDialog::sendRequest()
Jan 20 21:54:34 (2016) mfeplugin[5404]: [Debug] Connecting to URL:  "https://xxxxxx:443/Microsoft-Server-ActiveSync"
Jan 20 21:54:34 (2016) icd2 0.213.4+0m8[1189]: Duplicate filter: Do not add filter for app :1.757
Jan 20 21:54:34 (2016) mfeplugin[5404]: [Debug] QNetworkReplyImpl::_q_startOperation was called more than once
Jan 20 21:54:37 (2016) mfeplugin[5404]: [Debug] void MfeCheckCredentialsDialog::onSendFinished(QNetworkReply*) replyError= 0 "Unknown error"
Jan 20 21:54:37 (2016) mfeplugin[5404]: [Debug] error( 0 )= 3

Last edited by xelo; 2016-01-20 at 21:06.
 
peterleinchen's Avatar
Posts: 4,117 | Thanked: 8,901 times | Joined on Aug 2010 @ Ruhrgebiet, Germany
#7
Let MfE step back (need to power up my N950-in-use and have a look) and first get your certs done!

I gave you the hint already:
devel-su
develsh

acmcli -c common-ca -e -a myCert.pem

and Boom!

After that check again.
Please make a copy of
/var/lib/aegis/certs/common-ca
and
/etc/ssl/certs
so you can diff them later.
I have no idea if cert will be added to /etc/ssl/certs, too.

Last edited by peterleinchen; 2016-01-20 at 21:32. Reason: added option -e
 

peterleinchen's Avatar
Posts: 4,117 | Thanked: 8,901 times | Joined on Aug 2010 @ Ruhrgebiet, Germany
#8
Powered on and ...

what are your settings in MfE account (obfuscate)?
 
Posts: 48 | Thanked: 191 times | Joined on Jan 2016 @ Münsterland, Germany
#9
Originally Posted by peterleinchen View Post
Let MfE step back (need to power up my N950-in-use and have a look) and first get your certs done!

I gave you the hint already:
devel-su
develsh

acmcli -c common-ca -e -a myCert.pem
Thanks for the clarification.
I gave this approach a shot.

Code:
~ $ devel-su
Password: 
BusyBox v1.20.0.git (MeeGo 3:1.20-0.2+0m8) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # develsh
BusyBox v1.20.0.git (MeeGo 3:1.20-0.2+0m8) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # acmcli -c common-ca -e -a /home/user/MyDocs/Downloads/16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem
ERROR: cannot add certificates (Permission denied)
Maybe my OpenMode is not working as expected?

Code:
~ # accli -I

Current mode: open
IMEI: 
Credentials:
        UID::root
        GID::root
        CAP::chown
        CAP::dac_read_search
        CAP::fowner
        CAP::fsetid
        CAP::kill
        CAP::linux_immutable
        CAP::net_bind_service
        CAP::net_broadcast
        CAP::net_admin
        CAP::net_raw
        CAP::ipc_lock
        CAP::ipc_owner
        CAP::sys_ptrace
        CAP::sys_pacct
        CAP::sys_boot
        CAP::sys_nice
        CAP::sys_resource
        CAP::sys_time
        CAP::sys_tty_config
        CAP::lease
        CAP::audit_write
        CAP::audit_control
        CAP::setfcap
        GRP::root
        GRP::dialout
        GRP::video
        GRP::pulse-access
        GRP::users
        GRP::metadata-users
        GRP::gallerycoredata-users
        GRP::calendar
        AID::.develsh.
        tracker::tracker-extract-access
        tracker::tracker-miner-fs-access
        libaccounts-noa::accesssvt
        package-manager::packagemanager_limited
        package-manager::packagemanager_private
        icd2::icd2-plugin
        Cellular
        TrackerReadAccess
        TrackerWriteAccess
        Location
        FacebookSocial
        develsh::develsh

Installing the Certificate with inception / ariadne works, as stated in Message #3 above.

Code:
~ # ariadne acmcli -c common-ca -e -a /home/user/MyDocs/Downloads/16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem
Password for 'root': 
16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1

Originally Posted by peterleinchen View Post
Powered on and ...

what are your settings in MfE account (obfuscate)?
I'm setting Mail, Username and Password.
Then I go to Manual Setup (Server does not support autodiscover) and add the HostName, Port 443

Code:
E-Mail: mail@domain.tld
User: mail@domain.tld
Pass: PASSWORD
Domain: Nothing
Server Address: horde.domain.tld
Secure: YES
Port:443
I also tried:
Code:
E-Mail: mail@domain.tld
User: mail
Pass: PASSWORD
Domain: domain.tld
Server Address: horde.domain.tld
Secure: YES
Port:443
If you like I can provide you an account for testing purposes on Saturday.

Last edited by xelo; 2016-01-21 at 08:34. Reason: Added Config.
 
Community Council | Posts: 677 | Thanked: 1,227 times | Joined on Sep 2010 @ Mbabane
#10
Originally Posted by xelo View Post
We already tested that with a testaccount on sicelo's N900. Which seems to work.
"Which works" is more correct. It did work. MfE on N900 successfully added the account and synced. The device that already had the cacert CA worked right away, while the device without the cert first gave a warning which you are able to ignore.
[Attached screenshot: Screenshot-20160116-182451.jpg]
So, it synced without the root cert being on N900 at all.
 

Tags
activesync, harmattan
