    cacert on N950 in OpenMode and MfE

    xelo | # 1 | 2016-01-19, 18:49 | Report

    Hey Community,

    recently I discovered a N950 in my employers device archive.
    Now I'd like to use this awesome device daily to replace my not so good WindowsPhone.

    I've already been capable of bringing the N950 into Openmode.

    I've got two Questions:

    1) How to install custom CA's (cacert.org)
    2) How to enable Mail for Exchange (Question might depend on Q1)


    Ok, let's talk about more details:

    I fail when trying to install new Root-Certificates (those of cacert.org)

    When downloading and installing the certificate, I can see the certificate and it is added in the certificatemanager, but the /var/log/syslog says:

    Code:
    certificate_install: aegis_storage.cpp(1935): ERROR commit: access denied, cannot commit '/var/lib/aegis/ps/Ss/certman.ssl-ca'

    I use cacert to secure my Mail, Calendar and Contacts which are "hosted" with horde and can be accessed with ActiveSync (Exchange).

    Unfortunately I'm not able to connect to the "Exchange" Server with Mail-For-Exchange.
    We could connect successfully with a N900 (with and without cacert certificates), Windows Phone and Android devices, so the server should not be the Problem.
    MFE reports "Invalid host address for Mail for Exchange Server".

    Code:
    Jan 19 19:37:46 (2016) mfeplugin[2461]: [Debug] Connecting to URL:  "https://xxxxxxxxxxxxx:443/Microsoft-Server-ActiveSync"
    Jan 19 19:37:46 (2016) icd2 0.213.4+0m8[1173]: Duplicate filter: Do not add filter for app :1.272
    Jan 19 19:37:46 (2016) mfeplugin[2461]: [Debug] QNetworkReplyImpl::_q_startOperation was called more than once
    Jan 19 19:37:47 (2016) wlancond[1009]: High signal
    Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error] CertManager: ssl error "The issuer certificate of a locally looked up certificate could not be found" : "The issuer certificate of a locally looked up certificate could not be found"
    Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error] Certificate info:
    Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error] Subject:  O= "CAcert Inc." CN= "CAcert Class 3 Root" L= "" OU= "http://www.CAcert.org" C= "" ST= ""
    Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error]  Issuer:  O= "Root CA" CN= "CA Cert Signing Authority" L= "" OU= "http://www.cacert.org" C= "" ST= ""
    Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error]   Valid: from "Mon May 23 17:48:02 2011" to "Thu May 20 17:48:02 2021"
    Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error]  Serial: 672138
    Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error] Version: 3
    Jan 19 19:37:50 (2016) mfeplugin[2461]: [Debug] User acceptance result for certificate "CAcert Class 3 Root" = 0
    Jan 19 19:37:50 (2016) mfeplugin[2461]: [Error] CertManager: server certificate "CAcert Class 3 Root" has been accepted by user
    Jan 19 19:37:50 (2016) mfeplugin[2461]: [Debug] CertManager: ssl error "The root CA certificate is not trusted for this purpose" : "The root CA certificate is not trusted for this purpose"
    Jan 19 19:37:50 (2016) mfeplugin[2461]: [Debug] CertManager: server certificate "CAcert Class 3 Root" has been already accepted by user
    Jan 19 19:37:50 (2016) mfeplugin[2461]: [Debug] void MfeCheckCredentialsDialog::onSendFinished(QNetworkReply*) replyError= 0 "Unknown error"
    Jan 19 19:37:50 (2016) mfeplugin[2461]: [Debug] error( 0 )= 3

    What I already tried:
    • Accepting the certificate when MfE asked me if I'd trust the cert
    • Adding root and class3 cert to /var/lib/aegis/certs/common-ca/ and to /var/lib/aegis/certs/user/*-ca
    • rehashing of /var/lib/aegis/certs/common-ca/ with c_rehash as suggested in http://talk.maemo.org/showthread.php?t=94484

    But, as of now: no success


    Do you have any ideas how to get this working?

    Best Regards
    xelo

    =========
    Solution:

    Certificates:
    1. Additional certificates can be Installed with
    Code:
    acmcli -c common-ca -a  sha1HashOfPemEncodedCertificate.pem
    This installs the certificate to
    Code:
    /var/lib/aegis/certs/common-ca/
    2. In order to use this command, the device needs to use Inception and start the command above using ariadne, or it is running in OpenMode (see the mentioned Readme) and the developer shell is running with elevated rights.
    If neither develsh was elevated nor the device uses inception and ariadne, you will receive a
    Code:
    permission denied
    MfE:

    Not found yet (2016-01-24)


    Last edited by xelo; 2016-01-24 at 16:23. Reason: Added partial solution to first Post
    The Following User Says Thank You to xelo For This Useful Post:
    HtheB
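The syslog excerpts in the first post mix two separate failures: aegis refusing to commit a certificate store, and the TLS validation in mfeplugin rejecting the CAcert chain. The Python sketch below is an added example, not code from anyone in the thread, that separates the two; its log lines are copied from the post, and the QSslError enum names it maps the messages to are Qt's, not taken from the page.

```python
import re

# Syslog lines copied from the excerpts quoted in this thread.
SAMPLE_LOG = '''\
certificate_install: aegis_storage.cpp(1935): ERROR commit: access denied, cannot commit '/var/lib/aegis/ps/Ss/certman.ssl-ca'
Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error] CertManager: ssl error "The issuer certificate of a locally looked up certificate could not be found" : "The issuer certificate of a locally looked up certificate could not be found"
Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error] Subject:  O= "CAcert Inc." CN= "CAcert Class 3 Root" L= "" OU= "http://www.CAcert.org" C= "" ST= ""
Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error]  Issuer:  O= "Root CA" CN= "CA Cert Signing Authority" L= "" OU= "http://www.cacert.org" C= "" ST= ""
Jan 19 19:37:50 (2016) mfeplugin[2461]: [Debug] CertManager: ssl error "The root CA certificate is not trusted for this purpose" : "The root CA certificate is not trusted for this purpose"
Jan 20 21:02:57 (2016) acmcli: aegis_storage.cpp(1935): ERROR commit: access denied, cannot commit '/var/lib/aegis/ps/Gs/certman.common-ca'
'''

# Qt's QSslError enum names for the two messages seen in the mfeplugin log.
QSSL_NAMES = {
    "The issuer certificate of a locally looked up certificate could not be found":
        "UnableToGetLocalIssuerCertificate",
    "The root CA certificate is not trusted for this purpose":
        "CertificateUntrusted",
}

DENIED = re.compile(r"(?P<proc>[\w.-]+)(?:\[\d+\])?: aegis_storage\.cpp\(\d+\): "
                    r"ERROR commit: access denied, cannot commit '(?P<store>[^']+)'")
SSL_ERR = re.compile(r'CertManager: ssl error "(?P<msg>[^"]+)"')
DN_LINE = re.compile(r'\]\s+(?P<kind>Subject|Issuer):.*?CN= "(?P<cn>[^"]*)"')


def triage(log_text):
    """Split a syslog excerpt into trust-store write failures and TLS chain errors."""
    report = {"denied_stores": [], "tls_errors": [], "chain": []}
    subject = None
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            report["denied_stores"].append((m["proc"], m["store"]))
            continue
        m = SSL_ERR.search(line)
        if m:
            name = QSSL_NAMES.get(m["msg"], "unmapped")
            if name not in report["tls_errors"]:
                report["tls_errors"].append(name)
            continue
        m = DN_LINE.search(line)
        if m and m["kind"] == "Subject":
            subject = m["cn"]
        elif m and subject is not None:
            report["chain"].append((subject, m["cn"]))  # (certificate, its issuer)
            subject = None
    return report


if __name__ == "__main__":
    for key, values in triage(SAMPLE_LOG).items():
        print(key, values)
```

On these lines it reports two denied store commits (one by certificate_install, one by acmcli) and one chain entry in which the issuer of "CAcert Class 3 Root" could not be found locally.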

     
    peterleinchen | # 2 | 2016-01-20, 15:05 | Report

    short answer:

    using web "facilities" to insert certs did not work on N900 (nor do I expect on N9/50)
    copying certs manually to /var/lib/aegis/certs/common-ca will also not work


    I would go like:
    download cert in pem or convert into pem
    put it wherever you like
    and install it with /usr/bin/acmcli to common-ca (will need to dig for exact command...)
    possibly c_rehash (as you already found out)
    --edit
    you might do it as root with devel-su
    AND possibly in "develsh" (giving some more rights), as I do not expect you to run that device in OpenMode?


    P.S.: what I do not understand on N9/50 is why we have
    /var/lib/aegis/certs (/common-ca)
    and also
    /etc/ssl/certs
    Both seem to have the same certs installed (with different hashes/links)? So possibly we need this here, too?

    The Following 2 Users Say Thank You to peterleinchen For This Useful Post:
    chenliangchen, xelo

     
    xelo | # 3 | 2016-01-20, 18:56 | Report

    Thanks for your answer. I'll give it a shot later.

    Originally Posted by peterleinchen View Post
    short answer:
    --edit
    you might do it as root with devel-su
    AND possibly in "develsh" (giving some more rights), as I do not expect you to run that device in OpenMode?
    I'm running the device in OpenMode


    Edit 1:
    I tried without success
    Code:
    # acmcli -C aegis-certman-common-ca::CertCACommonAdd -lc common-ca -a 16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem
    
    ERROR: cannot add certificates (Permission denied)
    
    # acmcli -c common-ca -a 16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem
    
    ERROR: cannot add certificates (Permission denied)




    Edit 2: So this happens in the log:

    Code:
    Jan 20 21:02:57 (2016) acmcli: aegis_storage.cpp(1436): ERROR add_file: access denied
    Jan 20 21:02:57 (2016) acmcli: aegis_storage.cpp(1641): ERROR add_link: access denied
    Jan 20 21:02:57 (2016) acmcli: aegis_storage.cpp(1935): ERROR commit: access denied, cannot commit '/var/lib/aegis/ps/Gs/certman.common-ca'
    Jan 20 21:02:57 (2016) acmcli: certman_main.cpp(1051): ERROR aegis_certman_add_certs: add certs failed (Permission denied)


    Now created a "private" common-ca and removed it again, which worked...
    Code:
    # /usr/bin/acmcli -p common-ca -a 16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem
    Added 1 certificates
    
    # /usr/bin/acmcli -p common-ca -r 16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1
    Removed certificate '16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1'
    Now I'm out of Ideas...

    Edit 3:
    Installed Inception from openrepos.
    Code:
    /usr/sbin/pasiv
    ariadne /usr/bin/acmcli -c common-ca -a 16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem
    Password for 'root': 
    Added 1 certificates
    Well that's a start.

    The log complained about a bunch of broken Certs
    Code:
    Jan 20 21:46:26 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/C=ES/L=C/ Muntaner 244 Barcelona/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068/emailAddress=ca@firmaprofesional.com'
    Jan 20 21:46:26 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/C=NO/O=Buypass AS-983163327/CN=Buypass Class 3 CA 1'
    Jan 20 21:46:26 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA'
    Jan 20 21:46:26 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/C=TR/L=ANKARA/O=(c) 2005 T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E.'
    Jan 20 21:46:26 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/C=TR/L=Ankara/O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E. (c) Kas\xC4\xB1m 2005'
    Jan 20 21:46:30 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/C=ES/L=C/ Muntaner 244 Barcelona/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068/emailAddress=ca@firmaprofesional.com'
    Jan 20 21:46:30 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/C=NO/O=Buypass AS-983163327/CN=Buypass Class 3 CA 1'
    Jan 20 21:46:30 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA'
    Jan 20 21:46:30 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/C=TR/L=ANKARA/O=(c) 2005 T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E.'
    Jan 20 21:46:30 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/C=TR/L=Ankara/O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E. (c) Kas\xC4\xB1m 2005'
    Now I can open Websites which are signed by the cacert root. Without a Complaining webbrowser...

    Achieved Today: Added cacert Root


    Last edited by xelo; 2016-01-20 at 20:51.

     
    sicelo | # 4 | 2016-01-20, 20:43 | Report

    Originally Posted by xelo View Post
    Hey Community,

    recently I discovered a N950 in my employers device archive.
    Now I'd like to use this awesome device daily to replace my not so good WindowsPhone.
    Thief!!!


     
    xelo | # 5 | 2016-01-20, 20:52 | Report

    Originally Posted by sicelo View Post
    Thief!!!
    collaborator... =)

    The Following 2 Users Say Thank You to xelo For This Useful Post:
    eekkelund, sicelo

     
    xelo | # 6 | 2016-01-20, 20:58 | Report

    Okay, back to topic: Mail For Exchange.

    I tried to add the account again.
    No success: MfE fails again with an "Invalid Host Address for Mail for Exchange Server". But it stopped complaining about the Missing/Invalid Certificates.

    Code:
    Jan 20 21:54:33 (2016) mfeplugin[5404]: [Debug] virtual void MfeCheckCredentialsDialog::createContent()
    Jan 20 21:54:34 (2016) mfeplugin[5404]: [Debug] void MfeCheckCredentialsDialog::onAppeared() already online
    Jan 20 21:54:34 (2016) mfeplugin[5404]: [Debug] void MfeCheckCredentialsDialog::sendRequest()
    Jan 20 21:54:34 (2016) mfeplugin[5404]: [Debug] Connecting to URL:  "https://xxxxxx:443/Microsoft-Server-ActiveSync"
    Jan 20 21:54:34 (2016) icd2 0.213.4+0m8[1189]: Duplicate filter: Do not add filter for app :1.757
    Jan 20 21:54:34 (2016) mfeplugin[5404]: [Debug] QNetworkReplyImpl::_q_startOperation was called more than once
    Jan 20 21:54:37 (2016) mfeplugin[5404]: [Debug] void MfeCheckCredentialsDialog::onSendFinished(QNetworkReply*) replyError= 0 "Unknown error"
    Jan 20 21:54:37 (2016) mfeplugin[5404]: [Debug] error( 0 )= 3


    Last edited by xelo; 2016-01-20 at 21:06.

     
    peterleinchen | # 7 | 2016-01-20, 21:23 | Report

    Let MfE step back (need to power up my N950-in-use and have a look) and first get your certs done!

    I gave you the hint already:
    devel-su
    develsh

    acmcli -c common-ca -e -a myCert.pem

    and Boom!

    After that check again.
    Please make a copy of
    /var/lib/aegis/certs/common-ca
    and
    /etc/ssl/certs
    so you can diff them later.
    I have no idea if cert will be added to /etc/ssl/certs, too.


    Last edited by peterleinchen; 2016-01-20 at 21:32. Reason: added option -e
    The Following User Says Thank You to peterleinchen For This Useful Post:
    xelo
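For the suggested diff of the two copied directories: the thread notes that both stores seem to hold the same certificates under different hashes and links, so a comparison by file name says little. This added example (not from the thread; the directory layout and file names in `demo()` are constructed, with placeholder bytes instead of real certificates) compares two stores by the SHA-1 of each certificate's DER bytes.

```python
import base64
import hashlib
import os
import re
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
PEM = "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n"


def fingerprints(directory):
    """Map SHA-1 of each certificate's DER bytes to the file names holding it."""
    found = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):  # follows symlinks, skips dangling ones
            continue
        with open(path, "rb") as fh:
            text = fh.read().decode("ascii", errors="ignore")
        for body in PEM_BLOCK.findall(text):
            der = base64.b64decode("".join(body.split()))
            found.setdefault(hashlib.sha1(der).hexdigest(), []).append(name)
    return found


def diff_stores(dir_a, dir_b):
    """Compare two stores by certificate content, ignoring how files are named."""
    a, b = fingerprints(dir_a), fingerprints(dir_b)
    return {"only_a": sorted(set(a) - set(b)),
            "only_b": sorted(set(b) - set(a)),
            "both": sorted(set(a) & set(b))}


def demo():
    """Constructed stores; placeholder bytes stand in for real DER certificates."""
    with tempfile.TemporaryDirectory() as tmp:
        aegis, etc = os.path.join(tmp, "common-ca"), os.path.join(tmp, "etc-ssl")
        files = {(aegis, "keyid-root.pem"): b"constructed root",
                 (aegis, "keyid-class3.pem"): b"constructed class3",
                 (etc, "root.pem"): b"constructed root",
                 (etc, "other.pem"): b"constructed other"}
        for (folder, name), der in files.items():
            os.makedirs(folder, exist_ok=True)
            with open(os.path.join(folder, name), "w") as fh:
                fh.write(PEM % base64.encodebytes(der).decode("ascii"))
        # Hash-named link of the kind c_rehash creates (the name is constructed).
        os.symlink("root.pem", os.path.join(etc, "0a1b2c3d.0"))
        return diff_stores(aegis, etc), fingerprints(etc)


if __name__ == "__main__":
    print(demo())
```

Run `diff_stores()` on the two copies taken before and after an `acmcli` install to see which store actually gained the certificate.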

     
    peterleinchen | # 8 | 2016-01-20, 21:30 | Report

    Powered on and ...

    what are your settings in MfE account (obfuscate)?


     
    xelo | # 9 | 2016-01-21, 08:06 | Report

    Originally Posted by peterleinchen View Post
    Let MfE step back (need to power up my N950-in-use and have a look) and first get your certs done!

    I gave you the hint already:
    devel-su
    develsh

    acmcli -c common-ca -e -a myCert.pem
    Thanks for the clarification.
    I gave this approach a shot.

    Code:
    ~ $ devel-su
    Password: 
    BusyBox v1.20.0.git (MeeGo 3:1.20-0.2+0m8) built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    
    ~ # develsh
    BusyBox v1.20.0.git (MeeGo 3:1.20-0.2+0m8) built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    
    ~ # acmcli -c common-ca -e -a /home/user/MyDocs/Downloads/16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem
    ERROR: cannot add certificates (Permission denied)
    Maybe my OpenMode is not working as expected?

    Code:
    ~ # accli -I
    
    Current mode: open
    IMEI: 
    Credentials:
            UID::root
            GID::root
            CAP::chown
            CAP::dac_read_search
            CAP::fowner
            CAP::fsetid
            CAP::kill
            CAP::linux_immutable
            CAP::net_bind_service
            CAP::net_broadcast
            CAP::net_admin
            CAP::net_raw
            CAP::ipc_lock
            CAP::ipc_owner
            CAP::sys_ptrace
            CAP::sys_pacct
            CAP::sys_boot
            CAP::sys_nice
            CAP::sys_resource
            CAP::sys_time
            CAP::sys_tty_config
            CAP::lease
            CAP::audit_write
            CAP::audit_control
            CAP::setfcap
            GRP::root
            GRP::dialout
            GRP::video
            GRP::pulse-access
            GRP::users
            GRP::metadata-users
            GRP::gallerycoredata-users
            GRP::calendar
            AID::.develsh.
            tracker::tracker-extract-access
            tracker::tracker-miner-fs-access
            libaccounts-noa::accesssvt
            package-manager::packagemanager_limited
            package-manager::packagemanager_private
            icd2::icd2-plugin
            Cellular
            TrackerReadAccess
            TrackerWriteAccess
            Location
            FacebookSocial
            develsh::develsh

    Installing the Certificate with inception / ariadne works, as stated in Message #3 above.

    Code:
    ~ # ariadne acmcli -c common-ca -e -a /home/user/MyDocs/Downloads/16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem
    Password for 'root': 
    16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1

    Originally Posted by peterleinchen View Post
    Powered on and ...

    what are your settings in MfE account (obfuscate)?
    I'm setting Mail, Username and Password.
    Then I go to Manual Setup (Server does not support autodiscover) and add the HostName, Port 443

    Code:
    E-Mail: mail@domain.tld
    User: mail@domain.tld
    Pass: PASSWORD
    Domain: Nothing
    Server Address: horde.domain.tld
    Secure: YES
    Port:443
    I also tried:
    Code:
    E-Mail: mail@domain.tld
    User: mail
    Pass: PASSWORD
    Domain: domain.tld
    Server Address: horde.domain.tld
    Secure: YES
    Port:443
    If you like I can provide you an account for testing purposes on Saturday.


    Last edited by xelo; 2016-01-21 at 08:34. Reason: Added Config.

     
    sicelo | # 10 | 2016-01-21, 08:36 | Report

    Originally Posted by xelo View Post
    We already tested that with a testaccount on sicelo's N900. Which seems to work.
    "Which works" is more correct. It did work. MfE on N900 successfully added the account and synced. Device that already had cacert CA worked right away, while device without the cert first gave a warning which you are able to ignore.
    So, it synced without the root cert being on N900 at all.

    The Following 2 Users Say Thank You to sicelo For This Useful Post:
    peterleinchen, xelo

     