Restarting OS X damages /etc/certificates/foo.concat.pem file

Originator:pepi.zawodsky
Number:rdar://24054910 Date Originated:05-Jan-2016 12:41 PM
Status:Open Resolved:
Product:OS X Server Product Version:5.0.15
Classification:Serious Bug Reproducible:Always
 
Summary:
Restarting OS X damages /etc/certificates/foo.concat.pem file

Steps to Reproduce:
Configure a certificate for OS X Server to use with jabber/messages server.
This _should_ create a .key.pem, .concat.pem, .cert.pem and a .chain.pem file, which it doesn't always do. There are multiple RDARs pertaining to this.
Let's pretend, just for a moment, that the admin manually fixed this and these files exist.
Messages now starts and can be connected to using TLS 1.0 (which is appallingly bad transport security).
Now reboot the server and try to login to Messages again.

Expected Results:
Messages service should just start and allow transport encrypted logins.

Actual Results:
Messages service launches without TLS and just uses plaintext. It silently fails to enable TLS.
This is due to the fact that upon restart, OS X seemingly recreates the cert files and again fails at doing so. This results in the .concat.pem file, which _should_ contain the leaf cert and key in PEM format, only containing the leaf certificate. Obviously this fails to launch the prehistoric jabberd with encryption support and it silently drops down to plaintext.
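The failure mode described above is a .concat.pem that has lost its private key block. The following is an added example (not part of the original report and not Apple's code) that an admin could run to audit a concat file after a reboot, and to rebuild it from the separate .key.pem and .cert.pem files. It assumes the concat file is simply the key PEM block followed by the certificate PEM block (the ordering is an assumption; OpenSSL-based consumers accept either order). The PEM bodies in the sample data are constructed placeholders, not real keys or certificates.

```python
import hashlib
import re

# Matches one PEM block and captures its label ("CERTIFICATE", "RSA PRIVATE KEY", ...).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

# Labels that OpenSSL-style tooling uses for private keys in PEM files.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# Constructed sample data: placeholder bodies, NOT real key or certificate material.
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKplaceholder\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBkTCB+wIJplaceholder\n-----END CERTIFICATE-----\n"
# What a healthy concat file looks like under the key-then-cert assumption.
SAMPLE_CONCAT = SAMPLE_KEY + SAMPLE_CERT


def pem_labels(text):
    """Return the ordered list of PEM block labels found in text."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def audit_concat_pem(text):
    """Check that a .concat.pem carries both a leaf certificate and its private key.

    Returns (ok, reason). A file that holds only the certificate is exactly the
    post-reboot state described in the report, so it is called out explicitly.
    """
    labels = pem_labels(text)
    has_cert = "CERTIFICATE" in labels
    has_key = any(label in KEY_LABELS for label in labels)
    if has_cert and has_key:
        return True, "certificate and private key present"
    if has_cert:
        return False, "private key missing: only a certificate is present"
    if has_key:
        return False, "certificate missing"
    return False, "no PEM blocks found"


def rebuild_concat_pem(key_pem, cert_pem):
    """Rebuild the concat file contents from the key.pem and cert.pem contents.

    Refuses to produce a file when either input lacks the block it should carry,
    so a broken source file cannot silently propagate into the rebuilt one.
    """
    if not any(label in KEY_LABELS for label in pem_labels(key_pem)):
        raise ValueError("key.pem does not contain a private key block")
    if "CERTIFICATE" not in pem_labels(cert_pem):
        raise ValueError("cert.pem does not contain a certificate block")
    return key_pem.rstrip("\n") + "\n" + cert_pem.rstrip("\n") + "\n"


def fingerprint(text):
    """SHA-256 of the file contents; snapshot before a reboot, compare afterwards."""
    return hashlib.sha256(text.encode("ascii")).hexdigest()


if __name__ == "__main__":
    # Simulate the report: the post-reboot file contains only the certificate.
    before = fingerprint(SAMPLE_CONCAT)
    after_reboot = SAMPLE_CERT
    print("audit before reboot:", audit_concat_pem(SAMPLE_CONCAT))
    print("audit after reboot: ", audit_concat_pem(after_reboot))
    print("contents changed:   ", before != fingerprint(after_reboot))
    # Rebuild from the separate files and confirm the result is healthy again.
    rebuilt = rebuild_concat_pem(SAMPLE_KEY, SAMPLE_CERT)
    print("audit after rebuild:", audit_concat_pem(rebuilt))
```

On a real server the same functions would be fed the contents of the files under /etc/certificates/ read from disk; the fingerprint taken before a reboot makes it immediately visible whether OS X rewrote the file on the way back up.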


Regression:
I think this worked some time in the past with server 3 or 2… It certainly worked with 10.6.

Notes:
Certificate in use is issued by StartSSL. Not that it makes any difference to use any other cert vendor.
