![]() |
cacert on N950 in OpenMode and MfE
Hey Community,
recently I discovered a N950 in my employers device archive. Now I'd like to use this awesome device daily to replace my not so good WindowsPhone. I've already been capable of bringing the N950 into Openmode. I've got two Questions: 1) How to install custom CA's (cacert.org) 2) How to enable Mail for Exchange (Question might depend on Q1) Ok, let's talk about more details: I fail when trying to install new Root-Certificates (those of cacert.org) When downloading and installing the certificate, I can see the certificate and it is added in the certificatemanager, but the /var/log/syslog says: Code:
certificate_install: aegis_storage.cpp(1935): ERROR commit: access denied, cannot commit '/var/lib/aegis/ps/Ss/certman.ssl-ca' I use cacert to secure my Mail, Calender and Contacts which are "hosted" with horde and can be accessed with ActiveSync.(Exchange) Unfortunately I'm not able to connect to the "Exchange" Server with Mail-For-Exchange. We could connect successfully with a N900 (with and without cacert certificates), Windows Phone and Android devices, so the server should not be the Problem. MFE reports "Invalid host address for Mail for Exchange Server". Code:
Jan 19 19:37:46 (2016) mfeplugin[2461]: [Debug] Connecting to URL: "https://xxxxxxxxxxxxx:443/Microsoft-Server-ActiveSync" What I already tried:
But, as of now: no success Do you have any ideas how to get this working? Best Regards xelo ========= Solution: Certificates: 1. Additional certificates can be Installed with Code:
acmcli -c common-ca -a sha1HashOfPemEncodedCertificate.pem Code:
/var/lib/aegis/certs/common-ca/ If neither develsh was elevated nor the device uses inception and ariadne, you will receive a Code:
permission denied Not found yet (2016-01-24) |
Re: cacert on N950 in OpenMode and MfE
short answer:
using web "facilities" to insert certs did not work on N900 (nor do I expect on N9/50) copying certs manually to /var/lib/aegis/certs/common-ca will also not work I would go like: download cert in pem or convert into pem put it wherever you like and install it with /usr/bin/acmcli to common-ca (will need to dig for exact command...) possibly c_refhash (as you already found out) --edit you might do it in as root with devel-su AND possibly in "develsh" (giving some more rights), as I do not expect you to run that device in OpenMode? P.S.: what I do not understand on N9/50 is why we have /var/lib/aegis/certs (/common-ca) and also /etc/ssl/certs Both seem to have the same certs installed (with different hashes/links)? So possibly we need this here, too? |
Re: cacert on N950 in OpenMode and MfE
Thank's for your answer. I'll give it a shot later.
Quote:
Edit 1: I tried without success Code:
# acmcli -C aegis-certman-common-ca::CertCACommonAdd -lc common-ca -a 16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem Edit 2: So this happens in the log: Code:
Jan 20 21:02:57 (2016) acmcli: aegis_storage.cpp(1436): ERROR add_file: access denied Now created a "private" common-ca and removed it again, which worked... Code:
# /usr/bin/acmcli -p common-ca -a 16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem Edit 3: Installed Inception from openrepos. Code:
/usr/sbin/pasiv The log complained about a bunch of broken Certs Code:
Jan 20 21:46:26 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/C=ES/L=C/ Muntaner 244 Barcelona/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068/emailA Achieved Today: Added cacert Root |
Re: cacert on N950 in OpenMode and MfE
Quote:
:D |
Re: cacert on N950 in OpenMode and MfE
Quote:
|
Re: cacert on N950 in OpenMode and MfE
Okay, back to topic: Mail For Exchange.
I tried to add the account again. No success: MfE fails again with a "Invalid Host Address for Mail for Exchange Server". But It stopped complaining about the Missing/Invalid Certificates. Code:
Jan 20 21:54:33 (2016) mfeplugin[5404]: [Debug] virtual void MfeCheckCredentialsDialog::createContent() |
Re: cacert on N950 in OpenMode and MfE
Let MfE step back (need to power up my N950-in-use and have a look) and first get your certs done!
I gave you the hint already: devel-su develsh acmcli -c common-ca -e -a myCert.pem and Boom! :) After that check again. Please make a copy of /var/lib/aegis/certs/common-ca and /et/ssl/certs so you can diff them later. I have no idea if cert will be added to /etc/ssl/certs, too. |
Re: cacert on N950 in OpenMode and MfE
Powered on and ...
what are your settings in MfE account (obfuscate)? |
Re: cacert on N950 in OpenMode and MfE
Quote:
I gave this approach a shot. Code:
~ $ devel-su Code:
~ # accli -I Installing the Certificate with inception / ariadne works, as stated in Message #3 above. Code:
~ # ariadne acmcli -c common-ca -e -a /home/user/MyDocs/Downloads/16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem Quote:
Then I go to Manual Setup (Server does not support autodiscover) and add the HostName, Port 443 Code:
E-Mail: mail@domain.tld Code:
E-Mail: mail@domain.tld |
Re: cacert on N950 in OpenMode and MfE
1 Attachment(s)
Quote:
Attachment 38085 So, it synced without the root cert being on N900 at all. |
Re: cacert on N950 in OpenMode and MfE
@xelo
Your output looks exactly like on my stock kernel N950. And on my OpenMode N9 the output is much longer (incl. certs/aegis stuff). So I would say your device is in OpenMode but has been booted with the stock kernel. Once you have booted it (which does not require flashing) with an open mode kernel it will stay in OpenMode until a full reflash. But if you can access all functionality depends on the kernel you have flashed/booted afterwards. Please post the output of uname -a Have you flashed the open kernel? Or using ubiboot? Or ... About MfE: ??? Looks like it should at least accept the configs. Can you reach the site https://xxxxxx:443/Microsoft-Server-ActiveSync in your normal browser inside the intranet? And outside the intranet (internet)? You should see some MS stuff or a message like "The page cannot be displayed because the HTTP version is not supported." I am not sure as this has been done by me ages ago. possibly you need to give your domain/workgroup/windows/exchange user name instead of the e-mail address name as user! At least this looks like in my settings on N950. P.S.: yep, we may do some testing (but it will be possible mainly in the evening/night only). Meanwhile you should enable PMs (private messages) in your ControlPanel |
Re: cacert on N950 in OpenMode and MfE
*although we're also interested" ... so PM, um :)
By the way, just saying this 'for' xelo ... this is actually Horde's ActiveSync plugin, not MS Exchange server. this is what the URL gives: "Trying to access the ActiveSync endpoint from a browser. Not Supported." |
Re: cacert on N950 in OpenMode and MfE
Quote:
Code:
~ $ uname -a I'm not using Ubiboot. I could repeat flashing on Saturday. Right now I've no Problems to return everything back to stock-settings. Quote:
Quote:
|
Re: cacert on N950 in OpenMode and MfE
Quote:
Take a look at ubiboot thread and juice's instructions. Or just flash an OpenMode kernel. Quote:
Quote:
PM only for privacy data exchange :D |
Re: cacert on N950 in OpenMode and MfE
Quote:
It does not explain the not-working MFE. I cannot offer you a testaccount or flash the Open kernel before saturday. |
Re: cacert on N950 in OpenMode and MfE
Quote:
|
Re: cacert on N950 in OpenMode and MfE
Peterleinchen: I've send you some login information.
Edit: Flashed different kernels today:
But Installing Certificates did still not work: "Permission denied" So next try: Clean Flash and I'm going to start over. |
Re: cacert on N950 in OpenMode and MfE
Before clean flashing read ubiboot thread - instruction - wiki.
flash back-to-back But before even that use develsh (I needed that too even with open kernel(). -- strange, strange Get the same message about invalid host address and find this in logs Code:
Jan 23 23:59:05 (2016) mfeplugin[32201]: [Debug] Connecting to URL: "https://:443/Microsoft-Server-ActiveSync" I can log in on web portal. And got the cert warning once at first connect where I said 'yes, forever'. --- some progress? Code:
Jan 24 00:09:24 (2016) mfeplugin[32252]: [Debug] Connecting to URL: "https://xxx.xxx.xxx.xxx:443/Microsoft-Server-ActiveSync" Then it failed with same UI message. But according to logs it may now be prob regarding certs, or? |
Re: cacert on N950 in OpenMode and MfE
Quote:
Do you mean: 1. run devel-su 2. run develsh (now I've a shell in a shell) Quote:
Quote:
I'm running Horde on a shared space. Which works fine with android, windows phone, zPush, etc... Instead of the webadress, use the hostname I gave you in PM. When cacert root is installed certificate validation should not fail then. The root certificate of my hoster seems to be missing in Harmattan. The shared space uses ServerNameIndication (SNI) to detect the "Server" which shall answer. uuuuuh wait. What if MFE does not always send the |
Re: cacert on N950 in OpenMode and MfE
okay.
I did a clean reflash today, like described in http://www.swagman.org:8008/juice/ubiboot/README and used the zImage_2.6.32.54-openmode_l2fix kernel. I did not install ubiboot. Still uname -a says (in develsh): Code:
~ # uname -a Code:
~ # acmcli -c common-ca -a 16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem |
Re: cacert on N950 in OpenMode and MfE
openmode kernel is not giving you max privileges by default, you still need to use privileged develsh or opensudo. it just gives you easier way to install shells with high privileges. for example for getting develsh with high privileges you need to
Code:
AEGIS_FIXED_ORIGIN=com.nokia.maemo apt-get install --reinstall develsh |
Re: cacert on N950 in OpenMode and MfE
Quote:
That did the trick: Thank you coderus. Code:
~ # acmcli -c common-ca -a 16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem EDIT: Added the information gathered so far to my first Post. |
Re: cacert on N950 in OpenMode and MfE
Okay... I tried to add my old Outlook.com account. And it worked... more or less.
This is the log output: Code:
Jan 24 18:35:08 (2016) mfeplugin[2513]: [Debug] Accounts::Service* MfeAccountSetupContext::getMfeService(const QString&, const QString&) "mfemail" It fails with the Message "Invalid Host Address" Code:
Jan 24 18:40:11 (2016) icd2 0.213.4+0m8[1197]: Duplicate filter: Do not add filter for app :1.410 Which I understand can be fixed with "MeMailSettings".and forcing EAS Version 2.5 Nevertheless, this does not solve the Problem with my Horde Server |
Re: cacert on N950 in OpenMode and MfE
This is my log now:
Code:
Jan 24 20:13:39 (2016) mfeplugin[32393]: [Debug] void MfeCheckCredentialsDialog::onAppeared() already online |
Re: cacert on N950 in OpenMode and MfE
Thanks peterleinchen:
now we can see that MFE --when trying to synchronize with Horde ActiveSync Plugin-- always terminates with: Code:
Jan 24 20:13:46 (2016) mfeplugin[32393]: [Debug] void MfeCheckCredentialsDialog::onSendFinished(QNetworkReply*) replyError= 0 "Unknown error" What can be the next steps for me: 1) I deploy another instance of Horde on a different server which does not require SNI 2) Capture Traffic of N950 with Wireshark Do you know of any workarounds apart of syncevolution which can be used to synchronize Contacts / addressbooks with CardDav / SyncML? |
Re: cacert on N950 in OpenMode and MfE
Quote:
|
Re: cacert on N950 in OpenMode and MfE
Short update:
Still didn't get MfE to work. Native Caldav Works, I'm syncing Contacts with SyncEvolution. |
All times are GMT. The time now is 01:08. |
vBulletin® Version 3.8.8