maemo.org - Talk

maemo.org - Talk (https://talk.maemo.org/index.php)
-   MeeGo / Harmattan (https://talk.maemo.org/forumdisplay.php?f=45)
-   -   cacert on N950 in OpenMode and MfE (https://talk.maemo.org/showthread.php?t=96373)

xelo 2016-01-19 18:49
cacert on N950 in OpenMode and MfE
 
Hey Community,

recently I discovered a N950 in my employers device archive.
Now I'd like to use this awesome device daily to replace my not so good WindowsPhone.

I've already been capable of bringing the N950 into Openmode.

I've got two Questions:

1) How to install custom CA's (cacert.org)
2) How to enable Mail for Exchange (Question might depend on Q1)


Ok, let's talk about more details:

I fail when trying to install new Root-Certificates (those of cacert.org)

When downloading and installing the certificate, I can see the certificate and it is added in the certificatemanager, but the /var/log/syslog says:

Code:
certificate_install: aegis_storage.cpp(1935): ERROR commit: access denied, cannot commit '/var/lib/aegis/ps/Ss/certman.ssl-ca'

I use cacert to secure my Mail, Calender and Contacts which are "hosted" with horde and can be accessed with ActiveSync.(Exchange)

Unfortunately I'm not able to connect to the "Exchange" Server with Mail-For-Exchange.
We could connect successfully with a N900 (with and without cacert certificates), Windows Phone and Android devices, so the server should not be the Problem.
MFE reports "Invalid host address for Mail for Exchange Server".

Code:
Jan 19 19:37:46 (2016) mfeplugin[2461]: [Debug] Connecting to URL:  "https://xxxxxxxxxxxxx:443/Microsoft-Server-ActiveSync"
Jan 19 19:37:46 (2016) icd2 0.213.4+0m8[1173]: Duplicate filter: Do not add filter for app :1.272
Jan 19 19:37:46 (2016) mfeplugin[2461]: [Debug] QNetworkReplyImpl::_q_startOperation was called more than once
Jan 19 19:37:47 (2016) wlancond[1009]: High signal
Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error] CertManager: ssl error "The issuer certificate of a locally looked up certificate could not be found" : "The issuer certificate of a locally looked up certificate could not be found"
Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error] Certificate info:
Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error] Subject:  O= "CAcert Inc." CN= "CAcert Class 3 Root" L= "" OU= "http://www.CAcert.org" C= "" ST= ""
Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error]  Issuer:  O= "Root CA" CN= "CA Cert Signing Authority" L= "" OU= "http://www.cacert.org" C= "" ST= ""
Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error]  Valid: from "Mon May 23 17:48:02 2011" to "Thu May 20 17:48:02 2021"
Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error]  Serial: 672138
Jan 19 19:37:49 (2016) mfeplugin[2461]: [Error] Version: 3
Jan 19 19:37:50 (2016) mfeplugin[2461]: [Debug] User acceptance result for certificate "CAcert Class 3 Root" = 0
Jan 19 19:37:50 (2016) mfeplugin[2461]: [Error] CertManager: server certificate "CAcert Class 3 Root" has been accepted by user
Jan 19 19:37:50 (2016) mfeplugin[2461]: [Debug] CertManager: ssl error "The root CA certificate is not trusted for this purpose" : "The root CA certificate is not trusted for this purpose"
Jan 19 19:37:50 (2016) mfeplugin[2461]: [Debug] CertManager: server certificate "CAcert Class 3 Root" has been already accepted by user
Jan 19 19:37:50 (2016) mfeplugin[2461]: [Debug] void MfeCheckCredentialsDialog::onSendFinished(QNetworkReply*) replyError= 0 "Unknown error"
Jan 19 19:37:50 (2016) mfeplugin[2461]: [Debug] error( 0 )= 3

What I already tried:
  • Accepting the certificate when MfE asked me if I'd trust the cert
  • Adding root and class3 cert to /var/lib/aegis/certs/common-ca/ and to /var/lib/aegis/certs/user/*-ca
  • rehashing of /var/lib/aegis/certs/common-ca/ with c_rehash as suggested in http://talk.maemo.org/showthread.php?t=94484

But, as of now: no success


Do you have any ideas how to get this working?

Best Regards
xelo

=========
Solution:

Certificates:
1. Additional certificates can be Installed with
Code:
acmcli -c common-ca -a  sha1HashOfPemEncodedCertificate.pem
This installs the certificate to
Code:
/var/lib/aegis/certs/common-ca/
2. In order to use this command, the device needs to use Inception and starts the command above using ariadne or it is runnig in OpenMode (See the mentioned Readme) and the developer shell is running with elevated rights
If neither develsh was elevated nor the device uses inception and ariadne, you will receive a
Code:
permission denied
MfE:

Not found yet (2016-01-24)

peterleinchen 2016-01-20 15:05
Re: cacert on N950 in OpenMode and MfE
 
short answer:

using web "facilities" to insert certs did not work on N900 (nor do I expect on N9/50)
copying certs manually to /var/lib/aegis/certs/common-ca will also not work


I would go like:
download cert in pem or convert into pem
put it wherever you like
and install it with /usr/bin/acmcli to common-ca (will need to dig for exact command...)
possibly c_refhash (as you already found out)
--edit
you might do it in as root with devel-su
AND possibly in "develsh" (giving some more rights), as I do not expect you to run that device in OpenMode?


P.S.: what I do not understand on N9/50 is why we have
/var/lib/aegis/certs (/common-ca)
and also
/etc/ssl/certs
Both seem to have the same certs installed (with different hashes/links)? So possibly we need this here, too?

xelo 2016-01-20 18:56
Re: cacert on N950 in OpenMode and MfE
 
Thank's for your answer. I'll give it a shot later.

Quote:
Originally Posted by peterleinchen (Post 1495643)
short answer:
--edit
you might do it in as root with devel-su
AND possibly in "develsh" (giving some more rights), as I do not expect you to run that device in OpenMode?
I'm running the device in OpenMode


Edit 1:
I tried without success
Code:
# acmcli -C aegis-certman-common-ca::CertCACommonAdd -lc common-ca -a 16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem

ERROR: cannot add certificates (Permission denied)

# acmcli -c common-ca -a 16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem

ERROR: cannot add certificates (Permission denied)




Edit 2: So this happens in the log:

Code:
Jan 20 21:02:57 (2016) acmcli: aegis_storage.cpp(1436): ERROR add_file: access denied
Jan 20 21:02:57 (2016) acmcli: aegis_storage.cpp(1641): ERROR add_link: access denied
Jan 20 21:02:57 (2016) acmcli: aegis_storage.cpp(1935): ERROR commit: access denied, cannot commit '/var/lib/aegis/ps/Gs/certman.common-ca'
Jan 20 21:02:57 (2016) acmcli: certman_main.cpp(1051): ERROR aegis_certman_add_certs: add certs failed (Permission denied)


Now created a "private" common-ca and removed it again, which worked...
Code:
# /usr/bin/acmcli -p common-ca -a 16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem
Added 1 certificates

# /usr/bin/acmcli -p common-ca -r 16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1
Removed certificate '16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1'
Now I'm out of Ideas...

Edit 3:
Installed Inception from openrepos.
Code:
/usr/sbin/pasiv
ariadne /usr/bin/acmcli -c common-ca -a 16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem
Password for 'root':
Added 1 certificates
Well that's a start.

The log complained about a bunch of broken Certs
Code:
Jan 20 21:46:26 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/C=ES/L=C/ Muntaner 244 Barcelona/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068/emailA
ddress=ca@firmaprofesional.com'
Jan 20 21:46:26 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/C=NO/O=Buypass AS-983163327/CN=Buypass Class 3 CA 1'
Jan 20 21:46:26 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA'
Jan 20 21:46:26 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/C=TR/L=ANKAR
A/O=(c) 2005 T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E.'
Jan 20 21:46:26 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/C=TR/L=Ankar
a/O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E. (c) Kas\xC4\xB1m 2005'
Jan 20 21:46:30 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/C=ES/L=C/ Muntaner 244 Barcelona/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068/emailA
ddress=ca@firmaprofesional.com'
Jan 20 21:46:30 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/C=NO/O=Buypass AS-983163327/CN=Buypass Class 3 CA 1'
Jan 20 21:46:30 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA'
Jan 20 21:46:30 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/C=TR/L=ANKAR
A/O=(c) 2005 T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E.'
Jan 20 21:46:30 (2016) acmcli: certman_main.cpp(184): ERROR Invalid certificate '/CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/C=TR/L=Ankar
a/O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E. (c) Kas\xC4\xB1m 2005'
Now I can open Websites which are signed by withe cacert root. Without a Complaining webbrowser...

Achieved Today: Added cacert Root

sicelo 2016-01-20 20:43
Re: cacert on N950 in OpenMode and MfE
 
Quote:
Originally Posted by xelo (Post 1495507)
Hey Community,

recently I discovered a N950 in my employers device archive.
Now I'd like to use this awesome device daily to replace my not so good WindowsPhone.
Thief!!!
:D

xelo 2016-01-20 20:52
Re: cacert on N950 in OpenMode and MfE
 
Quote:
Originally Posted by sicelo (Post 1495700)
Thief!!!
:D
collaborator... =)

xelo 2016-01-20 20:58
Re: cacert on N950 in OpenMode and MfE
 
Okay, back to topic: Mail For Exchange.

I tried to add the account again.
No success: MfE fails again with a "Invalid Host Address for Mail for Exchange Server". But It stopped complaining about the Missing/Invalid Certificates.

Code:
Jan 20 21:54:33 (2016) mfeplugin[5404]: [Debug] virtual void MfeCheckCredentialsDialog::createContent()
Jan 20 21:54:34 (2016) mfeplugin[5404]: [Debug] void MfeCheckCredentialsDialog::onAppeared() already online
Jan 20 21:54:34 (2016) mfeplugin[5404]: [Debug] void MfeCheckCredentialsDialog::sendRequest()
Jan 20 21:54:34 (2016) mfeplugin[5404]: [Debug] Connecting to URL:  "https://xxxxxx:443/Microsoft-Server-ActiveSync"
Jan 20 21:54:34 (2016) icd2 0.213.4+0m8[1189]: Duplicate filter: Do not add filter for app :1.757
Jan 20 21:54:34 (2016) mfeplugin[5404]: [Debug] QNetworkReplyImpl::_q_startOperation was called more than once
Jan 20 21:54:37 (2016) mfeplugin[5404]: [Debug] void MfeCheckCredentialsDialog::onSendFinished(QNetworkReply*) replyError= 0 "Unknown error"
Jan 20 21:54:37 (2016) mfeplugin[5404]: [Debug] error( 0 )= 3

peterleinchen 2016-01-20 21:23
Re: cacert on N950 in OpenMode and MfE
 
Let MfE step back (need to power up my N950-in-use and have a look) and first get your certs done!

I gave you the hint already:
devel-su
develsh

acmcli -c common-ca -e -a myCert.pem

and Boom! :)

After that check again.
Please make a copy of
/var/lib/aegis/certs/common-ca
and
/et/ssl/certs
so you can diff them later.
I have no idea if cert will be added to /etc/ssl/certs, too.

peterleinchen 2016-01-20 21:30
Re: cacert on N950 in OpenMode and MfE
 
Powered on and ...

what are your settings in MfE account (obfuscate)?

xelo 2016-01-21 08:06
Re: cacert on N950 in OpenMode and MfE
 
Quote:
Originally Posted by peterleinchen (Post 1495712)
Let MfE step back (need to power up my N950-in-use and have a look) and first get your certs done!

I gave you the hint already:
devel-su
develsh

acmcli -c common-ca -e -a myCert.pem
Thanks for the clarification.
I gave this approach a shot.

Code:
~ $ devel-su
Password:
BusyBox v1.20.0.git (MeeGo 3:1.20-0.2+0m8) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # develsh
BusyBox v1.20.0.git (MeeGo 3:1.20-0.2+0m8) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # acmcli -c common-ca -e -a /home/user/MyDocs/Downloads/16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem
ERROR: cannot add certificates (Permission denied)
Maybe my OpenMode ist not working as expected?

Code:
~ # accli -I

Current mode: open
IMEI:
Credentials:
        UID::root
        GID::root
        CAP::chown
        CAP::dac_read_search
        CAP::fowner
        CAP::fsetid
        CAP::kill
        CAP::linux_immutable
        CAP::net_bind_service
        CAP::net_broadcast
        CAP::net_admin
        CAP::net_raw
        CAP::ipc_lock
        CAP::ipc_owner
        CAP::sys_ptrace
        CAP::sys_pacct
        CAP::sys_boot
        CAP::sys_nice
        CAP::sys_resource
        CAP::sys_time
        CAP::sys_tty_config
        CAP::lease
        CAP::audit_write
        CAP::audit_control
        CAP::setfcap
        GRP::root
        GRP::dialout
        GRP::video
        GRP::pulse-access
        GRP::users
        GRP::metadata-users
        GRP::gallerycoredata-users
        GRP::calendar
        AID::.develsh.
        tracker::tracker-extract-access
        tracker::tracker-miner-fs-access
        libaccounts-noa::accesssvt
        package-manager::packagemanager_limited
        package-manager::packagemanager_private
        icd2::icd2-plugin
        Cellular
        TrackerReadAccess
        TrackerWriteAccess
        Location
        FacebookSocial
        develsh::develsh

Installing the Certificate with inception / ariadne works, as stated in Message #3 above.

Code:
~ # ariadne acmcli -c common-ca -e -a /home/user/MyDocs/Downloads/16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem
Password for 'root':
16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1

Quote:
Originally Posted by peterleinchen (Post 1495713)
Powered on and ...

what are your settings in MfE account (obfuscate)?
I'm setting Mail, Username and Password.
Then I go to Manual Setup (Server does not support autodiscover) and add the HostName, Port 443

Code:
E-Mail: mail@domain.tld
User: mail@domain.tld
Pass: PASSWORD
Domain: Nothing
Server Address: horde.domain.tld
Secure: YES
Port:443
I also tried:
Code:
E-Mail: mail@domain.tld
User: mail
Pass: PASSWORD
Domain: domain.tld
Server Address: horde.domain.tld
Secure: YES
Port:443
If you like I can provide you an account for testing purposes on Saturday.

sicelo 2016-01-21 08:36
Re: cacert on N950 in OpenMode and MfE
 
1 Attachment(s)
Quote:
Originally Posted by xelo (Post 1495754)
We already tested that with a testaccount on sicelo's N900. Which seems to work.
Which works is more correct :) It did work. MfE on N900 successfully added the account and synced. Device that already had cacert CA worked right away, while device without the cert first gave a warning which you are able to ignore.
Attachment 38085
So, it synced without the root cert being on N900 at all.

peterleinchen 2016-01-21 10:27
Re: cacert on N950 in OpenMode and MfE
 
@xelo

Your output looks exactly like on my stock kernel N950.
And on my OpenMode N9 the output is much longer (incl. certs/aegis stuff).
So I would say your device is in OpenMode but has been booted with the stock kernel. Once you have booted it (which does not require flashing) with an open mode kernel it will stay in OpenMode until a full reflash. But if you can access all functionality depends on the kernel you have flashed/booted afterwards.
Please post the output of
uname -a

Have you flashed the open kernel?
Or using ubiboot?
Or ...


About MfE:
???
Looks like it should at least accept the configs.
Can you reach the site
https://xxxxxx:443/Microsoft-Server-ActiveSync
in your normal browser inside the intranet?
And outside the intranet (internet)?
You should see some MS stuff or a message like
"The page cannot be displayed because the HTTP version is not supported."

I am not sure as this has been done by me ages ago.
possibly you need to give your domain/workgroup/windows/exchange user name instead of the e-mail address name as user!
At least this looks like in my settings on N950.

P.S.:
yep, we may do some testing (but it will be possible mainly in the evening/night only).
Meanwhile you should enable PMs (private messages) in your ControlPanel

sicelo 2016-01-21 10:35
Re: cacert on N950 in OpenMode and MfE
 
*although we're also interested" ... so PM, um :)

By the way, just saying this 'for' xelo ... this is actually Horde's ActiveSync plugin, not MS Exchange server. this is what the URL gives:

"Trying to access the ActiveSync endpoint from a browser. Not Supported."

xelo 2016-01-21 12:50
Re: cacert on N950 in OpenMode and MfE
 
Quote:
Originally Posted by peterleinchen (Post 1495769)
@xelo
Please post the output of
uname -a

Have you flashed the open kernel?
Or using ubiboot?
Code:
~ $ uname -a
Linux RM680 2.6.32.54-dfl61-20121301 #1 PREEMPT Sat Mar 2 23:11:21 EET 2013 armv7l GNU/Linux
Afaik I flashed an Open Kernel.
I'm not using Ubiboot.
I could repeat flashing on Saturday. Right now I've no Problems to return everything back to stock-settings.


Quote:
Originally Posted by sicelo (Post 1495771)
*although we're also interested" ... so PM, um :)
All findings would be reported back to this thread. No worries :)

Quote:
Originally Posted by sicelo (Post 1495771)
By the way, just saying this 'for' xelo ... this is actually Horde's ActiveSync plugin, not MS Exchange server. this is what the URL gives:

"Trying to access the ActiveSync endpoint from a browser. Not Supported."
Sicelo is right.

peterleinchen 2016-01-21 13:12
Re: cacert on N950 in OpenMode and MfE
 
Quote:
Originally Posted by xelo (Post 1495781)
Code:
~ $ uname -a
Linux RM680 2.6.32.54-dfl61-20121301 #1 PREEMPT Sat Mar 2 23:11:21 EET 2013 armv7l GNU/Linux
This is the stock kernel!
Take a look at ubiboot thread and juice's instructions.
Or just flash an OpenMode kernel.

Quote:
Originally Posted by sicelo (Post 1495771)
*although we're also interested" ... so PM, um :)
Quote:
Originally Posted by xelo (Post 1495781)
All findings would be reported back to this thread. No worries :)
Yes, of course.
PM only for privacy data exchange :D

xelo 2016-01-21 13:34
Re: cacert on N950 in OpenMode and MfE
 
Quote:
Originally Posted by peterleinchen (Post 1495784)
This is the stock kernel!
Splendid. This explains to me why develsh did not have sufficient rights to add the certificate.

It does not explain the not-working MFE.

I cannot offer you a testaccount or flash the Open kernel before saturday.

peterleinchen 2016-01-21 13:40
Re: cacert on N950 in OpenMode and MfE
 
Quote:
Originally Posted by xelo (Post 1495787)
...
I cannot offer you a testaccount or flash the Open kernel before saturday.
I am not in a hurry :D:D:D

xelo 2016-01-23 10:45
Re: cacert on N950 in OpenMode and MfE
 
Peterleinchen: I've send you some login information.



Edit:

Flashed different kernels today:
  • zImage-2.6.32.54-dfl61-20121301
  • zImage_2.6.32.54-openmode_l2fix

But Installing Certificates did still not work:
"Permission denied"

So next try: Clean Flash and I'm going to start over.

peterleinchen 2016-01-23 22:19
Re: cacert on N950 in OpenMode and MfE
 
Before clean flashing read ubiboot thread - instruction - wiki.
flash back-to-back

But before even that use develsh (I needed that too even with open kernel().

--
strange, strange

Get the same message about invalid host address and find this in logs
Code:
Jan 23 23:59:05 (2016) mfeplugin[32201]: [Debug] Connecting to URL:  "https://:443/Microsoft-Server-ActiveSync"
and as I did not obfuscate: looks like server name/address is not handed over from UI!?

I can log in on web portal.
And got the cert warning once at first connect where I said 'yes, forever'.

---
some progress?
Code:
Jan 24 00:09:24 (2016) mfeplugin[32252]: [Debug] Connecting to URL:  "https://xxx.xxx.xxx.xxx:443/Microsoft-Server-ActiveSync"
Jan 24 00:09:28 (2016) mfeplugin[32252]: [Debug] CertManager: ssl error"The host name did not match any ofthe valid hosts for this certificate" : "The host name did not match any of the valid hosts for this certificate"
Jan 24 00:09:28 (2016) mfeplugin[32252]: [Debug] CertManager: server certificate "*.crater.uberspace.de" has been already accepted by user
So, as you see: I changed from server name to IP address and it went further. I was asked to accept another cert '*.crater.uberspace.de'
Then it failed with same UI message.
But according to logs it may now be prob regarding certs, or?

xelo 2016-01-24 12:02
Re: cacert on N950 in OpenMode and MfE
 
Quote:
Originally Posted by peterleinchen (Post 1496091)
Before clean flashing read ubiboot thread - instruction - wiki.
flash back-to-back

But before even that use develsh (I needed that too even with open kernel().
Maybe I got something wrong with develsh:

Do you mean:
1. run devel-su
2. run develsh
(now I've a shell in a shell)

Quote:
Originally Posted by peterleinchen (Post 1496091)
Get the same message about invalid host address and find this in logs

Code:
Jan 23 23:59:05 (2016) mfeplugin[32201]: [Debug] Connecting to URL:  "https://:443/Microsoft-Server-ActiveSync"
and as I did not obfuscate: looks like server name/address is not handed over from UI!?
I figured that this happens, when "/rpc.php" was appended to the Host address. When /rpc.php is not used, the UI adds the correct URL.

Quote:
Originally Posted by peterleinchen (Post 1496091)
some progress?
Code:
Jan 24 00:09:24 (2016) mfeplugin[32252]: [Debug] Connecting to URL:  "https://xxx.xxx.xxx.xxx:443/Microsoft-Server-ActiveSync"
Jan 24 00:09:28 (2016) mfeplugin[32252]: [Debug] CertManager: ssl error"The host name did not match any ofthe valid hosts for this certificate" : "The host name did not match any of the valid hosts for this certificate"
Jan 24 00:09:28 (2016) mfeplugin[32252]: [Debug] CertManager: server certificate "*.crater.uberspace.de" has been already accepted by user
So, as you see: I changed from server name to IP address and it went further. I was asked to accept another cert '*.crater.uberspace.de'
Then it failed with same UI message.
But according to logs it may now be prob regarding certs, or?
Yes, that's some progress.

I'm running Horde on a shared space. Which works fine with android, windows phone, zPush, etc...
Instead of the webadress, use the hostname I gave you in PM. When cacert root is installed certificate validation should not fail then. The root certificate of my hoster seems to be missing in Harmattan.

The shared space uses ServerNameIndication (SNI) to detect the "Server" which shall answer.


uuuuuh wait. What if MFE does not always send the "server-name" "host" header with each request? This would cause the process to fail.

xelo 2016-01-24 15:14
Re: cacert on N950 in OpenMode and MfE
 
okay.

I did a clean reflash today, like described in
http://www.swagman.org:8008/juice/ubiboot/README

and used the zImage_2.6.32.54-openmode_l2fix kernel.

I did not install ubiboot.

Still uname -a says (in develsh):
Code:
~ # uname -a
Linux RM680 2.6.32.54-dfl61-20121301 #1 PREEMPT Sat Mar 2 23:11:21 EET 2013 armv7l GNU/Linux
and installing the root-certificate with acmcli is not possible.
Code:
~ # acmcli -c common-ca -a 16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem
ERROR: cannot add certificates (Permission denied)

coderus 2016-01-24 15:19
Re: cacert on N950 in OpenMode and MfE
 
openmode kernel is not giving you max privileges by default, you still need to use privileged develsh or opensudo. it just gives you easier way to install shells with high privileges. for example for getting develsh with high privileges you need to
Code:
AEGIS_FIXED_ORIGIN=com.nokia.maemo apt-get install --reinstall develsh
first. and then it will have high privileges.

xelo 2016-01-24 16:05
Re: cacert on N950 in OpenMode and MfE
 
Quote:
Originally Posted by coderus (Post 1496142)
openmode kernel is not giving you max privileges by default, you still need to use privileged develsh or opensudo. it just gives you easier way to install shells with high privileges. for example for getting develsh with high privileges you need to
Code:
AEGIS_FIXED_ORIGIN=com.nokia.maemo apt-get install --reinstall develsh
first. and then it will have high privileges.

That did the trick: Thank you coderus.

Code:
~ # acmcli -c common-ca -a 16b5321bd4c7f3e0e68ef3bdd2b03aeeb23918d1.pem
Added 1 certificates

EDIT: Added the information gathered so far to my first Post.

xelo 2016-01-24 17:39
Re: cacert on N950 in OpenMode and MfE
 
Okay... I tried to add my old Outlook.com account. And it worked... more or less.

This is the log output:

Code:
Jan 24 18:35:08 (2016) mfeplugin[2513]: [Debug] Accounts::Service* MfeAccountSetupContext::getMfeService(const QString&, const QString&) "mfemail"
Jan 24 18:35:08 (2016) mfeplugin[2513]: [Debug] bool SyncContacts::checkContactsSyncAvailable(Accounts::Manager*, Accounts::AccountId)
Jan 24 18:35:08 (2016) mfeplugin[2513]: [Debug] bool SyncContacts::checkContactsSyncAvailable(Accounts::Manager*, Accounts::AccountId)
Jan 24 18:35:08 (2016) mfeplugin[2513]: [Debug] bool SyncGAL::checkGALSyncAvailable(Accounts::Manager*, Accounts::AccountId)
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Debug] libqtcontacts-tracker: initializing libqtcontacts-tracker 4.19.2-1+0m8 for /usr/lib/AccountSetup/bin/mfeplugin [2513]
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Debug] bool SyncGAL::checkGALSyncAvailable(Accounts::Manager*, Accounts::AccountId)
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Warning] Contacts plugin "/usr/lib/qt4/plugins/contacts/libqtcontacts-simcard.so" has the same name as currently loaded plugin "simcard" ; ignored
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Warning] Contacts plugin "/usr/lib/qt4/plugins/contacts/libqtcontacts-social.so" has the same name as currently loaded plugin "social" ; igno
red
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Warning] Contacts plugin "/usr/lib/qt4/plugins/contacts/libqtcontacts_activesync.so" has the same name as currently loaded plugin "activesync
" ; ignored
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Warning] Contacts plugin "/usr/lib/qt4/plugins/contacts/libqtcontacts_aggregated.so" has the same name as currently loaded plugin "aggregated
" ; ignored
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Warning] Contacts plugin "/usr/lib/qt4/plugins/contacts/libqtcontacts_telepathy.so" has the same name as currently loaded plugin "telepathy"
; ignored
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Warning] Contacts plugin "/usr/lib/qt4/plugins/contacts/libqtcontacts_tracker.so" has the same name as currently loaded plugin "tracker" ; ig
nored
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Error] Empty certificate id
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Error] Empty certificate id
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Debug] kdedate/ksystemtimezone.cpp: 314 - localzone "/usr/share/zoneinfo/Europe/Berlin"
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Debug] kdedate/ksystemtimezone.cpp: 342 - readConfig(): local zone= "Europe/Berlin"
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Debug] kdedate/ksystemtimezone.cpp: 394 - readZoneTab( "/usr/share/tzdata-calendar/zone-and-aliases.tab" )
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Debug] sqlitestorage.cpp: 234 - time of origin is  "1970-01-01T00:00:00Z" 0
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Warning] sqlitestorage.cpp: 278 - database "/home/user/.calendar/db" opened
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Debug] sqlitestorage.cpp: 2829 - loaded notebook "b1376da7-5555-1111-2222-227549c4e570" "Geburtstage" from database
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Debug] sqlitestorage.cpp: 2829 - loaded notebook "66666666-7777-8888-9999-000000000000" "Notes" from database
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Debug] sqlitestorage.cpp: 2829 - loaded notebook "11111111-2222-3333-4444-555555555555" "qtn_caln_personal_caln" from database
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Debug] next calendar color  QColor(ARGB 1, 0.160784, 0.490196, 0.819608)
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Debug] next calendar color  QColor(ARGB 1, 0.160784, 0.490196, 0.819608)
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Debug] virtual void MfeServiceSelectionAppPage::createContent() Content created
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Debug] Accounts::Service* MfeAccountSetupContext::getMfeService(const QString&, const QString&) "mfemail"
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Error] Empty certificate id
Jan 24 18:35:09 (2016) mfeplugin[2513]: [Error] Empty certificate id
Jan 24 18:35:10 (2016) mfeplugin[2513]: [Debug] void MfeAccountAppPage::omServiceSelectionPageAppeared() QGraphicsObject(0)
Jan 24 18:35:31 (2016) mfeplugin[2513]: [Debug] virtual void MfeCheckCredentialsDialog::createContent()
Jan 24 18:35:31 (2016) mfeplugin[2513]: [Debug] void MfeCheckCredentialsDialog::onAppeared() already online
Jan 24 18:35:31 (2016) mfeplugin[2513]: [Debug] void MfeCheckCredentialsDialog::sendRequest()
Jan 24 18:35:31 (2016) mfeplugin[2513]: [Debug] Connecting to URL:  "https://m.hotmail.com:443/Microsoft-Server-ActiveSync"
Jan 24 18:35:31 (2016) icd2 0.213.4+0m8[1197]: Duplicate filter: Do not add filter for app :1.398
Jan 24 18:35:31 (2016) mfeplugin[2513]: [Debug] QNetworkReplyImpl::_q_startOperation was called more than once
Jan 24 18:35:32 (2016) mfeplugin[2513]: [Debug] void MfeCheckCredentialsDialog::onSendFinished(QNetworkReply*) replyError= 0 "Unknown error"
Jan 24 18:35:32 (2016) mfeplugin[2513]: [Debug] error( 0 )= 0
Jan 24 18:35:32 (2016) mfeplugin[2513]: [Debug] Accounts::Service* MfeAccountSetupContext::getMfeService(const QString&, const QString&) "mfemail"
Jan 24 18:35:32 (2016) mfeplugin[2513]: [Warning] libqtcontacts-tracker: engine.cpp:1591: Not cleaning up obsolete resources for nao:hasTag property since the property's range is too
 generic (rdfs:Resource).
Jan 24 18:35:32 (2016) mfeplugin[2513]: [Warning] libqtcontacts-tracker: engine.cpp:1591: Not cleaning up obsolete resources for nao:hasTag property since the property's range is too
 generic (rdfs:Resource).
Jan 24 18:35:33 (2016) mfeplugin[2513]: [Debug] void MfeAccountAppPage::onDone()
Jan 24 18:35:33 (2016) mfeplugin[2513]: [Debug] void MfeAccountAppPage::onSyncStateChanged(const AccountsUI::SyncState&) state = 0
Jan 24 18:35:33 (2016) mfeplugin[2513]: [Debug] virtual void MfeAccountSetupContext::store()
Jan 24 18:35:33 (2016) mfeplugin[2513]: [Debug] QString MfeUtils::checkSettings(const MfeUtils::Settings&)
Jan 24 18:35:33 (2016) mfeplugin[2513]: [Debug] Accounts::Service* MfeAccountSetupContext::getMfeService(const QString&, const QString&) "mfemail"
Jan 24 18:35:33 (2016) mfeplugin[2513]: [Warning] unsupproted datatype
Jan 24 18:35:33 (2016) mfeplugin[2513]: [Debug] Accounts::Service* MfeAccountSetupContext::getMfeService(const QString&, const QString&) "mfecalendar"
Jan 24 18:35:33 (2016) mfeplugin[2513]: [Debug] ../../../lib/SignOn/identityimpl.cpp 105 updateState Updating state:  PendingRegistration
Jan 24 18:35:33 (2016) mfeplugin[2513]: [Debug] ../../../lib/SignOn/identityimpl.cpp 223 storeCredentials Storing credentials
Jan 24 18:35:33 (2016) mfeplugin[2513]: [Debug] ../../../lib/SignOn/identityimpl.cpp 105 updateState Updating state:  Ready
Jan 24 18:35:33 (2016) mfeplugin[2513]: [Debug] ../../../lib/SignOn/dbusoperationqueuehandler.cpp 131 execQueuedOperations Executing cached oparation: SIGNATURE: storeCredentials(Ide
ntityInfo)
Jan 24 18:35:33 (2016) mfeplugin[2513]: [Debug] ../../../lib/SignOn/dbusoperationqueuehandler.cpp 135 execQueuedOperations
Jan 24 18:35:33 (2016) mfeplugin[2513]: [Debug] ../../../lib/SignOn/identityimpl.cpp 223 storeCredentials Storing credentials
Jan 24 18:35:33 (2016) mfeplugin[2513]: [Debug] ../../../lib/SignOn/identityimpl.cpp 796 sendRequest
Jan 24 18:35:34 (2016) mfeplugin[2513]: [Debug] ../../../lib/SignOn/identityimpl.cpp 105 updateState Updating state:  NeedsUpdate
Jan 24 18:35:34 (2016) mfeplugin[2513]: [Debug] ../../../lib/SignOn/identityimpl.cpp 714 infoUpdated  SERVER INFO UPDATED. NeedsUpdate " 0 " 
Jan 24 18:35:34 (2016) mfeplugin[2513]: [Debug] ../../../lib/SignOn/identityimpl.cpp 627 storeCredentialsReply stored id: 2 old id: 0
Jan 24 18:35:34 (2016) mfeplugin[2513]: [Debug] SSO stored id:  2
Jan 24 18:35:34 (2016) mfeplugin[2513]: [Debug] Accounts::Service* MfeAccountSetupContext::getMfeService(const QString&, const QString&) "mfemail"
Jan 24 18:35:34 (2016) mfeplugin[2513]: GLIB DEBUG default - exec_transaction: Accounts DB is now locked
Jan 24 18:35:34 (2016) mfeplugin[2513]: GLIB DEBUG default - exec_transaction: Accounts DB is now unlocked
Jan 24 18:35:34 (2016) mfeplugin[2513]: GLIB DEBUG default - exec_transaction: Accounts DB is now locked
Jan 24 18:35:34 (2016) mfeplugin[2513]: GLIB DEBUG default - exec_transaction: Accounts DB is now unlocked
Jan 24 18:35:34 (2016) mfeplugin[2513]: [Debug] void MfeServiceSelectionAppPage::onContextStored() the account is stored sync request is not sent
Jan 24 18:35:34 (2016) mfeplugin[2513]: [Debug] void MfeAccountAppPage::onSyncStateChanged(const AccountsUI::SyncState&) state = 2
Jan 24 18:35:34 (2016) signonpluginprocess: ../../../../src/plugins/password/passwordplugin.cpp 35 PasswordPlugin
Jan 24 18:35:34 (2016) signonpluginprocess: ../../../../lib/plugins/signon-plugins-common/SignOn/blobiohandler.cpp 95 receiveData 227
Jan 24 18:35:34 (2016) signonpluginprocess: ../../../../src/plugins/password/passwordplugin.cpp 66 process
Jan 24 18:35:34 (2016) signonpluginprocess: ../../../../src/plugins/password/passwordplugin.cpp 130 replyResult Result Emitted
Jan 24 18:35:34 (2016) signonpluginprocess: ../../../../lib/plugins/signon-plugins-common/SignOn/blobiohandler.cpp 65 sendData 104
Jan 24 18:35:34 (2016) mfeplugin[2513]: [Debug] int main(int, char**) plugin stopped
Jan 24 18:35:34 (2016) mfeplugin[2513]: [Debug] virtual MfePluginProcess::~MfePluginProcess()
Jan 24 18:35:34 (2016) mfeplugin[2513]: [Debug] Meego graphics system destroyed
Jan 24 18:35:35 (2016) as-daemon[2461]: GLIB DEBUG default - exec_transaction: Accounts DB is now locked
Jan 24 18:35:35 (2016) as-daemon[2461]: GLIB DEBUG default - exec_transaction: Accounts DB is now unlocked
Jan 24 18:35:35 (2016) mfeplugin[2513]: [Warning] QSqlDatabasePrivate::removeDatabase: connection 'qmailstore_sql_connection' is still in use, all queries will cease to work.
Jan 24 18:35:35 (2016) mfeplugin[2513]: [Warning] QEventLoop: Cannot be used without QApplication
Jan 24 18:35:35 (2016) applauncherd[851]: Boosted process (pid=2513) exited with status 0
Jan 24 18:35:37 (2016) as-daemon[2461]: GLIB DEBUG default - exec_transaction: Accounts DB is now locked
Jan 24 18:35:37 (2016) as-daemon[2461]: GLIB DEBUG default - exec_transaction: Accounts DB is now unlocked
But synchronisation is not possible.
It fails with the Message "Invalid Host Address"

Code:
Jan 24 18:40:11 (2016) icd2 0.213.4+0m8[1197]: Duplicate filter: Do not add filter for app :1.410
Jan 24 18:40:26 (2016) as-info-ui[2555]: void SyncInfoEngine::startSync()
Jan 24 18:40:26 (2016) as-info-ui[2555]: Call  sync ( 2 )
Jan 24 18:40:26 (2016) icd2 0.213.4+0m8[1197]: Duplicate filter: Do not add filter for app :1.413
Jan 24 18:40:26 (2016) as-info-ui[2555]: void SyncInfoEngine::checkSyncStarted(qulonglong)
Jan 24 18:40:26 (2016) as-info-ui[2555]: void SyncInfoEngine::syncStarted()
Jan 24 18:40:27 (2016) as-info-ui[2555]: void SyncInfoEngine::getSharedData(bool)
Jan 24 18:40:28 (2016) as-info-ui[2555]: void SyncInfoEngine::checkSyncStopped(qulonglong)
Jan 24 18:40:28 (2016) as-info-ui[2555]: void SyncInfoEngine::getSharedData(bool)
Jan 24 18:40:28 (2016) as-info-ui[2555]: void SyncFailedWidget::setData(const SyncInfoData&)  error= 12

Which I understand can be fixed with "MeMailSettings".and forcing EAS Version 2.5

Nevertheless, this does not solve the Problem with my Horde Server

peterleinchen 2016-01-24 19:23
Re: cacert on N950 in OpenMode and MfE
 
This is my log now:

Code:
Jan 24 20:13:39 (2016) mfeplugin[32393]: [Debug] void MfeCheckCredentialsDialog::onAppeared() already online
Jan 24 20:13:39 (2016) mfeplugin[32393]: [Debug] void MfeCheckCredentialsDialog::sendRequest()
Jan 24 20:13:39 (2016) mfeplugin[32393]: [Debug] Connecting to URL:  "https://bla.bla.bla:443/Microsoft-Server-ActiveSync"
Jan 24 20:13:39 (2016) icd2 0.213.4+0m8[1386]: Duplicate filter: Do notadd filter for app :1.5754
Jan 24 20:13:39 (2016) mfeplugin[32393]: [Debug] QNetworkReplyImpl::_q_startOperation was called more than once
Jan 24 20:13:41 (2016) accounts-ui[32347]: Meego graphics system destroyed
Jan 24 20:13:46 (2016) mfeplugin[32393]: [Debug] Meego graphics system destroyed
Jan 24 20:13:46 (2016) mfeplugin[32393]: [Debug] CertManager: ssl error "The issuer certificate of a locally looked up certificate could not be found" : "The issuer certificate of a locally looked up certificate could not be found"
Jan 24 20:13:46 (2016) mfeplugin[32393]: [Debug] CertManager: server certificate "CAcert Class 3 Root" has been already accepted by user
Jan 24 20:13:46 (2016) mfeplugin[32393]: [Debug] CertManager: ssl error "The root CA certificate is not trusted for this purpose": "The root CA certificate is not trusted for this purpose"
Jan 24 20:13:46 (2016) mfeplugin[32393]: [Debug] CertManager: server certificate "CAcert Class 3 Root" has been already accepted by user
Jan 24 20:13:46 (2016) mfeplugin[32393]: [Debug] void MfeCheckCredentialsDialog::onSendFinished(QNetworkReply*) replyError= 0 "Unknown error"
Jan 24 20:13:46 (2016) mfeplugin[32393]: [Debug] error( 0 )= 3

xelo 2016-01-24 19:48
Re: cacert on N950 in OpenMode and MfE
 
Thanks peterleinchen:

now we can see that MFE --when trying to synchronize with Horde ActiveSync Plugin-- always terminates with:

Code:
Jan 24 20:13:46 (2016) mfeplugin[32393]: [Debug] void MfeCheckCredentialsDialog::onSendFinished(QNetworkReply*) replyError= 0 "Unknown error"
Jan 24 20:13:46 (2016) mfeplugin[32393]: [Debug] error( 0 )= 3
and the Issue can be replicated on other N950's.


What can be the next steps for me:

1) I deploy another instance of Horde on a different server which does not require SNI
2) Capture Traffic of N950 with Wireshark


Do you know of any workarounds apart of syncevolution which can be used to synchronize Contacts / addressbooks with CardDav / SyncML?

peterleinchen 2016-01-24 20:25
Re: cacert on N950 in OpenMode and MfE
 
Quote:
Originally Posted by xelo (Post 1496165)
Thanks peterleinchen:


Do you know of any workarounds apart of syncevolution which can be used to synchronize Contacts / addressbooks with CardDav / SyncML?
Nope :(, never bothered.

xelo 2016-04-08 19:31
Re: cacert on N950 in OpenMode and MfE
 
Short update:

Still didn't get MfE to work. Native Caldav Works, I'm syncing Contacts with SyncEvolution.


All times are GMT. The time now is 01:08.

vBulletin® Version 3.8.8