[CalendarServer-users] Exception thrown when using chained certificates

Nikola Knežević laladelausanne at gmail.com
Sun Mar 31 15:40:04 PDT 2013


Hi,

I finally managed to get Calendar Server (version 4.2) to run on my Mac (10.7.5). It runs without problems if I use a self-signed certificate. However, I wanted to go a step further, and introduce my root and intermediate certificates in the process. However, the server fails with the output listed at the end of this message.

This is the relevant part of caldavd.plist:
   <!--
       SSL/TLS
     -->
   <!-- Public key -->
   <key>SSLCertificate</key>
   <string>/usr/local/caldavd/etc/caldav-server.crt</string>

   <!-- SSL authority chain (for intermediate certs) -->
   <key>SSLAuthorityChain</key>
   <string>/usr/local/caldavd/etc/chain.crt</string>

   <!-- Private key -->
   <key>SSLPrivateKey</key>
   <string>/usr/local/caldavd/etc/caldav-server.key</string>

I created these, using roughly these steps:


openssl genrsa -des3 -passout pass:stdin -out root-ca.key 4096
openssl req -new -key root-ca.key -out root-ca.csr
openssl x509 -req -days 4384 -in root-ca.csr -signkey root-ca.key \
	-extfile GenerateCertificate.cfg -extensions v3_ca -out root-ca.crt
openssl pkcs12 -export -in root-ca.crt -inkey root-ca.key -out root-ca.p12
openssl pkcs12 -in root-ca.p12 -out root-ca.pem -nodes

intermediate:
openssl genrsa -des3 -out intermediate-ca.key 2048
openssl req -new -key intermediate-ca.key -out intermediate-ca.csr
openssl x509 -req -days 4384 -in intermediate-ca.csr \
	-CA root-ca.crt -CAkey root-ca.key \
	-set_serial 1 -extfile GenerateCertificate.cfg -extensions v3_ca -out intermediate-ca.crt
openssl pkcs12 -export -in intermediate-ca.crt -inkey intermediate-ca.key \
	-chain -CAfile root-ca.crt -out intermediate-ca.p12
openssl pkcs12 -in intermediate-ca.p12 -out intermediate-ca.pem -nodes

leaf certificates:
export name=caldav-server
openssl genrsa -des3 -out $name.key 2048
openssl req -new -key $name.key -out $name.csr
openssl x509 -req -days 1095 -in $name.csr -CA root/intermediate-ca.crt -CAkey root/intermediate-ca.key \
	-set_serial 1 -out $name.crt
openssl pkcs12 -export -in $name.crt -inkey $name.key -chain -CAfile root/intermediate-ca.pem -out $name.p12
openssl pkcs12 -in $name.p12 -out $name.pem -nodes

And then I produce chain.crt by doing:
	cat caldav-server.crt intermediate-ca.crt root-ca.crt > chain.crt

I created a virtualenv for caldav server, where I'm running Twisted 12.3.0 (same problem appears with 12.0.0).

Any pointer toward resolving this issue would be most helpful :)

Thanks,
Nikola


This is the output I'm getting:
2013-03-31 20:02:24+0200 [-] [caldav-0]  [-] Unhandled Error
2013-03-31 20:02:24+0200 [-] [caldav-0] 	Traceback (most recent call last):
2013-03-31 20:02:24+0200 [-] [caldav-0] 	  File "/usr/local/caldavd/lib/python2.7/site-packages/Twisted-12.3.0-py2.7-macosx-10.7-intel.egg/twisted/python/log.py", line 73, in callWithContext
2013-03-31 20:02:24+0200 [-] [caldav-0] 	    return context.call({ILogContext: newCtx}, func, *args, **kw)
2013-03-31 20:02:24+0200 [-] [caldav-0] 	  File "/usr/local/caldavd/lib/python2.7/site-packages/Twisted-12.3.0-py2.7-macosx-10.7-intel.egg/twisted/python/context.py", line 118, in callWithContext
2013-03-31 20:02:24+0200 [-] [caldav-0] 	    return self.currentContext().callWithContext(ctx, func, *args, **kw)
2013-03-31 20:02:24+0200 [-] [caldav-0] 	  File "/usr/local/caldavd/lib/python2.7/site-packages/Twisted-12.3.0-py2.7-macosx-10.7-intel.egg/twisted/python/context.py", line 81, in callWithContext
2013-03-31 20:02:24+0200 [-] [caldav-0] 	    return func(*args,**kw)
2013-03-31 20:02:24+0200 [-] [caldav-0] 	  File "/usr/local/caldavd/lib/python2.7/site-packages/Twisted-12.3.0-py2.7-macosx-10.7-intel.egg/twisted/internet/selectreactor.py", line 151, in _doReadOrWrite
2013-03-31 20:02:24+0200 [-] [caldav-0] 	    why = getattr(selectable, method)()
2013-03-31 20:02:24+0200 [-] [caldav-0] 	--- <exception caught here> ---
2013-03-31 20:02:24+0200 [-] [caldav-0] 	  File "/usr/local/caldavd/lib/python2.7/site-packages/twext/internet/sendfdport.py", line 295, in doRead
2013-03-31 20:02:24+0200 [-] [caldav-0] 	    description, protocol)
2013-03-31 20:02:24+0200 [-] [caldav-0] 	  File "/usr/local/caldavd/lib/python2.7/site-packages/twext/web2/metafd.py", line 103, in createTransport
2013-03-31 20:02:24+0200 [-] [caldav-0] 	    transport.startTLS(self.contextFactory)
2013-03-31 20:02:24+0200 [-] [caldav-0] 	  File "/usr/local/caldavd/lib/python2.7/site-packages/Twisted-12.3.0-py2.7-macosx-10.7-intel.egg/twisted/internet/_newtls.py", line 179, in startTLS
2013-03-31 20:02:24+0200 [-] [caldav-0] 	    startTLS(self, ctx, normal, FileDescriptor)
2013-03-31 20:02:24+0200 [-] [caldav-0] 	  File "/usr/local/caldavd/lib/python2.7/site-packages/Twisted-12.3.0-py2.7-macosx-10.7-intel.egg/twisted/internet/_newtls.py", line 139, in startTLS
2013-03-31 20:02:24+0200 [-] [caldav-0] 	    tlsFactory = TLSMemoryBIOFactory(contextFactory, client, None)
2013-03-31 20:02:24+0200 [-] [caldav-0] 	  File "/usr/local/caldavd/lib/python2.7/site-packages/Twisted-12.3.0-py2.7-macosx-10.7-intel.egg/twisted/protocols/tls.py", line 602, in __init__
2013-03-31 20:02:24+0200 [-] [caldav-0] 	    contextFactory.getContext()
2013-03-31 20:02:24+0200 [-] [caldav-0] 	exceptions.AttributeError: 'NoneType' object has no attribute 'getContext'
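Added example, not from the original post or the CalendarServer project: a standard-library-only check of the order of a PEM bundle like the chain.crt above (leaf, then intermediate, then root). It compares raw DER issuer and subject names only and verifies no signatures; `fake_cert` is a constructed, unsigned fixture for self-testing, not a real certificate.

```python
import base64
import re
# Added example (not from the original post): reads just enough DER to get each
# certificate's issuer/subject and reports how a PEM bundle is ordered. No signature checks.

def _tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length (real certs use it)
        n, length = length & 0x7F, 0
        for b in data[pos:pos + n]:
            length = (length << 8) | b
        pos += n
    return tag, data[pos:pos + length], pos + length

def _children(seq):
    """Yield (tag, value) for each element directly inside a DER SEQUENCE body."""
    pos = 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        yield tag, val

def issuer_subject(der):
    """Return (issuer, subject) as raw DER Name bytes from one DER certificate."""
    _, tbs, _ = _tlv(_tlv(der, 0)[1], 0)    # Certificate -> TBSCertificate
    fields = [v for t, v in _children(tbs) if t != 0xA0]  # drop [0] EXPLICIT version
    return fields[2], fields[4]             # serial, sigAlg, issuer, validity, subject, ...

def pem_certs(text):
    """DER of every CERTIFICATE block in a PEM bundle, in file order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def check_chain(text):
    """Per-cert status: 'chains to next', 'self-signed' (a root) or 'dangling' (out of order)."""
    names = [issuer_subject(der) for der in pem_certs(text)]
    return ["chains to next" if i + 1 < len(names) and iss == names[i + 1][1]
            else "self-signed" if iss == subj else "dangling"
            for i, (iss, subj) in enumerate(names)]

def fake_cert(subject, issuer):
    """Constructed, unsigned toy certificate with the real TBS field layout (test data only)."""
    def tlv(tag, body): return bytes([tag, len(body)]) + body   # short-form lengths suffice here
    def name(cn): return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x13, cn.encode()))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name(issuer) + tlv(0x30, b"") + name(subject))
    der = tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
```

A well-ordered bundle reports "chains to next" for every certificate but the last, which is "self-signed" when the root is appended as in the `cat` above; a "dangling" entry means a certificate is not issued by the one that follows it.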

