uniqueHH

Reputation: 1

TLS - Cert Hostname DOES NOT VERIFY

After an SSL certificate change on my virtual server running Plesk and Ubuntu, I suddenly ran into an email issue.

Cert Hostname DOES NOT VERIFY (mail.koemanmotoren.nl != www.koemanmotoren.nl) http://www.checktls.com/perl/TestReceiver.pl

mail: e.g. [email protected]

Indeed, this site seems to verify that the hostname is mail.koemanmotoren.nl https://www.ssllabs.com/ssltest/analyze.html?d=koemanmotoren.nl

However, I have changed every single hostname I could find; whether I change it in Plesk or via SSH, it automatically changes everywhere anyway, but somewhere there must be another hostname noted?

The certificate is purchased and verified for koemanmotoren.nl and www.koemanmotoren.nl

Upvotes: 1

Views: 6915

Answers (1)

jww

Reputation: 102346

It appears you are using the same certificate on mail.koemanmotoren.nl and www.koemanmotoren.nl (see below). Both Subject Key Identifiers are 26:61:81:B0...4A:F8:4F:5B.

It looks like your DNS is incorrect. You are using the same IP address for both mail.koemanmotoren.nl and www.koemanmotoren.nl.

$ dig mail.koemanmotoren.nl a

;; QUESTION SECTION:
;mail.koemanmotoren.nl.     IN  A

;; ANSWER SECTION:
mail.koemanmotoren.nl.  21164   IN  A   176.28.10.250

And:

$ dig www.koemanmotoren.nl a
...

;; QUESTION SECTION:
;www.koemanmotoren.nl.      IN  A

;; ANSWER SECTION:
www.koemanmotoren.nl.   21223   IN  A   176.28.10.250

If that's correct, then the certificate is missing a Subject Alternative Name (SAN) for mail.koemanmotoren.nl.

According to DNS, your mail server is mail.koemanmotoren.nl:

$ dig koemanmotoren.nl mx
...

;; ANSWER SECTION:
koemanmotoren.nl.   21219   IN  MX  10 mail.koemanmotoren.nl.

;; ADDITIONAL SECTION:
mail.koemanmotoren.nl.  13180   IN  A   176.28.10.250

However, it appears your mail server is using your web server's certificate.

$ openssl s_client -connect mail.koemanmotoren.nl:993 2>&1 | openssl x509 -text -noout

        Subject: OU=Domain Control Validated, CN=www.koemanmotoren.nl
        ...
            X509v3 Subject Alternative Name: 
                DNS:www.koemanmotoren.nl, DNS:koemanmotoren.nl
                ...

And it appears you don't have anything on 465:

$ openssl s_client -connect mail.koemanmotoren.nl:465
CONNECTED(00000003)
140735144829404:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:787:
---
no peer certificate available
---
...

$ openssl s_client -connect mail.koemanmotoren.nl:443 2>&1 | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            11:21:13:40:67:18:79:8f:1d:3f:c5:48:48:f4:2c:f1:24:b6
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Domain Validation CA - SHA256 - G2
        Validity
            Not Before: Jun 10 11:20:11 2014 GMT
            Not After : Jul 15 10:12:25 2015 GMT
        Subject: OU=Domain Control Validated, CN=www.koemanmotoren.nl
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:eb:cf:e0:55:34:52:79:43:8b:49:1b:65:1c:b1:
                    ed:ad:93:52:12:b9:3a:55:d7:c2:10:10:cc:3f:2c:
                    e0:11:9a:4b:5b:ba:eb:3b:5f:f7:ad:74:e2:15:ba:
                    04:14:bc:52:84:ce:4b:a3:e7:a5:48:45:0f:09:cc:
                    b9:98:2d:1c:0a:00:75:0d:d0:ac:d6:88:52:5b:50:
                    fb:bb:10:8b:8d:17:ce:1b:ba:61:23:46:7e:77:70:
                    0e:d4:89:17:bb:2a:76:62:17:d9:12:ae:7a:1d:8e:
                    f1:b6:ff:f3:53:76:cd:74:fb:c9:c4:99:27:c8:4c:
                    5d:9d:07:53:53:d5:16:42:f5:0f:cd:75:01:82:20:
                    05:07:d6:19:a7:9d:77:85:84:97:cb:61:5a:f9:10:
                    d1:88:e4:7c:09:97:8c:9a:c1:4f:b9:a6:bf:57:87:
                    ab:87:59:01:fa:48:3f:86:5e:fe:15:49:8c:32:de:
                    6b:01:23:ea:6c:d3:fc:77:f8:c5:3f:41:89:18:74:
                    1b:44:87:b8:76:e4:cd:b8:be:33:0b:71:7d:4e:7f:
                    83:0a:46:7e:ef:63:ce:0a:20:7e:7c:aa:2a:d4:82:
                    af:95:a9:29:3d:13:e6:52:51:f2:74:ef:93:70:d9:
                    71:9b:1f:19:a5:d0:f7:9e:cc:c8:3d:63:6a:a6:35:
                    7c:75
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                  CPS: https://www.globalsign.com/repository/

            X509v3 Subject Alternative Name: 
                DNS:www.koemanmotoren.nl, DNS:koemanmotoren.nl
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.globalsign.com/gs/gsdomainvalsha2g2.crl

            Authority Information Access: 
                CA Issuers - URI:http://secure.globalsign.com/cacert/gsdomainvalsha2g2r1.crt
                OCSP - URI:http://ocsp2.globalsign.com/gsdomainvalsha2g2

            X509v3 Subject Key Identifier: 
                26:61:81:B0:89:19:AF:DC:BE:01:DC:59:C1:28:F0:D4:4A:F8:4F:5B
            X509v3 Authority Key Identifier: 
                keyid:EA:4E:7C:D4:80:2D:E5:15:81:86:26:8C:82:6D:C0:98:A4:CF:97:0F

    Signature Algorithm: sha256WithRSAEncryption
         7a:84:d6:2e:31:44:25:95:aa:d0:30:b6:2e:8c:1b:a9:a3:f3:
         2e:f3:9c:0d:cf:a9:51:29:5f:39:ac:f2:1d:4b:f7:e0:50:05:
         bf:b6:51:f1:0b:a9:43:42:32:9e:40:45:f3:e9:a7:7a:97:7e:
         aa:80:c6:0f:f3:89:5c:87:d4:51:c3:44:a1:55:0a:16:3f:66:
         8e:1e:af:74:95:18:98:ef:be:08:e5:20:f0:b2:20:4c:88:8e:
         8b:00:c3:5d:0b:aa:cc:b6:80:23:83:3a:24:83:8d:fa:13:14:
         bf:76:be:60:d0:c8:ce:6e:8d:22:01:90:0f:f4:5e:fa:d6:80:
         25:e9:ff:d6:07:1d:95:41:4b:74:c2:a7:a3:e3:02:c4:d3:77:
         3e:c9:e2:71:49:ba:4b:71:f8:92:0d:92:24:72:3c:ac:47:ef:
         5e:54:2b:c4:ed:5c:78:9d:75:17:f5:7f:23:bd:af:ee:35:4a:
         54:0e:72:00:45:45:0a:be:8f:ba:d5:3b:18:f9:8b:e0:0a:25:
         74:76:21:01:67:50:6a:0b:7a:3c:fb:c4:b5:ab:f5:01:56:97:
         8f:28:d0:28:54:0c:38:5d:7d:36:8d:89:6b:27:62:dd:93:e2:
         ea:7f:88:e8:cb:df:0b:4c:74:19:1f:7e:be:54:08:6b:85:e0:
         28:52:c9:d7

Upvotes: 2
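A way to reproduce the check that CheckTLS (and any IMAP/SMTP client) performs, added here as an example and not code from the answer or from Plesk: it parses the `X509v3 Subject Alternative Name` entries out of `openssl x509 -text` output and applies RFC 6125 name matching to the mail hostname. The first sample is the SAN excerpt from the answer above; the second is a constructed variant that adds `DNS:mail.koemanmotoren.nl`, which is what a reissued certificate would need. `live_check()` is a hypothetical helper that runs the same test against a real host through Python's `ssl` module; it is only invoked when a host is passed on the command line.

```python
"""Check whether a certificate's Subject Alternative Names cover a hostname.

Added example (standard library only). Offline part: parse the SAN line from
`openssl x509 -text -noout` output and match a hostname against it.
Online part: live_check() lets Python's ssl module do the same verification
against a real server (ports 993/465 speak TLS immediately; 25/587 would
need STARTTLS first, which this helper does not do).
"""
import re
import socket
import ssl
import sys
from typing import List, Optional

# The SAN names sit on the line after the extension header in openssl's text dump.
SAN_RE = re.compile(r"X509v3 Subject Alternative Name:[ \t]*\n[ \t]*(.+)")

# Excerpt copied from the answer's `openssl x509 -text` output for port 993/443.
WEB_CERT_TEXT = """\
        Subject: OU=Domain Control Validated, CN=www.koemanmotoren.nl
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:www.koemanmotoren.nl, DNS:koemanmotoren.nl
            X509v3 Basic Constraints: 
                CA:FALSE
"""

# Constructed sample: what the extension would look like once the mail name is added.
FIXED_CERT_TEXT = """\
        Subject: OU=Domain Control Validated, CN=www.koemanmotoren.nl
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:www.koemanmotoren.nl, DNS:koemanmotoren.nl, DNS:mail.koemanmotoren.nl
"""


def san_dns_names(x509_text: str) -> List[str]:
    """Return the DNS: entries of the SAN extension, lower-cased, without a trailing dot."""
    match = SAN_RE.search(x509_text)
    if not match:
        return []
    names = []
    for entry in match.group(1).split(","):
        entry = entry.strip()
        if entry.startswith("DNS:"):
            names.append(entry[len("DNS:"):].lower().rstrip("."))
    return names


def hostname_matches(hostname: str, san_names: List[str]) -> Optional[str]:
    """RFC 6125-style match: exact label match, or a single leftmost '*' label
    that stands for exactly one label (and never for a whole TLD). Returns the
    SAN entry that matched, or None."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        labels = name.split(".")
        if labels == host_labels:
            return name
        if (labels[0] == "*"
                and len(labels) == len(host_labels) >= 3
                and labels[1:] == host_labels[1:]):
            return name
    return None


def cert_covers_host(hostname: str, x509_text: str) -> Optional[str]:
    """Glue: which SAN entry (if any) in this certificate text covers hostname."""
    return hostname_matches(hostname, san_dns_names(x509_text))


def live_check(host: str, port: int = 993) -> List[str]:
    """Hypothetical helper: connect with default verification, which raises
    ssl.SSLCertVerificationError on a name mismatch (the CheckTLS condition).
    On success, return the DNS SAN entries of the presented certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 993
        print(live_check(sys.argv[1], port))
    else:
        for label, text in (("web cert on mail host", WEB_CERT_TEXT),
                            ("cert with mail SAN", FIXED_CERT_TEXT)):
            hit = cert_covers_host("mail.koemanmotoren.nl", text)
            print(f"{label}: {hit or 'Cert Hostname DOES NOT VERIFY'}")
```

Run with no arguments for the offline comparison; run as `python check_san.py mail.koemanmotoren.nl 993` to verify a live host. The one-line equivalent with OpenSSL 1.1.0 or later is `openssl s_client -connect mail.koemanmotoren.nl:993 -servername mail.koemanmotoren.nl -verify_hostname mail.koemanmotoren.nl`, which reports a verification error when the SAN list lacks the name. The fix the answer points at is to reissue the certificate with `mail.koemanmotoren.nl` in its SAN list (or to install a separate certificate for the mail service), not to rename hosts in Plesk.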
