Reputation: 593
SSL connect to mail server. Trusted ssl certificate rejected by mail client
I've godaddy's 2048bit certificate for domain and 4 subdomains. [www.site.com, mail.site.com, e.t.c.]
Standard Multiple Domain (UCC) SSL Up to 5 Domains - 1 year (annual)
That certificate works fine in Apache, ssl web checker says OK and browser shows green line in address string.
I've added this certificate to mail daemon, it has been accepted by Exim too.
When some client tries to send mail with SSL/TLS connection through mail server, mail program says "Certificate is BAD" though shows correct trusted info.
Client connects to hostname: mail.server.com, server's hostname is: ns1.server.com (not added to certificate), mail server says: 220 ns1.site.com ESMTP Exim 4.73
Mail clients tested: iPAD mail client, Mozilla Thunderbird, Mac mail client
Please help.
UPDATE:
Godaddy's ssl checker says: SSL Chain of Trust is Broken!
Upvotes: 0
Views: 2785
Answers (2)
Reputation: 8477
Here are a couple of things to check:
Is the hostname that the mail client uses in the TCP connect, listed in the server certificate as the Common Name (CN) of the subject distinguished name?
If not, is it listed using type "DNS:" in the Subject Alternative Name X509 v3 certificate extension?
If neither of the above, you might be getting "Remote Certificate Name Mismatch" (or similarly named error.)
If it is listed, then look for the Issuer of the certificate, and Issuer of the Issuer, etc., all the way to the root certificate of the chain. The root certificate should be installed on the client machine, in the "Trusted Root" certificate store for whatever client you are using (Windows, Mozilla, Java keystore, etc.)
If the root certificate is installed, then look at the intermediate certificates, if there are any in the chain (between root and server certificates). They have to either be installed locally, or arrive from the server alongside the server certificate -- either the server sends them each time or you've got the intermediate certificates already installed on the client end. Either way, they have got to be in hand to accept the server certificate.
Upvotes: 2
Reputation: 7219
Do the clients which reject the certificate have the appropriate root certificates in their cert store?
Upvotes: 0
Related Questions
- Can't send mail via SSL or TLS using SMTP using Javamail
- Invalid SSL Certificate for Mail Server
- Trusted self-signed cert rejected by SMTP client
- Error in sending mail through smtps
- Javamail - Could not connect to SMTP host
- Could not connect to SMTP host PHP Mailer
- SMTP protocol synchronization error (input sent without waiting for greeting)
- Could not connect to SMTP host
- I could not connect to SMTP host
- Problems with Exim hosts_require_tls config