3
SSL Validation and Trust Error after new cert install
Question asked by digital.iway - 12/19/2017 at 4:46 PM
Unanswered
I am using SM 15.7.6542 and every year I install / renew a UCC SSL for the server and install it. Most clients that need/want to connect with SSL / TLS will use the address mail.mydomain.net. I typically never have any issues, but this year after install I am getting iPads, iPhones and some Outlook 2016 machines on Windows 7 that are throwing certificate errors like "certificate cannot be verified", and iPads show "cannot be trusted / certificate not valid". I am running Windows 10 and Outlook 2016/365 and have no issues at all running STARTTLS connecting to my mail server. I followed the CSR generating and install instructions from GoDaddy and the SmarterMail instructions for export and replace methodically. It has been way over 72 hours and the SSL cert checks out with every validity checker I could find. Anyone have these issues before or can lead me in the right direction?

8 Replies

1
digital.iway Replied
After reviewing the logs I do see this:
 
[2017.12.19] 18:27:45 [207.255.42.59][30624809] Exception negotiating SSL certificate: System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
[2017.12.19]    at System.Net.Security.SslStream.BeginAuthenticateAsServer(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation, AsyncCallback asyncCallback, Object asyncState)
[2017.12.19] 18:27:52 [207.255.42.59][65711734] Exception negotiating SSL certificate: System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
[2017.12.19]    at System.Net.Security.SslStream.BeginAuthenticateAsServer(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation, AsyncCallback asyncCallback, Object asyncState)
0
Matt Petty Replied
Employee Post
This is behavior we see at the office. I believe it's because we only allow TLS 1.1 and 1.2. This particular case I'd consider normal behavior. This specific error was not caused by a certificate issue.

"The client and server cannot communicate, because they do not possess a common algorithm"
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
0
digital.iway Replied
I also only allow certain protocols which include TLS 1.0, 1.1, 1.2

The strange thing is that this error only comes from a Windows 10 machine running Windows Mail, and it worked perfectly with no errors before I changed the certificate. I have that client machine running with SSL off temporarily to keep them working.

Besides that Windows 10 Mail issue, I still have a few Windows 7 machines running Outlook 2016 throwing an error only on startup of Outlook. ERROR BOX: "The server you are connected to is using a security certificate that cannot be verified. The target principal name is incorrect. Do you want to continue using this server? YES | NO"

No logs are being generated on the server for the error above.

I know the certificate is valid and is working on most client boxes, with a handful of iPads and iPhones showing the same or a similar message. This is out of about 1500 email addresses and around 105 domains.

Is there any cache of the SSL certificates / state that could be hanging on in devices that you are aware of?

0
digital.iway Replied
Also in the server event viewer log I am getting a ton of the following error logs: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 46.
0
Employee Replied
Employee Post
Greetings,
 
I see this issue crop up every now and then with certificate renewals. When you performed the renewal on the SSL certificate, was this installed into Windows with a new common name?
 
For example, I've seen issues arise with certificates being renewed where the friendly name is set to 'mail.domain.com'. When it comes time for renewal, the certificate is installed into the server with the same friendly name of mail.domain.com.
 
This, in my experience, can cause Windows to get confused about which certificate to actually serve up. In some instances, I've seen Windows serve the outdated SSL certificate even when it's no longer present in the Windows Certificate Store.
 
The only way I've been able to correct this issue when encountered is to re-key the certificate and then re-install it into Windows with a different friendly name. Instead of just entering mail.domain.com, try mail.domain.com expires <date>.
 
Once this has been re-installed into Windows, you'll then need to perform the steps to export your certificate into a password protected PFX file containing the private key. The process for doing this can be found in our KB article here: https://portal.smartertools.com/kb/a2671/configure-ssl-tls-to-secure-smartermail.aspx
 
I hope this helps.
0
digital.iway Replied
When I created the CSR I used the main mail server address "mail.domain.com" for the common name. When I installed the cert I first removed the old cert in IIS, then I completed the certificate request/install using the friendly name that matched the common name exactly, "mail.domain.com".
Since I still have the cert files, could I just remove the cert and re-install it with a different Friendly Name as you describe, or are you saying I would need to generate a new CSR and do a full re-key from GoDaddy, then re-install with the new friendly name?
 
I re-keyed again last night and did a re-install because I thought that the abbreviation of the State might be causing an issue in the CSR, but no go, and I am getting a bunch more people having issues today.
0
digital.iway Replied
It seems this is ONLY iPhones / iPads having an issue, and when I look at the settings SSL is on and they have their own domain in the mail server host field, which should not work but did in the past. I have them update the settings to mail.domain.com, my mail server address, and it is functional again. This is really confusing, that phones were functional before and now they are not, especially since they did not have my mail server address listed in the host field.

This is a UCC certificate that I use and have always used. I added the additional SAN's as I always do.

0
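The thread mixes two distinct failure modes: the "do not possess a common algorithm" exception and the event-viewer alert 46 come from the TLS handshake (protocol/cipher negotiation and the client rejecting the certificate it was shown), while "The target principal name is incorrect" and the iPhone behaviour come from the client comparing the host name it connected to against the certificate's SANs. The script below is an added example, not code from SmarterTools or from the poster; it classifies constructed log lines modelled on the messages quoted above, decodes the numeric alert codes using the names from RFC 5246, and checks a client's configured host against a constructed UCC SAN list with a simple RFC 6125-style matcher. The domains, IP address and SAN list are placeholders.

```python
import re
from collections import Counter

# TLS alert descriptions from RFC 5246 section 7.2.2. The "fatal alert code"
# that Windows Schannel logs is the number the remote peer sent on the wire.
TLS_ALERT_DESCRIPTIONS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    70: "protocol_version",
    112: "unrecognized_name",
}

# Constructed sample log lines modelled on the messages quoted in the thread.
# The IP is from the documentation range (RFC 5737), not a real client.
SAMPLE_LOG_LINES = [
    "[2017.12.19] 18:27:45 [203.0.113.10][30624809] Exception negotiating SSL certificate: "
    "System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. "
    "---> System.ComponentModel.Win32Exception: The client and server cannot communicate, "
    "because they do not possess a common algorithm",
    "A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 46.",
    "A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.",
    "The server you are connected to is using a security certificate that cannot be verified. "
    "The target principal name is incorrect.",
    "[2017.12.19] 18:30:01 [203.0.113.10][30624810] Connection closed by client",
]

_ALERT_RE = re.compile(r"fatal alert code is (\d+)")


def classify_tls_error(line: str) -> str:
    """Map one log line to a coarse cause so handshake failures are not
    mistaken for certificate trust failures (or the other way round)."""
    if "do not possess a common algorithm" in line:
        # Schannel found no TLS version or cipher suite both sides support;
        # the certificate was never evaluated by the client.
        return "protocol_or_cipher_mismatch"
    m = _ALERT_RE.search(line)
    if m:
        code = int(m.group(1))
        name = TLS_ALERT_DESCRIPTIONS.get(code, "unknown")
        # Alerts 42-48 mean the client rejected the certificate it was shown.
        if 42 <= code <= 48:
            return f"client_rejected_certificate:{name}"
        return f"client_alert:{name}"
    if "target principal name is incorrect" in line.lower():
        # The host name the client connected to is not in the cert's CN/SANs.
        return "hostname_not_in_certificate"
    return "unclassified"


def summarize_log(lines) -> dict:
    """Count lines per cause; a quick view of which problem dominates."""
    return dict(Counter(classify_tls_error(line) for line in lines))


def hostname_matches_san(hostname: str, san_dns_names) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive exact match, or a single
    leftmost wildcard label covering exactly one non-empty label."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        n = name.lower().rstrip(".")
        if n == host:
            return True
        if n.startswith("*."):
            suffix = n[1:]  # e.g. ".example.net"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


# Constructed SAN list for a UCC certificate; the domains are placeholders.
UCC_SANS = ["mail.example.net", "www.example.net", "autodiscover.example.net"]


def explain_client_host(client_host: str, san_dns_names=UCC_SANS) -> str:
    """State whether a mail client's configured server host will validate
    against the certificate, which is the iPhone/iPad situation in the thread."""
    if hostname_matches_san(client_host, san_dns_names):
        return f"{client_host}: covered by certificate SANs, trust check passes"
    return (f"{client_host}: not in certificate SANs; the client must use one of "
            f"{', '.join(san_dns_names)} or the trust check fails")


if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        print(classify_tls_error(line), "<-", line[:70])
    print(summarize_log(SAMPLE_LOG_LINES))
    print(explain_client_host("mail.example.net"))
    print(explain_client_host("mail.customer-domain.com"))
```

Running it shows the split the thread is circling around: the SmarterMail "common algorithm" line and an alert 70 are negotiation problems unaffected by which certificate is installed, while alert 46 and the Outlook principal-name message are the client refusing the certificate or the name on it. A device configured with its own domain as the server host will fail the SAN check regardless of how the certificate was installed on the server.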
Employee Replied
Employee Post
I would recommend completely re-keying the certificate. Use the same common name, however ensure the friendly name is different. As mentioned in my previous response, I typically just add the expiration date. 
