Back to Community Threads
2
TLS Error "The server mode SSL must use a certificate with the associated private key"
Problem reported by Franz Weninger - 7/4/2019 at 8:43 AM
Resolved
I am runing SM15.7.6970 using a Lets Encrypt certificate for TLS (SSL did work, but can no longer be used). When connection to SM using TLS SMTP I get the said error in the detailed SMTP log:
"The server mode SSL must use a certificate with the associated private key"
An exception is thrown and nothing else happens on the server side - hence the clients get a timeout error after waiting for some times.
I double checked the LE cert and it says "You have a private key" for the cert. It is correct exported w/o private key in the correct format. All the ports and bindings are set, certs verified, firewall adjusted etc. There are no other issues with SM or the server.

Has anyone an idea what can be the cause of this error?

12 Replies

Reply to Thread
0
Jade D Replied
7/4/2019 at 12:24 PM
Try this tool to see whats going on, I suspect your export of the ssl is incorrect
Jade
0
Franz Weninger Replied
7/6/2019 at 6:39 AM
Hi Jade

Thx for your support.

Here is the output, I guess the problems is "Cannot convert to SSL (reason: SSL wants a read first)". This server does not support SSL, just TLS.


[000.284]
We can use this server
[000.284]
TLS is an option on this server
[000.285] -->STARTTLS
[000.378]<-- 220 Start TLS negotiation
[000.379]
STARTTLS command works on this server
[030.407]
Cannot convert to SSL (reason: SSL wants a read first)
[030.407]
Note: This same test with Format set to "Debug" may show more
[030.407] -->MAIL FROM:<test@checktls.com>
[060.409]
Read failed (reason: timed out )
[060.409]<-- 
[060.409]
Cannot proof email address (reason: MAIL FROM rejected)
[060.409]
Note: This does not affect the CheckTLS Confidence Factor
[060.409] -->QUIT

Anything I can do to make this work?
0
Jade D Replied
7/7/2019 at 1:00 AM
Hey Franz

There may be an answer for you within this thread
Jade
0
Franz Weninger Replied
7/7/2019 at 5:52 AM
Hi again,

Yes, I saw this thread before, but as I mentioned in my original post:

    I double checked the LE cert and it says "You have a private key" for the cert.

The certificate is OK, so is the complete chain. AFAIK we do not have a private key for any root CA.
The solution in the mentioned thread was "...turned out the root cert did not include the private key on the server,". What does that mean exactly?

Thank you very much for your kind effort.

Franz
0
Franz Weninger Replied
7/8/2019 at 12:04 AM
Hi Jade D

I just opened a support ticket at Smartertools.

Thank you for taking time to help me in this matter.

Franz
1
Franz Weninger Replied
7/8/2019 at 2:16 AM
Marked As Resolution
If others face TLS issues with v15 or v14: Finally I could solve all problems by linking a PFX certificate including private key and certificate chain to the ports binding. Although the kb article states no word about pfx export for v15 and earlier, it works ways better than the *.cer export. This may not work on a Win 2008 Server, but does on 2012R2.
0
Kyle Kerst Replied
7/8/2019 at 4:39 PM
Employee Post
For future reference, I have seen similar issues like this when multiple copies of the exported certificate end up bound to the Windows Certificate Store. You can check into this by opening certificates.msc and navigating to the Personal section. If this issue is affecting you you'll have multiple copies of your certificate present. I believe this occurs when Windows Certificate Store and the private key get out of sync. I recommend cleaning out the existing certificates and re-requesting a certificate be issued through LetsEncrypt. Once you have that you can export to PFX again and bind this to your ports. Let me know how it goes!
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
1
Franz Weninger Replied
7/9/2019 at 1:23 AM
Hi Kyle

That was not the case here at all. It was a brand new server and there was only 1 certificate present. AFAIS it has no impact in which store the certificate is located. I tried it from "Personal" with a new certificate as well to no avail. Changing to PFX resolves everthing.

I use LE certs and their certificates went into the "Web Hosting" store here, which is "WebHosting" (without the space) when referenced from within a powershell script, btw. 

Here is a powershell script that we use for automation and that works like a charm, although the certificate is not located in "My" ("Personal"):

$mypwd = ConvertTo-SecureString -String "mysecretpassword" -Force -AsPlainText
$thumprint = (Get-ChildItem -Path Cert:\LocalMachine\WebHosting | Where-Object {$_.Subject -match "CN=mail.example.com"}).Thumbprint
Get-ChildItem -Path cert:\localMachine\WebHosting\$thumprint | Export-PfxCertificate -FilePath "C:\SmarterMail\Certificates\mail.example.com.pfx" -Password $mypwd
This will export the certificate along with all extentions, the complete chain and the private key (secured by a password) to the location where SM picks it up (port bindung -> certificate location). No problems so far.

Franz
0
Kyle Kerst Replied
7/9/2019 at 4:37 PM
Employee Post
Thanks Franz, glad to hear you got to the bottom of this, and I appreciate you sending along the LE script you've put together. I see where this differs from the one we had documented in our LE blog post, so I'm going to implement this on some of my test systems and see if I no longer run into these issues with lost private keys and duplicates. Thanks again, the follow up is appreciated. Have a great rest of your week.
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
1
Eric Stoffers Replied
8/5/2019 at 8:28 PM
This absolutely was the solution on my 15.7 install. Thank you!

If others face TLS issues with v15 or v14: Finally I could solve all problems by linking a PFX certificate including private key and certificate chain to the ports binding. Although the kb article states no word about pfx export for v15 and earlier, it works ways better than the *.cer export. This may not work on a Win 2008 Server, but does on 2012R2.
0
Brett Garrett Replied
9/9/2019 at 11:18 PM
In latest build (7188), I solved this issue by using the PFX file to install the certificate with key into the default (Personal) store for Local Computer (not Current User). It was already installed in the Web Hosting store, but SmarterMail didn't find it there.

Regarding Let's Encrypt, what is the best way to handle the auto-renewal process? I'm not sure if there's any way to avoid manual steps to update SmarterMail for every renewal. If not, my suggestion would be an option for SmarterMail to automatically use the same certificate that is used on the IIS site.
2
Franz Weninger Replied
9/10/2019 at 2:43 AM
Brett: You can use a powershell script like the one I posted before to get the certificate in pfx format to the location where Smartermail picks it up. This script can easily be automated with the taskmanager. Have it run once a week and you should be fine.

Good luck,
Franz
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Configure SSL/TLS to Secure SmarterMailSmarterMail > Server Configuration and Management
Securing SmarterMail With Let's EncryptSmarterMail > Installation and Configuration
Migrate SmarterMail to a Different ServerSmarterMail > Installation and Configuration
Configure IIS for Microsoft Exchange ActiveSyncSmarterMail > Server Configuration and Management
Set up Autodiscover for SmarterMailSmarterMail > Installation and Configuration