TLS Error "The server mode SSL must use a certificate with the associated private key"
Problem reported by Franz Weninger - July 4 at 8:43 AM
Resolved
I am running SM15.7.6970 using a Let's Encrypt certificate for TLS (SSL did work, but can no longer be used). When connecting to SM using TLS SMTP I get the said error in the detailed SMTP log:
"The server mode SSL must use a certificate with the associated private key"
An exception is thrown and nothing else happens on the server side - hence the clients get a timeout error after waiting for some time.
I double checked the LE cert and it says "You have a private key" for the cert. It is correctly exported w/o private key in the correct format. All the ports and bindings are set, certs verified, firewall adjusted etc. There are no other issues with SM or the server.

Has anyone an idea what can be the cause of this error?

12 Replies

0
Jade D Replied
Try this tool to see what's going on, I suspect your export of the ssl is incorrect

0
Franz Weninger Replied
Hi Jade

Thx for your support.

Here is the output, I guess the problem is "Cannot convert to SSL (reason: SSL wants a read first)". This server does not support SSL, just TLS.


[000.284] We can use this server
[000.284] TLS is an option on this server
[000.285] -->STARTTLS
[000.378]<-- 220 Start TLS negotiation
[000.379] STARTTLS command works on this server
[030.407] Cannot convert to SSL (reason: SSL wants a read first)
[030.407] Note: This same test with Format set to "Debug" may show more
[030.407] -->MAIL FROM:<test@checktls.com>
[060.409] Read failed (reason: timed out )
[060.409]<-- 
[060.409] Cannot proof email address (reason: MAIL FROM rejected)
[060.409] Note: This does not affect the CheckTLS Confidence Factor
[060.409] -->QUIT

Anything I can do to make this work?

0
Jade D Replied
Hey Franz

There may be an answer for you within this thread
0
Franz Weninger Replied
Hi again,

Yes, I saw this thread before, but as I mentioned in my original post:

    I double checked the LE cert and it says "You have a private key" for the cert.

The certificate is OK, so is the complete chain. AFAIK we do not have a private key for any root CA.
The solution in the mentioned thread was "...turned out the root cert did not include the private key on the server,". What does that mean exactly?

Thank you very much for your kind effort.

Franz

0
Franz Weninger Replied
Hi Jade D

I just opened a support ticket at Smartertools.

Thank you for taking time to help me in this matter.

Franz
1
Franz Weninger Replied
Marked As Resolution
If others face TLS issues with v15 or v14: Finally I could solve all problems by linking a PFX certificate including private key and certificate chain to the port binding. Although the kb article states no word about pfx export for v15 and earlier, it works way better than the *.cer export. This may not work on a Win 2008 Server, but does on 2012R2.
0
Kyle Kerst Replied
Employee Post
For future reference, I have seen similar issues like this when multiple copies of the exported certificate end up bound to the Windows Certificate Store. You can check into this by opening certificates.msc and navigating to the Personal section. If this issue is affecting you, you'll have multiple copies of your certificate present. I believe this occurs when the Windows Certificate Store and the private key get out of sync. I recommend cleaning out the existing certificates and re-requesting a certificate be issued through LetsEncrypt. Once you have that you can export to PFX again and bind this to your ports. Let me know how it goes!
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
1
Franz Weninger Replied
Hi Kyle

That was not the case here at all. It was a brand new server and there was only 1 certificate present. AFAIS it has no impact in which store the certificate is located. I tried it from "Personal" with a new certificate as well to no avail. Changing to PFX resolves everything.

I use LE certs and their certificates went into the "Web Hosting" store here, which is "WebHosting" (without the space) when referenced from within a PowerShell script, btw.

Here is a PowerShell script that we use for automation and that works like a charm, although the certificate is not located in "My" ("Personal"):

# Password that will protect the private key inside the PFX
$mypwd = ConvertTo-SecureString -String "mysecretpassword" -Force -AsPlainText
# Find the LE certificate by subject in the LocalMachine\WebHosting store and take its thumbprint
$thumbprint = (Get-ChildItem -Path Cert:\LocalMachine\WebHosting | Where-Object {$_.Subject -match "CN=mail.example.com"}).Thumbprint
# Export certificate, chain and private key as PFX to the path SM reads from (port binding -> certificate location)
Get-ChildItem -Path Cert:\LocalMachine\WebHosting\$thumbprint | Export-PfxCertificate -FilePath "C:\SmarterMail\Certificates\mail.example.com.pfx" -Password $mypwd
This will export the certificate along with all extensions, the complete chain and the private key (secured by a password) to the location where SM picks it up (port binding -> certificate location). No problems so far.

Franz
0
Kyle Kerst Replied
Employee Post
Thanks Franz, glad to hear you got to the bottom of this, and I appreciate you sending along the LE script you've put together. I see where this differs from the one we had documented in our LE blog post, so I'm going to implement this on some of my test systems and see if I no longer run into these issues with lost private keys and duplicates. Thanks again, the follow up is appreciated. Have a great rest of your week.
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
1
Eric Stoffers Replied
This absolutely was the solution on my 15.7 install. Thank you!

If others face TLS issues with v15 or v14: Finally I could solve all problems by linking a PFX certificate including private key and certificate chain to the port binding. Although the kb article states no word about pfx export for v15 and earlier, it works way better than the *.cer export. This may not work on a Win 2008 Server, but does on 2012R2.
0
Brett Garrett Replied
In latest build (7188), I solved this issue by using the PFX file to install the certificate with key into the default (Personal) store for Local Computer (not Current User). It was already installed in the Web Hosting store, but SmarterMail didn't find it there.

Regarding Let's Encrypt, what is the best way to handle the auto-renewal process? I'm not sure if there's any way to avoid manual steps to update SmarterMail for every renewal. If not, my suggestion would be an option for SmarterMail to automatically use the same certificate that is used on the IIS site.

2
Franz Weninger Replied
Brett: You can use a PowerShell script like the one I posted before to get the certificate in pfx format to the location where SmarterMail picks it up. This script can easily be automated with the task manager. Have it run once a week and you should be fine.

Good luck,
Franz
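An added example (not Franz's script and not SmarterTools code) that extends the export posted earlier in this thread with the checks the thread keeps returning to: it confirms the selected certificate actually carries its private key (the missing piece behind the "server mode SSL" error), warns about duplicate copies of the same certificate across the WebHosting and Personal stores, exports a password-protected PFX with the chain, and registers the weekly scheduled job Franz suggests for renewals. The subject, paths, password and task name are placeholders.

```powershell
# Added example, not the poster's script. Placeholders: subject, paths, password, task name.
$Subject    = 'CN=mail.example.com'
$PfxPath    = 'C:\SmarterMail\Certificates\mail.example.com.pfx'
$PfxPwd     = ConvertTo-SecureString -String 'mysecretpassword' -Force -AsPlainText
$ScriptPath = 'C:\SmarterMail\Export-LePfx.ps1'   # where this script is saved

# Look in both stores mentioned in the thread (WebHosting for LE, My = "Personal")
$certs = @(Get-ChildItem -Path 'Cert:\LocalMachine\WebHosting', 'Cert:\LocalMachine\My' |
           Where-Object { $_.Subject -match [regex]::Escape($Subject) })
if ($certs.Count -eq 0) { throw "No certificate with subject '$Subject' found." }

# Duplicate copies (same thumbprint in several stores) are worth flagging before binding
$certs | Group-Object Thumbprint | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning "Thumbprint $($_.Name) appears $($_.Count) times; remove the stale copies."
}

# Prefer the newest certificate that really has its private key attached;
# a certificate without one is exactly what produces the "server mode SSL" error
$cert = $certs | Where-Object HasPrivateKey | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "Certificate(s) found for '$Subject' but none has an associated private key." }

# Write certificate + private key + full chain into one password-protected PFX
$cert | Export-PfxCertificate -FilePath $PfxPath -Password $PfxPwd -ChainOption BuildChain | Out-Null
Write-Host "Exported $($cert.Thumbprint) (valid until $($cert.NotAfter)) to $PfxPath"

# One-time setup: run this export weekly as SYSTEM so renewed LE certificates are picked up
if (-not (Get-ScheduledTask -TaskName 'SmarterMail LE PFX export' -ErrorAction SilentlyContinue)) {
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 3am
    Register-ScheduledTask -TaskName 'SmarterMail LE PFX export' -Action $action `
        -Trigger $trigger -User 'SYSTEM' -RunLevel Highest | Out-Null
}
```

Run it once from an elevated PowerShell to create the task; every later run is driven by Task Scheduler, and the warning on duplicates points at the condition Kyle describes above.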
