Certificate expired problem
Problem reported by Scott Wilson - 9/30/2021 at 11:55 PM
I used the following KB article to create a cert and secure a SmarterMail instance and everything was fine until recently.


When I run my server through a TLS tester it says the cert is expired even though I have tried renewing it repeatedly. Below is the output I'm getting from the script, I notice a number of lines that say "Missing stored keyset." Any idea what the problem could be?


C:\SmarterMail\Scripts>Powershell.exe -executionpolicy remotesigned -File c:\SmarterMail\Scripts\exportcert.ps1
MY "Personal"
================ Certificate 0 ================
Serial Number: xxxxxxxxxxxxxxxxx
Issuer: CN=R3, O=Let's Encrypt, C=US
 NotBefore: 9/23/2021 2:55 PM
 NotAfter: 12/22/2021 2:55 PM
Subject: CN=mail.example.com
Non-root Certificate
Cert Hash(sha1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Key Container = {00000000-0000-0000-0000-000000000000}
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Missing stored keyset
Encryption test passed
Missing stored keyset
Encryption test passed (CNG)
CertUtil: -exportPFX command completed successfully.
MY "Personal"
================ Certificate 1 ================
Serial Number: xxxxxxxxxxxxxxxxx
Issuer: CN=R3, O=Let's Encrypt, C=US
 NotBefore: 8/24/2021 2:23 PM
 NotAfter: 11/22/2021 2:23 PM
Subject: CN=mail.example.com
Non-root Certificate
Cert Hash(sha1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Key Container = {00000000-0000-0000-0000-000000000000}
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Missing stored keyset
Encryption test passed
Missing stored keyset
Encryption test passed (CNG)
CertUtil: -exportPFX command completed successfully.
MY "Personal"
================ Certificate 3 ================
Serial Number: xxxxxxxxxxxxxxxxx
Issuer: CN=R3, O=Let's Encrypt, C=US
 NotBefore: 8/15/2021 10:53 AM
 NotAfter: 11/13/2021 10:53 AM
Subject: CN=mail.example.com
Non-root Certificate
Cert Hash(sha1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Key Container = {00000000-0000-0000-0000-000000000000}
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Missing stored keyset
Encryption test passed
Missing stored keyset
Encryption test passed (CNG)
CertUtil: -exportPFX command completed successfully.
MY "Personal"
================ Certificate 4 ================
Serial Number: xxxxxxxxxxxxxxxxx
Issuer: CN=R3, O=Let's Encrypt, C=US
 NotBefore: 9/30/2021 9:26 PM
 NotAfter: 12/29/2021 9:26 PM
Subject: CN=mail.example.com
Non-root Certificate
Cert Hash(sha1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Key Container = {00000000-0000-0000-0000-000000000000}
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Missing stored keyset
Encryption test passed
Missing stored keyset
Encryption test passed (CNG)
CertUtil: -exportPFX command completed successfully.
MY "Personal"
================ Certificate 5 ================
Serial Number: xxxxxxxxxxxxxxxxx
Issuer: CN=R3, O=Let's Encrypt, C=US
 NotBefore: 7/16/2021 10:52 AM
 NotAfter: 10/14/2021 10:52 AM
Subject: CN=mail.example.com
Non-root Certificate
Cert Hash(sha1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Key Container = {00000000-0000-0000-0000-000000000000}
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Missing stored keyset
Encryption test passed
Missing stored keyset
Encryption test passed (CNG)
CertUtil: -exportPFX command completed successfully.

C:\SmarterMail\Scripts>pause
Press any key to continue . . .


10 Replies

Gabriele Maoret - SERSIS Replied
Do you use "Certify the web"?

You must update it to the latest version.
Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
Scott Wilson Replied
Yes, I use Certify the Web and tried updating to the latest version but still no luck.
Sabatino Replied
I was just thinking about this these past few days.
It would be very useful to add a certificate test to SmarterMail's diagnostics and/or a view of the details of the certificates in use.

Validity, expiry etc.

Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
Manuel Martins Replied
Hi,

I had the same problem, and the solution was as Gabriele Maoret said: just update Certify the Web!

After that the certificate was OK.
Gabriele Maoret - SERSIS Replied
@Scott Wilson: it's not enough to update "Certify the Web".

After that, you also need to update the certificate (open Certify the Web and re-issue the certificate request).

Sorry if I am not clear enough on that.
Scott Wilson Replied
I went in and clicked the Request Certificate button on the specific cert, is that enough? Or do I need to delete the cert and start all over again?
Kyle Kerst Replied
Employee Post
This could be your PowerShell script that exports the updated certificate to the PFX file. Have you run that manually?
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
Scott Wilson Replied
I ran it from PowerShell itself instead of through the batch file, but I'm not sure how that makes a difference. Interestingly, I still get the messages that say "Missing stored keyset", but when I run a TLS test it says the cert is now valid; okay, as long as it works. The test also tells me I should support TLS v1.3; does SmarterMail support this? I haven't updated my instance for several months.
Karl Jones Replied
The problem was caused by the Let's Encrypt root certificate expiring on 30 Sept 21. If users have Certify the Web installed, then update the program and then update the certificate, even if it has time left before expiring. Once this has been done there should be no further certificate-expired errors, although it seems Firefox on one of my clients refused to update despite clearing the cache and just presented a white screen when trying to log into SmarterMail webmail, still showing a failed SSL logon.

Gabriele Maoret - SERSIS Replied
You need to:
  • update "Certify the Web"
  • request a new certificate
  • run the SmarterMail certificate script

After that everything is OK.
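A local check of the two things this thread turns on, as an added example that is not from the thread, the KB article or SmarterTools' own export script: which certificates with this subject sit in the machine's Personal store (the five entries certutil printed in the original post) and whether each has a private key bound to it, and which certificate and chain the server actually presents on its TLS ports, judged by Windows' own chain builder. The host name, subject and port list are assumptions; replace them with your own. Run it in an elevated PowerShell on the mail server after re-issuing the certificate in Certify the Web and re-running the export script.

```powershell
# Added diagnostic, not from the thread or from SmarterTools. Assumed values:
# $HostName, $Subject and $Ports; replace them with your own.
$HostName = 'mail.example.com'
$Subject  = 'CN=mail.example.com'
$Ports    = @(443, 465, 993)   # HTTPS, SMTPS, IMAPS: implicit TLS, no STARTTLS needed

# 1. What is in the local machine Personal store for this subject?
#    Several entries share the subject after repeated renewals; only the newest
#    one with a private key can be exported to a PFX the server can actually use.
$stored = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotAfter -Descending
'Store entries for {0}:' -f $Subject
foreach ($c in $stored) {
    $state = if ($c.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid  ' }
    '  {0} thumbprint={1} NotAfter={2:u} HasPrivateKey={3} Issuer={4}' -f `
        $state, $c.Thumbprint, $c.NotAfter, $c.HasPrivateKey, $c.Issuer
}

# 2. What does the server send on each port? Accept any certificate at the TLS
#    layer so the handshake completes, then build and judge the chain ourselves.
function Get-ServedCertificate {
    param([string]$TargetHost, [int]$Port)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($TargetHost)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
        [pscustomobject]@{ Protocol = $ssl.SslProtocol; Certificate = $leaf }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

function Test-ServedChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust and expiry only, no OCSP/CRL round trips
    $ok = $chain.Build($Leaf)                        # false if any element is expired or untrusted
    [pscustomobject]@{
        Trusted  = $ok
        Elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
        Status   = @($chain.ChainStatus)
    }
}

foreach ($p in $Ports) {
    try {
        $r = Get-ServedCertificate -TargetHost $HostName -Port $p
        $leaf = $r.Certificate
        'port {0}: {1} served thumbprint={2} NotAfter={3:u} expired={4}' -f `
            $p, $r.Protocol, $leaf.Thumbprint, $leaf.NotAfter, ($leaf.NotAfter -lt (Get-Date))
        $check = Test-ServedChain -Leaf $leaf
        foreach ($e in $check.Elements) { '    {0}  NotAfter={1:u}' -f $e.Subject, $e.NotAfter }
        foreach ($s in $check.Status)   { '    chain status: {0} ({1})' -f $s.Status, $s.StatusInformation.Trim() }
        '    chain builds to a trusted, unexpired root: {0}' -f $check.Trusted
    } catch {
        'port {0}: connection or handshake failed: {1}' -f $p, $_.Exception.Message
    }
}
```

The accept-all callback and `RevocationMode = 'NoCheck'` are deliberate: the script is inspecting, not trusting, and it builds the chain separately so expiry and trust problems show up as explicit `ChainStatus` entries rather than as a failed handshake. If the served thumbprint on a port does not match the newest store entry, the export script or the service has not picked up the renewed certificate yet, which is the case where an external TLS tester keeps reporting "expired" after a renewal. A store entry with `HasPrivateKey=False` cannot be exported to a usable PFX regardless of its dates.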
