- Exchange
- Microsoft Legacy OS
- SSL / HTTPS
- Encryption
- Windows OS
SSL / Certificate issue for TLS setup
Hi Everyone,
I need your suggestions, I am trying to setup TLS for an exchange 2007 server and sonicwall ES3300 appliance and I have an error I do not understand.
I have configured the setup as recommended by MS support and Sonicwall support and I beleive that I have a certificate error now but I do not understand what the error is.
The error I am getting is: Cert NOT VALIDATED: unable to get local issuer certificate - So email is encrypted but the domain is not verified
I am checking the setup via http://checktls.com and everything passes except the cert test.
Thanks in advance for any of your suggestions or help.
TheSonicGod
here are the test results (BOLD on the error message):
Checking USER@mydomain.com
looking up MX hosts on domain " mydomain.com"
1. mail. mydomain.com (preference:10)
Trying TLS on mail. mydomain.com[64.40.XXX.X] (10):
seconds test stage and result
[000.098] Connected to server
[000.176] <-- 220 mail.mydomain.com ESMTP mail.mydomain.com
[000.177] We are allowed to connect
[000.177] --> EHLO checktls.com
[000.380] <-- 250-mail.mydomain.com
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-DSN
250-STARTTLS
250 SIZE 31457280
[000.381] We can use this server
[000.381] TLS is an option on this server
[000.381] --> STARTTLS
[000.472] <-- 220 2.2.0 Ready to start TLS
[000.473] STARTTLS command works on this server
[000.675] ssl : new ctx 33617352
: start handshake
: ssl handshake not started
: set socket to non-blocking to enforce timeout=30
: Net::SSLeay::connect -> -1
: ssl handshake in progress
: waiting for fd to become ready: SSL wants a read first
: socket ready, retrying connect
: ok=0 cert=34553944
: ok=0 cert=34553944
: ok=0 cert=34553944
: Net::SSLeay::connect -> -1
: ssl handshake in progress
: waiting for fd to become ready: SSL wants a read first
: socket ready, retrying connect
: Net::SSLeay::connect -> 1
: ssl handshake done
[000.676] Cipher in use: AES256-SHA
[000.676] Connection converted to SSL
[000.677] Cert Authority: /C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
[000.677] Cert Owner: /O=mail.mydomain.com/OU=Go
[000.710] ssl Certificate 1 of 3 in chain:
-----BEGIN CERTIFICATE-----
MIIERjCCAy6gAwIBAgIQCO7R53
MQswCQYDVQQGEwJVUzEVMBMGA1
b21haW4gVmFsaWRhdGVkIFNTTD
Fw0xMTEwMzEwMDAwMDBaFw0xMj
LmNpcGhlcnBoYXJtYS5jb20xOz
YXd0ZS5jb20vcmVwb3NpdG9yeS
U1NMMTIzIGNlcnRpZmljYXRlMR
HAYDVQQDExVtYWlsLmNpcGhlcn
A4IBDwAwggEKAoIBAQC7v1lnbO
xtTnik80mdoN9tvK9XTBAscWG1
5zIgIi22J0QrdthGIuImXyeQR/
dIYTyTuP+iLs8W5XU9DdjY1+3C
OhMQvGF5SFJeKDB2oJ1aH5vZMa
pmq+kEItr2eLdw+w8/KxzQfOYJ
AQH/BAIwADA6BgNVHR8EMzAxMC
dGUuY29tL1RoYXd0ZURWLmNybD
AwIwMgYIKwYBBQUHAQEEJjAkMC
dGUuY29tMA0GCSqGSIb3DQEBBQ
0omG6xbUoTJYPRbvzTR1HrdrSJ
pvs+8phBYpnHt7uAxkZKgoDCAF
YlC6pA7FsC4MBortSQhBXEhAro
WpYLi7E7s9glP1QUMtqBEEP76b
IwehLLLpQhDV74O4CywcHP/Nn7
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
08:ee:d1:e7:73:5a:3c:f0:e6
Signature Algorithm: sha1WithRSAEncryption
Issuer:
countryName = US
organizationName = Thawte, Inc.
organizationalUnitName = Domain Validated SSL
commonName = Thawte DV SSL CA
Validity
Not Before: Oct 31 00:00:00 2011 GMT
Not After : Oct 30 23:59:59 2012 GMT
Subject:
organizationName = mail.mydomain.com
organizationalUnitName = Go to https://www.thawte.com/repository/index.html
organizationalUnitName = Thawte SSL123 certificate
organizationalUnitName = Domain Validated
commonName = mail.mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bb:bf:59:67:6c:e2:d6:5c
20:0f:58:c4:b3:8f:e4:24:7a
5c:ea:c8:9e:68:c6:d4:e7:8a
db:ca:f5:74:c1:02:c7:16:1b
1d:53:5c:33:ee:62:5e:7f:62
39:71:35:02:74:6c:18:ef:e7
44:2b:76:d8:46:22:e2:26:5f
cb:9b:78:ea:9a:da:ba:fc:dc
d3:9d:ea:c9:68:c1:7b:a4:e5
3b:8f:fa:22:ec:f1:6e:57:53
2e:cb:19:00:32:57:cc:47:64
95:c5:2f:79:04:42:24:e0:cb
13:10:bc:61:79:48:52:5e:28
9b:d9:31:ac:f0:85:cb:58:33
f8:16:b2:85:b3:53:bc:b1:12
75:74:a6:6a:be:90:42:2d:af
f2:b1:cd:07:ce:60:90:b6:89
e6:5b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://svr-dv-crl.thawte.com/ThawteDV.crl
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Authority Information Access:
OCSP - URI:http://ocsp.thawte.com
Signature Algorithm: sha1WithRSAEncryption
bd:d3:b3:73:74:f8:51:9a:6e
54:71:23:7c:d2:89:86:eb:16
75:1e:b7:6b:48:96:02:1c:ba
c6:e9:be:5c:6a:d9:94:92:33
3e:f2:98:41:62:99:c7:b7:bb
9e:09:49:75:22:fb:d3:a9:77
d7:e7:ee:46:c9:ae:6c:5d:d7
0c:06:8a:ed:49:08:41:5c:48
18:10:56:c4:fd:0a:d0:5b:a9
8b:f2:2a:0c:5a:96:0b:8b:b1
81:10:43:fb:e9:bc:39:1b:a1
e7:09:15:cc:26:33:2e:31:e5
a1:2c:b2:e9:42:10:d5:ef:83
66:73:bc:ec:48:ee:85:26:7c
9d:52:22:fc
[000.742] ssl Certificate 2 of 3 in chain:
-----BEGIN CERTIFICATE-----
MIIERjCCAy6gAwIBAgIQCO7R53
MQswCQYDVQQGEwJVUzEVMBMGA1
b21haW4gVmFsaWRhdGVkIFNTTD
Fw0xMTEwMzEwMDAwMDBaFw0xMj
LmNpcGhlcnBoYXJtYS5jb20xOz
YXd0ZS5jb20vcmVwb3NpdG9yeS
U1NMMTIzIGNlcnRpZmljYXRlMR
HAYDVQQDExVtYWlsLmNpcGhlcn
A4IBDwAwggEKAoIBAQC7v1lnbO
xtTnik80mdoN9tvK9XTBAscWG1
5zIgIi22J0QrdthGIuImXyeQR/
dIYTyTuP+iLs8W5XU9DdjY1+3C
OhMQvGF5SFJeKDB2oJ1aH5vZMa
pmq+kEItr2eLdw+w8/KxzQfOYJ
AQH/BAIwADA6BgNVHR8EMzAxMC
dGUuY29tL1RoYXd0ZURWLmNybD
AwIwMgYIKwYBBQUHAQEEJjAkMC
dGUuY29tMA0GCSqGSIb3DQEBBQ
0omG6xbUoTJYPRbvzTR1HrdrSJ
pvs+8phBYpnHt7uAxkZKgoDCAF
YlC6pA7FsC4MBortSQhBXEhAro
WpYLi7E7s9glP1QUMtqBEEP76b
IwehLLLpQhDV74O4CywcHP/Nn7
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
08:ee:d1:e7:73:5a:3c:f0:e6
Signature Algorithm: sha1WithRSAEncryption
Issuer:
countryName = US
organizationName = Thawte, Inc.
organizationalUnitName = Domain Validated SSL
commonName = Thawte DV SSL CA
Validity
Not Before: Oct 31 00:00:00 2011 GMT
Not After : Oct 30 23:59:59 2012 GMT
Subject:
organizationName = mail.mydomain.com
organizationalUnitName = Go to https://www.thawte.com/repository/index.html
organizationalUnitName = Thawte SSL123 certificate
organizationalUnitName = Domain Validated
commonName = mail.mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bb:bf:59:67:6c:e2:d6:5c
20:0f:58:c4:b3:8f:e4:24:7a
5c:ea:c8:9e:68:c6:d4:e7:8a
db:ca:f5:74:c1:02:c7:16:1b
1d:53:5c:33:ee:62:5e:7f:62
39:71:35:02:74:6c:18:ef:e7
44:2b:76:d8:46:22:e2:26:5f
cb:9b:78:ea:9a:da:ba:fc:dc
d3:9d:ea:c9:68:c1:7b:a4:e5
3b:8f:fa:22:ec:f1:6e:57:53
2e:cb:19:00:32:57:cc:47:64
95:c5:2f:79:04:42:24:e0:cb
13:10:bc:61:79:48:52:5e:28
9b:d9:31:ac:f0:85:cb:58:33
f8:16:b2:85:b3:53:bc:b1:12
75:74:a6:6a:be:90:42:2d:af
f2:b1:cd:07:ce:60:90:b6:89
e6:5b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://svr-dv-crl.thawte.com/ThawteDV.crl
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Authority Information Access:
OCSP - URI:http://ocsp.thawte.com
Signature Algorithm: sha1WithRSAEncryption
bd:d3:b3:73:74:f8:51:9a:6e
54:71:23:7c:d2:89:86:eb:16
75:1e:b7:6b:48:96:02:1c:ba
c6:e9:be:5c:6a:d9:94:92:33
3e:f2:98:41:62:99:c7:b7:bb
9e:09:49:75:22:fb:d3:a9:77
d7:e7:ee:46:c9:ae:6c:5d:d7
0c:06:8a:ed:49:08:41:5c:48
18:10:56:c4:fd:0a:d0:5b:a9
8b:f2:2a:0c:5a:96:0b:8b:b1
81:10:43:fb:e9:bc:39:1b:a1
e7:09:15:cc:26:33:2e:31:e5
a1:2c:b2:e9:42:10:d5:ef:83
66:73:bc:ec:48:ee:85:26:7c
9d:52:22:fc
[000.812] ssl Certificate 3 of 3 in chain:
-----BEGIN CERTIFICATE-----
MIIERjCCAy6gAwIBAgIQCO7R53
MQswCQYDVQQGEwJVUzEVMBMGA1
b21haW4gVmFsaWRhdGVkIFNTTD
Fw0xMTEwMzEwMDAwMDBaFw0xMj
LmNpcGhlcnBoYXJtYS5jb20xOz
YXd0ZS5jb20vcmVwb3NpdG9yeS
U1NMMTIzIGNlcnRpZmljYXRlMR
HAYDVQQDExVtYWlsLmNpcGhlcn
A4IBDwAwggEKAoIBAQC7v1lnbO
xtTnik80mdoN9tvK9XTBAscWG1
5zIgIi22J0QrdthGIuImXyeQR/
dIYTyTuP+iLs8W5XU9DdjY1+3C
OhMQvGF5SFJeKDB2oJ1aH5vZMa
pmq+kEItr2eLdw+w8/KxzQfOYJ
AQH/BAIwADA6BgNVHR8EMzAxMC
dGUuY29tL1RoYXd0ZURWLmNybD
AwIwMgYIKwYBBQUHAQEEJjAkMC
dGUuY29tMA0GCSqGSIb3DQEBBQ
0omG6xbUoTJYPRbvzTR1HrdrSJ
pvs+8phBYpnHt7uAxkZKgoDCAF
YlC6pA7FsC4MBortSQhBXEhAro
WpYLi7E7s9glP1QUMtqBEEP76b
IwehLLLpQhDV74O4CywcHP/Nn7
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
08:ee:d1:e7:73:5a:3c:f0:e6
Signature Algorithm: sha1WithRSAEncryption
Issuer:
countryName = US
organizationName = Thawte, Inc.
organizationalUnitName = Domain Validated SSL
commonName = Thawte DV SSL CA
Validity
Not Before: Oct 31 00:00:00 2011 GMT
Not After : Oct 30 23:59:59 2012 GMT
Subject:
organizationName = mail.mydomain.com
organizationalUnitName = Go to https://www.thawte.com/repository/index.html
organizationalUnitName = Thawte SSL123 certificate
organizationalUnitName = Domain Validated
commonName = mail.mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bb:bf:59:67:6c:e2:d6:5c
20:0f:58:c4:b3:8f:e4:24:7a
5c:ea:c8:9e:68:c6:d4:e7:8a
db:ca:f5:74:c1:02:c7:16:1b
1d:53:5c:33:ee:62:5e:7f:62
39:71:35:02:74:6c:18:ef:e7
44:2b:76:d8:46:22:e2:26:5f
cb:9b:78:ea:9a:da:ba:fc:dc
d3:9d:ea:c9:68:c1:7b:a4:e5
3b:8f:fa:22:ec:f1:6e:57:53
2e:cb:19:00:32:57:cc:47:64
95:c5:2f:79:04:42:24:e0:cb
13:10:bc:61:79:48:52:5e:28
9b:d9:31:ac:f0:85:cb:58:33
f8:16:b2:85:b3:53:bc:b1:12
75:74:a6:6a:be:90:42:2d:af
f2:b1:cd:07:ce:60:90:b6:89
e6:5b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://svr-dv-crl.thawte.com/ThawteDV.crl
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Authority Information Access:
OCSP - URI:http://ocsp.thawte.com
Signature Algorithm: sha1WithRSAEncryption
bd:d3:b3:73:74:f8:51:9a:6e
54:71:23:7c:d2:89:86:eb:16
75:1e:b7:6b:48:96:02:1c:ba
c6:e9:be:5c:6a:d9:94:92:33
3e:f2:98:41:62:99:c7:b7:bb
9e:09:49:75:22:fb:d3:a9:77
d7:e7:ee:46:c9:ae:6c:5d:d7
0c:06:8a:ed:49:08:41:5c:48
18:10:56:c4:fd:0a:d0:5b:a9
8b:f2:2a:0c:5a:96:0b:8b:b1
81:10:43:fb:e9:bc:39:1b:a1
e7:09:15:cc:26:33:2e:31:e5
a1:2c:b2:e9:42:10:d5:ef:83
66:73:bc:ec:48:ee:85:26:7c
9d:52:22:fc
[000.812] Cert NOT VALIDATED: unable to get local issuer certificate
[000.812] So email is encrypted but the domain is not verified
[000.813] ssl : scheme=http cert=34553944
: identity=mail.mydomain.com
[000.813] Cert Hostname VERIFIED (mail.mydomain.com)
[000.813] ~~> EHLO checktls.com
[000.814] ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
partial `EHLO checktls.com
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
written so far 19:19 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
[000.979] ssl got `250 SIZE 31457280
' (19:0 bytes, VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/d
[000.979] <~~ 250-mail.mydomain.com
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-DSN
250 SIZE 31457280
[000.980] TLS successfully started on this server
[000.980] ~~> MAIL FROM: <test@checktls.com>
[000.981] ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
partial `MAIL FROM:
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
written so far 32:32 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
[001.060] ssl got `250 2.1.0 MAIL ok
' (19:0 bytes, VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/d
[001.061] <~~ 250 2.1.0 MAIL ok
[001.061] Sender is OK
[001.061] ~~> RCPT TO: <jchan@mydomain.com>
[001.062] ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
partial `RCPT TO:
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
written so far 35:35 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
[001.143] ssl got `250 2.0.0 Ok
' (14:0 bytes, VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/d
[001.143] <~~ 250 2.0.0 Ok
[001.143] Recipient OK, E-mail address proofed
[001.144] ~~> QUIT
[001.145] ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
partial `QUIT
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
written so far 6:6 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
[001.224] ssl got `221 2.0.0 Bye
' (15:0 bytes, VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/d
[001.224] <~~ 221 2.0.0 Bye
[001.228] ssl : free ctx 33617352 open=33617352
: free ctx 33617352 callback
: OK free ctx 33617352
I need your suggestions, I am trying to setup TLS for an exchange 2007 server and sonicwall ES3300 appliance and I have an error I do not understand.
I have configured the setup as recommended by MS support and Sonicwall support and I beleive that I have a certificate error now but I do not understand what the error is.
The error I am getting is: Cert NOT VALIDATED: unable to get local issuer certificate - So email is encrypted but the domain is not verified
I am checking the setup via http://checktls.com and everything passes except the cert test.
Thanks in advance for any of your suggestions or help.
TheSonicGod
here are the test results (BOLD on the error message):
Checking USER@mydomain.com
looking up MX hosts on domain " mydomain.com"
1. mail. mydomain.com (preference:10)
Trying TLS on mail. mydomain.com[64.40.XXX.X] (10):
seconds test stage and result
[000.098] Connected to server
[000.176] <-- 220 mail.mydomain.com ESMTP mail.mydomain.com
[000.177] We are allowed to connect
[000.177] --> EHLO checktls.com
[000.380] <-- 250-mail.mydomain.com
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-DSN
250-STARTTLS
250 SIZE 31457280
[000.381] We can use this server
[000.381] TLS is an option on this server
[000.381] --> STARTTLS
[000.472] <-- 220 2.2.0 Ready to start TLS
[000.473] STARTTLS command works on this server
[000.675] ssl : new ctx 33617352
: start handshake
: ssl handshake not started
: set socket to non-blocking to enforce timeout=30
: Net::SSLeay::connect -> -1
: ssl handshake in progress
: waiting for fd to become ready: SSL wants a read first
: socket ready, retrying connect
: ok=0 cert=34553944
: ok=0 cert=34553944
: ok=0 cert=34553944
: Net::SSLeay::connect -> -1
: ssl handshake in progress
: waiting for fd to become ready: SSL wants a read first
: socket ready, retrying connect
: Net::SSLeay::connect -> 1
: ssl handshake done
[000.676] Cipher in use: AES256-SHA
[000.676] Connection converted to SSL
[000.677] Cert Authority: /C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
[000.677] Cert Owner: /O=mail.mydomain.com/OU=Go
[000.710] ssl Certificate 1 of 3 in chain:
-----BEGIN CERTIFICATE-----
MIIERjCCAy6gAwIBAgIQCO7R53
MQswCQYDVQQGEwJVUzEVMBMGA1
b21haW4gVmFsaWRhdGVkIFNTTD
Fw0xMTEwMzEwMDAwMDBaFw0xMj
LmNpcGhlcnBoYXJtYS5jb20xOz
YXd0ZS5jb20vcmVwb3NpdG9yeS
U1NMMTIzIGNlcnRpZmljYXRlMR
HAYDVQQDExVtYWlsLmNpcGhlcn
A4IBDwAwggEKAoIBAQC7v1lnbO
xtTnik80mdoN9tvK9XTBAscWG1
5zIgIi22J0QrdthGIuImXyeQR/
dIYTyTuP+iLs8W5XU9DdjY1+3C
OhMQvGF5SFJeKDB2oJ1aH5vZMa
pmq+kEItr2eLdw+w8/KxzQfOYJ
AQH/BAIwADA6BgNVHR8EMzAxMC
dGUuY29tL1RoYXd0ZURWLmNybD
AwIwMgYIKwYBBQUHAQEEJjAkMC
dGUuY29tMA0GCSqGSIb3DQEBBQ
0omG6xbUoTJYPRbvzTR1HrdrSJ
pvs+8phBYpnHt7uAxkZKgoDCAF
YlC6pA7FsC4MBortSQhBXEhAro
WpYLi7E7s9glP1QUMtqBEEP76b
IwehLLLpQhDV74O4CywcHP/Nn7
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
08:ee:d1:e7:73:5a:3c:f0:e6
Signature Algorithm: sha1WithRSAEncryption
Issuer:
countryName = US
organizationName = Thawte, Inc.
organizationalUnitName = Domain Validated SSL
commonName = Thawte DV SSL CA
Validity
Not Before: Oct 31 00:00:00 2011 GMT
Not After : Oct 30 23:59:59 2012 GMT
Subject:
organizationName = mail.mydomain.com
organizationalUnitName = Go to https://www.thawte.com/repository/index.html
organizationalUnitName = Thawte SSL123 certificate
organizationalUnitName = Domain Validated
commonName = mail.mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bb:bf:59:67:6c:e2:d6:5c
20:0f:58:c4:b3:8f:e4:24:7a
5c:ea:c8:9e:68:c6:d4:e7:8a
db:ca:f5:74:c1:02:c7:16:1b
1d:53:5c:33:ee:62:5e:7f:62
39:71:35:02:74:6c:18:ef:e7
44:2b:76:d8:46:22:e2:26:5f
cb:9b:78:ea:9a:da:ba:fc:dc
d3:9d:ea:c9:68:c1:7b:a4:e5
3b:8f:fa:22:ec:f1:6e:57:53
2e:cb:19:00:32:57:cc:47:64
95:c5:2f:79:04:42:24:e0:cb
13:10:bc:61:79:48:52:5e:28
9b:d9:31:ac:f0:85:cb:58:33
f8:16:b2:85:b3:53:bc:b1:12
75:74:a6:6a:be:90:42:2d:af
f2:b1:cd:07:ce:60:90:b6:89
e6:5b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://svr-dv-crl.thawte.com/ThawteDV.crl
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Authority Information Access:
OCSP - URI:http://ocsp.thawte.com
Signature Algorithm: sha1WithRSAEncryption
bd:d3:b3:73:74:f8:51:9a:6e
54:71:23:7c:d2:89:86:eb:16
75:1e:b7:6b:48:96:02:1c:ba
c6:e9:be:5c:6a:d9:94:92:33
3e:f2:98:41:62:99:c7:b7:bb
9e:09:49:75:22:fb:d3:a9:77
d7:e7:ee:46:c9:ae:6c:5d:d7
0c:06:8a:ed:49:08:41:5c:48
18:10:56:c4:fd:0a:d0:5b:a9
8b:f2:2a:0c:5a:96:0b:8b:b1
81:10:43:fb:e9:bc:39:1b:a1
e7:09:15:cc:26:33:2e:31:e5
a1:2c:b2:e9:42:10:d5:ef:83
66:73:bc:ec:48:ee:85:26:7c
9d:52:22:fc
[000.742] ssl Certificate 2 of 3 in chain:
-----BEGIN CERTIFICATE-----
MIIERjCCAy6gAwIBAgIQCO7R53
MQswCQYDVQQGEwJVUzEVMBMGA1
b21haW4gVmFsaWRhdGVkIFNTTD
Fw0xMTEwMzEwMDAwMDBaFw0xMj
LmNpcGhlcnBoYXJtYS5jb20xOz
YXd0ZS5jb20vcmVwb3NpdG9yeS
U1NMMTIzIGNlcnRpZmljYXRlMR
HAYDVQQDExVtYWlsLmNpcGhlcn
A4IBDwAwggEKAoIBAQC7v1lnbO
xtTnik80mdoN9tvK9XTBAscWG1
5zIgIi22J0QrdthGIuImXyeQR/
dIYTyTuP+iLs8W5XU9DdjY1+3C
OhMQvGF5SFJeKDB2oJ1aH5vZMa
pmq+kEItr2eLdw+w8/KxzQfOYJ
AQH/BAIwADA6BgNVHR8EMzAxMC
dGUuY29tL1RoYXd0ZURWLmNybD
AwIwMgYIKwYBBQUHAQEEJjAkMC
dGUuY29tMA0GCSqGSIb3DQEBBQ
0omG6xbUoTJYPRbvzTR1HrdrSJ
pvs+8phBYpnHt7uAxkZKgoDCAF
YlC6pA7FsC4MBortSQhBXEhAro
WpYLi7E7s9glP1QUMtqBEEP76b
IwehLLLpQhDV74O4CywcHP/Nn7
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
08:ee:d1:e7:73:5a:3c:f0:e6
Signature Algorithm: sha1WithRSAEncryption
Issuer:
countryName = US
organizationName = Thawte, Inc.
organizationalUnitName = Domain Validated SSL
commonName = Thawte DV SSL CA
Validity
Not Before: Oct 31 00:00:00 2011 GMT
Not After : Oct 30 23:59:59 2012 GMT
Subject:
organizationName = mail.mydomain.com
organizationalUnitName = Go to https://www.thawte.com/repository/index.html
organizationalUnitName = Thawte SSL123 certificate
organizationalUnitName = Domain Validated
commonName = mail.mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bb:bf:59:67:6c:e2:d6:5c
20:0f:58:c4:b3:8f:e4:24:7a
5c:ea:c8:9e:68:c6:d4:e7:8a
db:ca:f5:74:c1:02:c7:16:1b
1d:53:5c:33:ee:62:5e:7f:62
39:71:35:02:74:6c:18:ef:e7
44:2b:76:d8:46:22:e2:26:5f
cb:9b:78:ea:9a:da:ba:fc:dc
d3:9d:ea:c9:68:c1:7b:a4:e5
3b:8f:fa:22:ec:f1:6e:57:53
2e:cb:19:00:32:57:cc:47:64
95:c5:2f:79:04:42:24:e0:cb
13:10:bc:61:79:48:52:5e:28
9b:d9:31:ac:f0:85:cb:58:33
f8:16:b2:85:b3:53:bc:b1:12
75:74:a6:6a:be:90:42:2d:af
f2:b1:cd:07:ce:60:90:b6:89
e6:5b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://svr-dv-crl.thawte.com/ThawteDV.crl
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Authority Information Access:
OCSP - URI:http://ocsp.thawte.com
Signature Algorithm: sha1WithRSAEncryption
bd:d3:b3:73:74:f8:51:9a:6e
54:71:23:7c:d2:89:86:eb:16
75:1e:b7:6b:48:96:02:1c:ba
c6:e9:be:5c:6a:d9:94:92:33
3e:f2:98:41:62:99:c7:b7:bb
9e:09:49:75:22:fb:d3:a9:77
d7:e7:ee:46:c9:ae:6c:5d:d7
0c:06:8a:ed:49:08:41:5c:48
18:10:56:c4:fd:0a:d0:5b:a9
8b:f2:2a:0c:5a:96:0b:8b:b1
81:10:43:fb:e9:bc:39:1b:a1
e7:09:15:cc:26:33:2e:31:e5
a1:2c:b2:e9:42:10:d5:ef:83
66:73:bc:ec:48:ee:85:26:7c
9d:52:22:fc
[000.812] ssl Certificate 3 of 3 in chain:
-----BEGIN CERTIFICATE-----
MIIERjCCAy6gAwIBAgIQCO7R53
MQswCQYDVQQGEwJVUzEVMBMGA1
b21haW4gVmFsaWRhdGVkIFNTTD
Fw0xMTEwMzEwMDAwMDBaFw0xMj
LmNpcGhlcnBoYXJtYS5jb20xOz
YXd0ZS5jb20vcmVwb3NpdG9yeS
U1NMMTIzIGNlcnRpZmljYXRlMR
HAYDVQQDExVtYWlsLmNpcGhlcn
A4IBDwAwggEKAoIBAQC7v1lnbO
xtTnik80mdoN9tvK9XTBAscWG1
5zIgIi22J0QrdthGIuImXyeQR/
dIYTyTuP+iLs8W5XU9DdjY1+3C
OhMQvGF5SFJeKDB2oJ1aH5vZMa
pmq+kEItr2eLdw+w8/KxzQfOYJ
AQH/BAIwADA6BgNVHR8EMzAxMC
dGUuY29tL1RoYXd0ZURWLmNybD
AwIwMgYIKwYBBQUHAQEEJjAkMC
dGUuY29tMA0GCSqGSIb3DQEBBQ
0omG6xbUoTJYPRbvzTR1HrdrSJ
pvs+8phBYpnHt7uAxkZKgoDCAF
YlC6pA7FsC4MBortSQhBXEhAro
WpYLi7E7s9glP1QUMtqBEEP76b
IwehLLLpQhDV74O4CywcHP/Nn7
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
08:ee:d1:e7:73:5a:3c:f0:e6
Signature Algorithm: sha1WithRSAEncryption
Issuer:
countryName = US
organizationName = Thawte, Inc.
organizationalUnitName = Domain Validated SSL
commonName = Thawte DV SSL CA
Validity
Not Before: Oct 31 00:00:00 2011 GMT
Not After : Oct 30 23:59:59 2012 GMT
Subject:
organizationName = mail.mydomain.com
organizationalUnitName = Go to https://www.thawte.com/repository/index.html
organizationalUnitName = Thawte SSL123 certificate
organizationalUnitName = Domain Validated
commonName = mail.mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bb:bf:59:67:6c:e2:d6:5c
20:0f:58:c4:b3:8f:e4:24:7a
5c:ea:c8:9e:68:c6:d4:e7:8a
db:ca:f5:74:c1:02:c7:16:1b
1d:53:5c:33:ee:62:5e:7f:62
39:71:35:02:74:6c:18:ef:e7
44:2b:76:d8:46:22:e2:26:5f
cb:9b:78:ea:9a:da:ba:fc:dc
d3:9d:ea:c9:68:c1:7b:a4:e5
3b:8f:fa:22:ec:f1:6e:57:53
2e:cb:19:00:32:57:cc:47:64
95:c5:2f:79:04:42:24:e0:cb
13:10:bc:61:79:48:52:5e:28
9b:d9:31:ac:f0:85:cb:58:33
f8:16:b2:85:b3:53:bc:b1:12
75:74:a6:6a:be:90:42:2d:af
f2:b1:cd:07:ce:60:90:b6:89
e6:5b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://svr-dv-crl.thawte.com/ThawteDV.crl
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Authority Information Access:
OCSP - URI:http://ocsp.thawte.com
Signature Algorithm: sha1WithRSAEncryption
bd:d3:b3:73:74:f8:51:9a:6e
54:71:23:7c:d2:89:86:eb:16
75:1e:b7:6b:48:96:02:1c:ba
c6:e9:be:5c:6a:d9:94:92:33
3e:f2:98:41:62:99:c7:b7:bb
9e:09:49:75:22:fb:d3:a9:77
d7:e7:ee:46:c9:ae:6c:5d:d7
0c:06:8a:ed:49:08:41:5c:48
18:10:56:c4:fd:0a:d0:5b:a9
8b:f2:2a:0c:5a:96:0b:8b:b1
81:10:43:fb:e9:bc:39:1b:a1
e7:09:15:cc:26:33:2e:31:e5
a1:2c:b2:e9:42:10:d5:ef:83
66:73:bc:ec:48:ee:85:26:7c
9d:52:22:fc
[000.812] Cert NOT VALIDATED: unable to get local issuer certificate
[000.812] So email is encrypted but the domain is not verified
[000.813] ssl : scheme=http cert=34553944
: identity=mail.mydomain.com
[000.813] Cert Hostname VERIFIED (mail.mydomain.com)
[000.813] ~~> EHLO checktls.com
[000.814] ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
partial `EHLO checktls.com
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
written so far 19:19 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
[000.979] ssl got `250 SIZE 31457280
' (19:0 bytes, VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/d
[000.979] <~~ 250-mail.mydomain.com
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-DSN
250 SIZE 31457280
[000.980] TLS successfully started on this server
[000.980] ~~> MAIL FROM: <test@checktls.com>
[000.981] ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
partial `MAIL FROM:
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
written so far 32:32 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
[001.060] ssl got `250 2.1.0 MAIL ok
' (19:0 bytes, VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/d
[001.061] <~~ 250 2.1.0 MAIL ok
[001.061] Sender is OK
[001.061] ~~> RCPT TO: <jchan@mydomain.com>
[001.062] ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
partial `RCPT TO:
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
written so far 35:35 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
[001.143] ssl got `250 2.0.0 Ok
' (14:0 bytes, VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/d
[001.143] <~~ 250 2.0.0 Ok
[001.143] Recipient OK, E-mail address proofed
[001.144] ~~> QUIT
[001.145] ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
partial `QUIT
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
written so far 6:6 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/s
[001.224] ssl got `221 2.0.0 Bye
' (15:0 bytes, VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/d
[001.224] <~~ 221 2.0.0 Bye
[001.228] ssl : free ctx 33617352 open=33617352
: free ctx 33617352 callback
: OK free ctx 33617352
Looks like the certificate chain (Intermediate & Root Certificate) missing. open the certificate and click on the certificate path tab and you should see the chain. If the chain is missing then install the missing certificate.
To clarify vinsvin a bit:
If your cert is not signed by a well known root cert, then you have to provide one or more certs to link your cert to a well known root cert. So your cert, from Thawte, is signed by some "intermediate" cert that Thawte has, which is maybe signed by another internediate cert, which is signed by Thawte's well known root cert.
You have to send your cert and all the intermediate certs (just concatenate them together in the cert text file).
What you seem to be sending is your cert twice. Cert check shows the last cert it checks twice.
For a good example, just run the CheckTLS test against the CheckTLS site -- they use a single intermediate cert.
If your cert is not signed by a well known root cert, then you have to provide one or more certs to link your cert to a well known root cert. So your cert, from Thawte, is signed by some "intermediate" cert that Thawte has, which is maybe signed by another internediate cert, which is signed by Thawte's well known root cert.
You have to send your cert and all the intermediate certs (just concatenate them together in the cert text file).
What you seem to be sending is your cert twice. Cert check shows the last cert it checks twice.
For a good example, just run the CheckTLS test against the CheckTLS site -- they use a single intermediate cert.
Thanks Everyone,
The x.509 cert required both the root and intermediate certs and the sonicwall es3300 appliance only had a location for one .pem certificate.
Thus we had to combine the root and intermediate certs into 1 cacert.pem file and upload and install it through putty and winscp utilities.
Once that was done we reloaded the rekeyed .pem signing cert and everything is now working correctly.
Thanks for pointing me in the right direction
TheSonicOne
The x.509 cert required both the root and intermediate certs and the sonicwall es3300 appliance only had a location for one .pem certificate.
Thus we had to combine the root and intermediate certs into 1 cacert.pem file and upload and install it through putty and winscp utilities.
Once that was done we reloaded the rekeyed .pem signing cert and everything is now working correctly.
Thanks for pointing me in the right direction
TheSonicOne
We had the same issue, but used "verisign" Certificate Authority.
Using ES3300 - Had to download the Microsoft SSL vs. Apache, then it worked.
Below kb article from Sonicwall specifies to use Apache, however.
so the Microsoft SSL worked not Apache. All steps applied until choosing "Apache" pick Microsoft.
https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=10219
Note - Depends possibly on your email server - we are using Microsoft. And there are other requirements of communications on the ES3300. Sonicwall Support did verify these settings as well.
Using ES3300 - Had to download the Microsoft SSL vs. Apache, then it worked.
Below kb article from Sonicwall specifies to use Apache, however.
so the Microsoft SSL worked not Apache. All steps applied until choosing "Apache" pick Microsoft.
https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=10219
Note - Depends possibly on your email server - we are using Microsoft. And there are other requirements of communications on the ES3300. Sonicwall Support did verify these settings as well.
Explore More ContentExplore courses, solutions, and other research materials related to this topic.
-
![]()
received a Solution
SSL certificates for Exchange server -
![]()
wrote an Article
![]()
How to Renew SSL Certificate for Exchange 2013 Server Step by Step
-
![]()
created a Video
![]()
Exchange 2019 - Setup a domain controller for your Exchange lab in Azure Part 2
-
Explore Cloud Class® ![]()
70-662: Deploying Microsoft Exchange Server 2010
