We help IT Professionals succeed at work.

SSL / Certificate issue for TLS setup

Medium Priority
3,766 Views
Last Modified: 2014-08-05
Hi Everyone,

I need your suggestions, I am trying to setup TLS for an exchange 2007 server and sonicwall ES3300 appliance and I have an error I do not understand.

I have configured the setup as recommended by MS support and Sonicwall support and I beleive that I have a certificate error now but I do not understand what the error is.

The error I am getting is: Cert NOT VALIDATED: unable to get local issuer certificate - So email is encrypted but the domain is not verified

I am checking the setup via http://checktls.com and everything passes except the cert test.

Thanks in advance for any of your suggestions or help.

TheSonicGod

here are the test results (BOLD on the error message):

Checking USER@mydomain.com
looking up MX hosts on domain " mydomain.com"
1.      mail. mydomain.com (preference:10)
Trying TLS on mail. mydomain.com[64.40.XXX.X] (10):
seconds            test stage and result
[000.098]            Connected to server
[000.176]      <--      220 mail.mydomain.com ESMTP mail.mydomain.com
[000.177]            We are allowed to connect
[000.177]      -->      EHLO checktls.com
[000.380]      <--      250-mail.mydomain.com
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-DSN
250-STARTTLS
250 SIZE 31457280
[000.381]            We can use this server
[000.381]            TLS is an option on this server
[000.381]      -->      STARTTLS
[000.472]      <--      220 2.2.0 Ready to start TLS
[000.473]            STARTTLS command works on this server
[000.675]      ssl      : new ctx 33617352
: start handshake
: ssl handshake not started
: set socket to non-blocking to enforce timeout=30
: Net::SSLeay::connect -> -1
: ssl handshake in progress
: waiting for fd to become ready: SSL wants a read first
: socket ready, retrying connect
: ok=0 cert=34553944
: ok=0 cert=34553944
: ok=0 cert=34553944
: Net::SSLeay::connect -> -1
: ssl handshake in progress
: waiting for fd to become ready: SSL wants a read first
: socket ready, retrying connect
: Net::SSLeay::connect -> 1
: ssl handshake done
[000.676]            Cipher in use: AES256-SHA
[000.676]            Connection converted to SSL
[000.677]            Cert Authority: /C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
[000.677]            Cert Owner: /O=mail.mydomain.com/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=mail.mydomain.com
[000.710]      ssl       Certificate 1 of 3 in chain:
-----BEGIN CERTIFICATE-----
MIIERjCCAy6gAwIBAgIQCO7R53NaPPDmnMbxx46iizANBgkqhkiG9w0BAQUFADBe
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMuMR0wGwYDVQQLExRE
b21haW4gVmFsaWRhdGVkIFNTTDEZMBcGA1UEAxMQVGhhd3RlIERWIFNTTCBDQTAe
Fw0xMTEwMzEwMDAwMDBaFw0xMjEwMzAyMzU5NTlaMIG8MR4wHAYDVQQKExVtYWls
LmNpcGhlcnBoYXJtYS5jb20xOzA5BgNVBAsTMkdvIHRvIGh0dHBzOi8vd3d3LnRo
YXd0ZS5jb20vcmVwb3NpdG9yeS9pbmRleC5odG1sMSIwIAYDVQQLExlUaGF3dGUg
U1NMMTIzIGNlcnRpZmljYXRlMRkwFwYDVQQLExBEb21haW4gVmFsaWRhdGVkMR4w
HAYDVQQDExVtYWlsLmNpcGhlcnBoYXJtYS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQC7v1lnbOLWXLD/VG6oGSAPWMSzj+QkerAa/e/KXVzqyJ5o
xtTnik80mdoN9tvK9XTBAscWG15KwyGUJx1TXDPuYl5/YrasrdPEnjlxNQJ0bBjv
5zIgIi22J0QrdthGIuImXyeQR/rRTMubeOqa2rr83Bcojjw5JdOd6slowXuk5aV0
dIYTyTuP+iLs8W5XU9DdjY1+3C7LGQAyV8xHZBU97RAdDZXFL3kEQiTgy5YSqZUt
OhMQvGF5SFJeKDB2oJ1aH5vZMazwhctYMxglMxBV//gWsoWzU7yxEr2EeXb8GXV0
pmq+kEItr2eLdw+w8/KxzQfOYJC2iSHIcmSS2OZbAgMBAAGjgaAwgZ0wDAYDVR0T
AQH/BAIwADA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vc3ZyLWR2LWNybC50aGF3
dGUuY29tL1RoYXd0ZURWLmNybDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
AwIwMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vb2NzcC50aGF3
dGUuY29tMA0GCSqGSIb3DQEBBQUAA4IBAQC907NzdPhRmm60YVuWvA0bsABUcSN8
0omG6xbUoTJYPRbvzTR1HrdrSJYCHLqfrqZztwr0JfzG6b5catmUkjMUkQ51qIlA
pvs+8phBYpnHt7uAxkZKgoDCAFSeCUl1IvvTqXcEgvPqDXVtMhDX5+5Gya5sXdfM
YlC6pA7FsC4MBortSQhBXEhAro/UR5FRuDcYEFbE/QrQW6kLuU0iwNVhNgaL8ioM
WpYLi7E7s9glP1QUMtqBEEP76bw5G6FfBgRHuReStm/nCRXMJjMuMeVcHOhcdmMh
IwehLLLpQhDV74O4CywcHP/Nn71mc7zsSO6FJnymu5fdMaYyaeWdUiL8
-----END CERTIFICATE-----
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      08:ee:d1:e7:73:5a:3c:f0:e6:9c:c6:f1:c7:8e:a2:8b
    Signature Algorithm: sha1WithRSAEncryption
    Issuer:
      countryName         = US
      organizationName      = Thawte, Inc.
      organizationalUnitName  = Domain Validated SSL
      commonName        = Thawte DV SSL CA
    Validity
      Not Before: Oct 31 00:00:00 2011 GMT
      Not After : Oct 30 23:59:59 2012 GMT
    Subject:
      organizationName      = mail.mydomain.com
      organizationalUnitName  = Go to https://www.thawte.com/repository/index.html
      organizationalUnitName  = Thawte SSL123 certificate
      organizationalUnitName  = Domain Validated
      commonName        = mail.mydomain.com
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (2048 bit)
        Modulus:
          00:bb:bf:59:67:6c:e2:d6:5c:b0:ff:54:6e:a8:19:
          20:0f:58:c4:b3:8f:e4:24:7a:b0:1a:fd:ef:ca:5d:
          5c:ea:c8:9e:68:c6:d4:e7:8a:4f:34:99:da:0d:f6:
          db:ca:f5:74:c1:02:c7:16:1b:5e:4a:c3:21:94:27:
          1d:53:5c:33:ee:62:5e:7f:62:b6:ac:ad:d3:c4:9e:
          39:71:35:02:74:6c:18:ef:e7:32:20:22:2d:b6:27:
          44:2b:76:d8:46:22:e2:26:5f:27:90:47:fa:d1:4c:
          cb:9b:78:ea:9a:da:ba:fc:dc:17:28:8e:3c:39:25:
          d3:9d:ea:c9:68:c1:7b:a4:e5:a5:74:74:86:13:c9:
          3b:8f:fa:22:ec:f1:6e:57:53:d0:dd:8d:8d:7e:dc:
          2e:cb:19:00:32:57:cc:47:64:15:3d:ed:10:1d:0d:
          95:c5:2f:79:04:42:24:e0:cb:96:12:a9:95:2d:3a:
          13:10:bc:61:79:48:52:5e:28:30:76:a0:9d:5a:1f:
          9b:d9:31:ac:f0:85:cb:58:33:18:25:33:10:55:ff:
          f8:16:b2:85:b3:53:bc:b1:12:bd:84:79:76:fc:19:
          75:74:a6:6a:be:90:42:2d:af:67:8b:77:0f:b0:f3:
          f2:b1:cd:07:ce:60:90:b6:89:21:c8:72:64:92:d8:
          e6:5b
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Basic Constraints: critical
        CA:FALSE
      X509v3 CRL Distribution Points:
        Full Name:
          URI:http://svr-dv-crl.thawte.com/ThawteDV.crl
      X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
      Authority Information Access:
        OCSP - URI:http://ocsp.thawte.com
  Signature Algorithm: sha1WithRSAEncryption
    bd:d3:b3:73:74:f8:51:9a:6e:b4:61:5b:96:bc:0d:1b:b0:00:
    54:71:23:7c:d2:89:86:eb:16:d4:a1:32:58:3d:16:ef:cd:34:
    75:1e:b7:6b:48:96:02:1c:ba:9f:ae:a6:73:b7:0a:f4:25:fc:
    c6:e9:be:5c:6a:d9:94:92:33:14:91:0e:75:a8:89:40:a6:fb:
    3e:f2:98:41:62:99:c7:b7:bb:80:c6:46:4a:82:80:c2:00:54:
    9e:09:49:75:22:fb:d3:a9:77:04:82:f3:ea:0d:75:6d:32:10:
    d7:e7:ee:46:c9:ae:6c:5d:d7:cc:62:50:ba:a4:0e:c5:b0:2e:
    0c:06:8a:ed:49:08:41:5c:48:40:ae:8f:d4:47:91:51:b8:37:
    18:10:56:c4:fd:0a:d0:5b:a9:0b:b9:4d:22:c0:d5:61:36:06:
    8b:f2:2a:0c:5a:96:0b:8b:b1:3b:b3:d8:25:3f:54:14:32:da:
    81:10:43:fb:e9:bc:39:1b:a1:5f:06:04:47:b9:17:92:b6:6f:
    e7:09:15:cc:26:33:2e:31:e5:5c:1c:e8:5c:76:63:21:23:07:
    a1:2c:b2:e9:42:10:d5:ef:83:b8:0b:2c:1c:1c:ff:cd:9f:bd:
    66:73:bc:ec:48:ee:85:26:7c:a6:bb:97:dd:31:a6:32:69:e5:
    9d:52:22:fc
                   
[000.742]      ssl       Certificate 2 of 3 in chain:
-----BEGIN CERTIFICATE-----
MIIERjCCAy6gAwIBAgIQCO7R53NaPPDmnMbxx46iizANBgkqhkiG9w0BAQUFADBe
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMuMR0wGwYDVQQLExRE
b21haW4gVmFsaWRhdGVkIFNTTDEZMBcGA1UEAxMQVGhhd3RlIERWIFNTTCBDQTAe
Fw0xMTEwMzEwMDAwMDBaFw0xMjEwMzAyMzU5NTlaMIG8MR4wHAYDVQQKExVtYWls
LmNpcGhlcnBoYXJtYS5jb20xOzA5BgNVBAsTMkdvIHRvIGh0dHBzOi8vd3d3LnRo
YXd0ZS5jb20vcmVwb3NpdG9yeS9pbmRleC5odG1sMSIwIAYDVQQLExlUaGF3dGUg
U1NMMTIzIGNlcnRpZmljYXRlMRkwFwYDVQQLExBEb21haW4gVmFsaWRhdGVkMR4w
HAYDVQQDExVtYWlsLmNpcGhlcnBoYXJtYS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQC7v1lnbOLWXLD/VG6oGSAPWMSzj+QkerAa/e/KXVzqyJ5o
xtTnik80mdoN9tvK9XTBAscWG15KwyGUJx1TXDPuYl5/YrasrdPEnjlxNQJ0bBjv
5zIgIi22J0QrdthGIuImXyeQR/rRTMubeOqa2rr83Bcojjw5JdOd6slowXuk5aV0
dIYTyTuP+iLs8W5XU9DdjY1+3C7LGQAyV8xHZBU97RAdDZXFL3kEQiTgy5YSqZUt
OhMQvGF5SFJeKDB2oJ1aH5vZMazwhctYMxglMxBV//gWsoWzU7yxEr2EeXb8GXV0
pmq+kEItr2eLdw+w8/KxzQfOYJC2iSHIcmSS2OZbAgMBAAGjgaAwgZ0wDAYDVR0T
AQH/BAIwADA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vc3ZyLWR2LWNybC50aGF3
dGUuY29tL1RoYXd0ZURWLmNybDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
AwIwMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vb2NzcC50aGF3
dGUuY29tMA0GCSqGSIb3DQEBBQUAA4IBAQC907NzdPhRmm60YVuWvA0bsABUcSN8
0omG6xbUoTJYPRbvzTR1HrdrSJYCHLqfrqZztwr0JfzG6b5catmUkjMUkQ51qIlA
pvs+8phBYpnHt7uAxkZKgoDCAFSeCUl1IvvTqXcEgvPqDXVtMhDX5+5Gya5sXdfM
YlC6pA7FsC4MBortSQhBXEhAro/UR5FRuDcYEFbE/QrQW6kLuU0iwNVhNgaL8ioM
WpYLi7E7s9glP1QUMtqBEEP76bw5G6FfBgRHuReStm/nCRXMJjMuMeVcHOhcdmMh
IwehLLLpQhDV74O4CywcHP/Nn71mc7zsSO6FJnymu5fdMaYyaeWdUiL8
-----END CERTIFICATE-----
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      08:ee:d1:e7:73:5a:3c:f0:e6:9c:c6:f1:c7:8e:a2:8b
    Signature Algorithm: sha1WithRSAEncryption
    Issuer:
      countryName         = US
      organizationName      = Thawte, Inc.
      organizationalUnitName  = Domain Validated SSL
      commonName        = Thawte DV SSL CA
    Validity
      Not Before: Oct 31 00:00:00 2011 GMT
      Not After : Oct 30 23:59:59 2012 GMT
    Subject:
      organizationName      = mail.mydomain.com
      organizationalUnitName  = Go to https://www.thawte.com/repository/index.html
      organizationalUnitName  = Thawte SSL123 certificate
      organizationalUnitName  = Domain Validated
      commonName        = mail.mydomain.com
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (2048 bit)
        Modulus:
          00:bb:bf:59:67:6c:e2:d6:5c:b0:ff:54:6e:a8:19:
          20:0f:58:c4:b3:8f:e4:24:7a:b0:1a:fd:ef:ca:5d:
          5c:ea:c8:9e:68:c6:d4:e7:8a:4f:34:99:da:0d:f6:
          db:ca:f5:74:c1:02:c7:16:1b:5e:4a:c3:21:94:27:
          1d:53:5c:33:ee:62:5e:7f:62:b6:ac:ad:d3:c4:9e:
          39:71:35:02:74:6c:18:ef:e7:32:20:22:2d:b6:27:
          44:2b:76:d8:46:22:e2:26:5f:27:90:47:fa:d1:4c:
          cb:9b:78:ea:9a:da:ba:fc:dc:17:28:8e:3c:39:25:
          d3:9d:ea:c9:68:c1:7b:a4:e5:a5:74:74:86:13:c9:
          3b:8f:fa:22:ec:f1:6e:57:53:d0:dd:8d:8d:7e:dc:
          2e:cb:19:00:32:57:cc:47:64:15:3d:ed:10:1d:0d:
          95:c5:2f:79:04:42:24:e0:cb:96:12:a9:95:2d:3a:
          13:10:bc:61:79:48:52:5e:28:30:76:a0:9d:5a:1f:
          9b:d9:31:ac:f0:85:cb:58:33:18:25:33:10:55:ff:
          f8:16:b2:85:b3:53:bc:b1:12:bd:84:79:76:fc:19:
          75:74:a6:6a:be:90:42:2d:af:67:8b:77:0f:b0:f3:
          f2:b1:cd:07:ce:60:90:b6:89:21:c8:72:64:92:d8:
          e6:5b
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Basic Constraints: critical
        CA:FALSE
      X509v3 CRL Distribution Points:
        Full Name:
          URI:http://svr-dv-crl.thawte.com/ThawteDV.crl
      X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
      Authority Information Access:
        OCSP - URI:http://ocsp.thawte.com
  Signature Algorithm: sha1WithRSAEncryption
    bd:d3:b3:73:74:f8:51:9a:6e:b4:61:5b:96:bc:0d:1b:b0:00:
    54:71:23:7c:d2:89:86:eb:16:d4:a1:32:58:3d:16:ef:cd:34:
    75:1e:b7:6b:48:96:02:1c:ba:9f:ae:a6:73:b7:0a:f4:25:fc:
    c6:e9:be:5c:6a:d9:94:92:33:14:91:0e:75:a8:89:40:a6:fb:
    3e:f2:98:41:62:99:c7:b7:bb:80:c6:46:4a:82:80:c2:00:54:
    9e:09:49:75:22:fb:d3:a9:77:04:82:f3:ea:0d:75:6d:32:10:
    d7:e7:ee:46:c9:ae:6c:5d:d7:cc:62:50:ba:a4:0e:c5:b0:2e:
    0c:06:8a:ed:49:08:41:5c:48:40:ae:8f:d4:47:91:51:b8:37:
    18:10:56:c4:fd:0a:d0:5b:a9:0b:b9:4d:22:c0:d5:61:36:06:
    8b:f2:2a:0c:5a:96:0b:8b:b1:3b:b3:d8:25:3f:54:14:32:da:
    81:10:43:fb:e9:bc:39:1b:a1:5f:06:04:47:b9:17:92:b6:6f:
    e7:09:15:cc:26:33:2e:31:e5:5c:1c:e8:5c:76:63:21:23:07:
    a1:2c:b2:e9:42:10:d5:ef:83:b8:0b:2c:1c:1c:ff:cd:9f:bd:
    66:73:bc:ec:48:ee:85:26:7c:a6:bb:97:dd:31:a6:32:69:e5:
    9d:52:22:fc
                   
[000.812]      ssl       Certificate 3 of 3 in chain:
-----BEGIN CERTIFICATE-----
MIIERjCCAy6gAwIBAgIQCO7R53NaPPDmnMbxx46iizANBgkqhkiG9w0BAQUFADBe
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMuMR0wGwYDVQQLExRE
b21haW4gVmFsaWRhdGVkIFNTTDEZMBcGA1UEAxMQVGhhd3RlIERWIFNTTCBDQTAe
Fw0xMTEwMzEwMDAwMDBaFw0xMjEwMzAyMzU5NTlaMIG8MR4wHAYDVQQKExVtYWls
LmNpcGhlcnBoYXJtYS5jb20xOzA5BgNVBAsTMkdvIHRvIGh0dHBzOi8vd3d3LnRo
YXd0ZS5jb20vcmVwb3NpdG9yeS9pbmRleC5odG1sMSIwIAYDVQQLExlUaGF3dGUg
U1NMMTIzIGNlcnRpZmljYXRlMRkwFwYDVQQLExBEb21haW4gVmFsaWRhdGVkMR4w
HAYDVQQDExVtYWlsLmNpcGhlcnBoYXJtYS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQC7v1lnbOLWXLD/VG6oGSAPWMSzj+QkerAa/e/KXVzqyJ5o
xtTnik80mdoN9tvK9XTBAscWG15KwyGUJx1TXDPuYl5/YrasrdPEnjlxNQJ0bBjv
5zIgIi22J0QrdthGIuImXyeQR/rRTMubeOqa2rr83Bcojjw5JdOd6slowXuk5aV0
dIYTyTuP+iLs8W5XU9DdjY1+3C7LGQAyV8xHZBU97RAdDZXFL3kEQiTgy5YSqZUt
OhMQvGF5SFJeKDB2oJ1aH5vZMazwhctYMxglMxBV//gWsoWzU7yxEr2EeXb8GXV0
pmq+kEItr2eLdw+w8/KxzQfOYJC2iSHIcmSS2OZbAgMBAAGjgaAwgZ0wDAYDVR0T
AQH/BAIwADA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vc3ZyLWR2LWNybC50aGF3
dGUuY29tL1RoYXd0ZURWLmNybDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
AwIwMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vb2NzcC50aGF3
dGUuY29tMA0GCSqGSIb3DQEBBQUAA4IBAQC907NzdPhRmm60YVuWvA0bsABUcSN8
0omG6xbUoTJYPRbvzTR1HrdrSJYCHLqfrqZztwr0JfzG6b5catmUkjMUkQ51qIlA
pvs+8phBYpnHt7uAxkZKgoDCAFSeCUl1IvvTqXcEgvPqDXVtMhDX5+5Gya5sXdfM
YlC6pA7FsC4MBortSQhBXEhAro/UR5FRuDcYEFbE/QrQW6kLuU0iwNVhNgaL8ioM
WpYLi7E7s9glP1QUMtqBEEP76bw5G6FfBgRHuReStm/nCRXMJjMuMeVcHOhcdmMh
IwehLLLpQhDV74O4CywcHP/Nn71mc7zsSO6FJnymu5fdMaYyaeWdUiL8
-----END CERTIFICATE-----
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      08:ee:d1:e7:73:5a:3c:f0:e6:9c:c6:f1:c7:8e:a2:8b
    Signature Algorithm: sha1WithRSAEncryption
    Issuer:
      countryName         = US
      organizationName      = Thawte, Inc.
      organizationalUnitName  = Domain Validated SSL
      commonName        = Thawte DV SSL CA
    Validity
      Not Before: Oct 31 00:00:00 2011 GMT
      Not After : Oct 30 23:59:59 2012 GMT
    Subject:
      organizationName      = mail.mydomain.com
      organizationalUnitName  = Go to https://www.thawte.com/repository/index.html
      organizationalUnitName  = Thawte SSL123 certificate
      organizationalUnitName  = Domain Validated
      commonName        = mail.mydomain.com
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (2048 bit)
        Modulus:
          00:bb:bf:59:67:6c:e2:d6:5c:b0:ff:54:6e:a8:19:
          20:0f:58:c4:b3:8f:e4:24:7a:b0:1a:fd:ef:ca:5d:
          5c:ea:c8:9e:68:c6:d4:e7:8a:4f:34:99:da:0d:f6:
          db:ca:f5:74:c1:02:c7:16:1b:5e:4a:c3:21:94:27:
          1d:53:5c:33:ee:62:5e:7f:62:b6:ac:ad:d3:c4:9e:
          39:71:35:02:74:6c:18:ef:e7:32:20:22:2d:b6:27:
          44:2b:76:d8:46:22:e2:26:5f:27:90:47:fa:d1:4c:
          cb:9b:78:ea:9a:da:ba:fc:dc:17:28:8e:3c:39:25:
          d3:9d:ea:c9:68:c1:7b:a4:e5:a5:74:74:86:13:c9:
          3b:8f:fa:22:ec:f1:6e:57:53:d0:dd:8d:8d:7e:dc:
          2e:cb:19:00:32:57:cc:47:64:15:3d:ed:10:1d:0d:
          95:c5:2f:79:04:42:24:e0:cb:96:12:a9:95:2d:3a:
          13:10:bc:61:79:48:52:5e:28:30:76:a0:9d:5a:1f:
          9b:d9:31:ac:f0:85:cb:58:33:18:25:33:10:55:ff:
          f8:16:b2:85:b3:53:bc:b1:12:bd:84:79:76:fc:19:
          75:74:a6:6a:be:90:42:2d:af:67:8b:77:0f:b0:f3:
          f2:b1:cd:07:ce:60:90:b6:89:21:c8:72:64:92:d8:
          e6:5b
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Basic Constraints: critical
        CA:FALSE
      X509v3 CRL Distribution Points:
        Full Name:
          URI:http://svr-dv-crl.thawte.com/ThawteDV.crl
      X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
      Authority Information Access:
        OCSP - URI:http://ocsp.thawte.com
  Signature Algorithm: sha1WithRSAEncryption
    bd:d3:b3:73:74:f8:51:9a:6e:b4:61:5b:96:bc:0d:1b:b0:00:
    54:71:23:7c:d2:89:86:eb:16:d4:a1:32:58:3d:16:ef:cd:34:
    75:1e:b7:6b:48:96:02:1c:ba:9f:ae:a6:73:b7:0a:f4:25:fc:
    c6:e9:be:5c:6a:d9:94:92:33:14:91:0e:75:a8:89:40:a6:fb:
    3e:f2:98:41:62:99:c7:b7:bb:80:c6:46:4a:82:80:c2:00:54:
    9e:09:49:75:22:fb:d3:a9:77:04:82:f3:ea:0d:75:6d:32:10:
    d7:e7:ee:46:c9:ae:6c:5d:d7:cc:62:50:ba:a4:0e:c5:b0:2e:
    0c:06:8a:ed:49:08:41:5c:48:40:ae:8f:d4:47:91:51:b8:37:
    18:10:56:c4:fd:0a:d0:5b:a9:0b:b9:4d:22:c0:d5:61:36:06:
    8b:f2:2a:0c:5a:96:0b:8b:b1:3b:b3:d8:25:3f:54:14:32:da:
    81:10:43:fb:e9:bc:39:1b:a1:5f:06:04:47:b9:17:92:b6:6f:
    e7:09:15:cc:26:33:2e:31:e5:5c:1c:e8:5c:76:63:21:23:07:
    a1:2c:b2:e9:42:10:d5:ef:83:b8:0b:2c:1c:1c:ff:cd:9f:bd:
    66:73:bc:ec:48:ee:85:26:7c:a6:bb:97:dd:31:a6:32:69:e5:
    9d:52:22:fc
                   
[000.812]            Cert NOT VALIDATED: unable to get local issuer certificate
[000.812]            So email is encrypted but the domain is not verified

[000.813]      ssl      : scheme=http cert=34553944
: identity=mail.mydomain.com cn=mail.mydomain.com alt=
[000.813]            Cert Hostname VERIFIED (mail.mydomain.com)
[000.813]      ~~>      EHLO checktls.com
[000.814]      ssl      write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 1890
partial `EHLO checktls.com
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 1893
written so far 19:19 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 2012
[000.979]      ssl      got `250 SIZE 31457280
' (19:0 bytes, VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/debug_read.al) line 1837
[000.979]      <~~      250-mail.mydomain.com
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-DSN
250 SIZE 31457280
[000.980]            TLS successfully started on this server
[000.980]      ~~>      MAIL FROM: <test@checktls.com>
[000.981]      ssl      write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 1890
partial `MAIL FROM:
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 1893
written so far 32:32 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 2012

[001.060]      ssl      got `250 2.1.0 MAIL ok
' (19:0 bytes, VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/debug_read.al) line 1837
[001.061]      <~~      250 2.1.0 MAIL ok
[001.061]            Sender is OK
[001.061]      ~~>      RCPT TO: <jchan@mydomain.com>
[001.062]      ssl      write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 1890
partial `RCPT TO:
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 1893
written so far 35:35 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 2012

[001.143]      ssl      got `250 2.0.0 Ok
' (14:0 bytes, VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/debug_read.al) line 1837
[001.143]      <~~      250 2.0.0 Ok
[001.143]            Recipient OK, E-mail address proofed
[001.144]      ~~>      QUIT
[001.145]      ssl      write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 1890
partial `QUIT
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 1893
written so far 6:6 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 2012
[001.224]      ssl      got `221 2.0.0 Bye
' (15:0 bytes, VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/debug_read.al) line 1837
[001.224]      <~~      221 2.0.0 Bye
[001.228]      ssl      : free ctx 33617352 open=33617352
: free ctx 33617352 callback
: OK free ctx 33617352



Comment
Watch Question

Commented:
Looks like the certificate chain (Intermediate & Root Certificate) missing. open the certificate and click on the certificate path tab and you should see the chain. If the chain is missing then install the missing certificate.
Commented:
To clarify vinsvin a bit:
If your cert is not signed by a well known root cert, then you have to provide one or more certs to link your cert to a well known root cert.  So your cert, from Thawte, is signed by some "intermediate" cert that Thawte has, which is maybe signed by another internediate cert, which is signed by Thawte's well known root cert.
You have to send your cert and all the intermediate certs (just concatenate them together in the cert text file).
What you seem to be sending is your cert twice.  Cert check shows the last cert it checks twice.
For a good example, just run the CheckTLS test against the CheckTLS site -- they use a single intermediate cert.

Author

Commented:
Thanks Everyone,

The x.509 cert required both the root and intermediate certs and the sonicwall es3300 appliance only had a location for one .pem certificate.

Thus we had to combine the root and intermediate certs into 1 cacert.pem file and upload and install it through putty and winscp utilities.

Once that was done we reloaded the rekeyed .pem signing cert and everything is now working correctly.

Thanks for pointing me in the right direction

TheSonicOne
We had the same issue, but used "verisign" Certificate Authority.
Using ES3300 - Had to download the Microsoft SSL vs. Apache, then it worked.
Below kb article from Sonicwall specifies to use Apache, however.
so the Microsoft SSL worked not Apache.  All steps applied until choosing "Apache" pick Microsoft.

https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=10219

Note - Depends possibly on your email server - we are using Microsoft. And there are other requirements of communications on the ES3300. Sonicwall Support did verify these settings as well.