SBS2011 failing PCI scan - SSL Certificate Cannot Be Trusted

Posted on 2014-01-30
Last Modified: 2014-01-31
Hi Experts

I have purchased a GoDaddy cert and installed it via the SBS Console wizard; however, the PCI scan is failing. If I hit https://remote.DOMAINNAME.co.uk the chain is valid. Is this something to do with Exchange, as it's port 25?
Protocol: TCP
Port: 25
Program: SMTP
Description: SSL Certificate Cannot Be Trusted
Synopsis: The SSL certificate for this service cannot be trusted.

Impact: The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.

First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.

Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.

Third, the certificate chain may contain a signature that either didn't match the certificate's information, or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that SecurityMetrics either does not support or does not recognize.

If the remote host is a public host in production, any break in the chain nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host.

Data Received: The following certificate was at the top of the certificate chain sent by the remote host, but is signed by an unknown certificate authority:
|-Subject : CN=remote.DOMAINNAME.co.uk
|-Issuer  : CN=CUSTOMER-SERVERNAME-CA

Resolution: Purchase or generate a proper certificate for this service.

Risk Factor: Medium / CVSS2 Base Score: 6.4

Thanks
Question by:George-
6 Comments

Expert Comment

by:Olaf De Ceuster
ID: 39820309
Try the Fix My Network wizard in the SBS console first.

Did you use the SSL wizard to get the certificate?
Just do it again and rekey it in the GoDaddy SSL panel. When asked if you have the cert, just say you need more time and finish the wizard.
When approved, download the Exchange 2010 option for import, then open the wizard again to import it.
Hope that helps,
Olaf

Expert Comment

by:cristiantm
ID: 39820317
What is most probably happening is that the SMTP server is not sending the intermediate certificate, and therefore the scanner cannot find a trust path from the server certificate to a trusted anchor.

Let me detail this a little. Usually a certificate is issued by an intermediate certification authority, and this intermediate certification authority has a certificate that is issued by a root certification authority. To verify a certificate, you need to have the full "chain" of certificates, from the server to a root CA. Then you verify the server certificate using the intermediate CA certificate, and the intermediate CA certificate using the root CA certificate, and finally check whether the root CA certificate is trusted on your computer.

The last message says that the top certificate received is the server certificate (CN=remote.DOMAINNAME.co.uk, Issuer: CN=CUSTOMER-SERVERNAME-CA) and the issuer of this certificate (an intermediate certificate) is unknown. That's normal, because intermediate certificates should not have to be previously known to the client; the server should send this certificate. The client only needs to already know root CAs. So what you need to do is set up your server to send the intermediate certificate. I'm not sure how to do this on your software, but I hope you can find that, or another expert can complement the answer with that info.
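The script below is an added example, not code from the thread or from the scanning vendor. It reproduces from the outside what the scan text describes: connect to port 25, negotiate STARTTLS, capture the chain the SMTP service actually presents, and sort the result into the three failure modes the scanner lists (unknown top of chain or missing intermediate, validity dates, bad signature). Two practitioner caveats: run it from a machine that is not a member of the SBS domain, because domain members are given the SBS internal CA as a trusted root and would see the same chain as valid; and note that the issuer in the scan output, CN=CUSTOMER-SERVERNAME-CA, follows the naming of the SBS server's own internal CA rather than a GoDaddy intermediate, so the report distinguishes "self-signed or internal-CA top of chain" from "issued by a public intermediate that was not sent". The server name, port and EHLO name are placeholders/assumptions.

```powershell
# Added example, not code from the thread or from the scanning vendor.
# Connects to an SMTP service, negotiates STARTTLS and reports the chain the
# server actually presents, sorted into the three failure modes the scan text
# describes. Server name, port and EHLO name are placeholders.
function Get-SmtpTlsChainReport {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 25,
        [string]$HeloName = 'scanner.example.invalid'   # assumed; any FQDN works
    )

    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $net    = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($net)
    $writer = New-Object System.IO.StreamWriter($net)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # SMTP replies can span several lines; "250-" lines are continuations,
    # "250 " (space) is the last line of the reply.
    $readReply = {
        do { $line = $reader.ReadLine() } while ($line -match '^\d{3}-')
        $line
    }

    $banner = & $readReply
    if ($banner -notmatch '^220') { throw "Unexpected banner: $banner" }
    $writer.WriteLine("EHLO $HeloName")
    if ((& $readReply) -notmatch '^250') { throw 'EHLO rejected' }
    $writer.WriteLine('STARTTLS')
    $reply = & $readReply
    if ($reply -notmatch '^220') { throw "STARTTLS refused: $reply" }

    # Accept any chain so the handshake completes; what we want is the chain
    # status, not an exception. Only subject/issuer/dates are copied out.
    $script:smtpChainReport = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $elements = @()
        foreach ($e in $chain.ChainElements) {
            $elements += New-Object PSObject -Property @{
                Subject   = $e.Certificate.Subject
                Issuer    = $e.Certificate.Issuer
                NotBefore = $e.Certificate.NotBefore
                NotAfter  = $e.Certificate.NotAfter
            }
        }
        $script:smtpChainReport = New-Object PSObject -Property @{
            PolicyErrors = $sslPolicyErrors.ToString()
            ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
            Chain        = $elements
        }
        return $true
    }

    $ssl = New-Object System.Net.Security.SslStream($net, $false, $callback)
    try     { $ssl.AuthenticateAsClient($Server) }
    finally { $client.Close() }

    $r       = $script:smtpChainReport
    $status  = @($r.ChainStatus)
    $chain   = @($r.Chain)
    $verdict = @()
    # Mode 1: top of the chain is self-signed/unknown, or an intermediate is missing.
    if ($status -contains 'UntrustedRoot' -or $status -contains 'PartialChain') {
        $top = $chain[$chain.Count - 1]
        if ($top.Subject -eq $top.Issuer) {
            $verdict += 'mode 1: chain ends in a self-signed certificate that is not a trusted root'
        } else {
            $verdict += "mode 1: chain stops at a certificate issued by '$($top.Issuer)', which was neither sent by the server nor found locally"
        }
    }
    # Mode 2: a certificate in the chain is outside its notBefore/notAfter window.
    if ($status -contains 'NotTimeValid' -or $status -contains 'NotTimeNested') {
        $verdict += 'mode 2: a certificate in the chain is not valid at this time'
    }
    # Mode 3: a signature in the chain did not verify.
    if ($status -contains 'NotSignatureValid') {
        $verdict += 'mode 3: a signature in the chain does not verify'
    }
    if ($verdict.Count -eq 0) { $verdict += 'chain builds to a trusted root' }

    New-Object PSObject -Property @{
        Server       = "${Server}:$Port"
        PolicyErrors = $r.PolicyErrors
        ChainStatus  = $status
        Chain        = $chain
        Verdict      = $verdict
    }
}

# Run from a host outside the SBS domain (domain members trust the internal CA).
$report = Get-SmtpTlsChainReport -Server 'remote.DOMAINNAME.co.uk'
$report | Format-List Server, Verdict, ChainStatus, PolicyErrors
$report.Chain | Format-Table Subject, Issuer, NotBefore, NotAfter -AutoSize
```

Reading the output: if the only chain element is the remote.DOMAINNAME.co.uk certificate with issuer CN=CUSTOMER-SERVERNAME-CA, the SMTP service is not presenting the GoDaddy certificate on port 25 at all, whatever the HTTPS site shows; if the element is issued by a Go Daddy CA name and the status is PartialChain, the certificate is in use but the intermediate is not being sent.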

Author Comment

by:George-
ID: 39820417
Hi Olaf

I ran the SBS wizard to Add a Trusted Certificate.

Should it be the Exchange 2010 I download?  I thought it should be IIS7 for SBS2011?

I've also done some more reading and it looks like with GoDaddy I need to install an intermediate certificate. If I install the intermediate as below, will I need to reimport the trusted cert from GoDaddy?

http://sbs.seandaniel.com/2009/02/installing-godaddy-standard-ssl.html

Thanks

Accepted Solution

by: Olaf De Ceuster (earned 1500 total points)
ID: 39822056
I have never had to use the intermediate at all.
I just import the final cert.
I always use the Exchange one.
Hope that helps,
Olaf
The support at GoDaddy has always been 100%, or "number one" as we say in Vanuatu, if you get stuck.
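The accepted answer imports the Exchange-format download and relies on the SBS wizard to bind it. What the thread never shows is how to confirm, on the server, which certificate Exchange has bound to SMTP and whether the issuing CA certificate is where Windows looks for it. The following is an added example, not the thread's own steps, for the Exchange Management Shell on the SBS 2011 server: it lists the certificates Exchange knows with their service bindings, checks the Intermediate Certification Authorities store that Schannel uses to complete the chain it sends to clients, and binds a chosen thumbprint to SMTP. Cmdlet names are Exchange 2010's; the property names (Services, IsSelfSigned, RootCAType, Status) are what Get-ExchangeCertificate reports in that version, and the issuer pattern and thumbprint are placeholders. The Receive connector check at the end is also not from the thread.

```powershell
# Added example, not steps from the thread. Run in the Exchange Management
# Shell on the SBS 2011 server. Property names (Services, IsSelfSigned,
# RootCAType, Status) are those Get-ExchangeCertificate reports in Exchange
# 2010; the issuer pattern and thumbprint are placeholders.

function Get-SmtpCertificateStatus {
    # One row per certificate Exchange knows about; the row with BoundToSmtp
    # = True is the one port 25 presents. If its Issuer is the server's own CA
    # (the "<SERVERNAME>-CA" name SBS generates), the GoDaddy cert is not in use.
    Get-ExchangeCertificate | ForEach-Object {
        New-Object PSObject -Property @{
            Thumbprint  = $_.Thumbprint
            Subject     = $_.Subject
            Issuer      = $_.Issuer
            Services    = $_.Services.ToString()      # e.g. "IIS, SMTP"
            BoundToSmtp = [bool]($_.Services.ToString() -match 'SMTP')
            SelfSigned  = $_.IsSelfSigned
            RootCAType  = $_.RootCAType.ToString()    # ThirdParty = chains to a public root
            Status      = $_.Status.ToString()        # Valid, Untrusted, Invalid, ...
            NotAfter    = $_.NotAfter
        }
    } | Sort-Object BoundToSmtp -Descending
}

function Test-IntermediateInStore {
    # Schannel completes the chain it sends to clients from the machine's
    # Intermediate Certification Authorities store (Cert:\LocalMachine\CA).
    # If the issuing CA's certificate is not there, clients receive only the
    # server certificate and would have to already know the issuer, which is
    # the missing-intermediate case in the scan text.
    param([string]$IssuerPattern = 'Go Daddy')   # assumed: substring of the GoDaddy CA names
    $hits = @(Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Subject -match $IssuerPattern })
    if ($hits.Count -eq 0) {
        Write-Warning "No intermediate matching '$IssuerPattern' in Cert:\LocalMachine\CA; import the CA bundle from the GoDaddy download into that store"
    }
    $hits | Select-Object Subject, Issuer, NotAfter, Thumbprint
}

function Set-SmtpCertificate {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    # Adds SMTP to whatever services the certificate already serves (IIS etc.).
    # Exchange asks whether to overwrite the existing default SMTP certificate;
    # answer Yes, otherwise the self-signed one keeps being used.
    Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services SMTP
    # Exchange chooses the STARTTLS certificate per Receive connector by
    # matching the connector Fqdn against the names in the certificate, so a
    # connector whose Fqdn is the internal server name selects the certificate
    # carrying that name, typically the self-signed one. Review these after binding.
    Get-ReceiveConnector | Select-Object Name, Fqdn, Bindings
}

Get-SmtpCertificateStatus |
    Format-Table Thumbprint, Subject, Issuer, Services, RootCAType, Status, NotAfter -AutoSize
Test-IntermediateInStore
# Set-SmtpCertificate -Thumbprint '<thumbprint of the GoDaddy-issued remote.DOMAINNAME.co.uk certificate>'
```

If the first table shows the SMTP-bound certificate with Issuer CN=CUSTOMER-SERVERNAME-CA (as in the scan output) rather than a GoDaddy issuer, rebinding the GoDaddy thumbprint with Set-SmtpCertificate is the fix; if the GoDaddy certificate is already bound but Test-IntermediateInStore warns, import the intermediate from the GoDaddy download into the Intermediate Certification Authorities store and re-run the scan.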

Author Comment

by:George-
ID: 39823422
Hi Olaf

I phoned GoDaddy support and they said they had nobody who could help with installing the cert in SBS.

I ran the scan again and it passed.  The only change I made was on the router for something else that was failing.

Thanks anyway; I will close the question and pass you the points, as if it fails again I will create a new cert and download the Exchange version.

Cheers

Expert Comment

by:Olaf De Ceuster
ID: 39823462
Thanks and good luck.
Olaf