SSL Certificate error since 8.2.2. hostname does not match (Cert error during Mac Assistant Installer)
  •  
eyos

Hi there,

we're using a signed Thawte Cert on our KC 8.2.2 server. We've encountered one issue with 10.9 Mavericks clients. During the Mac Account Configuration a certificate error shows up.

Authentication failed because the server certificate is not trusted....
"This root certificate is not trusted"

As said, we use our signed Thawte certificate, which is activated. We don't have any issue on previous MacOS versions 10.6-10.8.


Why do we receive this error message on 10.9 clients? Why does Kerio search for the domain name instead of the hostname?

Thanks

[Updated on: Sun, 02 February 2014 12:44]

  •  
Pavel Dobry (Kerio)

I guess you need to ask Apple this question.
Is the server certificate with md5 or sha-1 signature? Mavericks does not trust any certificate with md5 signature.

You can also post a screenshot and certificate details to our technical support.

[Updated on: Mon, 20 January 2014 10:49]

  •  
eyos

The Thawte Server certificate uses SHA-1 signature.
  •  
eyos

This issue is not related to 10.9 Mavericks! It also occurs on previous MacOS versions 10.6 - 10.8. As soon as I add a new E-mail Account (IMAP) in Apple Mail the following error shows up:

"The client is trying to connect to example.com but the server presents certificate for domain *.differentdomain.com. Ie. hostname does not match."


Our IP addresses match the hostname and the Thawte SSL cert is still valid. We haven't had any issues so far with SSL authentication. It was working before we upgraded to KC 8.2.2. It looks like Kerio made some changes to the SSL implementation. Why do we receive this error message?

[Updated on: Sun, 02 February 2014 12:33]

  •  
Pavel Dobry (Kerio)

What URL did you use when downloading the tool?
What is the Internet hostname of Kerio Connect?
What is the reverse DNS record for IP address of Kerio Connect?
What is the SSL certificate hostname?
Does it all match?

[Updated on: Sun, 02 February 2014 16:24]

  •  
eyos

Quote:
What URL did you use when downloading the tool?

https://webmail.domain.com/setup/mac

Quote:
What is the Internet hostname of Kerio Connect?


mail.domain.com

Quote:
What is the reverse DNS record for IP address of Kerio Connect?


mail.domain.com

Quote:
What is the SSL certificate hostname?

https://webmail.domain.com

Quote:
Does it all match?

Yes, using the Thawte SSL Checker.


Any idea?
  •  
Pavel Dobry (Kerio)

I guess you need to specify what "example.com" and "differentdomain.com" is.
  •  
eyos

The KC server hosts many domains for different customers. Every customer has its own domain, but of course the KC server only has one internet hostname.

The internet hostname is mail.domain.com
The certificate name is webmail.domain.com which is used during Mac Assistant Configuration.


"The client is trying to connect to domain.com but the server presents certificate for domain *.differentdomain.com. Ie. hostname does not match."


*.differentdomain.com is the Root certificate from our ISP which is NOT CORRECT!
Why doesn't KC resolve webmail.domain.com?
  •  
Pavel Dobry (Kerio)

This is not related to Kerio Connect.
It is Apple Mail's default behavior when configuring new account using a configuration profile. It uses autodiscovery and looks for https://domain.com, which obviously points to your website and not to Kerio Connect server.
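
The mismatch discussed in this thread, as an added example that is not part of the original posts: a Python check of each name a client may contact against the DNS names in the certificate served there. The endpoint-to-certificate table is constructed from the thread's placeholder names and assumes mail.domain.com and webmail.domain.com reach the same listener; the wildcard rule follows RFC 6125.

```python
"""Hostname-vs-certificate audit for the names a mail client may contact."""

def name_matches(pattern, host):
    """RFC 6125-style comparison: case-insensitive, and '*' is honoured only
    as the entire left-most label, where it stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # so '*.domain.com' never covers the bare 'domain.com'
    if p[0] == "*":
        # Conservative choice: require two fixed labels after the wildcard,
        # so a pattern such as '*.com' matches nothing.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_covers(cert_names, host):
    """True if any DNS name in the certificate matches the contacted host."""
    return any(name_matches(n, host) for n in cert_names)

# Constructed sample data: endpoint -> DNS names in the certificate it serves.
SERVED = {
    "webmail.domain.com": ["webmail.domain.com"],  # mail server, CA-signed cert
    "mail.domain.com": ["webmail.domain.com"],     # assumed: same listener
    "domain.com": ["*.differentdomain.com"],       # website hosted at the ISP
}

def audit(hosts, served=SERVED):
    """Map each host the client may try to 'ok', a mismatch, or no endpoint."""
    report = {}
    for host in hosts:
        names = served.get(host)
        if names is None:
            report[host] = "no TLS endpoint known"
        elif cert_covers(names, host):
            report[host] = "ok"
        else:
            report[host] = "mismatch: certificate is for " + ", ".join(names)
    return report

if __name__ == "__main__":
    tried = ["webmail.domain.com", "mail.domain.com",
             "domain.com", "autodiscover.domain.com"]
    for host, verdict in audit(tried).items():
        print(f"{host:26} {verdict}")
```

A checker pointed only at the setup URL's host sees the first row and reports no problem; the warning comes from the autodiscovery lookup against the bare mail domain, which lands on a different server with a different certificate.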
  •  
eyos

Thank you for the reply. So, Autodiscovery is not an optional feature anymore, it's required to properly configure mail clients?

Is it required to use a signed certificate for autodiscover.domain.com?
  •  
Pavel Dobry (Kerio)

eyos wrote on Mon, 03 February 2014 14:47
Thank you for the reply. So, Autodiscovery is not an optional feature anymore, it's required to properly configure mail clients?

Is it required to use a signed certificate for autodiscover.domain.com?


It is a bug in Apple Mail account configuration over Apple configuration profiles.
Working auto-discovery in Apple Mail is not a good thing in this case because it forces Apple Mail to use an EWS account instead of IMAP, which is more stable and more reliable.

So the best solution is to ignore the warning and finish the configuration wizard. It will create an IMAP account in Apple Mail.
  •  
eyos

I see. It's a bug? It was working in MacOS 10.6, 10.7 and 10.8 without showing any certificate error. Since we updated to KC 8.2.2 the certificate error shows up on those older clients.

Really strange. So the only solution is to ignore it?
  •  
Pavel Dobry (Kerio)

Previous Kerio Connect versions did not use configuration profiles. Unfortunately, with Mavericks this is the only reliable option for configuring accounts on OS X (instead of hacking files in OS X).