Connect. Communicate. Collaborate. Securely.

Home » Kerio User Forums » Kerio Connect » Host Name Mismatch certificate error (moved server to new hardware and upgraded, now clients getting error)
  •  
jcooper

Messages: 65
Karma: 3
Send a private message to this user
Hi,

I recently moved our Kerio 7.4 server from an old XServe running 10.5 to a not-quite-as-old XServe running 10.9, and upgraded to 8.3.

All seems to be working ok, except some users (or maybe they're all getting it but only some are telling me), are getting certificate warnings:

"This certificate is not valid (host name mismatch)."

The IP address is the same, as is the domain.

The name in the sharing System Prefs is different, but does the certificate care about that? I thought they were bound to domains?

The certificate is valid until next year.

I'm having people click continue for now, but I'd like to not be dealing with this for another year until I buy a new cert.

Thanks!

Jeff
  •  
Neil Whiteside (Kerio)

Messages: 318

Karma: 35
Send a private message to this user
Hi jcooper,

The error message indicates a mismatch between the Internet Hostname in Kerio Connect (Webadmin->Configuration->Domains - the Internet Hostname is shown above the list of domains) and the SSL certificate.

The Internet Hostname should also match the server name used in your MX records, too.

Best regards,

Neil.


Knowledge Base: http://kb.kerio.com/.
Looking for technical support? http://www.kerio.com/support
  •  
jcooper

Messages: 65
Karma: 3
Send a private message to this user
That's what I thought. But our hostname is exactly what it was on the old server. Our MX Record is hosted by our ISP, which points it to an address on our firewall. The certificate matches our domain name, not the full subdomain of the server, but it never has, and I didn't start getting the errors until the move.

Thanks,

Jeff
  •  
Neil Whiteside (Kerio)

Messages: 318

Karma: 35
Send a private message to this user
Hi Jeff,

There have been significant changes since Connect 7.4, and I think these issues are as a result.

I'd suggest that you raise this as a support ticket, so that we can assist you more fully.

Best regards,

Neil.

Knowledge Base: http://kb.kerio.com/.
Looking for technical support? http://www.kerio.com/support
  •  
eyos

Messages: 20
Karma: -2
Send a private message to this user
We are getting certificate warnings too using the Mac Account Configuration Assistant. Unfortunately this issue has not been resolved and Kerio closed our Ticket. The Kerio Support recommended that users should just ignore that warnings which is not option.


Do you get these message all the time on Mail startup? Or do get a certificate warning during Account Configuration only?

[Updated on: Wed, 02 July 2014 11:46]

  •  
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
Send a private message to this user
eyos wrote on Tue, 01 July 2014 18:12
We do are getting certificate warnings too using the Mac Account Configuration Assistant. Unfortunately this issue has not been resolved and Kerio closed our Ticket. The Kerio Support recommended that users should just ignore that warnings which is not option.


Do you get these message all the time on Mail startup? Or do get a certificate warning during Account Configuration only?


That's probably because Apple Mail tries to reach autodiscover.<yourdomain>.<com> website over HTTPS and such hostname does exist for your domain but serves an SSL certificate with different hostname. This autodiscovery is Apple Mail feature, which cannot be disabled. Sad

[Updated on: Tue, 01 July 2014 18:23]

  •  
jcooper

Messages: 65
Karma: 3
Send a private message to this user
We seem to be getting them every time unless we "always trust" the certificate. I tried deleting it from my Keychain, rebooted, but I can't get the error back. In fact, the certificate it was complaining about is no longer in my keychain (which makes sense since I deleted it). But it hasn't come back, even after I connected to the the sever via outlook and via web mail. So I'm not sure how to revoke my "trust" to get the error back.

Now, in Entourage, which are getting a repeating error that seems to have to do with the Autodetect that Pavel mentioned, but we only have 1-2 users on it (one's an owner and HATES outlook's interface so refuses to upgrade... what can ya do?). I told him to just click OK; I'm not trouble-shooting something he could upgrade his way out of. I think this is a different issue, though.

Thanks,

Jeff
  •  
eyos

Messages: 20
Karma: -2
Send a private message to this user
Quote:
That's probably because Apple Mail tries to reach autodiscover.<yourdomain>.<com> website over HTTPS and such hostname does exist for your domain but serves an SSL certificate with different hostname. This autodiscovery is Apple Mail feature, which cannot be disabled


No, we don't use a autodiscover DNS record. This behavior also occurs on 10.6, 10.7.10.8 clients. Everytime clients configure their email account they do get certificate warning due to host name mismatch.

@Jeff: Make sure that your signed certificate is set to active. Also try to restart your server so that KC loads the certificate correctly.
  •  
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
Send a private message to this user
[quote title=eyos wrote on Wed, 02 July 2014 12:04]Quote:

No, we don't use a autodiscover DNS record. This behavior also occurs on 10.6, 10.7.10.8 clients. Everytime clients configure their email account they do get certificate warning due to host name mismatch.


Do you have a ticket ID from our eSupport? I would like to review it. Thank you.

[Updated on: Wed, 02 July 2014 12:13]

  •  
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
Send a private message to this user
eyos wrote on Wed, 02 July 2014 12:04

No, we don't use a autodiscover DNS record. This behavior also occurs on 10.6, 10.7.10.8 clients. Everytime clients configure their email account they do get certificate warning due to host name mismatch.


If autodiscover.<yourdomain>.<com> does not exist, the client tries also https://<yourdomain>.<com>. Which does exist in your case and presents a different SSL certificate, not matching the hostname.

[Updated on: Wed, 02 July 2014 13:07]

  •  
jcooper

Messages: 65
Karma: 3
Send a private message to this user
Since updating to 8.3.1 no one has come to be with the certificate problem. Note that I am talking about the "Host Name Mismatch" error, not the warning displayed by Entourage which my research led me to believe is related to autodiscovery.

I have not submitted a ticket yet. I will wait until I get another report of this happening (if I do).

The autodiscovery problem is annoying, but doesn't seem to cause any real issues. If someone knows differently, could you let me know?

Thanks,

Jeff
  •  
itmnetcom

Messages: 3
Karma: 0
Send a private message to this user
Hi,

Was this issue ever resolved? Will getting a wildcard SSL certificate fix the issue?

Thanks!
Previous Topic: Previous Recipients inadvertently syncing across machines
Next Topic: 8.5.2 - AlternateDownloadURL not work now
Goto Forum:
  


Disclaimer:
Kerio discussion forums are intended for open communication between forum members and may contain information and material posted by members which may be useful in learning about Kerio products. The discussion forums are not intended to provide technical support for any specific product. Any information implied or expressed in the discussion forums is that of the posting member. Kerio is in no way responsible for the information posted in the forums, or its accuracy. Kerio employees may participate in the discussions, but their postings do not represent an offical position of the company on any issues raised or discussed. Kerio reserves the right to monitor and maintain the forums to promote free and accurate exchange of information.

Current Time: Sat Aug 19 11:10:41 CEST 2017

Total time taken to generate the page: 0.00516 seconds
.:: Contact :: Home ::.
Powered by: FUDforum 3.0.4.