Problem with SSL certificate

Tenglund

Hi,

I've got a strange problem. Today I got a RapidSSL certificate for our mail server. I created the cert with the intermediate cert according to the guide for Kerio Connect, and it doesn't really work.

We have several domains, and here is what happens when I check with online SSL checker services or any browser:

1. Our main domain, for example "mail.company.com", still uses the self-signed cert for "mail.company.com".
2. The other domains, "mail.company2.com", "mail.company3.com" and so on, respond with the real new cert, but of course the checkers say the domain name does not match.

Any ideas why this is happening? I've not deleted the old self-signed cert, but the "preferred" cert is the new one for "mail.company.com".

I'm running the latest Kerio Connect 9.0.2 on OS X 10.10.5, by the way.

[Updated on: Wed, 06 April 2016 22:52]

Pavel Dobry (Kerio)

Tenglund wrote on Wed, 06 April 2016 22:50
Hi,

I've got a strange problem. Today I got a RapidSSL certificate for our mail server. I created the cert with the intermediate cert according to the guide for Kerio Connect, and it doesn't really work.

We have several domains, and here is what happens when I check with online SSL checker services or any browser:

1. Our main domain, for example "mail.company.com", still uses the self-signed cert for "mail.company.com".
2. The other domains, "mail.company2.com", "mail.company3.com" and so on, respond with the real new cert, but of course the checkers say the domain name does not match.

Any ideas why this is happening? I've not deleted the old self-signed cert, but the "preferred" cert is the new one for "mail.company.com".

I'm running the latest Kerio Connect 9.0.2 on OS X 10.10.5, by the way.


Kerio Connect 9.0.2 supports multiple SSL certificates, and the server chooses the right one based on the hostname. Therefore the "default" SSL certificate is used only when no other one matches the hostname. If a "mail.company.com" certificate is still present in the configuration, it is used.

So the solution is to get a valid server SSL certificate for mail.domain.com, or to delete all certificates you don't want to use from the product configuration.

See http://kb.kerio.com/product/kerio-connect/server-configuration/ssl-certificates/configuring-ssl-certificates-in-kerio-connect-1132.html

[Updated on: Wed, 06 April 2016 23:42]

Tenglund

Thanks!

I understand that all domains could have their own certificate from now on, but I cannot see the problem here.

To be clear, I have a new valid trusted cert for mail.company.com which I've set as default. When I connect to mail.company.com it still uses the old self-signed cert for mail.company.com.

But if I connect to mail.company2.com, which is on the same server but doesn't have its own cert, it uses my new valid cert.

So, is it safe for me to delete the old self-signed cert, or could I end up with no working cert this way?
thowden

Hi

I have recently added and removed SSL certificates without an issue. They are treated independently.

My guess is that the config for your mail.company.com has not been updated with the new certificate because it has a 'current' cert in the self-signed one. Just remove it and you should be OK.

cheers
Tony

www.wrenmaxwell.com.au

Pavel Dobry (Kerio)

Tenglund wrote on Thu, 07 April 2016 08:41

To be clear, I have a new valid trusted cert for mail.company.com which I've set as default. When I connect to mail.company.com it still uses the old self-signed cert for mail.company.com.


Kerio Connect uses any installed certificate with that hostname, with no preference. "Default" means "when no other certificate matches the hostname". In your case, if you don't want that self-signed certificate to be used, remove it from the configuration.
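The selection rule in Pavel's two replies (any installed certificate covering the requested hostname is used, with no preference among several matches; the "default" certificate is only the fallback when nothing matches) is easy to misread, so here is an added example that models it. This is illustration code written for this thread, not Kerio's implementation: the certificate labels, expiry dates, store order and hostnames are made up to reproduce Tenglund's situation, and the `probe` helper is an ordinary stdlib TLS check, not a Kerio feature.

```python
"""Hostname-based (SNI) certificate selection with a 'default' fallback.

Added example, not Kerio code. It models the rule stated in the thread:
any installed certificate whose names cover the requested hostname is
used (no preference among several matches), and the 'default' certificate
is presented only when nothing matches. Labels, dates and the order of
the store are assumptions constructed for the thread's scenario.
"""
import socket
import ssl
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Cert:
    label: str            # as it might appear in the admin console (assumed)
    names: tuple          # subject CN plus SAN dNSName entries
    not_after: date
    self_signed: bool = False


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive; '*' only as the whole leftmost
    label and only against one label ('*.company.com' covers mail.company.com,
    not company.com or a.b.company.com; '*.com' is refused)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[2:]
    first, _, rest = hostname.partition(".")
    return bool(first) and "." in suffix and rest == suffix


def select_cert(installed, default: Cert, sni: Optional[str]) -> Cert:
    """First installed cert covering the SNI name wins, regardless of issuer
    or expiry; the default is only the fallback (also when no SNI is sent)."""
    if sni:
        for cert in installed:
            if any(hostname_matches(n, sni) for n in cert.names):
                return cert
    return default


def browser_warnings(cert: Cert, hostname: str, today: date) -> list:
    """What a client would complain about for the presented certificate."""
    problems = []
    if not any(hostname_matches(n, hostname) for n in cert.names):
        problems.append("name mismatch")
    if cert.self_signed:
        problems.append("untrusted issuer")
    if cert.not_after < today:
        problems.append("expired")
    return problems


# The thread's situation (constructed): an old self-signed cert that was
# installed first, and the new RapidSSL cert set as default.
OLD_SELF_SIGNED = Cert("mail.company.com (self-signed)", ("mail.company.com",),
                       date(2017, 1, 1), self_signed=True)
NEW_RAPIDSSL = Cert("mail.company.com (RapidSSL)", ("mail.company.com",),
                    date(2017, 4, 6))
HOSTS = ("mail.company.com", "mail.company2.com", "mail.company3.com")


def scenario(remove_old: bool, today: date = date(2016, 4, 7)) -> dict:
    """Map each hostname to (label presented, client warnings)."""
    installed = ([] if remove_old else [OLD_SELF_SIGNED]) + [NEW_RAPIDSSL]
    out = {}
    for host in HOSTS:
        chosen = select_cert(installed, NEW_RAPIDSSL, host)
        out[host] = (chosen.label, browser_warnings(chosen, host, today))
    return out


def probe(host: str, port: int = 443, sni: Optional[str] = None) -> tuple:
    """Live check (network; not exercised offline): connect with the given
    SNI name and report either the verified leaf cert or the verifier's
    reason for rejecting it (e.g. 'self signed certificate' or a hostname
    mismatch), which is what the online checkers in the thread showed."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
                return ("ok", tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return ("rejected", exc.verify_message)


if __name__ == "__main__":
    for remove in (False, True):
        print("old self-signed removed" if remove else "old self-signed still installed")
        for host, (label, warns) in scenario(remove).items():
            print(f"  {host:20} -> {label:32} {warns}")
```

Running the module shows exactly what Tenglund saw: while the old self-signed certificate is still installed, mail.company.com gets it (the new one being "default" changes nothing, because a matching certificate exists), while mail.company2.com and mail.company3.com fall through to the default RapidSSL certificate and get a name-mismatch warning. Removing the old certificate fixes the main hostname; the other hostnames still need their own certificates or a SAN/wildcard entry. Note that the model does not skip expired certificates, matching Maerad's point later in the thread that a stale cert covering the hostname keeps being selected until it is removed.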
Tenglund

Yes, I removed the old self-signed cert (after making an export to be able to roll back), and now it works perfectly.

Thanks!
ArthurV

Question to Pavel:
While this is an easy fix, why create confusion?
1. Since the 'Default server certificate' is used/selected by Kerio Connect only when no other certificate (even an expired one!) is available, I suppose it's NOT active when other certificates with matching hostnames or wildcards are available.
2. If so, when would you ever want to use the button 'Set as Default' (it used to be 'Make Active')? What does it do?
3. It seems illogical that an (almost) expired SSL certificate is ranked higher ('active') than the newer replacement certificate ('default', so: not active). This happened on our server after updating Kerio Connect from 8.5.3 to 9.0.2.
4. A request: now that multiple domain certificates are possible (thank you!), can information be added to the Request items in the SSL Certificates interface, so it is clear which Request (CSR) belongs to which domain/certificate key? Or should the 'Request' be removed immediately after the CSR was created?
Maerad

ArthurV wrote on Tue, 19 April 2016 12:10
Question to Pavel:
While this is an easy fix, why create confusion?
1. Since the 'Default server certificate' is used/selected by Kerio Connect only when no other certificate (even an expired one!) is available, I suppose it's NOT active when other certificates with matching hostnames or wildcards are available.
2. If so, when would you ever want to use the button 'Set as Default' (it used to be 'Make Active')? What does it do?
3. It seems illogical that an (almost) expired SSL certificate is ranked higher ('active') than the newer replacement certificate ('default', so: not active). This happened on our server after updating Kerio Connect from 8.5.3 to 9.0.2.


1. The default cert is used if the selected/used hostname matches no other cert. Also, the default cert is NOT selected by Kerio. Under Administration > SSL Cert you can select (if multiple SSL certs are in the list), with a right click, which one is the default.

2. It's basically a fallback system. If you enforce SSL, for example, and your IP/host changes, the cert expires or whatever, you wouldn't be able to connect. And no, an unsecured connection is far less preferable than one with a not-so-optimal cert. :)

3. Why? The cert is NOT expired, so why shouldn't it be used? Same with an expired cert: you could still want to connect with that, because you don't have a new one. An expired cert might get you 200 warnings and can't be authed by others, but in most cases it can still be used. Also, YOU tell the system what to do. Kerio has the same problem as any other programming company: if you restrict the system too much, users complain; if you are too lenient, they also don't like it. You wouldn't believe how many illogical cases I saw in the past that made me facepalm so hard, but there wasn't another way.