TLS handshakes failing: tlsv1 alert unknown ca

tonylorentzen
New user
Posts: 9
Joined: 2017-11-07 16:01

TLS handshakes failing: tlsv1 alert unknown ca

Post by tonylorentzen » 2019-01-02 15:51

Help! Delivery of mail from my spamfilter provider (spamfilter.cc) has stopped working due to the error mentioned in the subject. Since January 1st my spamfilter provider is requiring secure connections and now this seems to have failed.

Running hMailserver v. 5.6.7-B2425 on Windows Server. I checked and the SSL certificate installed is valid.

SSL v3.0, TLS v1.0, 1.1 and 1.2 are enabled, as well as "verify remote server SSL/TLS certificates".

Thanks!

Dravion
Senior user
Posts: 2071
Joined: 2015-09-26 11:50
Location: Germany

Re: TLS handshakes failing: tlsv1 alert unknown ca

Post by Dravion » 2019-01-02 16:36

The company where you purchased your SSL certificate isn't supported anymore.
You need to buy a new SSL certificate from a well-known CA like DigiCert or Verisign, or
you can use a free 90-day renewable SSL certificate from Letsencrypt. Check our Tutorial section; there
are some guides for Letsencrypt if you have no budget, or simply buy a new certificate.

tonylorentzen
New user
Posts: 9
Joined: 2017-11-07 16:01

Re: TLS handshakes failing: tlsv1 alert unknown ca

Post by tonylorentzen » 2019-01-02 17:56

My certificate is up to date - that isn't the issue.

Dravion
Senior user
Posts: 2071
Joined: 2015-09-26 11:50
Location: Germany

Re: TLS handshakes failing: tlsv1 alert unknown ca

Post by Dravion » 2019-01-02 18:00

"unknown CA"

Try to figure it out yourself.

tonylorentzen
New user
Posts: 9
Joined: 2017-11-07 16:01

Re: TLS handshakes failing: tlsv1 alert unknown ca

Post by tonylorentzen » 2019-01-02 18:56

I appreciate your help a lot. I'm using this certificate and it's been working flawlessly up until today. What does this tell you? This is an AlphaSSL certificate issued by GlobalSign. Should be legit, but this site also says there's a problem with it:

https://ssl-tools.net/mailservers/kinema.dk

tonylorentzen
New user
Posts: 9
Joined: 2017-11-07 16:01

Re: TLS handshakes failing: tlsv1 alert unknown ca

Post by tonylorentzen » 2019-01-02 20:55

I just bought and reissued a certificate for my server by RapidSSL, which is issued by DigiCert Inc. Still think this is the problem?

tonylorentzen
New user
Posts: 9
Joined: 2017-11-07 16:01

Re: TLS handshakes failing: tlsv1 alert unknown ca

Post by tonylorentzen » 2019-01-02 21:23

Btw. connection via SSL/TLS works fine between e-mail client and hMailServer. It's a remote spam-service trying to connect to my hMailServer that throws this error. Is the problem maybe with the spam-service?

palinka
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: TLS handshakes failing: tlsv1 alert unknown ca

Post by palinka » 2019-01-02 22:48

When I googled "RapidSSL RSA CA 2018" the first several results all were about installing an intermediate certificate. Do you have a full chain certificate?

tonylorentzen
New user
Posts: 9
Joined: 2017-11-07 16:01

Re: TLS handshakes failing: tlsv1 alert unknown ca

Post by tonylorentzen » 2019-01-02 23:02

You mean, when I open the certificate if I can see the full chain back to the root? Yep: https://www.dropbox.com/s/gqmuldz7popnex9/cert.png

mattg
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: TLS handshakes failing: tlsv1 alert unknown ca

Post by mattg » 2019-01-03 00:08

tonylorentzen wrote (2019-01-02 15:51):
SSL v3.0, TLS v1.0, 1.1 and 1.2 are enabled, as well as "verify remote server SSL/TLS certificates".

SSLv3.0 is broken and should NOT be used.

What happens if you turn off the 'verify remote server SSL/TLS' switch?
(This shouldn't matter, but may depending on how you get mail from spamfilter.cc)

Also, can you show some detailed logs?
I'm not sure how spamfilter.cc works, logs would show us what protocols are being used etc.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

tonylorentzen
New user
Posts: 9
Joined: 2017-11-07 16:01

Re: TLS handshakes failing: tlsv1 alert unknown ca

Post by tonylorentzen » 2019-01-03 00:44

Okay, I figured out from some old logs and through testing with DigiCert's SSL/TLS utility that the problem was that hMailServer wasn't sending the intermediate certificate. This needed to be manually inserted into the normal certificate file, but after the normal domain certificate.
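An added, constructed demonstration of the problem tonylorentzen found (and of palinka's full-chain question), not code from this thread or from hMailServer: it generates a throwaway root/intermediate/leaf chain with openssl, shows that a peer trusting only the root rejects the bare leaf, and checks that a bundle lists the leaf first with its intermediate directly after it. It assumes `openssl` and `awk` are on PATH; every name in it is made up.

```shell
#!/bin/sh
# Constructed demo: build root -> intermediate -> leaf with openssl in a temp dir,
# then check what a peer that trusts only the root makes of what the server presents.
set -e
WORK=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$WORK/ca.ext"
mkcsr() {  # $1 = name, $2 = CN (constructed values)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}
mkcsr root  "Constructed Root CA"
mkcsr inter "Constructed Intermediate CA"
mkcsr leaf  "mail.example.invalid"
# root: self-signed; intermediate: signed by root; leaf: signed by intermediate
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -days 2 -out "$WORK/leaf.pem" 2>/dev/null

split_pem() {  # $1 = PEM file, $2 = dir; writes 1.pem, 2.pem, ... in file order
  awk -v d="$2" '/BEGIN CERT/{n++} {print > (d "/" n ".pem")}' "$1"
}

# A TLS client treats the first presented cert as the server cert and the rest as
# helpers; exit 0 means a peer trusting only our root can build the chain.
chain_verifies() {  # $1 = file holding what the server would present
  d=$(mktemp -d); split_pem "$1" "$d"
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$d/1.pem" >/dev/null 2>&1
}

# Exit 0 when each cert in the bundle is directly followed by its issuer, i.e. the
# leaf comes first and the intermediate after it, as the fix in the thread requires.
bundle_order_ok() {  # $1 = bundle file
  d=$(mktemp -d); split_pem "$1" "$d"
  n=$(ls "$d" | wc -l | tr -d ' '); i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(openssl x509 -in "$d/$i.pem" -noout -issuer -nameopt RFC2253)
    sub=$(openssl x509 -in "$d/$((i + 1)).pem" -noout -subject -nameopt RFC2253)
    [ "${iss#issuer=}" = "${sub#subject=}" ] || return 1
    i=$((i + 1))
  done
  return 0
}

cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/bundle.pem"          # correct order
cat "$WORK/inter.pem" "$WORK/leaf.pem" > "$WORK/bundle_reversed.pem" # wrong order
chain_verifies "$WORK/leaf.pem"   && echo "bare leaf accepted" || echo "bare leaf: issuer unknown"
chain_verifies "$WORK/bundle.pem" && echo "leaf+intermediate bundle accepted"
```

The bare leaf is what hMailServer was sending before the fix; the bundle is the certificate file with the intermediate appended after the domain certificate.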

mattg
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: TLS handshakes failing: tlsv1 alert unknown ca

Post by mattg » 2019-01-03 02:50

So that means that spamfilter.cc was rejecting YOUR certificates.

That's not remotely how I would have imagined the flow of traffic, and honestly the high use of self signed and poorly validated certificates on the world's mail servers would make that service fairly unusable to many people.

I know some countries get that better than others (e.g. the EU seems all over validation of certificates), but here in Australia, some government departments can't get that right.

Thanks for posting back your solution
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Dravion
Senior user
Posts: 2071
Joined: 2015-09-26 11:50
Location: Germany

Re: TLS handshakes failing: tlsv1 alert unknown ca

Post by Dravion » 2019-01-03 08:38

The thing with intermediate certificates is always the same.

Some cheap new SSL CA is licensing the usage of a well-known root CA and acts as an intermediate CA authority, but such an intermediate CA is never independent.

I recommend not using such cheap SSL certificates because you have to fiddle out the chain-of-trust correctness yourself. Before wasting your money on RapidSSL, AlphaSSL or PositiveSSL, just use a free Letsencrypt domain-validated, 90-day renewable SSL certificate and you're good to go.

If you don't like the 90-day renewal cycle of Letsencrypt and you need a sustainable solution, you should buy a Verisign, Digicert, Geotrust or Thawte SSL certificate which covers your smtp.yourdomain.com and imap.yourdomain.com hostnames (yes, you need two SSL certificates, and if you want to cover POP3 as well, for example pop.yourdomain.com, you need at least 3.x SSL certificates).

However, you can also buy a wildcard SSL certificate which covers everything on your domain
(*.yourdomain.com). Such certificates are more expensive, but the advantage is that you can use it for your website's HTTPS requirements too, and you just have to renew one certificate instead of many when your SSL certificate is about to expire.

tonylorentzen
New user
Posts: 9
Joined: 2017-11-07 16:01

Re: TLS handshakes failing: tlsv1 alert unknown ca

Post by tonylorentzen » 2019-01-03 09:56

Dravion, I appreciate your suggestion about Let's Encrypt and I may have a look at it in the future. I actually use it on my webserver through Certify the Web, but this is a dedicated mailserver and I actually have no immediate way of doing what that walk-through suggests. Seems a bit humpty-dumpty the way that it's working, and if I can get my RapidSSL certificate to work then that's all I care about, as it's based on the Digicert authority. If you look closely you'd see that I'm actually using a wildcard certificate for my domain too. The part about merging the certificate and the intermediate certificate into the same file seems a bit counter-intuitive, but apparently some systems want that; some even want the root certificate in there. I'm just glad I figured that out ;-)

Dravion
Senior user
Posts: 2071
Joined: 2015-09-26 11:50
Location: Germany

Re: TLS handshakes failing: tlsv1 alert unknown ca

Post by Dravion » 2019-01-03 10:38

Yeah, some Systems want it because RapidSSL depends on Digicert but IS NOT Digicert.

If you had a real Digicert certificate you wouldn't have to care about the chain of trust and merging it into a bundle at all.
