TLS handshakes failing: tlsv1 alert unknown ca
- New user
- Posts: 9
- Joined: 2017-11-07 16:01
TLS handshakes failing: tlsv1 alert unknown ca
Help! Delivery of mail from my spamfilter provider (spamfilter.cc) has stopped working due to the error mentioned in the subject. Since January 1st my spamfilter provider is requiring secure connections and now this seems to have failed.
Running hMailserver v. 5.6.7-B2425 on Windows Server. I checked and the SSL certificate installed is valid.
SSL v3.0, TLS v1.0 and 1.1 and 1.2 are enabled as well as "verify remote server SSL/TLS certificates".
Thanks!
Re: TLS handshakes failing: tlsv1 alert unknown ca
The Company where you purchased your SSL-Certificate isn't supported anymore.
You need to buy a new SSL-Certificate from a well known CA like DigiCert or Verisign or
you can use a free 90 Days renewable SSL-Certificate from Letsencrypt. Check our Tutorial Section, there
are some Guides for Letsencrypt if you have no budget or simply buy a new Certificate.
Re: TLS handshakes failing: tlsv1 alert unknown ca
My certificate is up to date - that isn't the issue.
Re: TLS handshakes failing: tlsv1 alert unknown ca
"unknown CA"
Try to figure it out yourself.
Re: TLS handshakes failing: tlsv1 alert unknown ca
I appreciate your help a lot. I'm using this certificate and it's been working flawlessly up until today. What does this tell you? This is an AlphaSSL certificate issued by GlobalSign. Should be legit, but this site also says there's a problem with it:
https://ssl-tools.net/mailservers/kinema.dk
Re: TLS handshakes failing: tlsv1 alert unknown ca
I just bought and reissued a certificate for my server by RapidSSL, which is issued by DigiCert Inc. Still think this is the problem?
Re: TLS handshakes failing: tlsv1 alert unknown ca
Btw. connection via SSL/TLS works fine between e-mail client and hMailServer. It's a remote spam-service trying to connect to my hMailServer that throws this error. Is the problem maybe with the spam-service?
Re: TLS handshakes failing: tlsv1 alert unknown ca
When I googled "RapidSSL RSA CA 2018" the first several results all were about installing an intermediate certificate. Do you have a full chain certificate?
Re: TLS handshakes failing: tlsv1 alert unknown ca
You mean, when I open the certificate if I can see the full chain back to the root? Yep: https://www.dropbox.com/s/gqmuldz7popnex9/cert.png
Re: TLS handshakes failing: tlsv1 alert unknown ca
tonylorentzen wrote: ↑2019-01-02 15:51
> SSL v3.0, TLS v1.0 and 1.1 and 1.2 are enabled as well as "verify remote server SSL/TLS certificates".
SSLv3.0 is broken and should NOT be used.
what happens if you turn off the 'verify remote server SSL/TLS' switch?
(This shouldn't matter, but may depending on how you get mail from spamfilter.cc)
Also, can you show some detailed logs?
I'm not sure how spamfilter.cc works, logs would show us what protocols are being used etc.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: TLS handshakes failing: tlsv1 alert unknown ca
Okay, I figured out from some old, old logs and through testing with DigiCert's SSL/TLS utility that the problem was hmailserver wasn't sending the intermediate certificate. This needed to be manually inserted into the normal certificate file, but after the normal domain certificate.
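Why the order in that file mattered, shown by an added Go example (not code from the thread or from hMailServer): it mints a throwaway root, intermediate and server certificate, then verifies the server certificate the way the remote client does, once with a file holding only the domain certificate and once with the intermediate appended after it. The host names and the certificate generator are constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// mkCert issues a throwaway certificate for name, signed by parent (self-signed when parent is nil).
func mkCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { // the root signs itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// pemOf renders one certificate as a PEM block, the unit a server's certificate file is built from.
func pemOf(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) }
// VerifyPresented plays the connecting client: it trusts only root and must build the path from the bundle
// the server sends (first block = the server's own cert); an issuer neither sent nor trusted is "unknown ca".
func VerifyPresented(bundle []byte, root *x509.Certificate, host string) error {
	blk, rest := pem.Decode(bundle)
	leaf, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AppendCertsFromPEM(rest) // only intermediates the server actually sent are usable
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}
// Demo mints root -> intermediate -> leaf and tries the two file layouts from the thread.
func Demo() (leafOnly, leafThenIntermediate error) {
	root, rootKey := mkCert("root-ca.example.test", true, nil, nil)
	inter, interKey := mkCert("intermediate-ca.example.test", true, root, rootKey)
	leaf, _ := mkCert("mail.example.test", false, inter, interKey)
	leafOnly = VerifyPresented(pemOf(leaf), root, "mail.example.test")
	leafThenIntermediate = VerifyPresented(append(pemOf(leaf), pemOf(inter)...), root, "mail.example.test")
	return
}
```

With only the domain certificate in the file the client reports an unknown authority (the OpenSSL peer's "unknown ca" alert); with the intermediate appended after it the chain verifies.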
Re: TLS handshakes failing: tlsv1 alert unknown ca
So that means that spamfilter.cc was rejecting YOUR certificates.
That's not remotely how I would have imagined the flow of traffic, and honestly the high use of self-signed and poorly validated certificates on the world's mail servers would make that service fairly unusable to many people.
I know some countries get that better than others (eg the EU seems all of validation of certificates), but here in Australia, some government departments can't get that right.
Thanks for posting back your solution
Re: TLS handshakes failing: tlsv1 alert unknown ca
The thing with Intermediate Certificates is always the same.
Some cheap new SSL CA is licensing the usage of a well known Root CA and acts as Intermediate CA Authority, but such an Intermediate CA is never independent.
I recommend not to use such cheap SSL Certificates because you have to fiddle out the chain of trust correctness yourself. Before wasting your Money on RapidSSL, AlphaSSL or PositiveSSL, just use a free Letsencrypt domain validated 90 Day renewable SSL-Certificate and you're good to go.
If you don't like the 90 Days renew cycle of Letsencrypt and you need a sustainable Solution, you should buy a Verisign, Digicert, Geotrust or Thawte SSL-Certificate which covers your smtp.yourdomain.com and imap.yourdomain.com Hostnames (yes, you need two SSL-Certificates, and if you want to cover POP3, for example pop.yourdomain.com, you need at least 3 SSL-Certificates).
However, you can also buy a Wildcard SSL-Certificate which covers everything on your Domain
(*.yourdomain.com). Such Certificates are more expensive, but the advantage is you can use it for your Websites' https requirements too, and you just have to renew 1 Certificate instead of many when your SSL-Certificate is about to expire.
Re: TLS handshakes failing: tlsv1 alert unknown ca
Dravion, I appreciate your suggestion about Lets Encrypt and I may have a look at it in the future. I actually use it on my webserver through Certify the Web, but this is a dedicated mailserver and I actually have no immediate way of doing what that walk-through suggests. Seems a bit humpty-dumpty the way that it's working, and if I can get my RapidSSL certificate to work then that's all I care about, as it's based on the Digicert authority. If you look closely you'd see that I'm actually using a wildcard certificate for my domain too. The part about merging the certificate and the intermediate certificate into the same file seems a bit counter-intuitive, but apparently some systems want that - some even want the root certificate in there. I'm just glad I figured that out.
Re: TLS handshakes failing: tlsv1 alert unknown ca
Yeah, some Systems want it because RapidSSL depends on Digicert but IS NOT Digicert.
If you had a real Digicert Certificate you don't have to care about the chain of trust and merging it into a bundle at all.