Cert renewed but Outlook says "nope"


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: (not applicable)

I ran this command: renewed from Plesk plugin

It produced this output: ok

My web server is (include version): apache

The operating system my web server runs on is (include version): CentOS 6.9

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk

A couple of weeks ago a problem updating the cert automatically generated a little problem: all Outlooks began to say “cert not valid…” So I checked and fixed the issue and renewed the cert, but Outlook (versions 2010 and 2016) is still “getting” the old cert. I’ve checked the cert with https://cryptoreport.websecurity.symantec.com/checker/ and it’s correct. What should I do?

Thanks


#2

With Outlook, do you mean e-mail clients? If yes: did you restart your mailserver software after renewing your certificates?


#3

Fill out your main domain as it is applicable

The first test would be to establish a STARTTLS connection to your server and see what certificate is returned

However as per statement - no domain no help :smiley:

Andrei


#4

Server restarted, same problem :S


#5

As I said b4, it is not applicable, and as I said b4 too, I’ve checked it with an external tool from Symantec


#6

Why are you connecting to port 443 for a mail server?

Review Outlook and the protocols it supports

Andrei


#7

I’m not connecting on port 443…


#8

The Symantec tool that you used checks port 443, not port 993.


#9

I will continue this on for learning more than anything else

Let’s have a look at Google’s IMAP service imap.gmail.com

A scan shows us this domain has SMTP, SMTPS (protocols for sending emails)

For receiving emails they only support IMAPS and POPS (secure versions of the protocols). If you read any Google documentation it is in line with this (require ssl needs to be ticked).

https://support.google.com/mail/answer/7126229?hl=en

So now that we know that ports 995 and 993 are open and use secure TLS-based encryption, let’s try to retrieve the certificate using openssl to confirm they are valid (Google certificates)

Andrei


#10

Also, for a mail server you need some kind of IMAP server application which I’m not necessarily sure could be configured by Plesk at all. What IMAP server are you using, and how did you configure it? How did you originally tell it that you had a certificate?


#11

Now I don’t expect you to be an expert or even have openssl installed, understand different protocols etc.

By sharing your domain you would have allowed me, in about 30 seconds, to confirm for you what was wrong and advise you of how to fix the problem.

By sharing the results of your test (helping others) you would also have allowed me to share my knowledge of why you are getting a false positive (you are looking at HTTP protocols, not mail protocols)

There are several things that could be misconfigured

A) If your mail server (not web server) is using multiple protocols, it could be that one of the certificates, for example POPS, has not been updated
B) It could be that you were using a self-signed certificate all along which has now expired

Andrei
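
Added example, not part of the original thread: a Python sketch of the check discussed in posts #8 to #11, fetching the certificate each web and mail port presents and listing the services whose certificate differs from the one on port 443. The `SERVICES` table, the function names and the inclusion of ports 465, 587 and 143 are assumptions of this example; certificate verification is switched off only so that an expired certificate can still be read.

```python
import hashlib
import imaplib
import smtplib
import socket
import ssl
import sys

# service -> (standard port, how TLS starts); names are this example's own
SERVICES = {"https": (443, "implicit"), "smtps": (465, "implicit"),
            "imaps": (993, "implicit"), "pop3s": (995, "implicit"),
            "submission": (587, "smtp"), "imap": (143, "imap")}

def fetch_fingerprint(host, port, mode, timeout=10):
    """SHA-256 fingerprint of the leaf certificate presented on host:port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # inspection only: an expired or mismatched
    ctx.verify_mode = ssl.CERT_NONE  # certificate must still be retrievable
    if mode == "implicit":           # TLS from the first byte (443/465/993/995)
        with socket.create_connection((host, port), timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    elif mode == "smtp":             # plaintext greeting, then STARTTLS
        with smtplib.SMTP(host, port, timeout=timeout) as conn:
            conn.starttls(context=ctx)
            der = conn.sock.getpeercert(binary_form=True)
    else:                            # "imap": plaintext greeting, then STARTTLS
        conn = imaplib.IMAP4(host, port, timeout=timeout)
        conn.starttls(ssl_context=ctx)
        der = conn.sock.getpeercert(binary_form=True)
        conn.logout()
    return hashlib.sha256(der).hexdigest()

def stale_services(fingerprints, reference="https"):
    """Services whose certificate differs from the one on the reference service."""
    ref = fingerprints[reference]
    return sorted(n for n, fp in fingerprints.items() if fp and fp != ref)

if __name__ == "__main__":
    seen = {}
    for name, (port, mode) in SERVICES.items():
        try:
            seen[name] = fetch_fingerprint(sys.argv[1], port, mode)
        except (OSError, imaplib.IMAP4.error):
            seen[name] = None        # port closed or TLS not offered
        print(f"{name:10} {port:4} {seen[name] or 'no TLS service'}")
    print("differs from https:", stale_services(seen) if seen["https"] else "n/a")
```

Run it with the mail server's hostname as the only argument; a service listed under "differs from https" is still serving a certificate other than the one the web server presents.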


#12

I could have also shared a link which would have saved a lot of time

This is similar to what I believe you are observing. It may be that cPanel like Webuzo do not apply new certificates to email servers but only to the web servers.

Andrei

