Certificates for my Epson WF C-5710

My problem: Due to some previous issues with the function Scan to Email, I have reset my Epson. When setting this function up according to the user manual, I get the error message below. After reading the network manual, Epson suggests creating a CSR and sending it to my email providers. Because I have three separate email accounts to check, and did this with all three accounts with the same result, if I follow up on the Epson advice, I have to send all my providers the same CSR. But that seems a bit cumbersome, because I am not the only one who tries to use their CA certificate, am I?

My domain is: outlook.com, disroot.org, and vivaldi.org

I ran this command: Nothing, all done in 'on board' of my Epson, or via IP in random browser. Same settings apply, but easier for the eye.

It produced this output:

The connection is untrusted.
Check the following.

  • CA Certificate

My web server is (include version): Either the SMTP or IMAP version of outlook.com, disroot.org, and vivaldi.org

The operating system my web server runs on is (include version): Unknown

My hosting provider, if applicable, is: Email related, of outlook.com, disroot.org, and vivaldi.org

I can login to a root shell on my machine (yes or no, or I don't know): Does not apply

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Does not apply

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Does not apply

Is there some software that you can update yourself, but the problem persists?: Yes, both the firmware and the Root Certificate, but all are up to date. I have even reset the settings and updated both, "but the problem persists"...

I might be missing something here, but how is this Let's Encrypt related exactly?

I have contacted the users and developers behind Disroot on an XMPP channel, and one of them suggested that I ask my question here. Because Disroot is using Let's Encrypt, thus maybe the necessary certificate is already on your website.

For the rest, I have no clue, thus following up some suggestions...

I see. disroot.org is indeed using a Let's Encrypt certificate. It's configured properly and it's chained up to the DST Root CA X3 root certificate, which should enable secure connections with most devices, even older ones.

outlook.com and vivaldi.org don't use Let's Encrypt certificates. Do you get the error on those domains too? Or only when using disroot.org?

It could be your Epson printer doesn't even trust the widely trusted DST Root CA X3 root certificate, which could lead to this error. Your error might go away if you add the DST Root CA X3 root certificate as a trusted root certificate to your Epson printer. You can find the root certificate on the Chain of Trust - Let's Encrypt documentation page.

Thanks for your very quick reply.

In the meantime I have emailed the Tech Support of Epson, to inquire some more info on this error. Hopefully that will clear something out.

Because it is all quite late here in Europe, I will follow your advice up during this upcoming weekend.

Can you clarify exactly what you're trying to do with the printer? Have it serve you a secure admin web page? Have it send an email to those domains you mentioned?

I am happy to do it again: After setting up the function Scan to Email, I get the error message that the CA certificate is untrusted.

Thus, although I have set things up according to both the manuals of Epson, and my email providers, I get the CA certificate error.

According to the software of Epson, both the firmware (CU04KC) and Root certificate (02.02) are up to date...

I guess what @petercooperjr is trying to find out is what your printer is actually doing. For example, you've previously stated three domain names, but haven't told us how those domain names are directly relevant. I'm deducing you're sending e-mails from your Epson printer to e-mail addresses of those domains? And therefore, your printer tries to connect to the MX record of those domains through TLS, but fails at one or more of those domains, right? (Probably only disroot.org.)

By the way, not directly related to your current issue (but might "fix" it): personally I would never let my printer contact the mailservers of the recipient directly. IMO there's too much chance a device such as a printer messes the e-mail up in such a way the receiving mailserver would mark it as spam or worse. Perhaps the printer software doesn't use a header correctly. Perhaps it has a little bug somewhere, which leads to a spamfilter tagging the e-mail as spam. Personally I would always put a self-hosted relay between the printer and the rest of the internet. However, that's of course not something everybody is able to do.

And I guess I wasn't expecting that a printer would be trying to deliver mail to MX records directly. (That possibility just never occurred to me until you suggested it.) I know my printer (not Epson) wants a mail server to use to send emails. I was guessing that this was an issue with trying to configure it to connect to their own mail server, but maybe it's supposed to connect to a server Epson runs?

[My printer doesn't support TLS greater than 1.0; nor does it support connecting to mail servers using elliptic curve certificates, so I just stopped using its "email me when out of toner" features entirely. It's only a few years old, but somehow having up-to-date use of network protocols just doesn't seem to be a thing the manufacturers care about. At least it supports IPv6, so that's something, I guess. Hopefully your printer has better TLS support than mine.]

Hum, that kind of knowledge do I not possess.

But what I do know, I have used standard settings of both IMAP and SMTP for Outlook.com, Vivaldi.net and Disroot.org. From Disroot.org:

IMAP-Server : disroot.org
SSL-Port : 993
Authentifizierung : Passwort, normal

SMTP-Server : disroot.org
STARTTLS Port : 587
Authentifizierung : Passwort, normal

POP3-Server : disroot.org
SSL-Port : 995
Authentifizierung : Passwort, normal

But back to your questions:

Just using the function Scan to Email on the Printer itself. Thus nothing with secure admin web and such, just the function of the printer itself.

Because I am just trying to get the function Scan to Email working on my Epson, I have no clue what the printer is trying to do 'behind its screens'. What I know is that I have to give these settings to the printer (see above), but I got this error:

The connection is untrusted.
Check the following.

  • CA Certificate

Outlook, Vivaldi and Disroot are related, because I have tried to set up Scan to Email with these three email accounts, each first with IMAP and then with SMTP. But I get that error each time.

Thanks, I will give that a try, after I can get Scan to Email working like it should be...

Although I do understand what you are saying, I barely understand what my Epson is trying to do:
It is trying to connect with my email account, just to send an email. Not to read, or store other emails, just to send them (I truly hope). But I do not succeed in it, because of a CA Certificate error...

I just received a reply of the Tech Support of Epson:

Thank you for your email

You are correct that is exactly what you should be doing.

Here you find more information

https://files.support.epson.com/docid/cpd5/cpd56275/source/administrator_guides/source/web_config/tasks/sct3170_5470/obtaining_importing_certificate_sct3170_5470.html

If you do not want to do this you can try epsonconnect.com and use that to scan to email

Thus what I do is correct and according to their manuals, but I -as an individual- have to send my CSR to my email provider, and ask them to create a CA certificate. But then those providers will get these kinds of requests from every Epson user, which is quite cumbersome...

What are your opinions about this CA-certificate request?

Weird and not related to Let's Encrypt. I have a feeling Epson support doesn't know what they're saying.

As I understand correctly, you're letting your Epson printer behave as a mail user agent (MUA), sending scanned files to an e-mail address. And you're using the three listed domains above. As an MUA, it just needs to establish a relatively "simple" TLS connection, just like your web browser would when connecting to any HTTPS website. It doesn't require any fancy thing like "client authentication" which would require a client certificate installed on the printer. It could however miss the DST Root CA X3 root certificate used by one of your domains.

Can you confirm that you're not having issues with your Outlook account and vivaldi.org-account?

Thanks again for your quick reply.

[quote="Osiris, post:11, topic:147765"]
Weird and not related to Let's Encrypt. I have a feeling Epson support doesn't know what they're saying. [/quote]

True...

I think you are right, that is indeed what I think my printer is trying to do, but in more technical terms.

True, I can send email from either of these to another, and to others too. Just to test it, I have just added the two remaining email addresses to my account. I have received the confirmation request on both email addresses, have both of them verified and I got an update on my primary email addresses.

Thus the bottom line is: everything is working like it should, except Epson...

Therefore I have asked the company where I bought my Epson from, if they have encountered something similar, but they did not. Even more, they find it weird too, that I have to do all this to have a mass-function like Scan to Email get working.

They have suggested that I can send my Epson back to them instead, and they will sort things out. Long live the long European warranty...

P.S. this weird make-up is done by breaking a quote with [/quote], reacting to what is quoted, and continuing the quote with [quote]. Thus a bug in this forum software?

I actually meant if your Epson "Scan to email" worked with those domains.

Nope, because when I try to verify that connection, I got that error message:

The connection is untrusted.
Check the following.

  • CA Certificate

OK, now I don't understand it any longer. I have absolutely NO clue how those three domains mentioned in your first post fit in your Epson. I have no clue what you're actually setting up in your Epson: which menu, which function.

So to verify again, but this time more broadly: your Epson "Scan to e-mail" doesn't work for EITHER three of those domains, of which TWO are not related to Let's Encrypt in any way? I.e., you also can't scan to an outlook.com e-mail address?

If that's the case, this Community (which is rather Let's Encrypt specific) can't help you.

Indeed, these are all true...

In short: the Scan to Email requires establishing an MUA connection. That connection fails, because

The connection is untrusted.
Check the following.

  • CA Certificate

All the settings that I have set and the things that I have done, are according to both the user and network manual of the Epson printer. Even the tech support has verified that I have to create a CSR, send it to my providers, to receive a unique CA certificate to get this function Scan to Email through an MUA working....

If you can't establish a Scan to E-mail-feature to an address using outlook.com or vivaldi.org, both NOT using Let's Encrypt certificates, then it's not a Let's Encrypt related problem and this Community most likely isn't the correct place to ask for help.

This is by the way something I asked yesterday already (see my second post), but didn't receive an answer to.

Thanks for your helpful replies. I have missed that question, sorry for that. But it seems indeed that it is not a Let's Encrypt related problem, because it is related to the Epson software...

Anyhows, thanks again and have a nice weekend...

Good luck. I'm wondering what the issue could be. Using a CSR is in my opinion not the correct way to go, as your printer is simply being used as a mail client.

Like I said earlier, you might use a relay mail server set up by yourself in your own network. That way you could set up your Epson -> mail relay without TLS (it's on your own network and I assume it's safe to use without TLS) and let the relay do all the TLS stuff and send it to the mailservers of your account(s).

To be true, I would like to have this enabled, so that I just have to scan a document and have it sent in plain text, without using my computer.

When all things work as they should, I will try to figure out a better way to do this... Any suggestion how to proceed on that? To "use a relay mail server set up by yourself in your own network"?

Oh, and I will post any updates here too. Because there is no solution yet...
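
The relay suggested in the thread, sketched as an added example that is not from any poster in the thread: a Postfix `main.cf` for a small relay on the home network that accepts plain SMTP only from the printer and forwards over certificate-verified TLS to the provider's submission port. The choice of Postfix, the addresses 192.0.2.10 (relay) and 192.0.2.50 (printer), and the file paths are assumptions; `disroot.org` on port 587 is the setting quoted earlier in the thread.

```ini
# /etc/postfix/main.cf (constructed example; adjust addresses and paths)
# Note: main.cf comments must be on their own line, never after a value.

# --- Inbound side: the printer talks plain SMTP to the relay ---
# Listen only on the relay's LAN address and loopback, not on every interface.
inet_interfaces = 192.0.2.10, 127.0.0.1
# Only the printer (and the relay itself) may hand mail to this server.
# Anything broader risks turning the box into an open relay.
mynetworks = 127.0.0.0/8, 192.0.2.50/32
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
# The relay delivers nothing locally; everything is forwarded upstream.
mydestination =

# --- Outbound side: the relay does the TLS the printer cannot ---
# Brackets disable the MX lookup; 587 is the STARTTLS submission port.
relayhost = [disroot.org]:587
# "secure" refuses to send unless the server certificate chains to a
# trusted root AND matches the relayhost name. "may" would silently
# fall back to cleartext, which defeats the purpose of the relay.
smtp_tls_security_level = secure
# The relay's own, regularly updated CA bundle (Debian/Ubuntu path assumed).
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Log TLS session details so handshake or trust failures show up in mail.log.
smtp_tls_loglevel = 1

# --- Authentication to the provider ---
smtp_sasl_auth_enable = yes
# The map file holds one line, for example:
#   [disroot.org]:587 USERNAME:PASSWORD
# Then: chmod 600 /etc/postfix/sasl_passwd && postmap /etc/postfix/sasl_passwd
# (hash: is assumed to be available; some distributions ship lmdb: instead.)
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Never authenticate anonymously, and only send credentials over TLS.
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
```

On the printer, the SMTP server is then set to the relay's address on port 25 with no encryption and no authentication; the certificate check happens on the relay, whose trust store can be kept current independently of the printer firmware.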