Exchange Installed Certificate rejected by Android Mail App?


#1

Hi everyone,

I’m using a Let’s Encrypt Certificate to publish our Exchange Server. If I do connect via browser the certificate is validated by the browser without error.

When I do use the Android E-Mail app (I’ve tried Versions 4 to 6.0.1) using ActiveSync (HTTPS based access) the E-Mail app says that it could not connect to the server. When I switch to “accept all certificates” it connects to the server.

The same phone using the browser can connect to the mail server using the Outlook Web Access page and no certificate errors are shown.

The server is using the DNS name mail.beko-group.com. I’ve tried two certificates, one registered directly to mail.beko-group.com and one to portal.beko-group.com with additional names including mail.beko-group.com. Both certificates produce exactly the same behaviour. However, I’ve not found a way to see why the certificate is rejected by the app. So what is wrong here? Does the app not use the phone’s trusted certificate store, or is there a problem with my certificate?


#2

The problem is that the server isn’t sending the intermediate certificate.

You need to send the end entity certificate (which you are already doing), and also the Let’s Encrypt X3 intermediate certificate.

The intermediate certificate, which is cross-signed by Identrust, is what completes the trust chain for your Android devices.
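A way to see for yourself what a server actually sends, as an added example that is not part of this thread: the script below drives the `openssl` command-line tool (assumed to be installed) to fetch the certificates presented during the TLS handshake, then checks that each one is issued by the next and that the chain ends at something the client already trusts. The hostname defaults to mail.beko-group.com from the thread; the trusted-root set is a constructed one containing only the IdenTrust root, spelled the way OpenSSL 1.1 prints it, and must be adapted to the client's root store and to your OpenSSL version's output format.

```python
"""Check whether a TLS server serves a complete certificate chain.

Added example (not from the thread). Requires the `openssl` CLI; the chain
logic itself is pure Python and works on the subject/issuer strings that
`openssl x509` prints.
"""
import re
import subprocess
from typing import List, Set, Tuple

# One PEM block per certificate, in the order the server sent them.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def extract_pems(s_client_output: str) -> List[str]:
    """Pull every PEM certificate block out of `openssl s_client -showcerts` output."""
    return PEM_RE.findall(s_client_output)


def cert_names(pem: str) -> Tuple[str, str]:
    """Return (subject, issuer) of one PEM certificate via `openssl x509`.

    The exact spelling of the names depends on the OpenSSL version, but it is
    consistent within one run, so subject and issuer strings can be compared.
    """
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer"],
        input=pem, capture_output=True, text=True, check=True,
    ).stdout
    subject = issuer = ""
    for line in out.splitlines():
        if line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif line.startswith("issuer="):
            issuer = line[len("issuer="):].strip()
    return subject, issuer


def chain_gaps(names: List[Tuple[str, str]], trusted_roots: Set[str]) -> List[str]:
    """Report why a served chain cannot be built up to a trusted root.

    names[0] is the end-entity certificate; each following certificate must be
    the issuer of the one before it. The chain is complete when the last
    certificate is self-signed or its issuer is in trusted_roots (the subjects
    of the roots the *client* ships). Android ships roots only, so a server
    that sends just the leaf fails exactly as described in the thread.
    """
    problems = []
    if not names:
        return ["server sent no certificates"]
    for i in range(len(names) - 1):
        if names[i][1] != names[i + 1][0]:
            problems.append(
                f"cert {i} is issued by '{names[i][1]}' but the next certificate "
                f"sent is '{names[i + 1][0]}' (chain out of order or a link missing)"
            )
    last_subject, last_issuer = names[-1]
    if last_subject != last_issuer and last_issuer not in trusted_roots:
        problems.append(
            f"chain ends at '{last_subject}', issued by '{last_issuer}', which the "
            f"client does not trust directly: an intermediate certificate is missing"
        )
    return problems


def served_chain(host: str, port: int = 443) -> List[Tuple[str, str]]:
    """Fetch the chain a live server sends (network access required)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", host, "-showcerts"],
        input="", capture_output=True, text=True, timeout=20,
    )
    return [cert_names(pem) for pem in extract_pems(proc.stdout)]


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "mail.beko-group.com"
    # Constructed trust store: only the IdenTrust root that cross-signs the
    # Let's Encrypt X3 intermediate, spelled as OpenSSL 1.1 prints it. Adapt
    # this to the client's root store and your OpenSSL's output format.
    roots = {"O = Digital Signature Trust Co., CN = DST Root CA X3"}
    chain = served_chain(host)
    for i, (subject, issuer) in enumerate(chain):
        print(f"{i}: subject={subject}\n   issuer={issuer}")
    for problem in chain_gaps(chain, roots):
        print("PROBLEM:", problem)
```

Run it as `python3 chaincheck.py mail.beko-group.com`. A server with the problem from this thread prints a single certificate followed by a "chain ends at ..." line; after the intermediate is installed, the second certificate appears and no problems are reported. The browser on the phone hides this difference because it can fetch the missing intermediate itself or has it cached, while the mail app relies only on what the server sends.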


#3

So how do I send the intermediate certificate as well?


#4

I’m afraid I don’t know anything about Exchange or IIS.

I found this article that appears to describe how to do it, but your mileage may vary:

https://support.microsoft.com/en-us/help/954755/how-to-configure-intermediate-certificates-on-a-computer-that-is-runni

The intermediate you need to use is https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt


#5

Our proxy is offloading the SSL request (since the Exchange Server is using certificate from the internal domain itself). Luckily just adding the Intermediate certificate to the proxy store was all that was needed.

Thanks for the help.

