Let's Encrypt expire error message


#1

My customer is a WINDOWS shop with an Exchange 2010 environment. He has several thousand users. For some reason a couple of his Windows PCs are getting popup errors in Outlook that his “Let’s Encrypt” 3 month cert has expired. He has NO idea why these machines even have this certificate installed. They are just Windows machines and only a few of them. He cannot remove them! He deletes them, he even made a new profile, but the popup expired error comes back. Why does he have these certs at all? They are not from Exchange and he does not know why these PCs have the certs or how to make them delete. Please advise.


#2

Hi @mwc2767

Without knowing your domain, it’s impossible to say anything.


#3

Hi @mwc2767,

Certificate errors warn users that the certificate on the server is expired. The certificate isn’t “installed” on the client, but is presented by the server to the client when the client initiates a connection. (A somewhat frustrating recent forum thread in which various community members attempt to explain this issue is found at “Let’s Encrypt got on my iphone without my permission”, in case you’re unclear on the overall concept that the certificate isn’t “installed” on the client device but rather provided by the server. However, if you accept this, there’s no benefit to reading that other thread.)

As @JuergenAuer says, we likely can’t diagnose this problem without knowing the real domain name.

The most likely interpretation is that the clients are configured to use some kind of TLS service such as SMTPS, IMAPS, or similar, pointed at a server which is using an expired Let’s Encrypt certificate which needs to be renewed.

If you don’t want to share the domain name but want us to speculate on this, although it will be much more difficult and annoying, please at least provide screenshots of the actual Outlook error as well as screenshots of the Outlook configuration on an affected machine.


#4

Ok. That makes sense to me. I have let the contact know that it would be helpful to share the domain, he asked me not to so far. I appreciate your response. I let him know it might be helpful to share the domain. I did look at the thumbprint and it does not match anything on his Exchange servers.
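
As an added example (not part of the original thread), the check discussed in posts #3 and #4 can be run from PowerShell on an affected PC: connect to each server named in the Outlook account settings, read the certificate that server presents, and compare its issuer, expiry date and thumbprint with the one shown in the popup. The host names and ports are placeholders, the function name is hypothetical, and only implicit-TLS ports are handled (no STARTTLS).

```powershell
# Added example: host names and ports below are placeholders, not values from the thread.
function Get-PresentedCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever the server sends so an expired certificate can still be read.
        # This callback is for inspection only; nothing is sent over the connection.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            [pscustomobject]@{
                Endpoint   = "${HostName}:$Port"
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                Expired    = ($cert.NotAfter -lt (Get-Date))
                Thumbprint = $cert.Thumbprint
            }
        }
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Close() }
}

# Placeholder endpoints: replace with every server listed in the affected Outlook profile.
$endpoints = @(
    @{ HostName = 'mail.example.com'; Port = 443 },   # HTTPS
    @{ HostName = 'imap.example.com'; Port = 993 },   # IMAPS
    @{ HostName = 'smtp.example.com'; Port = 465 }    # SMTPS
)

foreach ($e in $endpoints) {
    try   { Get-PresentedCertificate @e }
    catch { Write-Warning "$($e.HostName):$($e.Port) - $($_.Exception.Message)" }
}
```

An endpoint whose `Thumbprint` matches the popup and whose `Expired` value is `True` is the server that needs its certificate renewed; running `Get-ChildItem Cert:\LocalMachine\My` on a server lists the thumbprints installed there for comparison.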


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.