Let's Encrypt - Outlook Office 365 "Target principal name is incorrect"

Hi,

not sure this is the right forum. I installed Let’s Encrypt in a LAMP server. After install, Outlook app 365 for Windows 10 keeps asking me to install the Let’s Encrypt cert every time it starts. Outlook warning runs: “The target principal name is incorrect” and “The server is using a certificate that cannot be verified”. See screenshot from Outlook warning here https://diigo.com/0e6mtj

If I click “yes” to use Let’s Encrypt, it will work without issue. But when I restart Outlook, it will request me to install Let’s Encrypt cert again. Any advice to solve this issue is welcome.

Rgs

IM

I have moved your thread to the “Help” section. You’re obviously asking for help.

In that section, you would have been presented with the following questions. Please answer them as wel as you can:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Hi Osiris,

thank you. Here you have the information:

Comain is: www.aksert.com

I ran this command: no server command, this happens when I start Outlook 365 app in Windows 10

It produced this output: see above

My web server is (include version):

The operating system my web server runs on is (include version): Apache 2.4, 37, PHP 7.3.2

My hosting provider, if applicable, is: Hetzner

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes, CWP Panel 7

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): not using Certbot.

rgs

IM

Hi @itmonitor

how do you use this domain with Outlook app 365 for Windows? There is port 25 open, same with port 465.

The domain has two configuration problems (checked with https://check-your-website.server-daten.de/?q=aksert.com ):

Your certificate has only one domain name:

CN=aksert.com
	10.03.2019
	08.06.2019
expires in 83 days	aksert.com - 1 entry

So if you use www.aksert.com in Outlook the certificate is invalid.

And the server sends the same certificate three times:

Chain - duplicate certificates	
	1	CN=aksert.com
	2	CN=aksert.com
	3	CN=aksert.com
	4	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US

One is enough.

Hi Juergen,

Sorry, my mistake, the emails go through another server: msgserv.com . I reinstalled the Let’s Encrypt certificate and now the Outlook starts without requesting the certificate. The email issue is solved.
I will go now after the aksert.com ssl issue you mentioned in your post. Thanks.

That domain has the wrong certificate, there is cloud.msgserv.com used. But it looks that this domain isn't used, so it's not so relevant.

This subdomain has the same problem:

Chain - duplicate certificates	
	1	CN=cloud.msgserv.com
	
	2	CN=cloud.msgserv.com
	
	3	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US

The certificate is sent two times.

Juergen, thank you for pointing this out. Seems like the CWP SSL install is duplicating them. We are resolving that and I will get back to you for a final check.

Perhaps the tool merges cert.pem and fullchain.pem. But fullchain.pem has already the cert.pem content.

seems like this is a bug at CWP. Thank you for the information, I am contacting them now and I will post here their reply/solution in order to help others with the same issue.

Hallo Jürgen, please, I need your help. Could you try access aksert.com and finefruit.co and also cloud.msgserv.com:2087 and share with me screenshots how your browser display these webpages?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.