Outlook - The target principal name is incorrect

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hattertech.com

I ran this command: certbot certonly --standalone -d hattertech.com -d mail.hattertech.com

It produced this output:

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/mail.hattertech.com.conf)

What would you like to do?


1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/mail.hattertech.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/mail.hattertech.com/privkey.pem
    Your cert will expire on 2021-04-17. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version): (NA)

The operating system my web server runs on is (include version): Ubuntu 18.04.5 LTS

My hosting provider, if applicable, is: Self.

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

In Outlook 2013 I keep getting "The target principal name is incorrect". Viewing the cert from Outlook shows:

Issued To: ubn004
Issued By: ubn004

This is the actual hostname the server postfix runs on.

Web searches suggest changing the SMTP server in Outlook to whatever the "Issued By" on the cert says. Clearly that is not an option because the SMTP server is "mail.hattertech.com".

How can I get certbot to change the issued to / issued by? Or am I completely off base here?


Did you actually install the certificate? With certonly, certbot only gets you a certificate.


I did it with an install, and used a vhost of mail.hattertech.com.

Same problem.


That sounds like Apache or nginx, it doesn't sound like Postfix. It seems your Postfix is successfully using the Let's Encrypt certificate on port 25 and port 587 for SMTP with STARTTLS. I don't see the ubn004 certificate.


It is. It's just Outlook that is squealing about the issuer (and thanks for helping! :) )


What protocol is Outlook using? And on which port?

Ah, I'm guessing you're also using POP3 on port 110. That one is presenting the ubn004 certificate. That's Dovecot by the way, not Postfix.


Hmm ... it looks like this is happening on the pop3s call (995). Maybe I need to do something with Dovecot.


Thanks man! Let me try fixing dovecot ...


Every service you want the certificate to use needs to know about the certificate. Certbot can only install the certificate automatically for Apache and nginx.


Fixed it! And thanks a million! :)

I changed:

ssl_cert
ssl_key

in dovecot's 10-ssl.conf.txt
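
A check for the situation diagnosed in this thread, where Postfix (ports 25 and 587) and Dovecot (ports 110 and 995) presented different certificates. This is an added example, not code from any poster; the port-to-protocol map and the function names `probe` and `rejected_ports` are assumptions. It verifies each listener the way a strict client such as Outlook does and reports which ports fail.

```python
import poplib
import smtplib
import socket
import ssl

# Assumed mapping of the ports named in the thread to how TLS is started.
LISTENERS = {25: "smtp", 587: "smtp", 110: "pop3", 995: "tls"}

def probe(host, port, mode, timeout=10):
    """Return 'ok' if the listener's certificate verifies for host, else the reason."""
    ctx = ssl.create_default_context()  # system trust store plus hostname check
    try:
        if mode == "smtp":  # plain connection upgraded with STARTTLS
            s = smtplib.SMTP(host, port, timeout=timeout)
            try:
                s.starttls(context=ctx)
            finally:
                s.close()
        elif mode == "pop3":  # plain connection upgraded with STLS
            c = poplib.POP3(host, port, timeout=timeout)
            try:
                c.stls(context=ctx)
            finally:
                c.close()
        else:  # implicit TLS, e.g. pop3s on 995
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    pass
        return "ok"
    except ssl.SSLCertVerificationError as e:  # must precede OSError (its parent)
        return "cert rejected: " + e.verify_message
    except (OSError, smtplib.SMTPException, poplib.error_proto) as e:
        return "no TLS result: %s" % e

def rejected_ports(results):
    """Ports whose certificate failed verification, from a {port: result} map."""
    return sorted(p for p, r in results.items() if r.startswith("cert rejected"))

if __name__ == "__main__":
    import sys
    host = sys.argv[1]  # the name the mail client is configured with
    results = {p: probe(host, p, m) for p, m in LISTENERS.items()}
    for port in sorted(results):
        print(port, results[port])
    print("fix these listeners:", rejected_ports(results))
```

Run it with the server name configured in the mail client as the only argument; a listener still serving a self-signed default certificate shows up as `cert rejected` while the others report `ok`.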

