The DST Root CA X3 thing again

Everything on my domain, servers and such seem to work fine but all of a sudden Outlook on my Win 11 machine is complaining about an expired certificate. It appears to be the one listed in the topic title. It expired on 9/30/2021 but only now has become an issue.

I use ESET for virus protection and it was actually the software that complained first. Per some instructions I turned off the ESET check and that's when I could see it was the R3 certificate.

I see an entry (on my Win machine) for ISRG Root X1 which (I believe) is the replacement but I have no idea how to get the error to go away. Is it a matter of simply deleting the old DST Root one? Changing some other settings?

Many thanks.

1 Like

What's the URL of the service Outlook is connecting to? Is the error from IMAP, POP3 or SMTP?

2 Likes

I don't get any exact indicator but my email uses POP/SMTP. The following dialog appears when I start Outlook. I can tell it to continue and it works but that's annoying at a minimum. It started doing this (I think) 2 days ago.


Outlook also fetches email from my gmail account. I don't know if that has something to do with it.

1 Like

You don't know the hostname of the service Outlook is configured to use?

2 Likes

I know the name of the server: mail.leylan.com and the certificate is valid for that

1 Like

It's not a DST Root CA X3 issue: the POP3/SMTP server is using the short chain without the intermediate signed by DST Root CA X3. The actual issue is much simpler: the end leaf certificate for mail.leylan.com expired yesterday at Dec 18 14:36:05 2021 GMT and should be renewed.

4 Likes
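The diagnosis in the post above (an expired leaf certificate, not a DST Root CA X3 chain problem) is something you can check mechanically rather than by reading Outlook's dialog. The Python below is an added example, not code from this thread or from any product mentioned in it. It works on the dict shape that `ssl.SSLSocket.getpeercert()` returns, so the sample chain is constructed inline; only the leaf expiry date is taken from the post, the intermediate's dates are illustrative, and `fetch_leaf` assumes an implicit-TLS port such as 995 (POP3S) or 465 (SMTPS).

```python
import socket
import ssl
from datetime import datetime, timezone

# Issuer names as they appear in the Let's Encrypt chains discussed in the thread.
DST_ROOT = "DST Root CA X3"
ISRG_ROOT = "ISRG Root X1"

VERDICT_LEAF_EXPIRED = "leaf certificate expired: renew it on the server"
VERDICT_LONG_CHAIN = "chain includes the intermediate cross-signed by DST Root CA X3"
VERDICT_OK = "chain looks fine"

# Constructed reference time: the day after the leaf in the thread expired.
SAMPLE_NOW = datetime(2021, 12, 19, 12, 0, tzinfo=timezone.utc)


def name_cn(cn):
    """Build the nested-tuple subject/issuer shape getpeercert() uses, from a CN."""
    return ((("commonName", cn),),)


def common_name(rdn_seq):
    """Pull commonName out of a getpeercert()-style subject/issuer tuple."""
    for rdn in rdn_seq:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def days_until_expiry(not_after, now=None):
    """Days left on a cert given its getpeercert()-style 'notAfter' string.

    Negative means already expired. The format is the one the ssl module
    emits, e.g. 'Dec 18 14:36:05 2021 GMT' (the expiry quoted in the thread).
    """
    expires = ssl.cert_time_to_seconds(not_after)
    now = now or datetime.now(timezone.utc)
    return (expires - now.timestamp()) / 86400.0


def diagnose(chain, now=None):
    """Inspect a chain given as getpeercert()-style dicts, leaf first.

    Reports the leaf CN, days left on the leaf, which certs are expired,
    whether the DST Root CA X3 cross-sign is present, and a one-line verdict.
    An expired leaf outranks the chain-shape question, as in the thread.
    """
    now = now or datetime.now(timezone.utc)
    leaf = chain[0]
    expired = [common_name(c["subject"]) for c in chain
               if days_until_expiry(c["notAfter"], now) < 0]
    long_chain = any(common_name(c["issuer"]) == DST_ROOT for c in chain)
    if common_name(leaf["subject"]) in expired:
        verdict = VERDICT_LEAF_EXPIRED
    elif long_chain:
        verdict = VERDICT_LONG_CHAIN
    else:
        verdict = VERDICT_OK
    return {
        "leaf_cn": common_name(leaf["subject"]),
        "leaf_days_left": days_until_expiry(leaf["notAfter"], now),
        "expired": expired,
        "long_chain": long_chain,
        "verdict": verdict,
    }


def fetch_leaf(host, port=995, timeout=10):
    """Live check against an implicit-TLS port (995 POP3S, 465 SMTPS, 993 IMAPS).

    Returns (leaf_dict, None) when the OS trust store accepts the chain, or
    (None, error_text) when verification fails; an expired leaf surfaces as
    'certificate has expired' in that text. Needs network; not run offline.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except (ssl.SSLError, OSError) as exc:
        return None, str(exc)


# Constructed sample chain: the leaf expiry is the date quoted in the thread;
# the intermediate's expiry is illustrative.
SAMPLE_CHAIN = [
    {"subject": name_cn("mail.leylan.com"), "issuer": name_cn("R3"),
     "notAfter": "Dec 18 14:36:05 2021 GMT"},
    {"subject": name_cn("R3"), "issuer": name_cn(ISRG_ROOT),
     "notAfter": "Sep 15 16:00:00 2025 GMT"},
]


def diagnose_sample():
    """Run the diagnosis on the constructed chain as of SAMPLE_NOW."""
    return diagnose(SAMPLE_CHAIN, now=SAMPLE_NOW)


if __name__ == "__main__":
    print(diagnose_sample())
```

To check a real server, call `fetch_leaf("mail.example.invalid", 995)` and, when a leaf dict comes back, pass `[leaf]` to `diagnose`; the verification error text alone is usually enough to tell an expired leaf from a missing or untrusted intermediate.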

Oh m'gosh thanks. I'll go renew that right now.

3 Likes

Hm, it seems there are more than enough certs issued for that hostname: crt.sh | mail.leylan.com

A few questions:

  • why so many and why so frequent?
  • why isn't your mailserver using any of the more recent certificates?

3 Likes

Good questions I have no idea. I'm using "canned" solutions that I've paid for and tend to expect them to do whatever is necessary. I'm guilty of "if it works it must be close enough" unless something dramatic happens. Until yesterday it never failed.

I also don't know what that list you posted indicates other than what I can infer. I'm using an app from Certify The Web. I could have set it incorrectly or I suppose there could be a bug.

I don't know what an end leaf certificate is either and my outgoing email seems to be broken now.

Ok... got it sending again, my error. But I still get the dialog warning and it continues to show an expired version of my certificate (on Outlook).

1 Like

This is the expired cert Outlook keeps mentioning. There is a newer one exp. 3/12/2022 in my certificates / personal folder Issued by R3.

Perhaps I am mistaken on the PC-side of these certificates.

1 Like

That cert is not part of the certificate chain sent by the mail server. It should not be used at all.

Perhaps your client's OS somehow also has the R3-signed-by-DST Root CA X3 intermediate installed manually somewhere?

3 Likes

I'm looking around, thanks. I also found dozens of entries in Intermediate Certification Authorities\Certificates issued to my PC for "Server Authentication" with expiration dates in the past and in the future. This is beginning to not be fun :slight_smile:

4 Likes

Hooray solved... good gosh I wish I understood the mechanism better but each failure brings me a little closer. Didn't need anything on the PC side, my server was pulling up an old (expired) copy of the cert despite having a new one available.

Thanks Osiris for your time. I wish I knew what generated all those certs you listed. I'm wondering if the app is being too aggressive requesting certs when it doesn't need them. In any case I'm in "let's guess" territory for now.

5 Likes

Just as a reminder, if you are paying for Certify The Web then you are also paying for support, so please do get in touch with us if you are having problems: Support Options | Certify The Web Docs

Certify The Web will notify you via email if a certificate renewal is failing unless access to our API is blocked (or your server can't talk a common TLS cipher suite) or you have disabled status reporting.

2 Likes

Btw, if your server is running Windows 2012 we are finding that lately a lot of users on Server 2012 are having trouble connecting to our API (for updates etc). The fix is to install the free tool Nartac Software - IIS Crypto, then apply the 'Best Practises' mode and restart the server. This enables the most compatible set of TLS ciphers and protocol levels.

Regarding the frequent renewals, you can adjust that under Settings, I'd suggest setting that to 60 days once you are confident renewals are working ok.

2 Likes

Thanks for the additional info. I have Windows 2019 thankfully. I did find the renewal setting, and it seems as though the default is quite often. In any case I've set it to 14 days prior to expiry and will see if that changes anything. I've posted a question on the CTW site about automating the cert export into a folder, which caught me today also.

3 Likes

Yep, if you started with an older version of the app (possibly 3.x or lower) it had a 14 day renewal as default, so that would be carried forward in your settings.

Remember that the community forum is not the priority support channel, the email helpdesk is, so if something is important please log a ticket.

2 Likes

I've replied to the thread on the CTW community forum now; you need to set the PFX password (if you want one) and add a task to deploy the certificate to the required location. You may also need a task to restart the SmarterMail service to ensure it picks up the latest cert.

2 Likes

I replied to your message there. The instructions seemed clear enough but I now get a failure message: Validation of the required challenges did not complete successfully.

The cert is still working and so is my mail so whatever the problem is will hopefully clear up before I need another cert.

1 Like

No problem, as mentioned on the other thread we can handle that via a helpdesk ticket.

3 Likes