Problem with SSL certificate [message #128818]
Wed, 06 April 2016 22:50
Tenglund
Messages: 10 Registered: December 2014
Hi,
I've got a strange problem. Today I got a RapidSSL certificate for our mail server. I created the cert with the intermediate cert according to the guide for Kerio Connect, and it doesn't really work.
We have several domains, and here is what happens when I check with online SSL checker services or any browser:
1. Our main domain, e.g. "mail.company.com", still uses the self-signed cert for "mail.company.com".
2. The other domains, "mail.company2.com", "mail.company3.com" and so on, respond with the real new cert, but of course say the domain name does not match.
Any ideas why this is happening? I've not deleted the old self-signed cert, but the "preferred" cert is the new one for "mail.company.com".
I'm running the latest Kerio Connect 9.0.2 on OS X 10.10.5, by the way.
[Updated on: Wed, 06 April 2016 22:52]
Re: Problem with SSL certificate [message #128820 is a reply to message #128818]
Wed, 06 April 2016 23:41
Pavel Dobry (Kerio)
Messages: 2057 Registered: October 2003 Location: Czech Republic
Tenglund wrote on Wed, 06 April 2016 22:50:
Hi,
I've got a strange problem. Today I got a RapidSSL certificate for our mail server. I created the cert with the intermediate cert according to the guide for Kerio Connect, and it doesn't really work.
We have several domains, and here is what happens when I check with online SSL checker services or any browser:
1. Our main domain, e.g. "mail.company.com", still uses the self-signed cert for "mail.company.com".
2. The other domains, "mail.company2.com", "mail.company3.com" and so on, respond with the real new cert, but of course say the domain name does not match.
Any ideas why this is happening? I've not deleted the old self-signed cert, but the "preferred" cert is the new one for "mail.company.com".
I'm running the latest Kerio Connect 9.0.2 on OS X 10.10.5, by the way.

Kerio Connect 9.0.2 supports multiple SSL certificates, and the server chooses the right one based on hostname. Therefore the "default" SSL certificate is used only when no other certificate matches the hostname. If the "mail.company.com" certificate is still present in the configuration, it is used.
So the solution is to get a valid server SSL certificate for mail.domain.com, or delete all certificates you don't want to use from the product configuration.
See http://kb.kerio.com/product/kerio-connect/server-configuration/ssl-certificates/configuring-ssl-certificates-in-kerio-connect-1132.html
Knowledge Base: http://manuals.gfi.com/en/kerio/home/Content/Home.htm.
[Updated on: Wed, 06 April 2016 23:42]
Re: Problem with SSL certificate [message #128824 is a reply to message #128820]
Thu, 07 April 2016 08:41
Tenglund
Messages: 10 Registered: December 2014
Thanks!
I understand that all domains could have their own certificate from now on, but I cannot see the problem here.
To be clear, I have a new valid trusted cert for mail.company.com, which I've set to default. When I connect to mail.company.com it still uses the old self-signed cert for mail.company.com.
But if I connect to mail.company2.com, which is on the same server but doesn't have its own cert, it uses my new valid cert.
So, is it safe for me to delete the old self-signed cert, or could I end up with no working cert this way?
Re: Problem with SSL certificate [message #129087 is a reply to message #128830]
Tue, 19 April 2016 12:10
ArthurV
Messages: 7 Registered: February 2016 Location: Amsterdam
Question to Pavel:
While this is an easy fix, why create confusion?
1. Since the 'Default server certificate' is used/selected by Kerio Connect only when no other certificate (even expired ones!) is available, I suppose it's NOT active when other certificates with matching hostnames or wildcards are available.
2. If so, when would you ever want to use the button 'Set as Default' (used to be 'Make Active')? What does it do?
3. It seems illogical that an (almost) expired SSL certificate is ranked higher ('active') than the newer replacement certificate ('default', so: not active). This happened on our server after updating Kerio Connect from 8.5.3 to 9.0.2.
4. A request: now that multiple domain certificates are possible (thank you!), can information be added to the Request items in the SSL Certificates interface, so it is clear which Request (CSR) belongs to which domain/certificate key? Or should the 'Request' be removed immediately after the CSR was created?
Re: Problem with SSL certificate [message #129095 is a reply to message #129087]
Tue, 19 April 2016 16:09
Maerad
Messages: 275 Registered: August 2013
ArthurV wrote on Tue, 19 April 2016 12:10:
Question to Pavel:
While this is an easy fix, why create confusion?
1. Since the 'Default server certificate' is used/selected by Kerio Connect only when no other certificate (even expired ones!) is available, I suppose it's NOT active when other certificates with matching hostnames or wildcards are available.
2. If so, when would you ever want to use the button 'Set as Default' (used to be 'Make Active')? What does it do?
3. It seems illogical that an (almost) expired SSL certificate is ranked higher ('active') than the newer replacement certificate ('default', so: not active). This happened on our server after updating Kerio Connect from 8.5.3 to 9.0.2.

1. The default cert is used if the selected/used hostname matches no other cert. Also, the default cert is NOT selected by Kerio. Under Administration > SSL Certificates you can select (if multiple SSL certs are in the list), with a right click, which one is the default.
2. It's basically a fallback system. If you enforce SSL, for example, and your IP/host changes, the cert expires or whatever, you wouldn't be able to connect. And no, an unsecured connection is much less preferable than one with a not-so-optimal cert.
3. Why? The cert is NOT expired, so why shouldn't it be used? Same with an expired cert: you could still want to connect with it, because you don't have a new one. An expired cert might get you 200 warnings and can't be authenticated by others, but in most cases it can still be used. Also, YOU tell the system what to do. Kerio has the same problem as any other software company: if you restrict the system too much, users complain; if you are too lenient, they also don't like it. You won't believe how many illogical cases I saw in the past that made me facepalm so hard, but there wasn't another way.
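The selection rule described in Pavel's and Maerad's replies (a certificate whose name matches the requested hostname always wins, expired or not, and the "default" certificate is only consulted when nothing matches) is modelled below, together with a live probe that asks a server for a given SNI name the way a browser does. This is an added example, not Kerio Connect code or anything from the thread's participants: the certificate records, the `Cert` class and the `thread_scenario()` data are constructed for illustration, and the tie-break among several matching certificates (first one configured wins) is an assumption the thread does not state.

```python
"""Added example: model hostname-based (SNI) certificate selection with a
'default' fallback, and probe a live server for the certificate it presents.

Not Kerio Connect code. Matching rules follow the thread: exact CN/SAN match or
single-label wildcard, any match beats the 'default' flag, expiry is ignored
when matching. Tie-break among several matches is an ASSUMPTION (first
configured wins); the thread does not document Kerio's actual tie-break.
"""
from dataclasses import dataclass
from datetime import date
import socket
import ssl


@dataclass
class Cert:
    label: str            # how the entry appears in an admin UI
    names: list           # CN plus SAN dNSName entries
    not_after: date
    self_signed: bool = False
    default: bool = False


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or '*' covering exactly one leading label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".company.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def select_certificate(certs, sni: str):
    """Return the certificate a server following the thread's rule would present."""
    matches = [c for c in certs if any(name_matches(n, sni) for n in c.names)]
    if matches:
        return matches[0]                          # tie-break: assumption, see docstring
    defaults = [c for c in certs if c.default]     # 'default' only reached with no match
    return defaults[0] if defaults else None


def diagnose(certs, sni: str, today: date):
    """Chosen certificate plus the warnings a client would raise for it."""
    chosen = select_certificate(certs, sni)
    problems = []
    if chosen is None:
        return None, ["no certificate configured"]
    if chosen.self_signed:
        problems.append("self-signed")
    if chosen.not_after < today:
        problems.append("expired")
    if not any(name_matches(n, sni) for n in chosen.names):
        problems.append("name mismatch")
    return chosen, problems


def thread_scenario(today: date = date(2016, 4, 7)):
    """Constructed data mirroring the thread: old self-signed cert left in place,
    new CA-issued cert for the same name marked as default."""
    old = Cert("mail.company.com (self-signed)", ["mail.company.com"],
               date(2017, 1, 1), self_signed=True)
    new = Cert("mail.company.com (RapidSSL)", ["mail.company.com"],
               date(2017, 4, 6), default=True)
    configured = [old, new]
    return {
        "main_before": diagnose(configured, "mail.company.com", today),
        "other_before": diagnose(configured, "mail.company2.com", today),
        "main_after": diagnose([new], "mail.company.com", today),   # stale cert deleted
    }


def presented_certificate(host: str, port: int = 443, sni: str = None, timeout: float = 5.0):
    """Live check: connect with a chosen SNI name and report what the server sends.
    Verification stays on, so a self-signed or mismatched cert shows up as the
    same error a browser would report (needs network; not used by the scenario)."""
    ctx = ssl.create_default_context()
    sni = sni or host
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "error": exc.verify_message}
    return {
        "ok": True,
        "subject": dict(pair for rdn in cert["subject"] for pair in rdn),
        "issuer": dict(pair for rdn in cert["issuer"] for pair in rdn),
        "san": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "notAfter": cert["notAfter"],
    }


if __name__ == "__main__":
    for case, (cert, problems) in thread_scenario().items():
        print(f"{case}: {cert.label if cert else None} {problems}")
```

Running the module prints the three situations from the thread: the main hostname gets the stale self-signed entry while it is still configured, the other hostnames fall through to the default RapidSSL certificate and show a name mismatch, and once the stale entry is deleted the main hostname gets the new certificate cleanly. `presented_certificate("mail.company.com", sni="mail.company2.com")` is the live version of the same check; vary `sni` while keeping `host` fixed to see which certificate each name is served.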