SSL Error CRL [message #137801] Wed, 29 November 2017 09:12
kam46
Messages: 8
Registered: November 2017
Location: Russia
Hello everybody.
In our mail server (Windows 7 + Kerio Connect) the COMODO certificate is used. After some indefinite time, a warning about CRL appears in the certificate properties (Unable to get certificate CRL). The certificate is validated on the COMODO website.
Why?
Re: SSL Error CRL [message #137802 is a reply to message #137801] Wed, 29 November 2017 11:45
freakinvibe
Messages: 527
Registered: April 2004
The Root CA needs to access this CRL:

http://crl.comodoca.com/AddTrustExternalCARoot.crl

Is this reachable from the Kerio Connect server?


Dexion AG - The BlackBerry UEM Specialists in Switzerland
https://dexionag.ch
Re: SSL Error CRL [message #137803 is a reply to message #137802] Wed, 29 November 2017 11:53
kam46
Messages: 8
Registered: November 2017
Location: Russia
Yes.
URL opened via I.
Re: SSL Error CRL [message #137806 is a reply to message #137801] Wed, 29 November 2017 16:32
freakinvibe
Messages: 527
Registered: April 2004
In my opinion it should work then. Maybe you can see something in the error/warning log.

Or switch on Network Connections and SSL in the debug log.


Dexion AG - The BlackBerry UEM Specialists in Switzerland
https://dexionag.ch
Re: SSL Error CRL [message #137807 is a reply to message #137806] Wed, 29 November 2017 16:43
kam46
Messages: 8
Registered: November 2017
Location: Russia
Debug log:

[29/Nov/2017 18:37:11][5468] {conn} Connection from 10.10.0.61:51734 to 10.10.0.2:443, socket 52976.
[29/Nov/2017 18:37:11][5468] {conn} SSL debug: id 000000000C9ECF00 SSL handshake started: before/accept initialization
[29/Nov/2017 18:37:11][5468] {conn} SSL debug: id 000000000C9ECF00 SSL_accept:before/accept initialization
[29/Nov/2017 18:37:11][5468] {conn} SSL debug: id 000000000C9ECF00 SSL_accept:error in SSLv2/v3 read client hello A
[29/Nov/2017 18:37:11][5468] {conn} SSL debug: id 000000000C9ECF00 Client requests server by name: mail.insigma.ru
[29/Nov/2017 18:37:11][5468] {conn} SSL debug: id 000000000C9ECF00 Found ssl context for connection by name: mail.insigma.ru
[29/Nov/2017 18:37:11][5468] {conn} SSL debug: id 000000000C9ECF00 SSL_accept:SSLv3 read client hello A
[29/Nov/2017 18:37:11][5468] {conn} SSL debug: id 000000000C9ECF00 SSL_accept:SSLv3 write server hello A
[29/Nov/2017 18:37:11][5468] {conn} SSL debug: id 000000000C9ECF00 SSL_accept:SSLv3 write certificate A
[29/Nov/2017 18:37:11][5468] {conn} SSL debug: id 000000000C9ECF00 SSL_accept:SSLv3 write key exchange A
[29/Nov/2017 18:37:11][5468] {conn} SSL debug: id 000000000C9ECF00 SSL_accept:SSLv3 write server done A
[29/Nov/2017 18:37:11][5468] {conn} SSL debug: id 000000000C9ECF00 SSL_accept:SSLv3 flush data
[29/Nov/2017 18:37:11][5468] {conn} SSL debug: id 000000000C9ECF00 SSL_accept:error in SSLv3 read client certificate A
[29/Nov/2017 18:37:11][5468] {conn} SSL debug: id 000000000C9ECF00 SSL_accept:error in SSLv3 read client certificate A
[29/Nov/2017 18:37:11][5468] {conn} SSL debug: id 000000000C9ECF00 SSL_accept:SSLv3 read client key exchange A
[29/Nov/2017 18:37:11][5468] {conn} SSL debug: id 000000000C9ECF00 SSL_accept:SSLv3 read certificate verify A
[29/Nov/2017 18:37:11][5468] {conn} SSL debug: id 000000000C9ECF00 SSL_accept:SSLv3 read finished A
[29/Nov/2017 18:37:11][5468] {conn} SSL debug: id 000000000C9ECF00 SSL_accept:SSLv3 write session ticket A
[29/Nov/2017 18:37:11][5468] {conn} SSL debug: id 000000000C9ECF00 SSL_accept:SSLv3 write change cipher spec A
[29/Nov/2017 18:37:11][5468] {conn} SSL debug: id 000000000C9ECF00 SSL_accept:SSLv3 write finished A
[29/Nov/2017 18:37:11][5468] {conn} SSL debug: id 000000000C9ECF00 SSL_accept:SSLv3 flush data
[29/Nov/2017 18:37:11][5468] {conn} SSL debug: id 000000000C9ECF00 SSL handshake done: SSL negotiation finished successfully
[29/Nov/2017 18:37:11][5468] {conn} Established secure server connection from 10.10.0.61:51734 to 10.10.0.2:443 using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384, id 000000002BCE3E28
[29/Nov/2017 18:37:11][4316] {conn} SSL debug: id 000000000C979CA0 SSL3 alert read:warning:close notify
[29/Nov/2017 18:37:11][4316] {conn} SSL debug: id 000000000C979CA0 SSL3 alert write:warning:close notify
[29/Nov/2017 18:37:11][4316] {conn} Closing socket 31952
Re: SSL Error CRL [message #137809 is a reply to message #137807] Wed, 29 November 2017 18:56
Kerio/GFI Brian
Messages: 852
Registered: March 2004
Location: California
It seems you haven't added the intermediate certificate. You can validate your domain using sslshopper.com and it will show you any errors. Instructions for installing the intermediate certificate are described here, toward the bottom: http://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/configuring-ssl-certificates-in-kerio-connect-1132.html

Brian Carmichael
Instructional Content Architect
Re: SSL Error CRL [message #137810 is a reply to message #137809] Wed, 29 November 2017 19:37
kam46
Messages: 8
Registered: November 2017
Location: Russia
Yep... already understood( In our Kerio Control there were no intermediate certificates. Now added them.
Sorry for my English. Critically not enough time to learn English. It is very unfortunate that GFI closed the Russian-speaking support(
Very much lacking the advice and knowledge of Svetlana.
Re: SSL Error CRL [message #146411 is a reply to message #137810] Tue, 13 August 2019 16:41
terosufix
Messages: 1
Registered: August 2019
Hi, how did you solve this problem?
Along with my certificate I received some extra files named:
AddTrustExternalCARoot
SectigoRSADomainValidationSecureServerCA
USERTrustRSAAddTrustCA
I even tried to merge all these files into my cert file (putting the data from the others below my cert data), but didn't get a result.
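
The missing-intermediate diagnosis earlier in the thread and the question above about combining certificate files can both be reproduced offline. This is an added example, not from any poster or from Kerio/GFI. It assumes the `openssl` command-line tool is installed. It builds a throwaway root, intermediate and leaf (all names and files are constructed) and shows that the leaf alone fails chain validation while a bundle with the server certificate first and the intermediate after it validates.

```shell
#!/bin/sh
# Constructed demo chain: root -> intermediate -> leaf. All names are made up.
set -eu

new_csr() {   # $1 = file prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_chain() {   # $1 = directory that receives root.pem, inter.pem, leaf.pem
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  new_csr "$d/root" 'Demo Root CA'
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  new_csr "$d/inter" 'Demo Intermediate CA'
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  new_csr "$d/leaf" 'mail.example.test'
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Succeeds only if the first certificate in bundle $2 chains to trusted root $1,
# using the remaining certificates in the bundle as untrusted intermediates.
chain_verifies() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_chain "$work"

# A server configured with the leaf certificate only (no intermediate).
cp "$work/leaf.pem" "$work/leaf-only.pem"
# Corrected bundle: server certificate first, then the intermediate(s).
cat "$work/leaf.pem" "$work/inter.pem" > "$work/fullchain.pem"

for b in leaf-only fullchain; do
  if chain_verifies "$work/root.pem" "$work/$b.pem"; then
    echo "$b: chain OK"
  else
    echo "$b: chain incomplete (issuer not found)"
  fi
done
```

The same `chain_verifies` check can be pointed at a real root file and a real bundle before importing the bundle into a server.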