GFI Software

Welcome to the GFI Software community forum! For support please open a ticket from https://support.gfi.com.

Home » GFI User Forums » Kerio Connect » Expiring Let's Encrypt's Root Certificate
icon4.gif  Expiring Let's Encrypt's Root Certificate [message #150268] Tue, 21 September 2021 11:46 Go to next message
Vanek is currently offline  Vanek
Messages: 9
Registered: March 2013
Any recommended steps to prepare for expiring root certificate (DST) in Kerio Connect if we use Let's Encrypt certificate? For example, remove or add some certificates (files) from SSLCA directory?

https://scotthelme.co.uk/lets-encrypt-old-root-expiration/
Re: Expiring Let's Encrypt's Root Certificate [message #150277 is a reply to message #150268] Wed, 22 September 2021 17:32 Go to previous messageGo to next message
freakinvibe is currently offline  freakinvibe
Messages: 588
Registered: April 2004
If you go to SSLlabs and check your mail server:

https://www.ssllabs.com/ssltest/index.html

you will see under "Certification Paths" that you are currently serving the old chain. But most clients should be smart enough, once that the Root is expired, to use the new chain. If you want to force that the new chain is service, you can dump the new R3 Intermediate (valid to 15-Sep-2025) in the SSLCA directory of Kerio Connect and restart Kerio Connect.

But I would say, just wait and be prepared.


Dexion Services AG - IT Support Services in Basel, Switzerland
https://dexionag.ch

[Updated on: Wed, 22 September 2021 17:32]

Report message to a moderator

Re: Expiring Let's Encrypt's Root Certificate [message #150288 is a reply to message #150277] Sat, 25 September 2021 11:41 Go to previous messageGo to next message
Backspin is currently offline  Backspin
Messages: 122
Registered: June 2008
Location: Amsterdam, the Netherland...
Just wait until GFI has added official Let's Encrypt support to Kerio Connect.
Ha. Just kidding. GFI is not adding anything at all to Kerio. You are just paying your yearly SWM to please the GFI shareholders.

To be serious: expiring root certificates are a problem on the client side, not server side. Even if the corresponding root certificate expires on your server, Kerio Connect will warn you (in the web admin) that it can't verify the certificate, but this has no effect on the client side.


[Updated on: Sat, 25 September 2021 11:44]

Report message to a moderator

Re: Expiring Let's Encrypt's Root Certificate [message #150323 is a reply to message #150277] Wed, 29 September 2021 23:15 Go to previous messageGo to next message
zebby is currently offline  zebby
Messages: 154
Registered: March 2009
Posted a query, answered it myself! Embarassed

[Updated on: Wed, 29 September 2021 23:22]

Report message to a moderator

Re: Expiring Let's Encrypt's Root Certificate [message #150349 is a reply to message #150323] Thu, 07 October 2021 16:02 Go to previous message
vasyansk is currently offline  vasyansk
Messages: 1
Registered: October 2021
1) enable ssh and go to terminal
2) remount root disk to RW
mount / -o remount,rw
3) delete old crt
cd /opt/kerio/winroute/sslcert/builtin/
rm DST_Root_CA_X3.crt
4) add new crt from https://letsencrypt.org/certs/isrgrootx1.pem.txt to isrgrootx1.crt
vi isrgrootx1.crt
5) reboot

done Smile
Previous Topic: Sent emails are blocked as SPAM to some recepients
Next Topic: No preferred body type
Goto Forum:
  


Current Time: Sat Sep 24 23:49:19 CEST 2022

Total time taken to generate the page: 0.02136 seconds