Jul 21, 2019

"The recipient server did not accept our requests to connect" from GMail after updating SSL/TLS cert

On Friday, 19 July 2019, we updated the SSL/TLS security certificates on our mailserver (c4.net and associated domains).  After replacing the certificate, we noticed that mail stopped arriving from gmail.com and GApps-hosted domains.  Senders from those domains received a message about a temporary delivery problem after 24 hours, saying the response from our server was:

The recipient server did not accept our requests to connect.

I've confirmed we have a clear path for traffic through our firewalls for traffic from all the servers listed in the _spf.google.com IP blocks, as well as confirmed that none of those IPs are blacklisted on our mail server, as well as the IPs being exempted from Greylisting.

We did change our Certificate vendor from COMODO to LetsEncrypt in this most recent update, which is the only significant change on our end.  It did replace the by-now-expired certificate that was on SMTP 25.  Is it possible GMail is rejecting a connection because of the CA on the certificate?

Note that our domains that do not use TLS on SMTP are not impacted by the issue, strongly implicating the certificate in this problem.

Thanks,
John Brewer
C4.net
Last edited Jul 21, 2019
Recommended Answer
Jul 23, 2019
For anyone in the future who encounters this same problem, as of yesterday (7/22/2019), an SMTP server using LetsEncrypt as its SSL or TLS certificate will not receive mail deliveries from GMail. The GMail error manifests as a refusal to connect, but what's really happening is Google is getting the certificate from the target server, not recognizing the CA, and terminating the connection.  Some posts on the Letsencrypt.org forum suggest this might be a problem limited to wildcard certificates, but as we require such a certificate to function, I can't test that on our side.
Original Poster John Brewer 8677 marked this as an answer
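
A way to check what this answer describes, namely how a connecting mail server's TLS verifier judges the certificate offered on port 25 after STARTTLS. This is an added example, not part of the original thread; the function names, `mail.example.test` and the sample transcripts are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): see the certificate an MX presents on
# STARTTLS and how OpenSSL's verifier, using this host's trust store, judges it.

# Needs network access; $1 = mail host, $2 = port (default 25).
fetch_smtp_tls() {
    openssl s_client -starttls smtp -connect "$1:${2:-25}" \
        -servername "$1" -showcerts </dev/null 2>&1
}

# Reads an s_client transcript on stdin, prints a one-line diagnosis.
# Exit status: 0 = chain verified, 1 = verification failed, 2 = no TLS session.
classify_verify() {
    local out code
    out=$(cat)
    # A failed handshake can still print "Verify return code: 0 (ok)", so
    # check for the missing peer certificate first.
    if ! printf '%s\n' "$out" | grep -q 'Verify return code:' ||
         printf '%s\n' "$out" | grep -q 'no peer certificate available'; then
        echo "no-tls: no certificate received (STARTTLS refused or handshake failed)"
        return 2
    fi
    code=$(printf '%s\n' "$out" |
           sed -n -E 's/.*Verify return code: ([0-9]+).*/\1/p' | head -n 1)
    case "$code" in
        0)     echo "ok: chain verifies against the local trust store"; return 0 ;;
        10)    echo "expired: a certificate in the chain has expired" ;;
        18|19) echo "self-signed: chain ends in a certificate this client does not trust" ;;
        20|21) echo "incomplete-chain: issuer not found; intermediate not sent or CA not trusted here" ;;
        *)     echo "other: OpenSSL verify code $code" ;;
    esac
    return 1
}

# Live check: fetch the transcript and classify it in one step.
check_mx() { fetch_smtp_tls "$@" | classify_verify; }

# Constructed sample transcripts (abridged), so the classifier runs offline.
SAMPLE_INCOMPLETE='depth=0 CN = mail.example.test
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
    Verify return code: 21 (unable to verify the first certificate)'
SAMPLE_OK='depth=2 CN = Example Root
    Verify return code: 0 (ok)'
SAMPLE_NO_TLS='no peer certificate available
    Verify return code: 0 (ok)'
```

The verdict reflects the trust store of the machine running the check, which may differ from the sender's; the `-showcerts` output lists every certificate the server actually sent, so a missing intermediate is visible there.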
All Replies (8)
Jul 21, 2019
Update: I got bounces from a domain that doesn't use TLS or SSL for mailservices, and a bounce from icloud.com, suggesting this isn't an issue related to our unique configuration or our certificates.  Is anyone else experiencing these issues?
Jul 25, 2019
I'm seeing this too, in the last 48hrs (my letsencrypt cert last updated 4 days ago). Gmail is now rejecting connections from my mail server with "TLS error on connection (recv): Resource temporarily unavailable, try again."
Aug 25, 2019
Can you please fix the problem for me?
Aug 28, 2019
Am suddenly getting "msmtp: TLS certificate verification failed: the certificate hasn't got a known issuer" errors. It did go away this afternoon and I was able to send email for a while, but now the problem is back!! I also notice that there were certificate validity changes lately:

Common Name: Google Internet Authority G3
Validity:
    Activation time: Mon, Jul 29, 2019 11:35:48 AM
    Expiration time: Mon, Oct 21, 2019 11:23:00 AM

Just tried again and it worked.
Anyone else encountering issues sending email?
Sep 2, 2019
same issue :( Can't send emails to important clients
Oct 13, 2019
I'm having similar problems.
Dec 15, 2019
I'm having similar issues importing mail into Gmail from an ISP starting the day after they got a new certificate.
However, a quick test install of another mail client (eM Client) had no issues connecting with said ISP's mail server. The desktop Gmail interface did not provide any clues as to what the issue was, but the Android Gmail did state the issue was with the certificate and gave a long message. I'll just put a bit of it in here:

Certificate not trusted
Subject: *.teksavvy.com
Issuer: DigiCert SHA2 High Assurance Server CA
Valid from: Dec. 10, 2019
Expires on: Jan. 26, 2022
Current date: Dec. 15, 2019
PEM encoded chain: [two PEM-encoded certificates, truncated in the original post, omitted]

I know nothing of how these work but I find it unusual that there are two certs, the first much longer than the last.
I hope this helps the boffins pin this issue down.