TLS Certificate error

brianpettyjohn
Posts: 3
Joined: Wed Oct 06, 2021 12:45 pm

TLS Certificate error

Post by brianpettyjohn »

About 6 days ago, rollernet stopped accepting mail from my server. I had made no configuration changes on my side. I have looked at my outbound queues, and discovered the following error on my outbound smarthost connector:
451 4.4.396 Target host responded with error. -> 454 4.7.5 Certificate validation failure, Reason:UntrustedRoot};{MSG=};{FQDN=smtpauth.rollernet.us};{IP=208.79.240.5};{LRT=10/6/2021 3:45:59 PM}]

I have verified that my SSL certificate is still valid.

Thanks for any help. -Brian
Seth
Site Admin
Posts: 309
Joined: Sun Aug 30, 2009 10:44 pm
Location: Nevada

Re: TLS Certificate error

Post by Seth »

On September 30th 2021, the old Let's Encrypt cross-signed root certificate expired. The error message indicates that your system doesn't have the current root certificate installed, which you may need to install manually if the system is very old or hasn't had updates applied that include the current set of root certificate authorities.

We don't have anyone at Rollernet that has direct experience with Exchange servers, but these links may help:

Summary of the root expiration:
https://www.rollernet.us/2021/10/dst-ro ... 3-expired/

Exchange Server TLS Guidance:
https://techcommunity.microsoft.com/t5/ ... a-p/607649

To view certificates in Windows see:
https://docs.microsoft.com/en-us/dotnet ... mc-snap-in

Let's Encrypt Chain of Trust:
https://letsencrypt.org/certificates/

You can download the ISRG Root X1 root certificate and install it with the Certificates MMC.
Seth Mattinen, Roller Network LLC
brianpettyjohn
Posts: 3
Joined: Wed Oct 06, 2021 12:45 pm

Re: TLS Certificate error

Post by brianpettyjohn »

Thanks, I used these as a guide; I'll share all the steps I performed to make it work (for the next Exchange user):
- Download and install the following into the Trusted Root Certification Authorities:
-- https://letsencrypt.org/certs/isrgrootx1.der
-- https://letsencrypt.org/certs/isrg-root-x2.der

- Download and install the following into Intermediate Certification Authorities:
-- https://letsencrypt.org/certs/lets-encrypt-r3.der

- Within Microsoft Exchange PowerShell, issue the following command:
-- Get-Service *Exchange* | Restart-Service -force
--- Wait until all Exchange services have restarted successfully

- Launch Exchange Toolbox and open queue viewer
-- Right-click the appropriate send connector for Rollernet. Select Retry.
--- If the same error is present, remove the DST Root CA X3 from the Trusted Root Certification Authorities (2 servers worked without removing; 1 required removal)
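
The certificate-store steps from the post above, as an added PowerShell example (not part of the original thread). It assumes the three DER files were already downloaded to a hypothetical folder `C:\Temp\le-certs`, and the SHA-256 values are placeholders to be replaced with fingerprints you have verified through a channel you trust, since anything placed in the Trusted Root store is trusted machine-wide.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# on the Exchange server. Imports each file only if its SHA-256 matches the
# fingerprint you supply and it is not already in the target store.

# Assumption: hypothetical download folder holding the DER files from the post.
$CertDir = 'C:\Temp\le-certs'

# File -> target store and expected SHA-256 fingerprint (placeholders).
# For a DER file, the file hash equals the certificate fingerprint.
$Plan = @(
    @{ File = 'isrgrootx1.der';      Store = 'Cert:\LocalMachine\Root'; Sha256 = '<ISRG-ROOT-X1-SHA256>' }
    @{ File = 'isrg-root-x2.der';    Store = 'Cert:\LocalMachine\Root'; Sha256 = '<ISRG-ROOT-X2-SHA256>' }
    @{ File = 'lets-encrypt-r3.der'; Store = 'Cert:\LocalMachine\CA';   Sha256 = '<R3-SHA256>' }
)

foreach ($item in $Plan) {
    $path = Join-Path $CertDir $item.File
    if (-not (Test-Path $path)) {
        Write-Warning "$($item.File): file not found, skipping"
        continue
    }

    # Refuse to import anything whose fingerprint was not confirmed.
    $expected = $item.Sha256 -replace '[: ]', ''
    $actual   = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    if ($actual -ne $expected) {
        Write-Warning "$($item.File): fingerprint mismatch ($actual), not importing"
        continue
    }

    # Skip the import when the same certificate is already in the store.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
    if (Get-ChildItem $item.Store | Where-Object Thumbprint -eq $cert.Thumbprint) {
        "$($item.File): already present in $($item.Store)"
    } else {
        Import-Certificate -FilePath $path -CertStoreLocation $item.Store | Out-Null
        "$($item.File): imported into $($item.Store)"
    }
}

# Report whether the expired DST Root CA X3 is still in the Trusted Root store;
# the post removed it on the one server where the retry kept failing.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*CN=DST Root CA X3*' } |
    Select-Object Subject, Thumbprint, NotAfter,
        @{ n = 'Expired'; e = { $_.NotAfter -lt (Get-Date) } }
```

The service restart and the queue retry then follow as written in the post.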
Seth
Site Admin
Posts: 309
Joined: Sun Aug 30, 2009 10:44 pm
Location: Nevada

Re: TLS Certificate error

Post by Seth »

Thanks for posting the step-by-step instructions.
Seth Mattinen, Roller Network LLC