
SSL connect to mail server. Trusted SSL certificate rejected by mail client

I have GoDaddy's 2048-bit certificate for a domain and 4 subdomains [www.site.com, mail.site.com, etc.]

Standard Multiple Domain (UCC) SSL Up to 5 Domains - 1 year (annual)

That certificate works fine in Apache; an SSL web checker says OK and the browser shows a green line in the address bar.

I've added this certificate to the mail daemon, and it has been accepted by Exim too.

When some client tries to send mail over an SSL/TLS connection through the mail server, the mail program says "Certificate is BAD", though it shows the correct trusted info.

Client connects to hostname: mail.server.com; server's hostname is: ns1.server.com (not added to certificate); mail server says: 220 ns1.site.com ESMTP Exim 4.73

Mail clients tested: iPad mail client, Mozilla Thunderbird, Mac mail client

Please help.

UPDATE:

GoDaddy's SSL checker says: SSL Chain of Trust is Broken!

Here are a couple of things to check:

  1. Is the hostname that the mail client uses in the TCP connect listed in the server certificate as the Common Name (CN) of the subject distinguished name?

  2. If not, is it listed using type "DNS:" in the Subject Alternative Name X509 v3 certificate extension?

  3. If neither of the above, you might be getting "Remote Certificate Name Mismatch" (or a similarly named error).

  4. If it is listed, then look for the Issuer of the certificate, and the Issuer of the Issuer, etc., all the way to the root certificate of the chain. The root certificate should be installed on the client machine, in the "Trusted Root" certificate store for whatever client you are using (Windows, Mozilla, Java keystore, etc.).

  5. If the root certificate is installed, then look at the intermediate certificates, if there are any in the chain (between the root and server certificates). They have to either be installed locally or arrive from the server alongside the server certificate -- either the server sends them each time, or you've got the intermediate certificates already installed on the client end. Either way, they have got to be in hand to accept the server certificate.

Does the client that rejects the certificate have the proper root certificate in its certificate store?
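The checks in the answer above (name match against SAN or CN, then a complete issuer chain up to a root the client trusts) can be run by hand on the certificate fields. The script below is an added example, not code from the answer or from Exim or GoDaddy. It works on dicts shaped like the value returned by `ssl.SSLSocket.getpeercert()` in Python's standard library; the sample certificates, the "Example Root CA" and "Example Secure CA" names, and the site.com hostnames are constructed stand-ins for the asker's real chain. The "broken chain" case reproduces the update in the question: the leaf is fine for mail.site.com, but the server sends no intermediate, so the walk from the leaf never reaches the root store.

```python
"""Mail-client style certificate checks on decoded certificate fields.

Certificates are dicts in the shape of ssl.SSLSocket.getpeercert():
  subject / issuer : tuple of RDNs, each RDN a tuple of (type, value) pairs
  subjectAltName   : tuple of (type, value) pairs, e.g. ("DNS", "mail.site.com")
All sample data below is constructed for this example.
"""


def _match_label_pattern(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    a single '*' allowed only as the whole leftmost label, and the wildcard
    never matches across a dot (so *.site.com does not cover a.b.site.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_in_cert(cert):
    """Return (san_dns_names, common_name). Clients use the SAN DNS entries
    when the extension is present and fall back to the CN only when it is not."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return sans, cn


def hostname_matches(cert, hostname: str) -> bool:
    """Steps 1-3 of the answer: does the name the client connected to appear
    in the certificate? The SMTP banner hostname (ns1.site.com) is irrelevant."""
    sans, cn = names_in_cert(cert)
    candidates = sans if sans else ([cn] if cn else [])
    return any(_match_label_pattern(c, hostname) for c in candidates)


def _dn(rdns) -> str:
    return "/".join(f"{k}={v}" for rdn in rdns for k, v in rdn)


def chain_status(leaf, presented, trusted_roots) -> str:
    """Steps 4-5 of the answer: follow issuer links from the leaf through the
    certificates the server presented until an issuer is in the root store.
    Returns 'ok', 'missing-intermediate:<issuer DN>' when the next link was
    neither sent nor trusted, or 'untrusted-root:<DN>' when the walk ends at a
    self-signed certificate that is not in the root store."""
    by_subject = {_dn(c["subject"]): c for c in presented}
    roots = {_dn(c["subject"]) for c in trusted_roots}
    current = leaf
    for _ in range(10):  # real chains are short; bound the walk anyway
        issuer = _dn(current["issuer"])
        if issuer in roots:
            return "ok"
        if issuer == _dn(current["subject"]):
            return f"untrusted-root:{issuer}"
        nxt = by_subject.get(issuer)
        if nxt is None:
            return f"missing-intermediate:{issuer}"
        current = nxt
    return "chain-too-long"


def diagnose(cert, hostname, presented, trusted_roots):
    """Combine both checks and return a list of human-readable problems."""
    problems = []
    if not hostname_matches(cert, hostname):
        sans, cn = names_in_cert(cert)
        problems.append(f"name mismatch: connected to {hostname}, certificate names {sans or [cn]}")
    status = chain_status(cert, presented, trusted_roots)
    if status != "ok":
        problems.append(status)
    return problems


# Constructed sample chain (placeholder CA names, not GoDaddy's real ones).
ROOT_CA = {"subject": ((("commonName", "Example Root CA"),),),
           "issuer": ((("commonName", "Example Root CA"),),)}
INTERMEDIATE = {"subject": ((("commonName", "Example Secure CA"),),),
                "issuer": ((("commonName", "Example Root CA"),),)}
SITE_CERT = {"subject": ((("commonName", "www.site.com"),),),
             "issuer": ((("commonName", "Example Secure CA"),),),
             "subjectAltName": (("DNS", "www.site.com"), ("DNS", "mail.site.com"), ("DNS", "site.com"))}

if __name__ == "__main__":
    # Server sends only the leaf: name is fine, chain is broken (the question's symptom).
    print(diagnose(SITE_CERT, "mail.site.com", [], [ROOT_CA]))
    # Server sends the intermediate as well: no problems.
    print(diagnose(SITE_CERT, "mail.site.com", [INTERMEDIATE], [ROOT_CA]))
    # Client configured with the banner hostname instead: name mismatch on top.
    print(diagnose(SITE_CERT, "ns1.site.com", [], [ROOT_CA]))
```

To feed real data in, dump what the server actually presents with `openssl s_client -connect mail.site.com:465 -servername mail.site.com -showcerts` (for port 587 add `-starttls smtp`) and compare the subject and issuer lines of each block against the walk above; a leaf whose issuer appears in none of the presented blocks is exactly the "missing intermediate" case, and the fix is to configure Exim to send the intermediate alongside the server certificate.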

