MailStore Client / Outlook Add-In cannot connect to MailStore Server. Error message: The SSL/TLS certificate verification failed. The server name was enforced by group policies, but the certificate validation failed.
Posted by Michael Pelzer on 20 Jan 2021 09:09
Problem: MailStore Client / Outlook Add-In cannot connect to MailStore Server. Error message: The SSL/TLS certificate verification failed. The server name was enforced by group policies, but the certificate validation failed.

Root Cause: If an administrator has decided to specify a server name via group policy, the decision about whether a server specified in this way can be trusted should not lie with the end user. In such a case, the domain administrator must take the necessary steps to establish trust, possibly also via GPO. Distributing a possibly self-signed certificate as a trusted root certification authority takes no more effort than whitelisting a certificate fingerprint, but it significantly reduces complexity on the development side and makes it less error-prone. For this reason, the option to whitelist certificate fingerprints was removed from MailStore's own group policy in V13.

Solution: If you are using a self-signed certificate in MailStore Server, that is, one obtained neither from Let's Encrypt nor from another trusted root certification authority, please note the following: As soon as you specify the server name via group policy, the MailStore Outlook Add-In and MailStore Client expect the certificate used by MailStore Server to be valid. This means that the server certificate must neither be expired nor have been revoked, the server name must be contained in the certificate, and the certificate must have been issued by a trusted root certification authority (possibly your own internal certification authority). The latter is not the case with self-signed certificates.

If you do not have the option of using certificates issued by a trusted certification authority, you can create a suitable self-signed certificate in the MailStore Server service configuration, save it to a file and then distribute it to the clients as a "Trusted Root Certification Authority".

In the group policy that distributes the login information, please ensure that the specified server name matches the name the certificate was issued for, i.e. that no different name, or even the IP address, has been entered.

Article-ID: KB20200819-0-EN
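To check from a domain client whether the server certificate meets the conditions listed in the solution (not expired, server name contained in the certificate, chain ending in a trusted root), a diagnostic like the following can be used. It is an added example, not MailStore's own code: `$ServerName` and `$Port` are values you supply, and it assumes the client validates against the Windows certificate store the same way .NET's `SslStream` does.

```powershell
# Added diagnostic example, run on a domain client. Not MailStore code.
param(
    [Parameter(Mandatory)] [string] $ServerName,  # exactly as entered in the group policy
    [Parameter(Mandatory)] [int]    $Port         # port your clients connect to (placeholder, not from the article)
)
$ErrorActionPreference = 'Stop'
$PolicyErr = [System.Net.Security.SslPolicyErrors]
$script:seen = @{ Cert = $null; Errors = $null; Chain = @() }

# The callback only records what Windows decided. It returns $true so the
# handshake completes and every finding can be reported; no data is sent.
# A real client must never accept a certificate this way.
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($source, $cert, $chain, $errors)
    $script:seen.Cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2] $cert
    $script:seen.Errors = $errors
    $script:seen.Chain  = @($chain.ChainStatus | ForEach-Object { "$($_.Status)" })
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
try {
    $tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    # This overload checks name, validity period and chain; it does not check revocation.
    $tls.AuthenticateAsClient($ServerName)
    $tls.Dispose()
} finally {
    $tcp.Close()
}

$errors = $script:seen.Errors
[pscustomobject]@{
    ServerName    = $ServerName
    Subject       = $script:seen.Cert.Subject
    Thumbprint    = $script:seen.Cert.Thumbprint
    NotAfter      = $script:seen.Cert.NotAfter
    Expired       = $script:seen.Cert.NotAfter -lt (Get-Date)
    NameMatches   = -not $errors.HasFlag($PolicyErr::RemoteCertificateNameMismatch)
    ChainTrusted  = -not $errors.HasFlag($PolicyErr::RemoteCertificateChainErrors)
    ChainStatus   = $script:seen.Chain -join ', '
    WouldValidate = $errors -eq $PolicyErr::None
}
```

`ChainTrusted` false with `UntrustedRoot` in `ChainStatus` indicates the self-signed certificate has not reached the client's Trusted Root Certification Authorities store; `NameMatches` false indicates the server name in the group policy differs from the names in the certificate.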