"Let's Encrypt" is an organisation that provides SSL certificates for free in an automated way. While the use is simple on IIS or Apache web servers, on Kerio Connect it is a bit more complicated as it comes with its own web server. Here is how I set it up (there might be other ways, of course, please feel free to add your comments at the bottom of the page).

First, download "letsencrypt-win-simple" from

This tool simplifies and automates the communication with the Let's Encrypt API. Then, make sure you have IIS enabled on your Windows 2012 R2 Server, but only have a binding to port 80 (port 443 will be used by Kerio Connect). Make sure that Kerio Connect only has https enabled and not http.

Now, run letsencrypt.exe from the folder where you downloaded it. When run for the first time, it will ask you for your email address and to accept the TOS. It will present you with all the current bindings from IIS. It will now create the certificate for your mail server. Two files are important

C:\Users\\AppData\Roaming\letsencrypt-win-simple\

C:\Program Files\Kerio\MailServer\sslcert

From Kerio Web Admin > SSL Certificates, import the certificate and make it the default certificate. Delete any other certificates.

You should now be able to go to the Kerio Connect login web page with

If you look at the certificate it should list "Let's Encrypt Authority" as the issuer and it should show a green padlock.

Let's Encrypt certificates expire after 90 days, so you should create a scheduled task that renews the certificates and copies them to

Also this task needs to restart the mailserver service, so the new certificate takes effect.

I'm trying to wget to my own box, and it can't be an internal address in the wget (so says another developer).

Connecting to |172.20.0.224|:80.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

I believe it is because I do not have the certificate set up properly. Using openssl:

openssl s_client -connect :443
15586:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:

While if I do the same command on another site, it shows the entire cert. Perhaps the ssl cert was never set up in the conf file on Apache for that domain? If so, what should I be specifying in the virtualhost? Is there any alternative other than specifying -no-check-certificate because I don't want to do that?

This error happens when OpenSSL receives something other than a ServerHello in a protocol version it understands from the server. It can happen if the server answers with a plain (unencrypted) HTTP. It can also happen if the server only supports e.g. TLS 1.2 and the client does not understand that protocol version. Normally, servers are backwards compatible to at least SSL 3.0 / TLS 1.0, but maybe this specific server isn't (by implementation or configuration).

It is unclear whether you attempted to pass -no-check-certificate or not. I would be rather surprised if that would work.

A simple test is to use wget (or a browser) to request (note the not if it works, SSL is not enabled on port 443.

To further debug this, use openssl s_client with the -debug option, which right before the error message dumps the first few bytes of the server response which OpenSSL was unable to parse.