JAFJAF
Tuning in
Message 1 of 29

IMAP EMAILS CERTIFICATE INVALID

Suddenly having problems with receiving and sending emails on Virgin Media in my IMAC.  Message comes up saying cannot verify the identity of the server IMAP.Virginmedia.com and SMTP.Virginmedia.com. Says the certificate for the server is invalid. Have spent nearly an  hour on phone to VM but they say nothing wrong their end and I need to contact Apple. Just seen though that a similar problem occurred back in 2015 and looked like the problem was with Virgin. 


Helpful Answers
JackLN
Tuning in
Message 17 of 29
Helpful Answer

Re: IMAP EMAILS CERTIFICATE INVALID

It may have something to do with this: https://www.theregister.co.uk/2016/10/13/globalsigned_off/
Virgin Media recently installed a new certificate on imap.virginmedia.com, switching from Verisign to AlphaSSL (Globalsign). A few months ago Globalsign inadvertently triggered the revocation of its intermediary certificates. It appears that MacOS is still affected by this.

Could you try clearing the certificate cache? According to the Globalsign website (https://support.globalsign.com/customer/portal/articles/1353318) you need to do this:

OS X 10.12 Sierra
To delete both OCSP and CRL cache in OS X 10.12, open a terminal and run the following command:

sqlite3 ~/Library/Keychains/*/ocspcache.sqlite3 'DELETE FROM ocsp;'



All Replies
Tudor
Well-informed
Message 2 of 29

Re: IMAP EMAILS CERTIFICATE INVALID

There were reports on some of the Apple sites I visit about certificates for non Apple apps having expired and being renewed. Don't know if this is your problem, but a wider Google search may help you.


There are 10 types of people: those who understand binary and those who don't
Superuser
Superuser
Message 3 of 29

Re: IMAP EMAILS CERTIFICATE INVALID

Hi JIFFJAFF

While I'm not seeing errors myself, I am getting two conflicting results from a couple of tools I use. As the OP is having difficulties, I am going to follow the OpenSSL results, as to be frank they look odd.

I'm going to use the s_client command to compare the certificate chains of the following servers

  • imap.blueyonder.co.uk
  • imap.virginmedia.com

For brevity, while I'm going to show the commands I used - I'm only going to post the certificate chains.

Blueyonder

C:\Users\timdu>openssl s_client -connect imap.blueyonder.co.uk:993
...
Certificate chain
 0 s:/C=GB/ST=Hampshire/L=Hook/O=Virgin Media Ltd/OU=internet operations/CN=imap.blueyonder.co.uk
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
...

Virginmedia

C:\Users\timdu>openssl s_client -connect imap.virginmedia.com:993
...
Certificate chain
 0 s:/C=GB/OU=Domain Control Validated/CN=imap.virginmedia.com
   i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
...

Spot the difference?

In each case, OpenSSL should be seeing the FULL certificate chain - all the way down to the root certificate. Yet for the imap.virginmedia.com case we only see as far as the issuer certificate.

Looking at smtp.virginmedia.com

C:\Users\timdu>openssl s_client -connect smtp.virginmedia.com:465
---
Certificate chain
 0 s:/C=GB/OU=Domain Control Validated/CN=smtp.virginmedia.com
   i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---

Same again?

Strangely - Outlook and Thunderbird on Windows BOTH connect without complaint to imap.virginmedia.com, as did my iPad.

Finally, I checked pop3.virginmedia.com

C:\Users\timdu>openssl
OpenSSL> s_client -connect pop3.virginmedia.com:995
---
Certificate chain
 0 s:/C=GB/OU=Domain Control Validated/CN=pop3.virginmedia.com
   i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---

Again no root certificate showing in the chain.

I used DigiCert's certificate utility to double check my findings.

imap.blueyonder.co.uk

digibl.JPG

imap.virginmedia.com

digivg.JPG

@ModTeam - Can you please ask a Forum Team member to view this and escalate URGENTLY.  While I'm by no means an expert, my understanding is that EVERY certificate chain should ideally show all certificates including the root certificate.  So the above does not look at all right to me.

Thanks in advance.

Tim

PS trying to post this was a headache.

________________________________________


Only use Helpful answer if your problems been solved.

Superuser
Superuser
Message 4 of 29

Re: IMAP EMAILS CERTIFICATE INVALID

The root certificate is not returned as that should already be in your (local) certificate store; look at the initial output generated by the openssl command for imap.blueyonder.co.uk and imap.virginmedia.com:

blueyonder

⋮
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = GB, ST = Hampshire, L = Hook, O = Virgin Media Ltd, OU = internet operations, CN = imap.blueyonder.co.uk
verify return:1
---
Certificate chain
⋮

virginmedia

⋮
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
verify return:1
depth=0 C = GB, OU = Domain Control Validated, CN = imap.virginmedia.com
verify return:1
---
Certificate chain
⋮
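
An added example, not part of any post in this thread: a Python check over the `Certificate chain` sections quoted above, showing which certificates each server sent and which issuer the client must already hold locally. `LOCAL_ROOTS`, `parse_chain` and `assess` are names chosen here, and matching subject to issuer by DN string is a simplification of real path validation, which also checks signatures and validity dates.

```python
import re

# Chain sections as quoted in this thread (openssl s_client output).
VIRGINMEDIA = """Certificate chain
 0 s:/C=GB/OU=Domain Control Validated/CN=imap.virginmedia.com
   i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---"""
BLUEYONDER = """Certificate chain
 0 s:/C=GB/ST=Hampshire/L=Hook/O=Virgin Media Ltd/OU=internet operations/CN=imap.blueyonder.co.uk
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---"""

# Constructed stand-in for the local trust store: the two root subjects that
# appear in Message 4's depth= lines but not in the chains the servers sent.
LOCAL_ROOTS = {
    "/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA",
    "/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority",
}

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    pairs = re.findall(r"^\s*\d+ s:(.*)\n\s+i:(.*)$", text, re.M)
    return [(s.strip(), i.strip()) for s, i in pairs]

def assess(text, roots=LOCAL_ROOTS):
    """Summarise a sent chain: is it linked, and where must trust come from?"""
    chain = parse_chain(text)
    if not chain:
        raise ValueError("no certificate chain found")
    # Each certificate must be issued by the next one the server sent.
    linked = all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))
    top_subject, top_issuer = chain[-1]
    return {
        "sent": len(chain),
        "linked": linked,
        "root_sent": top_subject == top_issuer,  # self-signed cert on the wire
        "anchor": top_issuer,                    # must be found locally
        "anchor_in_local_store": top_issuer in roots,
    }

if __name__ == "__main__":
    for name, text in (("blueyonder", BLUEYONDER), ("virginmedia", VIRGINMEDIA)):
        print(name, assess(text))
```

A chain whose last issuer is absent from the local store, for example when a server omits its intermediate, is the case this check reports with `anchor_in_local_store` set to false.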
Superuser
Superuser
Message 5 of 29

Re: IMAP EMAILS CERTIFICATE INVALID


JAFJAF wrote:

Suddenly having problems with receiving and sending emails on Virgin Media in my IMAC.  Message comes up saying cannot verify the identity of the server IMAP.Virginmedia.com and SMTP.Virginmedia.com. Says the certificate for the server is invalid. Have spent nearly an  hour on phone to VM but they say nothing wrong their end and I need to contact Apple. Just seen though that a similar problem occurred back in 2015 and looked like the problem was with Virgin. 


The certificates for [imap|smtp].virginmedia.com have only recently been applied, so you may wish to use [imap|smtp].blueyonder.co.uk instead until the verification issue can be resolved; however, be aware that certificate expires on 28/03/17.

What version of the OS are you using?

Superuser
Superuser
Message 6 of 29

Re: IMAP EMAILS CERTIFICATE INVALID

Except you can't use imap.blueyonder.co.uk to log in a virginmedia.com account.

________________________________________


Only use Helpful answer if your problems been solved.

Superuser
Superuser
Message 7 of 29

Re: IMAP EMAILS CERTIFICATE INVALID

You are right, my mistake.

Superuser
Superuser
Message 8 of 29

Re: IMAP EMAILS CERTIFICATE INVALID


用心棒 wrote:

JAFJAF wrote:

Suddenly having problems with receiving and sending emails on Virgin Media in my IMAC.  Message comes up saying cannot verify the identity of the server IMAP.Virginmedia.com and SMTP.Virginmedia.com. Says the certificate for the server is invalid. Have spent nearly an  hour on phone to VM but they say nothing wrong their end and I need to contact Apple. Just seen though that a similar problem occurred back in 2015 and looked like the problem was with Virgin. 


The certificates for [imap|smtp].virginmedia.com have only recently been applied, so you may wish to use [imap|smtp].blueyonder.co.uk instead until the verification issue can be resolved; however, be aware that certificate expires on 28/03/17.

What version of the OS are you using?


Does the following website's certificate chain validate correctly when you use Safari: https://www.alphassl.com/

JAFJAF
Tuning in
Message 9 of 29

Re: IMAP EMAILS CERTIFICATE INVALID

Thanks for all the replies everyone.  I am a new member of the Forum and think I may have posted my problem in the wrong category as I am not tech savvy and a lot of the great replies have gone over my head!  I hoped that by putting it on the tech forum VM would pick it up again. Sierra is the OS for my IMAC.  

Reading the replies though and with my limited knowledge it looks like the certificate problem is with VM (?).  I have got round the problem at the moment by ticking a box on the error message that allows me to continue using the 'invalid' certificate but  don't think this is the ideal way to resolve the problem.  

Superuser
Superuser
Message 10 of 29

Re: IMAP EMAILS CERTIFICATE INVALID

Did you try browsing to https://www.alphassl.com/ using Safari? FYI, Sierra's Trust Store contains the root certificate to validate https://www.alphassl.com/ and the same is used to validate [imap | smtp].virginmedia.com.
