{"id":1249,"date":"2023-12-19T19:55:29","date_gmt":"2023-12-19T17:55:29","guid":{"rendered":"http:\/\/dety.net.ua\/?p=1249"},"modified":"2023-12-19T19:55:29","modified_gmt":"2023-12-19T17:55:29","slug":"exchange-2019-receive-connector-certificate-issue","status":"publish","type":"post","link":"https:\/\/dety.net.ua\/?p=1249","title":{"rendered":"Exchange 2019 + Receive Connector Certificate Issue"},"content":{"rendered":"\n

We\u2019ve got an error from the client about WordPress mail sending failure.<\/p>\n\n\n\n

Debug:<\/p>\n\n\n\n

Email Source: WP Mail SMTP<\/p>\n\n\n\n

Mailer: Other SMTP<\/p>\n\n\n\n

SMTP Error: Could not connect to SMTP host. Connection failed. stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:<\/p>\n\n\n\n

error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failedSMTP server error: QUIT command failed<\/p>\n\n\n\n

2023-12-18 17:20:35 CLIENT -> SERVER: STARTTLS<\/p>\n\n\n\n

2023-12-18 17:20:35 SERVER -> CLIENT: 220 2.0.0 SMTP server ready<\/p>\n\n\n\n

2023-12-18 17:20:35 Connection failed. Error #2: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed [\/var\/www\/html\/wp-includes\/PHPMailer\/SMTP.php line 476]<\/p>\n\n\n\n

SMTP Error: Could not connect to SMTP host. Connection failed. stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed<\/p>\n\n\n\n

2023-12-18 17:20:35 CLIENT -> SERVER: QUIT<\/p>\n\n\n\n

SMTP OpenSSL check:<\/p>\n\n\n\n

openssl s_client -connect mail.server.com:587 -starttls smtp<\/strong><\/p>\n\n\n\n

CONNECTED(00000003)<\/p>\n\n\n\n

depth=0 CN =.com<\/p>\n\n\n\n

verify error:num=20:unable to get local issuer certificate<\/p>\n\n\n\n

verify return:1<\/p>\n\n\n\n

depth=0 CN =.com<\/p>\n\n\n\n

verify error:num=21:unable to verify the first certificate<\/p>\n\n\n\n

verify return:1<\/p>\n\n\n\n

depth=0 CN =.com<\/p>\n\n\n\n

verify return:1<\/p>\n\n\n\n

—<\/p>\n\n\n\n

Certificate chain<\/p>\n\n\n\n

 0 s:CN =.com<\/p>\n\n\n\n

   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256<\/p>\n\n\n\n

   v:NotBefore: Dec 14 18:43:46 2023 GMT; NotAfter: Dec 13 18:43:46 2024 GMT<\/p>\n\n\n\n

—<\/p>\n\n\n\n

Server certificate<\/p>\n\n\n\n

—–BEGIN CERTIFICATE—–<\/p>\n\n\n\n

—–END CERTIFICATE—–<\/p>\n\n\n\n

subject=CN =.com<\/p>\n\n\n\n

issuer=DC = com,<\/p>\n\n\n\n

—<\/p>\n\n\n\n

No client certificate CA names sent<\/p>\n\n\n\n

Peer signing digest: SHA256<\/p>\n\n\n\n

Peer signature type: RSA<\/p>\n\n\n\n

Server Temp Key: ECDH, secp384r1, 384 bits<\/p>\n\n\n\n

—<\/p>\n\n\n\n

SSL handshake has read 2679 bytes and written 513 bytes<\/p>\n\n\n\n

Verification error: unable to verify the first certificate<\/strong><\/p>\n\n\n\n

—<\/p>\n\n\n\n

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384<\/p>\n\n\n\n

Server public key is 2048 bit<\/p>\n\n\n\n

Secure Renegotiation IS supported<\/p>\n\n\n\n

Compression: NONE<\/p>\n\n\n\n

Expansion: NONE<\/p>\n\n\n\n

No ALPN negotiated<\/p>\n\n\n\n

SSL-Session:<\/p>\n\n\n\n

    Protocol  : TLSv1.2<\/p>\n\n\n\n

    Cipher    : ECDHE-RSA-AES256-GCM-SHA384<\/p>\n\n\n\n

    Session-ID: 964A0000F62300131AB8EC758DB53C2BDB0EBBBC6CC6AFC58A0D7CFBF4A80680<\/p>\n\n\n\n

    Session-ID-ctx:<\/p>\n\n\n\n

    Master-Key:<\/p>\n\n\n\n

    PSK identity: None<\/p>\n\n\n\n

    PSK identity hint: None<\/p>\n\n\n\n

    SRP username: None<\/p>\n\n\n\n

    Start Time: 1703004291<\/p>\n\n\n\n

    Timeout   : 7200 (sec)<\/p>\n\n\n\n

    Verify return code: 21 (unable to verify the first certificate)<\/p>\n\n\n\n

    Extended master secret: yes<\/p>\n\n\n\n

—<\/p>\n\n\n\n

250 SMTPUTF8<\/p>\n\n\n\n

We checked the Exchange Server:<\/p>\n\n\n\n

[PS] C:\\>Get-ExchangeCertificate<\/strong><\/p>\n\n\n\n

Thumbprint                                Services   Subject<\/p>\n\n\n\n

———-                                ——–   ——-<\/p>\n\n\n\n

D58156A24F5F75F1A5EA288B3FE92CA1B5C33859  …….    CN=.com<\/p>\n\n\n\n

A2A66C232FBB1AD846386FDBAC38EBC225844E89  ….S..    CN= V28<\/p>\n\n\n\n

745634734DF2974C9441092DBE1DF7E9F2DDDBE7  …….    CN=CLIUSR<\/p>\n\n\n\n

9803DE33A89F90B06E2629A7BC52C51969A66017  IP.WS..    CN=.com<\/p>\n\n\n\n

2DC2C1DAA06E234ABF57D3E8792FA93320C532DD  …….    CN=CLIUSR<\/p>\n\n\n\n

1511938F82535F158ED22F3040E2D900BED6A49D  …….    CN=CLIUSR<\/p>\n\n\n\n

027B83E66330CCACF1560F805C0C79AEA93CFC1E  …….    CN=CLIUSR<\/p>\n\n\n\n

8C928F1ED907DF896A3DD4216F47C45B2EF3ECE2  ….S..    CN=Microsoft Exchange Server Auth Certificate<\/p>\n\n\n\n

9A13D41F2C19D04B1930A79F383E0B948982774B  ….S..    CN= V28<\/p>\n\n\n\n

27A2966214A07F6F4C946D650A87F1751596ACCA  …….    CN=WMSvc-SHA2-EX22<\/p>\n\n\n\n

get-receiveconnector ” V28\\Client Proxy V28″ | fl<\/strong><\/p>\n\n\n\n

We saw that there is the certificate from our internal CA for this server. So, the server automatically enrolled the certificate and replaced somehow the certificate for Receive Connector at port 587<\/strong>.<\/p>\n\n\n\n

We replaced the certificate as in an example:<\/p>\n\n\n\n

\n
Configuring the TLS Certificate Name for Exchange Server Receive Connectors<\/a><\/blockquote>