
Mail Certificate Error - Resolving to server certificate not domain certificate

email

#1

We are having an issue where Auth0 is not able to connect to the mail server because it says the certificate name does not match the mail server name for that domain. When I check the SSL cert for mail.website.com, it matches. What Auth0 is matching is the actual server name. Can’t understand how it is getting that or why.

Hostname/IP doesn't match certificate's altnames: "Host: mail.website.com. is not in the cert's altnames: DNS:prod.serverName.net, DNS:www.serverName.net"

Any ideas?


#2

If I try to go to mail.website.com:443 I get this:

$ openssl s_client -connect mail.website.com:443
CONNECTED(00000005)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=www.website.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
subject=/CN=www.website.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
---
No client certificate CA names sent
---
SSL handshake has read 3068 bytes and written 676 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA256
    Session-ID: 4D0E000065BB7BCE6208DD859DF6EFBC4B8F3BEEADEB531633D1D9219302CE35
    Session-ID-ctx:
    Master-Key: 6601058FEA2DF3A1024A6077E914733BE89D937364FB029131B7F2D982EC21DC28243C3FE0D3A89AF88CF68526417AE7
    Start Time: 1534523085
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Notice www.website.com as the subject name instead of mail.website.com.

Which port are you using?

Perhaps you were just using those domain names as examples. In that case, I would try the above, but with the right ports and server name.

The other thing it could be is if you are hitting a load balancer that is serving the mail subdomain, and it is sending to the server. It really depends on who is replying with the certificate, i.e. which server. The certificate comes from the mail server, not Auth0, so whatever certificate the server replies with must match the server name that you put in the hostname of the SMTP server configuration in your email provider form.
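A way to reproduce the check the mail client makes, as an added example that is not part of this thread or of Auth0's code: `hostname_matches` applies the SAN-first name-matching rule to the names from the error above, and `fetch_cert_names` (an assumed helper) connects with SNI set, either implicit TLS on 465 or STARTTLS on 587, and returns the CN and SAN names the mail host actually presents. Note that `openssl s_client` before 1.1.1 sends no SNI unless `-servername` is given, so a server hosting several certificates may answer such a probe with its default one rather than the one a real mail client receives.

```python
import socket
import ssl
import smtplib
from typing import Iterable, Optional


def _label_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: case-insensitive, wildcard allowed only as the
    whole leftmost label. A trailing dot (FQDN form, as in the error message
    above) is stripped here; this normalisation is an assumption, not every
    client does it."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    rest, labels = pattern[2:], host.split(".")
    # a wildcard covers exactly one label, so "*.x.y" matches "a.x.y" but not "b.a.x.y"
    return len(labels) >= 3 and ".".join(labels[1:]) == rest


def hostname_matches(hostname: str, san_dns: Iterable[str], cn: Optional[str] = None) -> bool:
    """Mirror what a TLS client does: dNSName SANs are authoritative; the CN is
    consulted only when the certificate carries no dNSName SAN at all."""
    san_dns = list(san_dns)
    if san_dns:
        return any(_label_match(p, hostname) for p in san_dns)
    return cn is not None and _label_match(cn, hostname)


def fetch_cert_names(host: str, port: int = 465, starttls: bool = False, timeout: float = 10.0):
    """Connect with SNI = host (as a mail client would) and return (cn, [SAN DNS names]).
    starttls=True opens plain SMTP first and upgrades, which is what port 587 expects."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; we want to see the mismatch, not an exception
    if starttls:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
        smtp.quit()
    else:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), None)
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cn, sans


if __name__ == "__main__":
    # constructed names taken from the error message in the question
    print(hostname_matches("mail.website.com", ["prod.serverName.net", "www.serverName.net"]))
```

Run `cn, sans = fetch_cert_names("mail.website.com", 587, starttls=True)` against your own host and feed the result to `hostname_matches` to see exactly which name the server is presenting on the port Auth0 uses.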