Anyone getting certificate expired for mail.comcast.net?

ANSWERED
Frequent Visitor

Anyone getting certificate expired for mail.comcast.net?

Just started today.  E-mail client warns about the secure connect attempt to Comcast's inbound e-mail server (mail.comcast.net) by noting the certificate for that server has expired.

 

This forum software won't let me copy and paste (I already provided the cert error to Comcast Chat but those folks don't have a clue about this stuff).  So here are the hand copied details of the certificate:

 

E-mail certificate has expired.

Issued to: mail.comcast.net

Issued by: COMODO High Assurance Secure Server CA

Valid from 9/22/2013 to 9/27/2015

 

The expiration date was a couple weeks ago so I'm guessing CAs permit a couple weeks grace to a registrant although, as I recall, they send an alert a month before a certificate expires provided the registrant gives valid contact information.

 

New Poster

Re: Anyone getting certificate expired for mail.comcast.net?

I received the same error message this morning in my iPhone.  I was connected to home wifi at the time.  I did not receive the message in my iPad or on my desktop (iMac running Mail).

New Poster

Re: Anyone getting certificate expired for mail.comcast.net?

Same message here on my Mac Book, not on my iPhone though...

Here is a screen shot... Should we "trust"??

Screen Shot 2015-10-04 at 12.38.45 PM.png

New Poster

Re: Anyone getting certificate expired for mail.comcast.net?

Yes.  I started getting the same warning on the security certificate being invalid around noon (but not when checking Comcast email earlier today).  I checked the certificate date and it expired after September 23.

I spent almost an hour talking to Comcast's support number and then to the Comcast Security Assurances Department.  Each of them was clueless and each ended up recommending I contact Microsoft Outlook's support number because I was seeing Comcast's expired certificate when I used Outlook.

I rebooted and still got the same error, but this time one email had come in from Comcast's mail server before the Outlook mail receive process got the error and hung up. I knew from the content it could only have come through the Comcast email server, so I clicked to indicate I trusted the certificate.

New Poster

Re: Anyone getting certificate expired for mail.comcast.net?

I began getting the same message this afternoon on my iMac.  I've been ignoring it, with trepidation.  My iPad just delivered mail with no issue or warning.  My iPhone 4S, however, hasn't delivered mail since middle of the night, and was unable to deliver when I just tried.

Frequent Visitor

Re: Anyone getting certificate expired for mail.comcast.net?

Just called their Customer Security Assurance Dept at 888-565-4329 (to where their chat rep dumped me since the chat rep had no clue what is a site certificate).  The chat rep: no, they cannot deal with that problem, go somewhere else at Comcast.  Assurance rep: yeah, they desperately tried to point fingers at the e-mail client.  They don't understand site certificates, either.  It is their job to blame someone other than Comcast when Comcast screws up.  The Assurance rep claimed to have added a "note" to my account about the expired certificate error but could not or would not provide a ticket number for the issue.  It is exasperating when the customer is the expert in the conversation and has to educate the Comcast chat/tech rep.

 

So basically Comcast will not fix the problem (by renewing or replacing their certificate) until a lot more users call in to report the issue.  That was what the Assurance rep claimed: no one else has reported the problem.  That's because their customers don't understand the cause of the error, they don't know where to call, the chat reps avert having to deal with the issue by pointing customers to some other Comcast rep, and the other Comcast rep (Assurance) claims it is not a problem.  They keep trying to say that they only support their webmail client (i.e., the slow and clumsy and slow-to-get-fixed Smartzone contracted from Zimbra where you use a web browser to use that).  Their HTTPS cert works just fine for their web server.  That's all they claim to support. 

 

They don't support e-mail clients.  Well, duh, it's not an e-mail client issue.  At least the Assurance rep acknowledged that the POP and IMAP servers are Comcast's responsibility so finally she acknowledged that those server hosts have a certificate.  That took a lot of pushing with the result that the only action to which she would commit was to add a note to my account.  When they say that, it is double-talk for "we're going to ignore you".  It is as ineffective as a disconnected cross-walk button: you get satisfaction from pushing the button but it doesn't do anything.

 

Contacting Comcast results in conversing with robotic 1st level reps (aka boobs that can punch keywords into a canned response database).  To get the problem fixed means having to raise the heat by making it publicly known that Comcast's e-mail server's certificate has expired and Comcast will not look into the problem (the 1st level reps haven't a clue how to inspect a site certificate or look at the correct one for their e-mail server hostnames and not with their HTTPS web server) and intends to ignore the problem.

 

I have seen in the past where, I think, Intel's site cert had expired and someone decided to pay the renewal to help out Intel.  I'm wondering if I could hijack Comcast's certificate by paying Comodo for its renewal AND then also owning it.  Comcast would then have to pay me (lots) to get back their old certificate; else, they would have to change their hostnames, update their help articles, get new certs for their new hostnames, and get all their customers making secure connects to reconfigure their e-mail clients to use the new hostnames to which new certificates were issued and deployed.  The huge price to buy back the certificate for their mail.comcast.net and imap.comcast.net hosts would be a fine for them failing to support their customers and the services that Comcast says it provides.  Yeah, I'll help Comcast ... for a fat contractor fee.  I doubt that I could do that since I'm not the domain registrant for comcast.net.  I could pay for the cert's renewal but I could not then own the cert.

 

For those saying they do not get the "certificate expired" error, I have to wonder if they are using *secure* connections.  IMAPS and POPS require the site to have a valid cert to identify them.  If using IMAP or POP, there is no secure connection, there is no encryption of data transfer, and there is no assurance of host's identity (the reasons why secure connects are used).  One e-mail client may be configured to use SSL or TLS (or Auto which first tries TLS and then backs off to SSL) while another is not.  Those not configured to use SSL/TLS won't get a site cert expired error because no cert is involved in non-secure connects. 

 

Most of the web apps for e-mail clients are not nearly as robust as desktop e-mail clients.  Less code = less features and less compliance with e-mail standards.  Many are limp and several are flawed.  For example, while the desktop Outlook e-mail client will add the References header so hierarchy of posts within a discussion can be threaded, the Outlook web app omits this header.  A discussion that was nicely threaded becomes disjoint with a newly started but disconnected thread when someone replies using the Outlook web app.  Same thing happens for users of Android's default e-mail app.  No References header = no hierarchical threading of e-mails for a discussion.  So it is possible another reason e-mail web apps don't report the error is they have less code which means they don't test the validity of a site cert or they don't report the error to the user.

 

You must have your e-mail client configured to make SSL or TLS connects to the server for a certificate to be involved (to then find out that the certificate has expired).  Non-secure connects don't involve a certificate.

 

Contributor

Re: Anyone getting certificate expired for mail.comcast.net?

I have been having problems with sending email for several days. Now I am having trouble with account verification. I did get the certificate error once. A little while ago, I did see a blurb about an email outage in response to a Google search. There was no time nor date in the statement, however. 

 

New Poster

Re: Anyone getting certificate expired for mail.comcast.net?

It is difficult to quantify how bad Comcast is at email, security, and customer and technical support, but you have done a nice job.  They are so behind the times in terms of sophistication in security matters that trusting them with anything except your spam is a huge mistake.  Stick with Apple and Google if you want reliability and security.  But it is annoying that I have also been getting this certificate expiration message for the last couple of days.  Not sure which is worse - ignoring it or trusting the expired certificate.

 

Frequent Visitor

Re: Anyone getting certificate expired for mail.comcast.net?

If you choose to have your e-mail client trust an invalid certificate (expired is one cause for invalidation) then you might as well not use secured connections. You cannot guarantee the site to which your client connects is actually Comcast's e-mail server if a certificate is not involved. So one solution is to configure the e-mail client to NOT use either SSL or TLS (or Auto) for the incoming e-mail server -- provided Comcast allows insecure connects to their servers.

 

Since I only have 1 active account at Comcast and because it is not my primary e-mail account (I moved away from Comcast pretty soon after they got enamored with an AJAX-built webmail client that they don't even maintain but contract from Zimbra who are v-e-r-y slow to fix defects), I will just move to another better educated and better maintained e-mail service. The only reason why I use a Comcast e-mail account is that I managed after months of repeated whining to get them to modify their e-mail address parser (on replies). E-mail RFCs allow non-alphabetic special characters in the left-side token of e-mail addresses. "#" is an allowed special character. Comcast's parser would puke on "#" in the left-side token (aka username field) of an e-mail address. Microsoft used to allow "#", then quit, then supported it again, then quit, then supported it again (for a few days), and quit again. They just cannot make up their collective mind on what characters their parser will permit in the left-side token. Gmail allows the "#" in the left-side token. Since Comcast eventually supported "#" in the username field, I created an account at Comcast from which I could send replies where the recipient's e-mail address had an "#" in it. But now Comcast is too lazy and very obviously too ignorant to maintain their site certs. So I'll go back to using Gmail for those special replies (*).

 

(*) I use Spamgourmet aliasing to protect my true e-mail address. They have a masking feature that modifies the Reply-To header when someone sends a message through an alias. They use the "#" character (parsed from the left to right of the left token just in case the sender also has a "#" in their username) to identify sender's e-mail address and the alias through which the message was delivered. To reply to such senders (and keep private my true e-mail address), those go back through Spamgourmet. My reply looks like it originated from Spamgourmet instead of my true e-mail address (the domain can still be seen in the headers but not my e-mail address there). Hotmail supported "#" in the left token so I started with them. Then Microsoft screwed up their parser multiple times and I moved to Gmail who supported "#" in the left token.

 

For reasons in Google's oddball POP and IMAP implementations (which differ significantly from RFCs that I refer to Google's e-mail protocols as gPOP and gIMAP), I decided to wander back to Comcast. A couple months later and Comcast's cert has expired and it will likely take them months to renew their cert (took them 5 months to fix problems with their HTTPS cert). So I'll go back to Gmail. Why? Because Comcast forces me to Gmail by them not permitting secure connections to their e-mail servers. I'm not keen on Google sifting through my e-mails but then I'm not a terrorist trying to kill civilians. I use a local e-mail client so I won't be nuisanced in using a webmail-designed-for-boobs client.

 

Having to use Gmail is a sad commentary on how bad is Comcast. You eat a turd to avoid eating puke. Used to be we made fun of gov't workers: slow to cogitate, slow to act, lots of paperwork, took an expert to figure out who to talk to (get through the red tape). I remember a cruise where the comedian was getting some jeers from a gov't joke and said, "Oh, we have some gov't people in the audience. Okay, I talk s-l-o-w-e-r." Comcast long ago surpassed the [lack of] expectation for quality in support typical of the gov't. In the gov't, one is promoted until they rise to a level at which they become incompetent and then they /STAY/ there (Peter Principle). At Comcast, it seems they are hiring, well, contracting at that level of incompetence. They hire out their support to contracted help centers and those reps are, um, mentally challenged.

Their new push to advertise improved support is a sad joke. Doesn't fool anyone. Advertising is not the same as doing. Proclamations don't magically train their employees or up the base salaries so they end up hiring better educated employees. Considering the ignorance of their tech/chat/support reps, I have to wonder if Comcast even requires their help staff to have a high school diploma. Sure makes what I'm paying them very expensive: erratic service with no support.

New Poster

Has the certificate for mail.comcast.net expired?

Has the certificate for mail.comcast.net really expired?  Am I safe in continuing to use the system for email?  When will this be fixed?

 

Frequent Visitor

Re: Has the certificate for mail.comcast.net expired?

"Has the certificate really expired?"

 

Yes.  There is no such thing as an eternal certificate.  You pay for a lease on the certificate (just like you pay for a lease on a domain registration).  You can pay for 1 year, 2 years, 5 years, or 10 years (there may be other increments depending on the certificate issuer's attempt to segment the market).  Comcast's e-mail certificate had only a 2-year lease: 22-Sep-2013 to 27-Sep-2015.  Usually large companies buy much longer leases.  Repeatedly buying short leased certificates bodes badly for a service. 

 

"Am I safe in using the system?"

 

That depends on your need for privacy and security.  POPS and IMAPS encrypt the login credentials.  Without encryption, your login is sent "in the clear" and anyone sniffing your network traffic can see your login credentials.  As for encrypting the traffic to the e-mail servers, SSL/TLS are often used only to encrypt the login credentials, not the data (e-mail content). 

 

To protect your e-mail content, you need to get your own e-mail certificate to install for use by your e-mail client.  Then you digitally sign an e-mail you send to someone so they can store your public key.  When they want to encrypt their e-mail to you, they use your public key.  Only you can decrypt their e-mail using your private key which only you have.  Encrypted e-mail is by invitation: you dole out your public key to those from whom you want to receive encrypted e-mail.

 

However, if you don't protect your login credentials using a secured connection then anyone that steals them can do the same as you can do in your account because they can login as you.  If you don't care that someone can steal your login credentials then there is no point in using a secured connection to the e-mail server.  Use non-encrypted logins (POP or IMAP), send your login credentials in the clear, and hope no one snags your login credentials.

 

Note that some e-mail providers will not even let you connect to their e-mail server using POP or IMAP.  They require you use POPS (secured POP) and IMAPS (secured IMAP).  This reduces the number of tech calls they get from customers whose accounts have been compromised.  Many also require SMTPS (secured SMTP) for you to send e-mails.  For those e-mail providers, you must use secured connections (POPS, IMAPS, or SMTPS).  For example, while you can use POP or IMAP to retrieve e-mails from Microsoft's servers (Hotmail/Live/Outlook.com), you must use SMTPS to send e-mails AND Microsoft demanded that TLS be used to connect to their SMTPS server (they stopped supporting SSL connects).  That change occurred a couple years ago.  Users of Outlook 2003 suddenly found out they couldn't send e-mails because that e-mail client has no support for TLS.  They had to use TLS for a secure SMTP connection so they had to switch to a newer version of Outlook or move to a different e-mail client that did support TLS.  I have not bothered to check if Comcast permits non-secure connects to their POP, IMAP, and SMTP servers (I'll be leaving Comcast's e-mail service so it would be a waste of my time to check).

 

"When will this be fixed?"

 

This is a peer community: users helping other users.  Comcast's support doesn't visit here.  If you try to use Comcast's chat, call their main support number, or call their Assurance department, they will try to convince you that their certificate's expiration is somehow your fault.  They will deny it is their problem.  Their employer can do no wrong.  Pushing off the customer is how they are trained to reduce support costs.  The only way to tell when Comcast renews their certificate's lease is when the problem goes away.  They will not announce their misstep.  So only Comcast knows when they may address the problem and users will know Comcast fixed the problem only after they no longer get "certificate expired" errors when trying to securely connect to Comcast's servers.

Know any journalists that publish in trade journals that would embarrass Comcast by divulging how lax in certificate maintenance is Comcast?  Or how their new image push claiming "customer is number one" is a lie because their chat and tech reps will deny that Comcast forgot to renew their server certificate?  Know a community of users willing to call Comcast en masse to rack up a high call count regarding the same complaint about certificate expiration?  It will take a very long time before Comcast does anything if the call count just trickles upward.

 

Comcast dropped Usenet access.  Comcast dropped personal web pages (and its corresponding online file storage).  They have dropped other services.  Yet prices never dropped.  E-mail (other than for business accounts) brings no revenue to Comcast, only expenditures.  Only by not expending resources on e-mail services, like contracting it out to Zimbra, can Comcast justify continuing to provide an e-mail service.  With so many free or cheap e-mail providers out there (who deal solely in e-mail service and not the myriad of other services provided by Comcast which do generate revenue), I fully expect Comcast to eventually drop their e-mail service.  Businesses typically drop or abandon no-gain services (i.e., loss leaders don't last forever).

 

Official Employee

Re: Has the certificate for mail.comcast.net expired?

We are looking into this issue.


I am an Official Comcast Employee.
Official Employees are from multiple teams within Comcast: Product, Support, Leadership.
We ask that you post publicly so people with similar questions may benefit from the conversation.

Frequent Visitor

Re: Has the certificate for mail.comcast.net expired?

Just how much "looking" does it take for Comcast to understand that the SSL certificate for mail.comcast.net has expired?

Official Employee

Re: Anyone getting certificate expired for mail.comcast.net?

Thanks for your patience!


We have verified the certificate is updated on our servers. Assuming everything is working as designed the update should have been in effect towards the end of August.


I suspect this may be related to clients caching the older certificate. This sometimes happens with firewall or anti-virus software as well. You may want to start with the easy option of rebooting; this may result in clearing out these old saved certificates.


If you are on a Mac or Linux, you can help us out by running the commands below, verifying the certificate expiration date, and posting the results here. This is assuming your anti-virus or firewall is not set up to grab these connections as well.


If your server settings are set up to use mail.comcast.net, run the 3 commands below:

  openssl s_client -connect mail.comcast.net:995 2>/dev/null | openssl x509 -noout -dates
  openssl s_client -connect 96.114.157.77:995 2>/dev/null | openssl x509 -noout -dates
  openssl s_client -connect 68.87.20.9:995 2>/dev/null | openssl x509 -noout -dates


If your server settings are set up to use imap.comcast.net (first of all good for you!)

  openssl s_client -connect imap.comcast.net:993 2>/dev/null | openssl x509 -noout -dates
  openssl s_client -connect 68.87.20.10:993 2>/dev/null | openssl x509 -noout -dates
  openssl s_client -connect 96.114.157.78:993 2>/dev/null | openssl x509 -noout -dates

Please post the above results and send your server settings as well. If you would prefer, you can send a direct message.


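Added example, not code from this thread or from Comcast: a Python version of the per-address check in the post above that validates each address against the hostname and also covers IMAP on port 143 with STARTTLS, which the port 993/995 commands do not exercise. Function names are illustrative; the sample validity windows use the dates quoted in this thread, with the time of day on the older one constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

X509_V_ERR_CERT_HAS_EXPIRED = 10  # OpenSSL verify code for "certificate has expired"

# Validity windows in the notBefore=/notAfter= text format. Dates are the ones
# quoted in the thread; the time of day on OLD_WINDOW is constructed.
OLD_WINDOW = ("Sep 22 00:00:00 2013 GMT", "Sep 27 23:59:59 2015 GMT")
NEW_WINDOW = ("Aug 18 00:00:00 2015 GMT", "Aug 17 23:59:59 2017 GMT")


def classify(not_before, not_after, now):
    """Return (status, whole days) for a validity window at the instant `now`."""
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    ts = now.timestamp()
    if ts < start:
        return "not-yet-valid", int((start - ts) // 86400)  # days until valid
    if ts > end:
        return "expired", int((ts - end) // 86400)          # days since expiry
    return "valid", int((end - ts) // 86400)                # days remaining


def imap_starttls(sock):
    """Ask a plaintext IMAP listener (port 143) to switch to TLS."""
    with sock.makefile("rb") as reader:
        reader.readline()                     # server greeting
        sock.sendall(b"a1 STARTTLS\r\n")
        if not reader.readline().startswith(b"a1 OK"):
            raise ConnectionError("server refused STARTTLS")


def probe(ip, port, name, starttls=False, timeout=10):
    """Handshake with one address and validate its certificate against `name`."""
    result = {"ip": ip, "port": port}
    ctx = ssl.create_default_context()        # chain, hostname and date checks
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            if starttls:
                imap_starttls(raw)
            with ctx.wrap_socket(raw, server_hostname=name) as tls:
                cert = tls.getpeercert()
        status, days = classify(cert["notBefore"], cert["notAfter"],
                                datetime.now(timezone.utc))
        result.update(status=status, days=days, notAfter=cert["notAfter"])
    except ssl.SSLCertVerificationError as err:  # subclass of OSError: catch first
        expired = err.verify_code == X509_V_ERR_CERT_HAS_EXPIRED
        result.update(status="expired" if expired else "untrusted",
                      detail=err.verify_message)
    except OSError as err:
        result.update(status="unreachable", detail=str(err))
    return result


def backends(name, port):
    """Every address the mail hostname currently resolves to."""
    try:
        infos = socket.getaddrinfo(name, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def inconsistent(results):
    """True when addresses behind one name report different states or end dates."""
    return len({(r["status"], r.get("notAfter")) for r in results}) > 1


if __name__ == "__main__":
    # Hostnames and ports are the ones that appear in this thread.
    targets = [("mail.comcast.net", 995, False), ("imap.comcast.net", 993, False),
               ("imap.comcast.net", 143, True)]
    for name, port, starttls in targets:
        results = [probe(ip, port, name, starttls) for ip in backends(name, port)]
        for r in results:
            print(name, r)
        if inconsistent(results):
            print(name, port, "addresses disagree; compare notAfter per address")
```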

Frequent Visitor

Re: Anyone getting certificate expired for mail.comcast.net?

You are correct, and this would explain why everything started working normally this morning, on both my desktop (Thunderbird) and Android phone (K9 Mail).

 

I've never before seen a certificate that took this long to update, but it did eventually manage to do it on its own.

 

And why did the warnings for an expired certificate not show up for more than a week after the expiration date???

 

Here are the results of your commands:

 

$ openssl s_client -connect imap.comcast.net:993 2>/dev/null | openssl x509 -noout -dates
notBefore=Aug 18 00:00:00 2015 GMT
notAfter=Aug 17 23:59:59 2017 GMT

$ openssl s_client -connect 68.87.20.10:993 2>/dev/null | openssl x509 -noout -dates
notBefore=Aug 18 00:00:00 2015 GMT
notAfter=Aug 17 23:59:59 2017 GMT

$ openssl s_client -connect 96.114.157.78:993 2>/dev/null | openssl x509 -noout -dates
notBefore=Aug 18 00:00:00 2015 GMT
notAfter=Aug 17 23:59:59 2017 GMT

IMAP settings (Thunderbird):
Server Name imap.comcast.net
Port: 143
Connection Security: STARTTLS
Authentication: Normal Password

IMAP settings (Android - K9 Mail):
Server Name imap.comcast.net
Port: 993
Security: SSL/TLS
Authentication: Normal Password

Official Employee

Re: Anyone getting certificate expired for mail.comcast.net?

Thanks to all who replied, it looks like this issue has been resolved by clearing out the old certificates in the email client.  I suspect a restart for most clients takes care of the refresh of the certificate.

 

Please let us know if you are still continuing to see the problem. We will keep an eye out for related responses.

 

 



Regular Contributor

Re: Anyone getting certificate expired for mail.comcast.net?

Would this be part of the problem? This kept happening to me last night when I tried to access my email using Chrome on xfinity.com. I receive this message: "Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have." I am using Windows 8 64-bit and Chrome is up to date. Thank you.