Friday, July 26th, 2024 7:55 PM

the certificates in the pop3 server certificate chain file are not in the correct order

Last Friday, 7/19, I was alerted there was a change in the pop3 995 TLS Certificates and there was the following issue:

    No certificate issuer found

Trust / do not trust?

I elected not to trust at the time.  Hoped it would be resolved quickly.

The problem still exists.

I manually downloaded the pop3 995 server certificate chain (pem file).

I verified the chain and the following results were similar to the warning I saw on Friday:

    Chain verification output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

The smtp 587 TLS Certificates had no changes and no issues.

I manually downloaded the smtp 587 server certificate chain (pem file).

I verified the chain and there were no issues.

What is the difference between the two files?

The order of the certificates.

I reordered the certificates in the pop3 995 server certificate chain file to reflect the order of the certificates in the smtp 587 server certificate chain file and manually verified:

    Chain verification output: Verified. The certificate is trusted.

If the pop3 995 server certificate chain was fixed on the server end would the issue I am seeing be resolved at my end?  I think so, but this has been a learning curve.

 

Official Employee

1.7K Messages

3 months ago

@user_zm89tu Welcome to our community forum! I want to make sure you're able to use your Email account without errors. Are you having trouble sending or receiving mail? 

7 Messages

> I want to make sure you're able to use your Email account without errors.

I am still being asked if I want to trust a "TLS certificate is unknown" and "No certificate issuer found" certificate for the pop3 995 certificate.

Official Employee

1.7K Messages

@user_zm89tu I appreciate you keeping me posted! Please provide more details about when you see this error: during the sign-in process, after you sign in, etc. Are you checking your Email from our website or a third party mail app?

I am an Official Xfinity Employee.
Official Employees are from multiple teams within Xfinity: CARE, Product, Leadership.
We ask that you post publicly so people with similar questions may benefit from the conversation.
Was your question answered? Please, mark a reply as the Accepted Answer.

7 Messages

Third party mail app.  My guess is 7/19 was a kind of panic, the certificate had to be reissued, everything was done in a rush.  Thus, the order of certificates was not checked.  Clearly some programs do not use this method of verifying certificates.  Otherwise everyone would have been blocked, warned, ....

Official Employee

1.7K Messages

@user_zm89tu Gotcha, are you able to sign into our website to send and receive Email? 

7 Messages

The certificate is NOT trusted:

    certtool --verify-chain --infile pop3.pem
    Note that no verification profile was selected. In the future the medium profile will be enabled by default.
    Use --verify-profile low to apply the default verification of NORMAL priority string.
            Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
            Issuer: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
            Signature algorithm: RSA-SHA384
            Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

            Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
            Issuer: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
            Signature algorithm: RSA-SHA384
            Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

    Chain verification output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.
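
The reordering described in the original post, as an added example that is not part of the thread: this Python script puts a PEM bundle into leaf-first order by matching each certificate's issuer name to another certificate's subject name. It assumes a byte-for-byte comparison of the DER-encoded names is sufficient and does not verify signatures; the file name `order_chain.py` is hypothetical.

```python
# Added example: reorder a PEM bundle leaf-first by linking issuer -> subject names.
import base64, re, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def names(der):
    """Return (subject, issuer) of an X.509 certificate as raw DER Name bytes."""
    _, p, _ = _tlv(der, 0)          # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)          # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                 # optional [0] version (absent in v1 certificates)
        p = end
    fields = []
    for _ in range(5):              # serial, signature alg, issuer, validity, subject
        _, _, end = _tlv(der, p)
        fields.append(der[p:end])
        p = end
    return fields[4], fields[2]

def order_chain(pem_text):
    """Return the bundle's PEM blocks leaf first, each followed by its issuer."""
    certs = {}
    for m in PEM_RE.finditer(pem_text):
        der = base64.b64decode(m.group(1))
        certs[der] = names(der) + (m.group(0),)     # keyed by DER to drop duplicates
    certs = list(certs.values())
    issuing = {iss for sub, iss, _ in certs if sub != iss}
    leaves = [c for c in certs if c[0] not in issuing]
    if len(leaves) != 1:
        raise ValueError("expected exactly one leaf, found %d" % len(leaves))
    by_subject = {c[0]: c for c in certs}
    chain = [leaves[0]]
    # Follow issuer links until a self-signed root or a missing issuer is reached.
    while chain[-1][0] != chain[-1][1] and chain[-1][1] in by_subject and len(chain) < len(certs):
        chain.append(by_subject[chain[-1][1]])
    return [c[2] for c in chain]

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: order_chain.py bundle.pem")
    print("\n".join(order_chain(open(sys.argv[1]).read())))
```

Run it on a downloaded bundle, save the output, and pass that file to `certtool --verify-chain --infile` to check whether ordering was the only difference. Certificates that are not linked to the leaf are left out of the output.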
