
Resolved TLS Negotiation failed, the certificate doesn't match the host.

In Onyx, and earlier, the email server (Postfix) can only have one SSL/TLS certificate.
You set this in Tools & Settings > SSL/TLS Certificates > Certificate for securing mail.

All that matters is that you enter the domain that has the SSL certificate used by mail in the SMTP box.
Had the same problem and solved it for my first domain. Now I need to fix it for another domain on the same server. I do have Obsidian I believe, but can't find settings for the individual domains. Is there any way to resolve this problem for my (multiple) other domains?
 
Got the same issues with a Let's Encrypt certificate and Gmail errors - TLS Negotiation failed, the certificate doesn't match the host :( :(
 
I had the same problem. After three days of googling, I discovered on reddit that this is happening to a bunch of people:

Here's what worked for me:

1. I found my host email server address, which is mail3.[hostingservice].com
2. I then went into Gmail settings and changed my SMTP server from smtp.[domainname].com to my host's email server name as follows:
  • Settings > Accounts and Import > Send mail as...
  • inserted my alias email address
  • unticked "Treat as an alias"
  • clicked Next
  • entered my SMTP email server address: mail3.[hostingservice].com
  • then carried on with all the other steps
  • I was then able to verify my email alias

SIDENOTE: After doing the above, when I first went to send a test email from my alias, it didn't work. The email just hung when I pressed SEND. However, this may have been because:
a) just a few minutes before, I had renewed my Let's Encrypt certificate (because I wasn't sure before doing the above whether it was a certificate problem), and
b) a few people were reporting that Gmail was down on downdetector.com in my area.

So I gave it a few minutes for the new SSL certificate to cache, and did a full shut down and restart. (Yes, basic I know, but I am not a techie.) Anyway, whatever, I can now send emails from my alias again. Hurrah!

Thanks to everyone on this thread - your comments helped me eventually work out how to fix this problem. I hope this helps someone else.
Stay safe and well everyone! :)
 
Hi there.

I'm starting to suspect that the problem is related to these verify errors that appear when I check my Let's Encrypt certificate.

If it is possible that this could be the problem, how can we solve it?
openssl s_client -starttls smtp -showcerts -connect my_server.com:587
CONNECTED(00000003)
depth=0 CN = my_server.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = my_server.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=my_server.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

The verify errors don't appear when I run the same command for the Gmail SMTP server:
openssl s_client -starttls smtp -showcerts -connect smtp.gmail.com:587
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=smtp.gmail.com
i:/C=US/O=Google Trust Services/CN=GTS CA 1O1

And another thing:
I tested my server address in Make your website better and noticed the lack of "Mail certificate is valid" for SMTP and also the "Chain - incomplete" in several protocols at the connections section.

Cheers
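
Added example (not part of any post in this thread, and not Plesk or OpenSSL code): a small Python parser for `openssl s_client -starttls smtp -showcerts` transcripts like the two above, which flags the case where the server sends only its leaf certificate and verification fails with errors 20/21. The transcripts, host names and CA names in it are constructed placeholders.

```python
import re
# Constructed transcripts in the `openssl s_client -starttls smtp -showcerts`
# format quoted above; host and CA names are placeholders.
LEAF_ONLY = """CONNECTED(00000003)
depth=0 CN = mail.example.test
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = mail.example.test
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=mail.example.test
   i:/C=US/O=Example CA/CN=Example Intermediate
"""
FULL_CHAIN = """CONNECTED(00000003)
depth=2 CN = Example Root
verify return:1
depth=1 CN = Example Intermediate
verify return:1
depth=0 CN = mail.example.test
verify return:1
---
Certificate chain
 0 s:/CN=mail.example.test
   i:/CN=Example Intermediate
 1 s:/CN=Example Intermediate
   i:/CN=Example Root
"""

VERIFY_ERR = re.compile(r"^verify error:num=(\d+):", re.M)
CHAIN_ENTRY = re.compile(r"^[ \t]*\d+ s:(.+)\n[ \t]*i:(.+)$", re.M)

def diagnose(transcript):
    """Summarise the chain a mail server presented during STARTTLS."""
    errors = sorted({int(n) for n in VERIFY_ERR.findall(transcript)})
    chain = [(s.strip(), i.strip()) for s, i in CHAIN_ENTRY.findall(transcript)]
    # Each certificate's issuer should be the subject of the next one sent.
    linked = all(chain[k][1] == chain[k + 1][0] for k in range(len(chain) - 1))
    # Errors 20/21 with a lone, non-self-signed leaf mean the server did not
    # send the intermediate, so clients cannot build a path to a trusted root.
    leaf_only = len(chain) == 1 and chain[0][0] != chain[0][1]
    return {
        "verify_errors": errors,
        "certs_sent": len(chain),
        "chain_linked": linked,
        "missing_intermediate": leaf_only and bool({20, 21} & set(errors)),
    }
```

Redirect real `s_client` output to a file and pass its contents to `diagnose`; a `missing_intermediate` result points at the chain file the mail server is serving rather than at the leaf certificate itself.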
 
Still having the same problem, and my hosting is GoDaddy. I'm tired of this; the company is using 300+ emails and I can't fix it :( since everyone is working at home and the email is linked to Gmail.
 
Hi there.

I think I solved my problem.
There was an inconsistency in the certificate creation/update: the chain.crt wasn't being updated, despite Plesk showing it correctly in the panel.

I updated it manually through the command line and it worked correctly.

Despite Gmail not complaining anymore, the message "Mail certificate is valid" does not appear at port 587, and "Chain - incomplete" still appears in some lines at check-your-website.server-daten.de

Cheers.
 
Hya,

I am facing another problem (under Plesk 12.5 and CentOS 6). I do create a Let's Encrypt certificate in "Tools & settings", but although Plesk tells me it's been created successfully, I never get the options to secure my Plesk webserver and secure email. They are just not there.
The certificate is not in the list either.

So I am pretty stuck!
Any ideas?
 
I can't find a way to fix this TLS error with Gmail. Plesk seems to be perfectly fine?

This is the domain panel:

[Screenshot: U4YFVQ0.png]

and this is the global server setting (under SSL settings):

[Screenshot: pNvbaFZ.png]

But the only way to make it work is by using an unsecured connection on port 25. Any other combination will always fail and return the TLS error. I'm a bit desperate and my hosting doesn't have a clue about it.

What else could I do?
 
I'm starting to suspect that the problem is related to these verify errors that appear when I check my Let's Encrypt certificate. If it is possible that this could be the problem, how can we solve it? The verify errors don't appear when I do the same command for the Gmail SMTP. I tested my server address in Make your website better and noticed the lack of "Mail certificate is valid" for SMTP and also the "Chain - incomplete" in several protocols at the connections section.

It appears I have a similar issue...

[Screenshot: HLTQMj2.png]
 
So I managed to fix it and I can use TLS again with Gmail.

Fix

Use Postfix as the main mail server (Qmail does not work) and enable the 4th option inside the Let's Encrypt options panel.

Despite having all my Let's Encrypt configured as intended, the issue was with the mail hosting server:

Tools & Settings > Updates > Add/Remove Components > Mail Hosting

It was set to Qmail. By switching to Postfix I could enable a missing option under my domain's Let's Encrypt configuration, which is essential to let Google accept the TLS certificate:

[Screenshot: vRZtlJI.png]

Check the box, renew the certificate and you're good to go.
 
Same problem here. I already have Postfix in use, but I don't have the 4th option in the Let's Encrypt panel. What can I do?
 
Do you have the latest Plesk version? I am not sure if this is available both on 18 and 12.
 
I renewed the SSL certificates and found a button under domains > SSL > protect Emails. And now it works again with Gmail. :)
 
Hi everyone!

I've experienced this problem as well, and thanks to you I've selected the TLS/SSL certificate that I have for my Plesk domain with Let's Encrypt.

Now I can log in with Google and send emails again. However, it only works with SSL and port 465. If I choose TLS and port 465, or SSL/TLS and port 587, it spits this error:

"It wasn't possible to connect with the server. Check the server and the port number."

Is there anything else I need to do?
 