TLS Settings on Cisco C170

ZimTaylor
Level 1

Hi, 

 

I've set up TLS and a certificate on my Cisco C170. I've used https://www.checktls.com/TestReceiver and everything is OK and 100%, but I have a sender that is using Mimecast that seems to get this error when they're sending encrypted emails:

 

"Unable to negotiate Opportunistic TLS due to Received fatal alert: unknown_ca"

 

Is there something I need to change on the C170 device?

 

Thanks

7 Replies

Is the cert on your ESA signed by a public CA?




Yes, it's signed by RapidSSL.

dmccabej
Cisco Employee

Hello,

 

One thing to note would be that CheckTLS automatically rearranges (or corrects if not already) your certificate chain. So, that is one thing you'll want to confirm. You can check this by selecting the certificate on the ESA and then confirming the chain is in the correct order.

 

Correct chain example:

 

Server Certificate: esa1.abc.com issued by ca-int.xyz.com

Intermediate Certificate: ca-int.xyz.com issued by ca-root.xyz.com

 

Incorrect chain example:

 

Server Certificate: esa1.abc.com issued by ca-int.xyz.com

Intermediate Certificate: ca-root.xyz.com issued by ca-root.xyz.com

 

If the chain is correct then it is most likely one of two things, either the ESA does not trust the Mimecast CA or Mimecast does not trust the ESA CA. 

 

Thanks!

-Dennis M.
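To make the chain-order check above concrete, here is an added example (not from this thread, Cisco or Mimecast): it builds a throwaway root -> intermediate -> server PKI with the openssl CLI, using the names from the chain example, and checks a PEM bundle the way the ESA needs it ordered, each certificate's issuer being the subject of the certificate that follows it. The working directory, file names and the 30-day validity are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: throwaway root -> intermediate -> server PKI
# (names from Dennis's chain example; paths are assumptions) plus a bundle-order check.
set -e
W=$(mktemp -d)
field() { openssl x509 -in "$1" -noout -"$2" | sed "s/^$2= *//"; }  # $2 = subject|issuer

# 1. Root CA (self-signed)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=ca-root.xyz.com \
  -keyout "$W/root.key" -out "$W/root.pem" 2>/dev/null
# 2. Intermediate CA, signed by the root (needs CA:TRUE so it may issue certificates)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$W/ca.ext"
openssl req -newkey rsa:2048 -nodes -subj /CN=ca-int.xyz.com \
  -keyout "$W/int.key" -out "$W/int.csr" 2>/dev/null
openssl x509 -req -in "$W/int.csr" -CA "$W/root.pem" -CAkey "$W/root.key" -CAcreateserial \
  -days 30 -extfile "$W/ca.ext" -out "$W/int.pem" 2>/dev/null
# 3. Server certificate (the ESA's), signed by the intermediate
openssl req -newkey rsa:2048 -nodes -subj /CN=esa1.abc.com \
  -keyout "$W/esa.key" -out "$W/esa.csr" 2>/dev/null
openssl x509 -req -in "$W/esa.csr" -CA "$W/int.pem" -CAkey "$W/int.key" -CAcreateserial \
  -days 30 -out "$W/esa.pem" 2>/dev/null

# check_chain_order BUNDLE: 0 if every cert's issuer equals the next cert's subject, else 1
check_chain_order() {
  d=$(mktemp -d)
  awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++; f=sprintf("%s/%02d.pem", d, n)} f{print > f}' "$1"
  prev=
  for c in "$d"/*.pem; do
    if [ -n "$prev" ] && [ "$(field "$prev" issuer)" != "$(field "$c" subject)" ]; then
      echo "chain break: '$(field "$prev" subject)' was issued by '$(field "$prev" issuer)'," \
           "but the next certificate in the bundle is '$(field "$c" subject)'" >&2
      return 1
    fi
    prev=$c
  done
}

# verify_leaf LEAF [UNTRUSTED]: what a peer that trusts only our root sees (0 = path builds)
verify_leaf() {
  if [ -n "$2" ]; then openssl verify -CAfile "$W/root.pem" -untrusted "$2" "$1" >/dev/null 2>&1
  else openssl verify -CAfile "$W/root.pem" "$1" >/dev/null 2>&1; fi
}

cat "$W/esa.pem" "$W/int.pem" "$W/root.pem" >"$W/good.pem"  # correct order
cat "$W/esa.pem" "$W/root.pem"              >"$W/bad.pem"   # "incorrect chain": intermediate missing
check_chain_order "$W/good.pem" && echo "good.pem: chain order OK"
check_chain_order "$W/bad.pem"  || echo "bad.pem: a peer cannot build the path (seen as unknown_ca on the wire)"
```

A bundle that fails the order check is what a strict receiver rejects even though CheckTLS, which reorders the chain itself, still reports 100%.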

 

 

Not sure if I got this in the right
Certificate 1 of 3 in chain: Cert VALIDATED: ok
subject= /CN=*(Wildcard domain name)
issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/
CN=RapidSSL RSA CA 2018
Certificate 2 of 3 in chain: Cert VALIDATED: ok
Not Valid Before: Nov 6 12:23:33 2017 GMT
Not Valid After: Nov 6 12:23:33 2027 GMT
subject= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL RSA CA 2018
issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
Certificate 3 of 3 in chain: Cert VALIDATED: ok
Not Valid Before: Nov 10 00:00:00 2006 GMT
Not Valid After: Nov 10 00:00:00 2031 GMT
subject= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

Please ask your customer to open a ticket with Mimecast and ask them to disable certificate verification for your domain.

 

Had this 2x in the last 36 months, don't know why, but this is the only workaround possible.

What does the output show on the ESA itself? Can you share a screenshot?

 

Thanks!

-Dennis M.

Mimecast does cert validation, which requires the hostnames, cert names and trusts to be correctly aligned. Since they only have a subset of CA chains in their store, we had to ask them to disable some of those features for us in the past.
