Mercury 4.8 Certificate Replacement Woes

I think you missed the message previous to yours, where the solution was posted.


I had been using a self-signed security certificate for the past 2 years, realized that it expired (whoops).  I purchased a proper certificate, and set it up on Mercury (replacing the .PEM with the .CRT on the config screen for each module's SSL).  But, mail clients are still reporting the expired certificate! 

(Thinking maybe it was not liking the format of the third-party certificate...) I tried creating a new self-signed cert using Mercury's built-in tool, but found it wasn't creating the file as it says it was doing!  I thought maybe my install was corrupt or obsolete (I have been upgrading since I first installed Mercury on Windows 98, now on Windows 10), so tried creating a second, clean installation of Mercury in another folder, ran the tool to create a self-signed certificate, but got the same result (says a certificate file was created, but it's not there).

Anybody else on Windows 10 / Mercury 4.8, tried making self-signed certificate and had it work (that is, produce the desired file)? 

Any other thoughts on why Mercury would still be distributing the certificate I thought replaced? 

Can I manually find the text version of the key somewhere to confirm it took?  I tried removing the old certificate from the folder, but it still is distributing the old cert, so I assume it must copy the certificate into the config files somewhere?

About ready to lose my mind, any insight would be helpful! 


Update: the old key seems to have gone away on its own - maybe it was cached somewhere and finally refreshed.  But TLS still not working.
 
Did a session log, saw this error:
 
21:43:00.726: << * OK d IMAP4rev1 Mercury/32 v4.80.145 server ready.<cr><lf>
21:43:00.773: >> 1 CAPABILITY<cr><lf>
21:43:00.773: << * CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED X-MERCURY-1<cr><lf>
21:43:00.773: << 1 OK CAPABILITY complete.<cr><lf>
21:43:00.836: >> 2 STARTTLS<cr><lf>
21:43:00.836: << 2 OK Begin SSL/TLS negotiation now.<cr><lf>
21:43:00.976: [!] OpenSSL reported errors during handshake - error queue follows:
21:43:00.976: [!] -------------------------------------------------------------------------
21:43:00.976: [!] error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
21:43:00.976: [!] -------------------------------------------------------------------------
 
What am I doing wrong here?  Thanks! 

Removing the old cert from the folder is not enough; you have to restart Mercury.

[quote user="cretson"]Update: the old key seems to have gone away on its own - maybe it was cached somewhere and finally refreshed.  But TLS still not working. [/quote]

 

What exactly goes wrong with you, I cannot say that either. I am using a certificate from LetsEncrypt and it works without problems. I see sometimes the SSL error message in the logfile too, but this is almost always an SSL test server.

 

A tip maybe: The Mercury SSL libraries are ancient. You should simply replace the two SSL-files with current ones [;)].


Thanks for the feedback!  I reached out to the issuing company, and they built me a .PEM with the private/public keys just as I'd done, but used different keys (I think they re-issued my key).  Using that, I started getting a different error:


 
08:33:55.008: [!] OpenSSL reported errors during handshake - error queue follows:
08:33:55.008: [!] -------------------------------------------------------------------------
08:33:55.008: [!] error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
 
I thought about upgrading the SSL engine, but thought I had read a post saying David didn't think it was wise to upgrade to the newest SSL for some reason.  Which are the "two SSL files" you refer to, the OpenSSL.exe and OpenSSL.cnf?  I noticed there is a CFG file as well, I assume this is something not needed to be user-configured.
 
Thanks again! 

Oh, should have mentioned I did restart Mercury, rebooted the computer too.  I also removed the old key from Windows 10's key store (I had done this trying to get it to stop giving me warnings that I'm using a self-signed cert while connecting to the mail server from the mail server)


OK, so still struggling. Tried installing Mercury 4.80 on an old Windows 7 machine, and the certificate generation works!  I created a CSR using this copy, revoked my certificate, and requested a new one using the CSR.  I compiled them into a single file (PRIVATE KEY and CERTIFICATE), as I gather you're supposed to do.  Now I'm getting a new error, seems to make 2 session logs when I attempt to connect.  Any hints?

 
12:59:56.261: --- 14 Jan 2019, 12:59:56.261 ---
12:59:56.261: Accepted connection from 'xxx.xxx.xxx.xxx', timeout 120 seconds.
12:59:56.266: Connection from xxx.xxx.xxx.xxx, Mon, 14 Jan 2019 12:59<cr><lf>
12:59:56.266: << * OK d IMAP4rev1 Mercury/32 v4.80.145 server ready.<cr><lf>
12:59:56.331: >> 1 CAPABILITY<cr><lf>
12:59:56.331: << * CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED X-MERCURY-1<cr><lf>
12:59:56.331: << 1 OK CAPABILITY complete.<cr><lf>
12:59:56.391: >> 2 STARTTLS<cr><lf>
12:59:56.391: << 2 OK Begin SSL/TLS negotiation now.<cr><lf>

-Then- 
 
12:59:56.651: --- 14 Jan 2019, 12:59:56.651 ---
12:59:56.651: Accepted connection from 'xxx.xxx.xxx.xxx', timeout 120 seconds.
12:59:56.656: Connection from xxx.xxx.xxx.xxx, Mon, 14 Jan 2019 12:59<cr><lf>
12:59:56.656: << * OK d IMAP4rev1 Mercury/32 v4.80.145 server ready.<cr><lf>
12:59:56.661: >>
12:59:56.666: << * BAD Malformed command or oversize literal.<cr><lf>
12:59:56.666: >> ÀÀ
12:59:56.666: << * BAD Malformed command or oversize literal.<cr><lf>
12:59:56.666: >> retson.net
12:59:56.666: << * BAD Malformed command or oversize literal.<cr><lf>
12:59:56.726: 7: Socket read error 10054 (connection aborted by remote host)
12:59:56.731: --- Connection closed normally at 14 Jan 2019, 12:59:56.731. ---
12:59:56.731: 
 

Solved it! 

For others' reference:

.PEM file should contain the entire trust chain.  Like this:


-----BEGIN PRIVATE KEY-----
Private key data
-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
Your certificate
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Trust chain certificate 1
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Trust chain certificate 2
-----END CERTIFICATE-----
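
A structural check for the bundle layout described in the post above, added here as an example; it is not part of the original thread and not Mercury's own code. It assumes a CA-issued certificate and the key-first order shown in the post; the function names and the sample blocks are constructed for illustration, and it checks layout only, not signatures or whether the key matches the certificate.

```python
import base64
import binascii
import re

# One well-formed PEM block: BEGIN line, body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def lint_bundle(text):
    """Return a list of layout problems in a key + certificate + chain bundle."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    # Dashes left over once well-formed blocks are removed mean a boundary
    # line is malformed or unpaired (for example a header without BEGIN).
    if "-----" in PEM_BLOCK.sub("", text):
        problems.append("malformed or unpaired PEM boundary line")
    for label, body in blocks:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{label}: body is not valid base64")
    labels = [label for label, _ in blocks]
    key_count = sum(label in KEY_LABELS for label in labels)
    cert_count = labels.count("CERTIFICATE")
    if key_count != 1:
        problems.append(f"expected 1 private key, found {key_count}")
    elif labels[0] not in KEY_LABELS:
        problems.append("private key is not the first block")
    if cert_count == 0:
        problems.append("no server certificate")
    elif cert_count == 1:
        problems.append("server certificate only, no trust chain certificates")
    return problems


def _block(label, payload):
    # Builds a syntactically valid PEM block around constructed placeholder bytes.
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample input: placeholder bytes, not real key or certificate data.
KEY = _block("PRIVATE KEY", b"constructed key")
LEAF = _block("CERTIFICATE", b"constructed server certificate")
CHAIN = (_block("CERTIFICATE", b"constructed chain certificate 1")
         + _block("CERTIFICATE", b"constructed chain certificate 2"))

if __name__ == "__main__":
    print("full bundle:", lint_bundle(KEY + LEAF + CHAIN) or "OK")
    print("key + leaf only:", lint_bundle(KEY + LEAF))
```
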


I have the exact same problem - did you ever find a fix?
