cancel
Showing results for 
Search instead for 
Did you mean: 

Outlook.com security certificates?

IanSn
Rising Star
Posts: 565
Thanks: 31
Registered: ‎25-09-2011

Outlook.com security certificates?

(Not sure where to drop this query - I use a mac so put in here.)
Getting this message trying to download from via POP3 on outlook.com --
"Unable to establish a secure connection to
pop3.glbdns2.microsoft.com because a certificate
on the server's certificate chain has expired or is
not yet valid.
Please check that your computer's clock is set to
the correct time."

Has always been ok. Was fine in the morning, then since this afternoon this error shows up...
Have posted on MS Outlook forums but no answer.
Anyone got any ideas what's up?
20 REPLIES 20
MJN
Pro
Posts: 1,318
Thanks: 161
Fixes: 5
Registered: ‎26-08-2010

Re: Outlook.com security certificates?

At the time of writing, it looks to be fine on the face of it...
You can download the certificate with:
openssl s_client -connect pop3.glbdns2.microsoft.com:995 > cert

And then extract the validity period with:
openssl x509 -in cert -noout -text |grep -A 2 Validity

Which gives:
 Validity
           Not Before: Apr 24 20:35:09 2013 GMT
           Not After : Apr 24 20:35:09 2016 GMT

Hence it is well in date, and has been for some time.
That said, there is a certificate chain:
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=*.hotmail.com
  i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
  i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

But these aren't being sent by the server - their verification will depend on local lookups in your certificate store. Is your machine uptodate? (These certificates usually have long lifetimes though so it'd likely have to be pretty old)
Mathew
IanSn
Rising Star
Posts: 565
Thanks: 31
Registered: ‎25-09-2011

Re: Outlook.com security certificates?

Hi Mathew, thanks for this  Smiley
Interesting. Those dates certainly are ok. Yes, time/date here is right.
Had another look at the wording of that error.
Where might those local certs be stored? (This is new to me!) Is it possible to update them?
Machine in question is 2009 iMac.
btw, had very similar error a few months ago with a Yahoo account. There was no resolution from them, but their forum rep was not at all helpful.
But has me wondering if might be something local...
dvorak
Moderator
Moderator
Posts: 29,473
Thanks: 6,623
Fixes: 1,482
Registered: ‎11-01-2008

Re: Outlook.com security certificates?

what are you using for the mail client - Mail?
Seems to be ok here on my 2013 MBP.
Customer / Moderator
If it helped click the thumb
If it fixed it click 'This fixed my problem'
IanSn
Rising Star
Posts: 565
Thanks: 31
Registered: ‎25-09-2011

Re: Outlook.com security certificates?

From terminal getting -
"depth=1 /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:0"

does this mean a local problem?
If so, what happened? It was working fine!
btw -
No response to ticket with MS. No answer on Outlook forum.
MJN
Pro
Posts: 1,318
Thanks: 161
Fixes: 5
Registered: ‎26-08-2010

Re: Outlook.com security certificates?

The openssl client won't have access to your local root certificate store so that is just a red herring. Your apps in the OS will though. I'm not at all familiar with the Mac but you might be able to find a certificate store somewhere in the settings etc.
IanSn
Rising Star
Posts: 565
Thanks: 31
Registered: ‎25-09-2011

Re: Outlook.com security certificates?

Ah! Thanks for that. Just having conversation on Twitter with MShelp.
Same problem on two, apps 'Mail' and 'Entourage', so must be referring to something in the system locally -- sounds like?
How ever do you update local certs ?!
Anyway, see what MS have to say...
MJN
Pro
Posts: 1,318
Thanks: 161
Fixes: 5
Registered: ‎26-08-2010

Re: Outlook.com security certificates?

Some apps will provide their own stores (web browsers in particular) but yes, the OS normally provides a certifiate store (possibly accessible via the 'Keychain Access' on macs by the looks of things) for general use.
dvorak
Moderator
Moderator
Posts: 29,473
Thanks: 6,623
Fixes: 1,482
Registered: ‎11-01-2008

Re: Outlook.com security certificates?

Think you'll find some certificates in the keychain.
I can see the invalid ones Lync serves in there, so wouldn't surprise me if it is a Microsoft issue Wink
Customer / Moderator
If it helped click the thumb
If it fixed it click 'This fixed my problem'
IanSn
Rising Star
Posts: 565
Thanks: 31
Registered: ‎25-09-2011

Re: Outlook.com security certificates?

Did an update on 'Entourage' hoping something might be jogged into action --- It seems to be working again!
(Except that the passwords no longer stay in the keychain no matter how many times I tell it to save. Same thing happened on Outlook on the PC after an update a while back. Again, no resolution from MS.)
Not sure if it was the update that fixed the SSL or if MS altered something on outlook.com.
'Mail' still gives the previous error, so none the wiser. (Don't care, don't use it.)
Conversation on Twitter with MShelp ended with no further replies.
Still no response from ticket with MS.
So thanks to folks on PN as usual  Smiley
I'd like to have a look at the keychain but  Roll_eyes  no idea how you do that... can you point me at it please!
dvorak
Moderator
Moderator
Posts: 29,473
Thanks: 6,623
Fixes: 1,482
Registered: ‎11-01-2008

Re: Outlook.com security certificates?

Just type keychain into spotlight Smiley
Customer / Moderator
If it helped click the thumb
If it fixed it click 'This fixed my problem'
RPMozley
Pro
Posts: 1,339
Thanks: 83
Fixes: 13
Registered: ‎04-11-2011

Re: Outlook.com security certificates?

Keychain Access is in the Utilities folder (within the Applications folder).  Roll_eyes
There'll be lots of different keychains listed on the left pane (well, more than one anyway). The certificates should be listed in one of those and you can use the category filter "My Certificates".  Cool
That's RPM to you!!
IanSn
Rising Star
Posts: 565
Thanks: 31
Registered: ‎25-09-2011

Re: Outlook.com security certificates?


Arrr, yes.  Roll_eyes  Removed a few superfluous password entries and the passwords are saving again.
But the SSL error remains after all.
Had a browse thru the certs but no idea which one pertains to this issue.
Nothing expires before end 2014.
Annoyingly there is a link on the error message saying 'find out more about installing certificates' but takes you to an MS help window with links to unresolved issues on their forum which say nothing about installing. Grrr.
RickK
Grafter
Posts: 60
Registered: ‎03-07-2013

Re: Outlook.com security certificates?

Just to cover the issue and resurrect a thread  Crazy
The reason you were getting errors is because the GlobalSign Root CA on your machine expired on the 28th of Jan 2014 Smiley
So delete that Root in your keychain and download the new one.
More on this here; https://support.globalsign.com/customer/portal/articles/1426272-expiration-of-old-globalsign-2014-ro...
This would generally be covered by OS updates though, but the manual process should be covered in the link above.
IanSn
Rising Star
Posts: 565
Thanks: 31
Registered: ‎25-09-2011

Re: Outlook.com security certificates?

Thanks for reminding me!
But nope, wasn't that. Did certs update, etc.
Quite a few others on this on the various forums. Didn't find anyone with solution.
One MS techie suggested Thunderbird to see if that resolved the SSL issue.
Installed TB and problem over.
Been using Thunderbird ever since! (Much improved since the last time I tried it some years ago.)
Following prob was getting a very large amount of emails out of Entourage and into some archivable format, pref HTML. Ever tried that? Jeez! Entourage was a pig, didn't realise. The MBOX and RGE files I have are still sitting there waiting for a solution - and I've trawled all the boards from one end to the other...
Its possible to do them one by one, yes. But....