Due to Gmail’s recent enforcement of strict SSL security, you may have received an error similar to the following when trying to access third-party email through Gmail:
“SSL error: Could not verify first certificate.”
Note: you may also receive a protocol error or an “expired SSL certificate” error.
Background
As of December 2012, Google’s Gmail servers are configured not to connect to remote POP3 servers that have no certificate or that present a self-signed certificate. Gmail also verifies that the third-party email provider’s remote server has a valid SSL certificate. By default, Gmail now always uses a secure connection (SSL) when retrieving mail.
When connecting Gmail to third-party mail providers, the provider’s server must have a valid SSL certificate from a trusted certificate authority (CA) installed on the POP3 SSL port (default: 995, see below). If a certificate is not installed, or there is a problem with the installed certificate, you may not be able to access your third-party email account.
What can I do?
If you are the administrator of the mail server, or otherwise have access to it, you can troubleshoot and resolve this error by following the steps below.
If you don’t have access to your mail server, we suggest you contact your mail system administrator and have the problem fixed on the server.
The above error is due to the absence of a publicly trusted SSL certificate on the mail server. There are two likely reasons for this:
- The mail server has no certificate, or has a self-signed certificate, on the POP3 SSL port.
- The server does not have a publicly trusted SSL certificate installed at all. If this is the case, you should purchase and install one from a reputable CA such as DigiCert®.
Troubleshooting steps:
1. Using DigiCert’s SSL certificate tester, test your server’s certificate chain. To check the certificate chain for the POP3 SSL port, type yourdomain:995. (The default port for POP3 SSL is 995. If you’re not using the default, be sure to change it to match the port you’re using for POP3 SSL.)
2. If the certificate chain appears, continue to step 3. If you get an error, go to step 4.
3. The chain contains a self-signed certificate. If this is the case, you must install a publicly trusted certificate instead. If you already have a publicly trusted certificate on the server, you simply need to install it on the default POP3 SSL port. If you don’t have a publicly trusted certificate, buy an SSL certificate from a trusted CA like DigiCert.
4. There is no publicly trusted SSL certificate installed on the POP3 SSL port. If you already have a publicly trusted certificate on the server, you simply need to install it on the default POP3 SSL port. Note that the certificate on this port cannot be a self-signed certificate.
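If you would rather check the POP3 SSL port from a shell than through the web tester, the script below (an added example, not part of the original article or of DigiCert’s tools) probes the port with openssl s_client and maps OpenSSL’s “Verify return code” to the same conditions the steps above describe: self-signed certificate, missing intermediate, expired certificate, or no certificate at all. The hostname is a placeholder supplied by the caller; the classifier is separated from the network probe so it can be checked against captured output.

```shell
#!/bin/sh
# Added example: approximate Gmail's certificate check against a POP3 SSL
# port by running openssl s_client and reading its "Verify return code".

# Connect to host:port (995 is the POP3 SSL default) and return the raw
# s_client output. The hostname is a placeholder supplied by the caller.
probe_pop3s() {
  host="$1"; port="${2:-995}"
  # -servername sends SNI; -showcerts prints every certificate the server
  # sends so an incomplete chain can be seen directly.
  printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" \
      -servername "$host" -showcerts 2>&1
}

# Read s_client output from stdin and map the "Verify return code" line to a
# one-word diagnosis. The codes are OpenSSL's X509_V_ERR_* values:
#   0  ok
#   10 certificate has expired
#   18 self signed certificate (the leaf itself)
#   19 self signed certificate in certificate chain (private root)
#   20 unable to get local issuer certificate (intermediate missing)
#   21 unable to verify the first certificate (chain incomplete)
classify_verify_output() {
  code=$(sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
  case "$code" in
    0)     echo "ok: chain verifies against the local trust store" ;;
    10)    echo "expired: certificate validity period has ended" ;;
    18|19) echo "self-signed: install a publicly trusted certificate" ;;
    20|21) echo "incomplete-chain: intermediate CA certificate missing on the server" ;;
    "")    echo "no-tls: no certificate presented or handshake failed" ;;
    *)     echo "untrusted: verify error $code" ;;
  esac
}

# Usage: sh check_pop3s.sh mail.example.com 995   (hostname is a placeholder)
if [ "$#" -ge 1 ]; then
  probe_pop3s "$1" "${2:-995}" | classify_verify_output
fi
```

A result of “ok” here means the chain verifies against the trust store on the machine running the check, which may include private roots that Gmail’s servers do not trust; a publicly trusted certificate is still required.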
Note that other sources currently suggest unchecking the “Always use a secure connection (SSL) when retrieving mail” option in the Accounts and Import tab of the Gmail settings menu to solve this problem. Unchecking this box makes all information passing between your computer and the mail server insecure, including your username and password, leaving you vulnerable to a man-in-the-middle attack.
If you have any questions, please call us at 1-801-701-9600 or email us at support@digicert.com.