Due to our network setup, when we moved our business last year we switched Exchange 2010 to use AWS SES to relay our outgoing emails. This has worked pretty well up until yesterday, when Exchange began to fail to make the TLS connection to SES, logging this error in the event logs any time it tries to connect:
Unable to validate the TLS certificate of the smart host for the connector Amazon SES. The certificate validation error for the certificate is UntrustedRoot. If the problem persists, contact the administrator of the smart host to resolve the problem.
I put OpenSSL for Windows on the box and ran the command I found in this thread:
openssl s_client -connect email-smtp.us-east-1.amazonaws.com:25 -starttls smtp
CONNECTED(000000EC)
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=email-smtp.us-east-1.amazonaws.com
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
[removed for brevity]
subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=email-smtp.us-east-1.amazonaws.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
---
SSL handshake has read 3005 bytes and written 708 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 5576FCDBA77EB88DC9C2678EA399604E0A4543E5CFC0FA1E89F7320A7A84993C
Session-ID-ctx:
Master-Key: CBD8DEA48F07E570896E02CBDC0E1DA08F0DA1D4CA901522B05A9C6F66A3E4F9 811AA12DE24BA0C14402F5585C32BF05
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1433861339
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
The only difference between that output on Linux vs. Windows is the last line:
Verify return code: 20 (unable to get local issuer certificate)
I suspect it's a CA chain problem but how do I fix that? The server running Hub Transport is a Windows Server 2008 box.
So I finally found an answer (others had the same problem). I was correct in that the CA chain was missing something. That something is apparently the Verisign Class 3 Public Primary Certification Authority - G4 (which is also listed as Symantec depending on your browser). You can see this new certificate in use at https://www.amazonsha256.com/
I followed the TechNet steps to install a new root certificate, and there's one minor note here. They don't mention it anywhere, but if you take the CERTIFICATE declaration and save it as plain text in a file with a .cer extension, it will import into Windows without any issues. After the import, SES works again. I have no idea why it was missing from the MS computer store but not the IE store.
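The OpenSSL check in the question runs with OpenSSL's own trust store, which is not what Exchange consults: the Hub Transport service validates the smart host certificate against the machine-wide (LocalMachine) store, which is why the answer's import into the computer store, not the user store that IE shows, is what fixed it. The following PowerShell script is an added example (not from either post) that reproduces the diagnosis from the Exchange server's own point of view: it performs the SMTP STARTTLS exchange, lets .NET build and validate the chain exactly as Windows would, reports the policy verdict (for instance RemoteCertificateChainErrors with an UntrustedRoot or PartialChain status), and then checks whether the top certificate of the chain it could build is present in Cert:\LocalMachine\Root. The endpoint and port are assumptions taken from the question; the script targets PowerShell 2.0 / .NET 3.5 so it runs on Windows Server 2008.

```powershell
# Added example: see how Windows' own chain building judges a smart host's
# STARTTLS certificate, then check the LocalMachine Root store Exchange uses.
# Endpoint and port are assumptions (copied from the question); adjust as needed.
param(
    [string]$SmartHost = 'email-smtp.us-east-1.amazonaws.com',   # assumed SES endpoint
    [int]$Port = 25
)

$client = New-Object System.Net.Sockets.TcpClient($SmartHost, $Port)
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.NewLine   = "`r`n"
$writer.AutoFlush = $true

# Read one SMTP reply, consuming "250-..." continuation lines until the final "250 ..." line.
function Read-SmtpReply {
    do { $line = $reader.ReadLine(); Write-Verbose "S: $line" } while ($line -match '^\d{3}-')
    return $line
}

Read-SmtpReply | Out-Null                       # 220 banner
$writer.WriteLine("EHLO $env:COMPUTERNAME")
Read-SmtpReply | Out-Null                       # 250 capability list, should include STARTTLS
$writer.WriteLine('STARTTLS')
$reply = Read-SmtpReply
if ($reply -notmatch '^220') { throw "STARTTLS refused by $SmartHost : $reply" }

# Capture the validation outcome instead of letting SslStream throw, so we can
# report which chain status Windows assigned. The callback returns $true only so
# the handshake completes for this diagnostic; no mail is sent over the session.
$script:verdict = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $script:verdict = New-Object PSObject -Property @{
        PolicyErrors = $sslPolicyErrors
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Subjects     = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        TopOfChain   = $top
    }
    return $true
}

$ssl = New-Object System.Net.Security.SslStream($stream, $false, $callback)
$ssl.AuthenticateAsClient($SmartHost)
$ssl.Dispose(); $client.Close()

"Protocol      : $($ssl.SslProtocol)"
"Policy errors : $($script:verdict.PolicyErrors)"
"Chain status  : $($script:verdict.ChainStatus)"
"Chain as built by Windows (leaf first):"
$script:verdict.Subjects | ForEach-Object { "  $_" }

# Exchange validates against LocalMachine\Root, not the current user's store that
# IE displays, so that is the store to inspect.
$top = $script:verdict.TopOfChain
$present = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $top.Thumbprint }
if ($present) {
    "Top of chain '$($top.Subject)' is present in LocalMachine\Root."
} else {
    "Top of chain '$($top.Subject)' (thumbprint $($top.Thumbprint), issued by '$($top.Issuer)')"
    "is NOT in LocalMachine\Root. Obtain the missing root from the CA's published"
    "bundle as a .cer file and import it with:  certutil -addstore Root <file>.cer"
}
```

If the server does not send its root (as in the question's capture, where only the leaf and the Symantec G4 intermediate are sent), the top of the chain Windows can build is that intermediate and the status reads PartialChain rather than UntrustedRoot; either way the issuer name printed on the last line tells you which root to look for. Import it into the machine store with certutil (or the Certificates MMC snap-in targeting the computer account) rather than relaxing validation on the send connector, since the connector's TLS check is what stops a spoofed smart host from receiving your outbound mail.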