New mail.messagingengine.com SSL certificate

Sometime in the next 24 hours we’ll be changing over the SSL certificate for mail.messagingengine.com to a new one. In theory, users shouldn’t notice any change at all. However, there are two changes in the new certificate that might affect some users.

  1. We’re changing our SSL provider from Thawte to Digicert. Some users using older devices may have had to install the Thawte root certificate into their device to be recognised properly. Those devices may also be missing the Digicert root certificate. A copy of the Digicert root certificate can be downloaded from http://www.fastmail.fm/DigiCertCA.crt (It’s actually a chained certificate, and the correct root to use is http://www.fastmail.fm/Entrust.net_Secure_Server_CA.pem). Most devices that don’t recognise the Digicert certificate by default should allow you to install a root certificate from the above URL.
  2. We’re changing from a pure mail.messagingengine.com certificate to a wildcard *.messagingengine.com certificate. Some old devices may not understand wildcard certificates properly. For those devices, we’ve included mail.messagingengine.com as a “server alternate name” in the certificate, which should work.

We’ve checked that compatibility with this new certificate should be good, but as always, there are edge cases and some users may have issues. If you do have any problems, please email me directly at robm@fastmail.fm with details of the device you’re using and the error you’re getting.

The reason we’re changing is that Digicert offer more flexibility with their SSL certificates, such as wildcard certificates with multiple “server alternative name” options.

Update: I rolled out the new certificate, and shortly afterwards had some reports of problems with Eudora/iPhone/Thunderbird/etc. I contacted Digicert support who were very helpful. Turns out I’d forgotten to RTFM fully, and hadn’t included the chained certificate in the PEM file. I’ve now done that, so things should be better for Eudora/iPhone/Thunderbird/etc users that were having problems.

Update: Unfortunately for Eudora users, it seems Eudora does not come with the required root certificate built in. This means Eudora users will still see an error message with the new certificate. Fortunately, it’s easy to fix this: just follow the directions here to add the list of trusted certificates in Eudora.
