The TLS greeting ended with an invalid server certificate. Unknown CA certificate

Stability and reliability of operation are among the main reasons for using an email client on your computer. Moreover, none of the currently existing analogues of this program can boast such functionality for managing a large number of mailboxes.

Like any complex software product, The Bat! is by no means immune to occasional malfunctions. One of these is the "Unknown CA certificate" error; in this article we will look at ways to eliminate it.

Users most often encounter the "Unknown CA certificate" error after reinstalling the Windows operating system, when trying to receive mail over the secure SSL protocol.


The full description of the problem states that the root SSL certificate was not presented by the mail server in the current session, and that no such certificate is present in the program's address book.

In general, it is impossible to link the error to a specific situation, but its meaning is absolutely clear: The Bat! does not have the required SSL certificate at the time of receiving mail from the secure server.

The main reason for the problem is that the mailer from Ritlabs uses its own certificate store, while the vast majority of other programs are content with the extensible Windows store.

Thus, if for some reason a certificate later used by The Bat! was added to the Windows store, the mail client will in no way find out about this and will immediately “spit” an error at you.

Method 1: Reset the certificate store

Actually, this solution is the simplest and most understandable. All we need is to make The Bat! completely recreate the CA certificate database.

However, this cannot be done from within the program itself. To do it, you need to completely stop The Bat!, and then delete the files "RootCA.ABD" and "TheBat.ABD" from the main directory of the mail client.

The path to this folder can be found in the client menu "Properties" - "Settings" - "System", under the item "Mail catalogue".

The default location of the mailer data directory is as follows:

C:\Users\Username\AppData\Roaming\The Bat!

Here "Username" is the name of your account on the Windows system.

Method 2: Enable "Microsoft CryptoAPI"

Another troubleshooting option is to switch to Microsoft's encryption system. When the crypto provider is changed, The Bat! is automatically switched over to the system certificate store, which eliminates the database conflicts.

Doing this is very simple: go to "Properties" - "S/MIME and TLS" and in the block "Implementing S/MIME and TLS Certificates" mark the item "Microsoft CryptoAPI".

Then click "OK" and restart the program to apply the new parameters.

All these simple steps will completely prevent further "Unknown CA certificate" errors from occurring in The Bat!

This is an example of a certificate: issued to localhost and signed by our CA. If the question is only about encrypting channels during transmission within the LAN (and in general for your users anywhere), then you can use it. If you also need to prove to external senders that “you are you”, then you can obtain server certificates from generally recognized CAs: Thawte, VeriSign, etc. It is generally accepted that the authenticity of signatures on certificates issued by them can be verified against the certificates of these CAs built into mail agents and browsers. I.e. user programs trust them by default (whether users trust them is another matter). The certificates of these CAs are paid. In many cases, self-issued certificates or certificates not included in the lists of trusted CAs are used (for example, from Russian CryptoVendors or from). In this case the user program displays a window asking whether the user trusts this certification authority.

If I understand correctly, after I obtain a certificate for my server and install it there, I will have to create trust certificates from it, which I will then install in the mail clients on the end stations, correct?

Not really. Not "certificates of trust". When connecting to your server via SSL/TLS, the client program on the user side receives the server certificate (this certificate, in particular, contains the public key, which signs the symmetric session key of the encrypted connection) and attempts to verify the authenticity of the CA signature on it. If the certificate of this issuer (certification authority, CA) is not in the list of trusted ones, then the program will ask the client whether to trust this issuer, and how to trust it: for the duration of this particular session, or until the end of the certificate's validity period. If the user chooses the latter, the issuer's certificate is placed in the trusted list, and no more such questions will be asked. This is exactly the “incorporation into email clients” that you are talking about. In addition to the authenticity of the signature, the domain name specified in the signed subject is compared with the domain name to which the client connects. If they do not match, then a corresponding warning is issued (just as, when checking an S/MIME signature in e-mail, the sender's address is compared with the address in the signing certificate). It also checks whether the certificate has expired.

By the way, not all email clients check the certificate and issue any messages. Some accept any certificates silently (unlike browsers).

Where can I get a certificate for my server, or can I somehow create it myself?

As mentioned above, you can obtain them from certificate authorities. Which one depends on the required level of trust. You can do self-issuing (using OpenSSL, for example), this makes it absolutely overwhelming for server owners. Or you can obtain a certificate signed by a CA that is not included in the default trusted lists. If we are only talking about channel encryption and not about trust, then in most cases our server.pem will be enough for you.

What is the SSLverifyClient key in eserv3.ini - how does it work and what is it for?

Isn’t it written there in the tooltip for this key in the web interface?

When registering Eserv, certificates were installed, is it really necessary to create your own certificate for each user?

No. Users only need certificates if the server also validates the user's certificate (in most cases this is not the case). Or for S/MIME signatures of letters.

TheBat says "TLS hello failed. The server name ("123.123.123.3") does not match the certificate." I look at the certificate: server name: localhost...

If TheBat does not give the user a prompt in which the discrepancy between the server name and the name in the certificate can be ignored (as described above), then all that remains is to obtain a certificate with the specified server name (in your case 123.123.123.3, although it is better to configure the client to a domain name instead

The Bat! error "Unknown CA certificate":

The server did not present a root certificate in the session and the corresponding root certificate was not found in the address book.

This connection cannot be secret. Please contact your server administrator.

Occurs when The Bat! does not have the required SSL certificate when receiving mail.

This can occur in various situations, and the reason is that, unlike most programs, which use the Windows certificate store, The Bat! uses its own. And if for some reason some program adds an important certificate by the "standard" method (only to the Windows store), then The Bat! will not know about this and, relying on its own store, will produce the error "Unknown CA certificate".

RootCA.ABD and TheBat.ABD

The easiest way to try to overcome the "Unknown CA certificate" error is simply to delete The Bat!'s certificate store, so that it creates a new one at the next start. The files "RootCA.ABD" and "TheBat.ABD" are located in the main directory of The Bat!, which can be found under "Properties - Settings - System - Mail catalog".

The TLS hello did not complete. Invalid server certificate (The chain provider for this S/MIME certificate was not found)

The first method may not help: you will get the same "Unknown CA certificate" error, and in the mailbox log there will be something like:

>22.03.2013, 13:39:53: FETCH - Certificate properties: 16B0A68A00000000D49E, algorithm: RSA (2048 bits), Valid from: 21.12.2012 16:05:32, to: 17.01.2014 15:15:46, to hosts in quantity 17 pcs.: Yandex Mail Service, pop.yandex.ru, pop.yandex.com, pop.yandex.by, pop.yandex.kz, pop.yandex.ua, pop.yandex.com.tr, pop.narod.ru, pop.ya.ru, pop3.yandex.ru, pop3.yandex.com, pop3.yandex.by, pop3.yandex.kz, pop3.yandex.ua, pop3.yandex.com.tr, pop3.narod.ru, pop3.ya.ru.
>22.03.2013, 13:39:53: FETCH - Owner: RU, Russia, Moscow, Yandex, ITO, Yandex Mail Service.
>22.03.2013, 13:39:53: FETCH - Supplier: generated by avast! antivirus for SSL scanning, avast! Mail Scanner, avast! Mail Scanner Root.
!2013-03-22 13:39:53: FETCH - TLS hello not completed. Invalid server certificate (The chain provider for this S/MIME certificate was not found).

The main thing here for us:

Supplier: generated by avast! antivirus for SSL scanning, avast! Mail Scanner, avast! Mail Scanner Root.

In particular, the "certificate provider is unknown" problem (in our case "avast! Mail Scanner Root") is encountered by those who use Avast version 8 and newer, which has learned to scan mail on SSL-encrypted connections, while The Bat! does not know about this (or about Avast).

To fix this, you need to add the issuer certificate "avast! Mail Scanner Root" to The Bat!'s trusted root certificates, because Avast itself added it to the trusted list only in the Windows certificate store, and, as stated above, The Bat! has its own. To do this, run the command "certmgr.msc", find "avast! Mail Scanner Root" under "Trusted Root Certification Authorities" and export it, or simply take the file attached below (this is the Avast certificate).

Then we import this certificate into the required mailbox. To do this, you will have to perform a long and non-obvious sequence of actions (hello to the vagabond writers!):

1. Add the certificate itself: Mailbox - Mailbox properties - General information - Certificates - Import - select the desired certificate (for example, avast!MailScannerRoot.cer)

2. Add the added certificate to the trusted ones (see picture): View - Certification Path - Add to Trusted

After this the "Unknown CA certificate" error will definitely disappear. Not forever, though: only until the next update of Windows, The Bat!, the antivirus or something else...
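The triage done by eye on the mailbox log above, as an added example (not code from the original article or from Ritlabs): it parses the quoted log lines and reports whether the issuer is a local SSL-scanning product, whether the configured server name is missing from the certificate's host list, and whether the certificate has expired. The names `parse_log`, `triage` and `SCANNER_MARKERS` are illustrative, the patterns assume the log wording as it appears on this page, and the sample log is constructed from the quoted lines with the host list shortened.

```python
import re
from datetime import datetime

# Constructed sample: the log lines quoted above, with the host list shortened.
SAMPLE_LOG = """\
>22.03.2013, 13:39:53: FETCH - Certificate properties: 16B0A68A00000000D49E, algorithm: RSA (2048 bits), Valid from: 21.12.2012 16:05:32, to: 17.01.2014 15:15:46, to hosts in quantity 3 pcs.: Yandex Mail Service, pop.yandex.ru, pop3.yandex.ru.
>22.03.2013, 13:39:53: FETCH - Owner: RU, Russia, Moscow, Yandex, ITO, Yandex Mail Service.
>22.03.2013, 13:39:53: FETCH - Supplier: generated by avast! antivirus for SSL scanning, avast! Mail Scanner, avast! Mail Scanner Root.
!2013-03-22 13:39:53: FETCH - TLS hello not completed. Invalid server certificate (The chain provider for this S/MIME certificate was not found).
"""

LINE = re.compile(r"^(?P<flag>[>!]?)(?P<ts>.+?): (?P<task>[A-Z0-9]+) - (?P<msg>.*)$")
CERT = re.compile(r"Valid from: (?P<nb>[\d.]+ [\d:]+), to: (?P<na>[\d.]+ [\d:]+),"
                  r".*?hosts in quantity \d+ [^:]*: (?P<hosts>.*)$")
# Issuer wording that marks a local TLS-scanning proxy; taken from the log above.
SCANNER_MARKERS = ("for ssl scanning", "mail scanner")


def parse_log(text):
    """Collect certificate facts from The Bat! mailbox log lines."""
    info = {"hosts": [], "issuer": None, "not_after": None, "failure": None}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"].rstrip(". ")
        c = CERT.search(msg)
        if c:
            info["hosts"] = [h.strip().lower() for h in c["hosts"].split(",")]
            info["not_after"] = datetime.strptime(c["na"], "%d.%m.%Y %H:%M:%S")
        elif msg.startswith(("Supplier:", "Root:")):
            info["issuer"] = msg.split(":", 1)[1].strip()
        elif m["flag"] == "!" and "TLS hello" in msg:
            info["failure"] = msg
    return info


def triage(text, configured_server, now):
    """Return the checks from the log that explain a failed TLS hello."""
    info = parse_log(text)
    findings = []
    issuer = (info["issuer"] or "").lower()
    if any(marker in issuer for marker in SCANNER_MARKERS):
        findings.append("issuer-is-local-scanner")
    # Exact comparison only: wildcard host entries are not expanded here.
    name = configured_server.rstrip(".").lower()
    if info["hosts"] and name not in info["hosts"]:
        findings.append("name-not-in-certificate")
    if info["not_after"] and now > info["not_after"]:
        findings.append("certificate-expired")
    return findings
```

A result of `issuer-is-local-scanner` means the certificate The Bat! saw was issued on the local machine rather than by the mail server's CA, which is the case the import procedure above addresses.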



Settings for receiving mail in TheBat over an SSL connection

1. Download the certificate file and save it locally (i.e. on your computer in some folder).


2. Go: mailbox -> mailbox properties -> general information -> certificates

3. -> import.

4. Select the saved certificate file cacert.pem. Open.



5. Click on the line that appears “Kinetics Certificate Authority”, then click “View”.


6. We see “This certificate is invalid.” Click "Certification Path".


7. Click on “Kinetics Certificate Authority” and “Add to trusted”.

8. Yes.


9. For self-test: the certificate must be valid. OK. OK. OK.


10. For self-test: the “Kinetics Certificate Authority” entry should appear in the address book in the Trusted Root CA folder.

11. Select: mailbox -> mailbox properties -> transport -> connection
-> secure on a special port (995 should appear in the “Port” window).
Now that's it. After this the SSL connection will work.

Attention! In the mail server field the value should be ns..85.127.69),
otherwise, with an SSL connection requested, the mail client will not connect to the server at all.

When you connect to the server, you will see entries like this in your mailbox log:
date, time: FETCH - Receiving new mail
date, time: FETCH - Starting TLS hello
date, time: FETCH - Certificate properties: 02, algorithm: RSA (1024 bits), Valid from: 11/27/2012 9:40:26, to: 11/22/2032 9:40:26, for hosts in quantity 1 piece .: ns.site.
date, time: FETCH - Owner: RU, Novosibirsk, Institute of Chemical Kinetics and Combustion, IT-group, ns..nsc.ru.
date, time: FETCH - Root: RU, Novosibirsk, Novosibirsk, Institute of Chemical Kinetics and Combustion, IT-group, Kinetics Certificate Authority, nina@site
date, time: FETCH - TLS hello completed
date, time: FETCH - Connection to the POP3 server was successful
date, time: FETCH - Authentication successful (Normal method)

For reference: Kinetics Certificate Authority is an authority for issuing SSL certificates, created at the Institute of Chemical Kinetics and Combustion of the SB RAS.

For the IMAP protocol everything is the same.

The security of working in The Bat! can only be guaranteed if its version is 4.0 or higher. If the version of The Bat! is 3.99.29 or lower, it is not safe to use. We recommend installing a newer version of your email client.

Configure via IMAP protocol

To set up The Bat! via IMAP protocol:

4. On this page, enter the following information:

6. On the settings page that opens, enter the following information:

  • To access the server, use the protocol - IMAP;
  • Server for receiving mail - imap.mail.ru;

8. In this section, provide the following information:

10. To better protect the data you send and receive using the mail program, you can enable encryption. To do this, in the window that appears, check the box next to “Yes” after the question “Do you want to check other properties of the mailbox?” and click "Done".

11. In the menu on the left, select “Transport”, and in the “Sending mail” and “Receiving mail” sections, in the “Connection:” drop-down lists, select “Secure on a special port (TLS)”;


Check that the IMAP server port is 993 and the SMTP server port is 465.

12. Click “Authentication...” opposite “SMTP server”, check the box next to “SMTP Authentication”, check the box “Use mail receiving parameters (POP3/IMAP)”, uncheck the box next to “POP before SMTP authentication”, and click OK.

13. To make the list of folders in your mail program match the list of folders in your mailbox, right-click the name of the newly created account and select “Update folder tree”.

14. Now you need to specify the folders in which all letters sent from the mail program, as well as letters from the mail program's other system folders, will be saved. To do this, right-click on the name of the newly created account and select “Mailbox Properties...”.

15. In the window that appears, go to the “Mail Management” section, check the boxes next to “Sent Items” and “Trash”, select “Sent Items” and “Trash” in the drop-down lists, respectively.


16. Go to the “Delete” subsection and check the boxes next to “Place in the specified folder” in the “Normal deletion” and “Alternative deletion” sections, by clicking the “Browse” button, select the “Trash” folder from the proposed lists.

17. Uncheck “Use alternative deletion for old letters”, and check the box next to “Mark deleted letters as read”.

18. Click OK - the email program is configured!

Configure via POP3 protocol

To set up The Bat! via the POP3 protocol:

1. In the top panel, in the “Mailbox” menu, select “New mailbox...”;

2. In the “Mailbox Name” field, enter any name, for example: Mail.Ru Mail.
Click Next.

3. On this page, enter the following information:

    • “Your full name” - enter the name that will appear in the “From:” field for all messages sent;
    • “E-mail address” - enter the full name of your mailbox.

4. On the settings page that opens, enter the following information:

    • To access the server, use the protocol - POP3;
    • Server for receiving mail - pop.mail.ru;
    • The SMTP server address is smtp.mail.ru.
      Check the box "My SMTP server requires authentication."

6. In the window that opens, enter the following information:

    • User - the full name of your mailbox in the format [email protected];
    • Password—the current password for your mailbox.

7. Check the “Leave letters on the server” checkbox if you want to leave letters downloaded by the mail program in a mailbox on the server.

9. To better protect the data you send and receive using your email program, you can enable encryption. To do this, in the window that appears, check the box next to “Yes” after the question “Do you want to check other properties of the mailbox?” and click "Done".

10. In the menu on the left, select “Transport”, and in the “Sending mail” and “Receiving mail” sections, in the “Connection:” drop-down lists, select “Secure on a special port (TLS)”.


Check that the POP3 server port is 995 and the SMTP server port is 465.

11. Click “Authentication...” opposite “SMTP server”, check the box next to “SMTP Authentication” and check the box “Use mail receiving settings (POP3/IMAP)”, click OK. The mail program setup is complete!

Change SSL settings

The security of working in The Bat! can only be guaranteed if its version is 4.0 or higher. If the version of The Bat! is 3.99.29 or lower, it is unsafe to use. We recommend installing a newer version of your email client.

To set up The Bat! via the secure SSL protocol:


4. If your email program is configured using the IMAP protocol.

In the “Sending mail” section, in the “Connection:” drop-down list, select “Secure on a special port (TLS)”.



Check that the SMTP server port is 465.

If the above settings are already installed in your email program, then no changes need to be made.

Error: "The TLS hello did not complete. The server name ("smtp.mail.ru.") does not match the certificate" or another error mentioning the inability to complete the connection using TLS.

Perhaps The Bat!'s root certificate database, which is needed to work with the mailbox via the secure SSL protocol, is out of date. In this case you need to use Microsoft CryptoAPI; for this you need:


Please also note that for the SSL protocol to work correctly, the correct date and time must be set on your computer. You can check the date and time, as well as reset them, using our instructions.



Error: “Unable to connect to server” or “TLS hello did not complete. The server name ("217.XX.XXX.XXX") does not match the certificate"

Please check your email client settings:


Follow all the steps described above and resend the email. If the problem persists, please send us your email client's sending log to diagnose the problem.

To get the dispatch log:


If you have problems setting up your email program, use our