I try to setup an IMAP connection using MS Outlook from several remote sites to a central nethserver. It works except one thing:
Outlook shows the message “target principal name is incorrect”. I can see the self-signed certificate from the Nethserver, can install it, but it does not help. I always have to confirm twice by clicking on “Yes” to finally get the connection from Outlook to nethserver.
Solution 2 that I tried: setup a record in the hosts file on the client:
hostname.domain.tld
The hostname is exactly the name on the certificate from Nethserver. I can use the FQDN hostname in the Outlook settings to access the mailbox, but the message still appears.
Does not work either.
Solution 3 that I tried: found a registry entry called “SuppressNameChecks”, but that is only for the certificate checking of incoming signed or encrypted e-mail.
Solution 4: Use Thunderbird. That one works fine, I can add an exception and that’s it… the problem is: the customer doesn’t want that.
Does anyone have a real solution? How can I configure the client with MS Outlook, so that the message does not appear any more?
Can’t you assign a let’s encrypt certificate to your Nethserver?
If you have a static public ip and ports 80 and 443 of the Nethserver which are reachable from the internet, you can run the appropriate wizard on the certificates page.
It did not work to use Let’s Encrypt… but the problem was in your reply, thank you very much. For my Nethserver, only the port 443 was reachable… port 80 was still forwarded to the old machine… now I changed port forwarding for port 80 on the router to the new Nethserver and that was it… I now have a Let’s Encrypt certificate and it seems to work.
Self-signed certificates have gotten harder and harder to work with over the years, in that many applications have just refused to trust them, or have made it unnecessarily difficult. A better way to go is to set up a local CA (e.g., Build a Tiny Certificate Authority For Your Homelab), and then trust that CA’s certificate. But better yet (and all but mandatory if you’re going to have external users) is to just get a trusted certificate. For machines that you don’t want to be accessible from the outside world, you can use DNS validation; I have a couple of articles in the wiki about that.
