Office 365 – The case of an incomplete chain [EN]

We migrated to Office 365 and Exchange Online a while ago. It was working fine on our mobile phones (email, Skype for Business, etc.). But a few months ago we had to update the SSL certificate on our website, which uses the same domain name as our email; its DNS zone also hosts a few Office 365 related records. After switching to the new certificate, problems started appearing on mobile. Clients that were already set up were fine, but adding a fresh Exchange account on a new phone resulted in weird SSL errors. Sometimes it somehow magically worked, but most of the time it showed a warning for less than a second and then an error. That’s on Android. iOS simply showed an error that it can’t verify the certificate, and that’s it. Skype for Business also showed a warning, but at least there was a checkbox to accept it anyway. I was puzzled, as the website worked fine in browsers, with no complaints about it not being trusted. OWA and Outlook on PC also worked fine. This time we had purchased a wildcard certificate, so I thought maybe that was related. Lastly I had the idea that maybe our certificate was new and the phones lacked some intermediate certificate needed to validate it, although updating the phones to the latest updates didn’t help. I was going to file a support request with Microsoft. Until...

Recently I had to check our website’s certificate key length and which ciphers our server offers. I’ve been using the Qualys SSL Server Test for a while to do SSL checks on websites. I was surprised to see that our main website got a B rating, while the secondary one (with a different domain name) had an A, although it still looked green and no red errors were shown in the report. The reason for being capped at B was an incomplete certificate chain. Expanding the Certification Paths section showed 3 chain segments: *.ourdomain.tld, RapidSSL SHA256 CA and GeoTrust Global CA, and the RapidSSL one was marked “Extra download” instead of the normal “Sent by server” state. Our hosting providers did a sloppy job installing the new certificate and didn’t put the whole chain in there (well, I was also sloppy not to catch that, but I don’t have that much expertise with certificates yet). And mobile clients probably aren’t capable of doing that additional download to find the certificate’s issuer (well, at least not the regular email client with Exchange ActiveSync or the Skype for Business app). Once the certificate was properly installed the errors went away.
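To make the failure mode concrete, here is an added example (my own, not from the original post or from Qualys) that builds a throwaway root / intermediate / wildcard-leaf PKI with constructed names and then verifies the leaf the way a strict client does: trusting only the root and using only what the server sent, with no "extra download". The leaf-only bundle fails exactly as the phones did; the bundle with the intermediate passes.

```shell
#!/bin/sh
# Added example, not from the original post: throwaway three-tier PKI (constructed names,
# unrelated to RapidSSL/GeoTrust) to reproduce an incomplete chain and check a bundle offline.
set -e
WORK="${WORK:-$(mktemp -d)}"

make_pki() {
  cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:*.example.test
EOF
  cd "$WORK"
  # Root CA: the only thing in the phone's trust store (the GeoTrust Global CA role).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Example Root CA" -config pki.cnf -extensions ca_ext 2>/dev/null
  # Intermediate signed by the root (the RapidSSL SHA256 CA role).
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Example Intermediate CA" -config pki.cnf 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile pki.cnf -extensions ca_ext -out int.pem 2>/dev/null
  # Wildcard leaf signed by the intermediate (the *.ourdomain.tld role).
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=*.example.test" -config pki.cnf 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -extfile pki.cnf -extensions leaf_ext -out leaf.pem 2>/dev/null
  # What the server sends: the sloppy install (leaf only) vs. the correct bundle.
  cp leaf.pem bundle-incomplete.pem
  cat leaf.pem int.pem > bundle-complete.pem
}

# Emulate a strict client such as an ActiveSync mail app: it trusts only the root,
# uses only the certificates the server sent ($1) and never does the "extra download".
verify_as_strict_client() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

make_pki
for bundle in bundle-incomplete.pem bundle-complete.pem; do
  if verify_as_strict_client "$bundle"; then echo "$bundle: chain OK"
  else echo "$bundle: cannot build chain to the root (what the phones saw)"; fi
done
```

Against a live host, `openssl s_client -connect host:443 -servername host -showcerts` lists exactly the certificates the server sends; a missing intermediate shows up there as "Verify return code: 21 (unable to verify the first certificate)".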
