
SSL certificate problem: "EE certificate key too weak" on Modern Linux Distributions

Overview

On modern Linux distributions using OpenSSL 3.x (such as Amazon Linux 2023, RHEL 9, and Ubuntu 22.04+), Kerio Connect may experience intermittent license validation failures.

Symptoms include:

  • License appears to expire every 24-48 hours despite being valid
  • Webmail prompts users to install a license
  • Restarting the Kerio Connect service temporarily restores the license
  • Error logs show "Server license expired" messages

Root Cause: The default Kerio Connect licensing endpoint (update.kerio.com) presents an older TLS certificate with a 1024-bit RSA key and a SHA-1 signature. Modern Linux distributions with OpenSSL 3.x enforce a stricter default security policy (SECLEVEL=2) that rejects such certificates, so Kerio Connect cannot refresh its license validation.

Affected Systems: Amazon Linux 2023, RHEL 9, Ubuntu 22.04 LTS and later, Fedora 36 and later, and any other Linux distribution enforcing OpenSSL 3.x SECLEVEL=2 security policies.

Solution

Diagnostic Test: Run the following on the affected server:

curl -I https://update.kerio.com

If the output contains "SSL certificate problem: EE certificate key too weak", the issue is confirmed.
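The curl test above only tells you that the certificate was refused. The following POSIX shell helper is an added example, not part of this article and not Kerio code: it downloads the leaf certificate a host presents and applies the SECLEVEL=2 rules from OpenSSL's SSL_CTX_set_security_level(3) to it, so you can see which property (key size or signature digest) causes the rejection described in the Root Cause. It assumes the openssl CLI is installed; the host name is an argument, nothing is hard-coded.

```shell
#!/bin/sh
# Added example for this article, not GFI/Kerio code: inspect the leaf certificate a
# host presents and apply the OpenSSL 3.x SECLEVEL=2 rules to it, so the reason
# behind "EE certificate key too weak" is visible. Needs the openssl CLI.

# Reduce `openssl x509 -noout -text` output (stdin) to "<key_alg> <key_bits> <sig_alg>",
# e.g. "rsaEncryption 1024 sha1WithRSAEncryption". The first "Signature Algorithm:"
# line is the one inside the TBS certificate; the key size line reads
# "Public-Key: (2048 bit)" on OpenSSL 3.x and "RSA Public-Key: (2048 bit)" on 1.1.
summarize_x509_text() {
    awk '
        /Public Key Algorithm:/ { alg = $NF }
        /Public-Key: \(/ { if (match($0, /\([0-9]+ bit\)/)) bits = substr($0, RSTART + 1, RLENGTH - 6) }
        /Signature Algorithm:/ && sig == "" { sig = $NF }
        END { print alg, bits + 0, sig }'
}

# Fetch the leaf certificate from host:port. @SECLEVEL=0 is applied to this one
# inspection connection only, so that a certificate the default level would refuse
# during the handshake can still be downloaded and examined; no system policy changes.
cert_summary() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" \
        -cipher 'DEFAULT:@SECLEVEL=0' </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null | summarize_x509_text
}

# SECLEVEL=2 per SSL_CTX_set_security_level(3): 112 bits of security, i.e. RSA/DSA/DH
# keys of at least 2048 bits and EC keys of at least 224 bits; since OpenSSL 3.0,
# certificates signed with SHA-1 or MD5 are rejected at level 1 and above.
seclevel2_verdict() {
    alg=$1; bits=${2:-0}; sig=$3
    case "$alg" in
        id-ecPublicKey) min=224 ;;
        ED25519|ED448)  min=0 ;;      # fixed-size keys, well above 112 bits
        *)              min=2048 ;;   # rsaEncryption, rsassaPss, dsaEncryption, dhKeyAgreement
    esac
    if [ "$bits" -lt "$min" ]; then
        echo "REJECT: EE certificate key too weak ($alg, $bits bits, SECLEVEL=2 needs $min)"
    elif echo "$sig" | grep -qi -e sha1 -e md5; then
        echo "REJECT: $sig signature is refused at SECLEVEL>=1 on OpenSSL 3.x"
    else
        echo "OK: $alg $bits-bit key with $sig signature clears SECLEVEL=2"
    fi
}

# Usage: sh seclevel2-check.sh update.kerio.com [443]   (network access required)
if [ -n "${1-}" ]; then
    set -- $(cert_summary "$1" "${2-}")
    seclevel2_verdict "$@"
fi
```

Running it against the old endpoint and then against prod-update.kerio.com shows the two verdicts side by side; the key-size check runs first because that is the error curl reports, and the digest check explains the second reason a SHA-1 certificate fails on OpenSSL 3.x even when the key is long enough. The inspection connection relaxes the security level only for itself, which is different from lowering the system crypto policy.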

Configure Kerio Connect to use the alternative update endpoint (https://prod-update.kerio.com) which has a modern TLS certificate compatible with OpenSSL 3.x security requirements.

Step 1: Stop the Kerio Connect Service

Depending on your Linux distribution, there are several ways to stop the service; see the article Stopping and Starting the Kerio Connect Service on macOS and Linux.

Step 2: Edit the Configuration File

Open the mailserver configuration file for editing. The file is typically located at /opt/kerio/mailserver/mailserver.cfg:

sudo vi /opt/kerio/mailserver/mailserver.cfg

📌 Note: You can use any text editor (vi, nano, etc.) that you're comfortable with.

Step 3: Locate the Update Section

Find the XML section in the configuration file that looks like this:

<table name="Update">
  <variable name="Server"></variable>
</table>

Step 4: Configure the New Update Server

Modify the empty Server variable to point to the new endpoint: https://prod-update.kerio.com

<table name="Update">
  <variable name="Server">https://prod-update.kerio.com</variable>
</table>

Important: Ensure there are no extra spaces or characters in the URL. The XML syntax must be exact for the configuration to work properly.

Step 5: Save and Exit

Save the changes and exit the text editor:

  • In vi: Press Esc, then type :wq and press Enter
  • In nano: Press Ctrl+X, then Y, then Enter
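Steps 2 to 5 can also be scripted, which matters when several servers need the same change or when you want to confirm afterwards what the file actually contains. The functions below are an added example, not from this article and not part of Kerio Connect: they read and set the Update/Server value in mailserver.cfg, keep a backup, refuse the stray whitespace or XML-special characters that Step 4 warns about, and read the file back to verify the edit. They assume the XML layout shown in Steps 3 and 4 (one element per line); the path is the one from Step 2 and can be overridden with CFG=....

```shell
#!/bin/sh
# Added example for this article, not GFI/Kerio code. Reads and sets the
# <table name="Update"> / <variable name="Server"> value in mailserver.cfg.
# Assumes the XML layout shown in Steps 3 and 4 (one element per line); the
# default path is the one from Step 2 and can be overridden via CFG=...
CFG=${CFG:-/opt/kerio/mailserver/mailserver.cfg}

# Print the current Update/Server value (an empty line if it is unset).
# The in_update flag keeps a Server variable in some other table from matching.
get_update_server() {
    awk '
        /<table name="Update">/ { in_update = 1 }
        /<\/table>/             { in_update = 0 }
        in_update && /<variable name="Server">/ {
            sub(/.*<variable name="Server">/, ""); sub(/<\/variable>.*/, ""); print; exit
        }' "${1:-$CFG}"
}

# Set Update/Server to $1 in file $2 (default CFG). Refuses values that would
# break the XML or carry the stray whitespace Step 4 warns about, keeps a
# timestamped backup, and verifies the result by reading the file back.
set_update_server() {
    url=$1; file=${2:-$CFG}
    case "$url" in
        ""|*[[:space:]]*|*"<"*|*">"*|*"&"*|*"'"*|*'"'*|*\\*)
            echo "refusing URL with whitespace or XML-special characters: '$url'" >&2; return 1 ;;
        https://*) ;;
        *) echo "refusing non-HTTPS URL: '$url'" >&2; return 1 ;;
    esac
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    awk -v url="$url" '
        /<table name="Update">/ { in_update = 1 }
        /<\/table>/             { in_update = 0 }
        in_update && /<variable name="Server">/ {
            sub(/<variable name="Server">.*<\/variable>/, "<variable name=\"Server\">" url "</variable>")
        }
        { print }' "$file" > "$file.tmp" || return 1
    # cp onto the existing file keeps mailserver.cfg's owner and mode (a plain mv would not)
    cp "$file.tmp" "$file" && rm -f "$file.tmp" || return 1
    if [ "$(get_update_server "$file")" != "$url" ]; then
        echo "no <table name=\"Update\"> with a Server variable found in $file" >&2
        return 1
    fi
}
```

With the service stopped (Step 1), `set_update_server https://prod-update.kerio.com` performs Steps 2 to 5 in one go, and `get_update_server` is the check to run afterwards, or whenever the license misbehaves again, to confirm the value really is in the file. The edit is scoped to the Update table on purpose: a blanket search-and-replace on `<variable name="Server">` could alter an unrelated setting elsewhere in the same file.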

Step 6: Start the Kerio Connect Service

Start the service again to apply the configuration change; see the article Stopping and Starting the Kerio Connect Service on macOS and Linux.

Step 7: Verify the Configuration

Test connectivity to the new endpoint:

curl -I https://prod-update.kerio.com

You should see a successful response (HTTP 200 or 301) with no SSL errors.

Step 8: Confirm License Status

  1. Log in to Kerio Connect Administration
  2. Navigate to the Dashboard
  3. Verify that the license information is displayed correctly
  4. Click "Update registration info" to force a license refresh

Step 9: Monitor Stability

Monitor the system for 48-72 hours to confirm that:

  • The license remains stable and does not expire intermittently
  • Users can access webmail without license prompts
  • No "Server license expired" errors appear in the logs

Summary

This issue affects Kerio Connect installations on modern Linux distributions that use OpenSSL 3.x with strict security policies. The solution involves configuring Kerio Connect to use an alternative update endpoint (https://prod-update.kerio.com) that has a modern TLS certificate compatible with current security standards.

Key Points:

  • The configuration change is made in the mailserver.cfg file
  • This change persists across Kerio Connect restarts and updates
  • No system crypto policy changes or OpenSSL modifications are required
  • The new endpoint uses a valid Starfield certificate compatible with OpenSSL 3.x SECLEVEL=2

FAQ

Q1: Will this configuration change persist after Kerio Connect updates?

A1: Yes, the configuration change in mailserver.cfg persists across Kerio Connect restarts and updates. You do not need to reapply this change after upgrading Kerio Connect.

Q2: Do I need to lower my system's crypto policies to LEGACY mode?

A2: No, you should not lower your system's crypto policies. The solution uses the modern prod-update.kerio.com endpoint which has a valid certificate that works with OpenSSL 3.x default security settings (SECLEVEL=2). Lowering crypto policies would reduce your system's security unnecessarily.

Q3: What should I do if the license still expires after applying this fix?

A3: First, verify the configuration change was saved correctly by viewing the mailserver.cfg file. Then confirm the server can reach https://prod-update.kerio.com using curl, and check that firewall rules allow outbound HTTPS (port 443) connections. If the issue persists, check the error log and contact GFI Kerio Connect Support for further assistance.

Posted by Ciprian Nastase