Overview

Sometimes, the MyKerio connection cannot be established, as a result managing a Kerio Connect appliance from a remote address is not possible. If you check the debug logs, with MyKerio logging enabled, you will find entries such as:

The certificate '*.kerio.com' was not validated.
Failed to verify SSL certificate: (19) self signed certificate in certificate chain.

This article describes the process of resolving this issue.

Prerequisites

Linux Kerio Connect installations such as CentOS, Ubuntu, Debian.

SSH access to the Linux server

Diagnosis

• The standard certificate packages on CentOS/Debian are not up-to-date.
• SSL certificate is not being updated automatically.

Solution

Important: for CentOS SSL issues with Kerio Connect 9.3.0 and up, the workaround is to execute the following command.
mv /etc/pki/tls/certs/ca-bundle.trust.crt /etc/pki/tls/certs/ca-bundle.trust.crt.bak

1. Login as root user to the server.

2. Upgrade currently installed system packages in your Linux server.

   1. Debian: apt-get upgrade
   2. RPM: yum upgrade

3. Install gnupg2-smime (optional).

4. Restart the machine.

5. (Optional) If the Kleopatra tool is installed on CentOS:

   1. Open the terminal and run Kleopatra.
   2. Navigate to Settings > Configure Kleopatra > GnuPg System > gpg agent.
   3. Select the option: Allow clients to mark key as trusted.

6. Run the following command:

   curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt

   Note: For Debian-based servers, the certificates should be added to the /etc/ssl/localcerts folder.

7. Add the trusted root certificate to the server:

   update-ca-trust enable
   update-ca-trust extract

Confirmation

The MyKerio connection displays Ready.