Knowledge Base

Due to Gmail’s recent enforcement of strict SSL security, you may have received something similar to the following error when attempting to access third-party email through Gmail:

"SSL error: Unable to verify the first certificate."

Note: You may also receive a protocol error or an ‘SSL Certificate expired’ error.

Background

As of December 2012, Google's Gmail servers are configured not to connect to remote POP3 servers that have either no certificate or a self-signed certificate. Gmail will also check to make sure that the third-party email provider’s remote server has a valid SSL Certificate. By default, Gmail will now always use a secure (SSL) connection when retrieving mail.

When connecting Gmail to third-party mail providers, the provider’s server must have a valid SSL Certificate from a trusted Certificate Authority (CA) installed on the POP3 SSL port (default: 995, see below). If a certificate is not installed or if there is a problem, you may not be able to access your third-party mail account and messages.

What Can I Do?

• If you are the mail server administrator or if you have access to the mail server, you can troubleshoot and resolve this error using the steps below.
• If you do not have access to your mail server, we suggest that you contact your mail system administrator and request that the issue be fixed on the server.

The above error is caused by the absence of a publicly-trusted SSL Certificate on the mail server.

Here are a few possible reasons for this issue:

1. The mail server either has no certificate or a self-signed certificate on the POP3 SSL port. There could be two reasons for this:
   
   

   1. The server doesn’t have a publicly-trusted SSL Certificate installed. If this is the case, you need to purchase and install one from a trusted CA like DigiCert®.

   2. The server has a publicly-trusted certificate, but it was never installed on the POP3 SSL port.
       
2. The mail server has a publicly-trusted SSL Certificate installed on the POP3 SSL port, but there are intermediate certificate issues.
   Intermediate certificate issues would cause Gmail to not be able to access the root certificate.

Troubleshooting steps

1. Using the DigiCert SSL Certificate Tester, test your server’s certificate chain. To check the certificate chain for the POP3 SSL port, type yourdomain:995. (The default port for POP3 SSL is 995. If you aren’t using the default, be sure to change this to match the port you are using for POP3 SSL.)

2. If the certificate chain appears, continue to step 3. If you receive an error, skip to step 4.

3. In the certificate chain, there could be a few problems:
   
   

   • There is a self-signed certificate in your chain. If this is the case, you need to install a publicly-trusted certificate in its place. If you already have a publicly-trusted certificate on the server, you simply need to install it on the default POP3 SSL port. If you do not have a publicly-trusted certificate, purchase an SSL Certificate from a trusted CA like DigiCert.

   • There is a broken link in your chain. If this is the case, your server is probably missing one or more intermediate. This would cause Gmail to not trust your certificate because it cannot access the root certificate at the end of the chain. The root certificate is what validates your SSL Certificate’s identity. To fix this issue, you need to install your intermediate certificate(s) on your server.
4. If you receive an error, there could be a few problems:
   
   

   • There is no publicly-trusted SSL Certificate installed on the POP3 SSL port. If you already have a publicly-trusted certificate on the server, you simply need to install it on the default POP3 SSL port. Note that the certificate on this port cannot be self-signed.

   • If a publicly-trusted certificate is installed on the POP3 SSL port, check that the intermediate certificate is installed. If you believe you are having intermediate certificate issues, make sure your intermediate certificate(s) are installed on your server. See step 3b above for more information on intermediate certificate issues.

Note: Other sources currently suggest unchecking the Always use a secure connection (SSL) when retrieving mail option on the Accounts and Import tab in the Gmail settings menu to fix this problem. Unchecking this box may make it so that all information passing between your computer and the mail server is not secure, including your username and password, leaving you vulnerable to a man-in-the-middle attack.

If you have any questions, please contact DigiCert Support.