Are you receiving the message “TLS Negotiation failed, the certificate doesn’t match the host., code: 0” in Gmail setup? If you see it when adding a new imported email account (“Send mail as”) or when using an existing one, you will need to make some changes. Google announced that starting on April 2, 20, Gmail verifies that the hostname of the outgoing (SMTP) mail server you configure matches the name on that server’s SSL/TLS certificate (its CN, or common name, and its Subject Alternative Names).
What is an SSL certificate?
An SSL certificate (strictly, an X.509 certificate used with TLS, the successor to Secure Sockets Layer) is also referred to as a “digital certificate.” It authenticates a domain name, server name, or hostname, and it lets the client establish an encrypted connection so that the data in transit cannot be read by unauthorized parties. If you need a certificate for your website or mail server, you can get one for free from Let’s Encrypt.
A certificate keeps data secure between client and server and, on a website, enhances your customers’ trust and can improve your conversion rates.
What is a CN?
The Common Name, also known as the CN, is the server name the SSL certificate was issued for. Modern TLS clients check the certificate’s Subject Alternative Name (SAN) list first and fall back to the CN only when there are no DNS names in the SAN, so the hostname you connect to must appear in one of those places. The certificate is only valid for a host whose name matches. For example, if your website is “www.yourwebsite.com”, the certificate must be issued to “www.yourwebsite.com”. A wildcard SSL certificate for “*.yourwebsite.com” also covers subdomains such as “mail.yourwebsite.com” or “subdomain.yourwebsite.com”, but only one label deep: it does not cover the bare “yourwebsite.com” (unless that name is listed separately) or “a.b.yourwebsite.com”.
The name on the certificate must match the exact host the client connects to. If the certificate is for a subdomain, it must carry the full subdomain, as in the example “subdomain.yourwebsite.com”. For Gmail, the host that matters is the SMTP server name you enter under “Send mail as”: if you enter “mail.yourwebsite.com” there, the certificate must cover “mail.yourwebsite.com”, not just “yourwebsite.com”.
In a lot of cases the following fix will resolve your TLS error. The certificate must carry the same name as the server address you connect to. For example, if your SSL certificate is issued only to “yourwebsite.com”, you will receive a warning when connecting to “www.yourwebsite.com” or “subdomain.yourwebsite.com”, because “www.yourwebsite.com” and “subdomain.yourwebsite.com” are different names from “yourwebsite.com”.
So either obtain a certificate that lists the mail host you use (as a SAN entry, or through a wildcard such as “*.yourwebsite.com” for “subdomain.yourwebsite.com”), or change the SMTP server name in Gmail to a name the certificate already covers, such as “www.yourwebsite.com”, provided that name actually points at your mail server. Correcting the name on one side or the other resolves the problem.
You can check your mail server’s TLS settings and its “confidence factor” for free at checktls.com. Enter your domain name (or the SMTP hostname you use in Gmail) and you will receive a confidence factor rating along with detailed results.
On the results page, take note of the summary at the top. Any problems are quickly visible there.
If everything is correct, the SSL/certificate section of the results should show no issues.
If your results show issues, you will get a warning message such as “Cert Hostname DOES NOT VERIFY (mail.yourwebsite.com != yourwebsite.com | DNS:yourwebsite.com) So email is encrypted but the host is not verified”. The name before “!=” is the host that was connected to; the names after it are the CN and the DNS names the certificate actually carries.
Using the warning example above, mail.yourwebsite.com is not equal to (!=) yourwebsite.com, the only name in the certificate, so Gmail will report the TLS error. A fix for this example would be to issue a wildcard SSL certificate for “*.yourwebsite.com”, or to issue a new certificate (or add a SAN entry) for “mail.yourwebsite.com”.
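The hostname-matching rule described in the “What is a CN?” section, and the check that produces the CheckTLS-style verdict above, can be reproduced locally. The following Python script is an added example, not code from the original article or from CheckTLS: it extracts the names a certificate carries (SAN entries first, CN only as a fallback), applies the one-label wildcard rule, and optionally fetches the live certificate of an SMTP server on port 465 (implicit TLS) or 587/25 (STARTTLS) while leaving chain validation to the system CA store. The two certificate dictionaries and the `yourwebsite.com` names are constructed placeholders.

```python
"""Hostname-vs-certificate check for an outgoing SMTP server (added example).

Reproduces what a mail client does: the host you connect to must appear in the
certificate's Subject Alternative Name list (the subject CN is consulted only
when the certificate has no DNS SAN), and a wildcard covers exactly one label:
"*.yourwebsite.com" covers "mail.yourwebsite.com" but neither "yourwebsite.com"
nor "a.b.yourwebsite.com".
"""
import smtplib
import ssl
import sys


def cert_names(cert):
    """Return the DNS names a certificate claims, taking the dict layout produced
    by ssl.SSLSocket.getpeercert(). SAN entries win; the CN is a fallback only."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(hostname, pattern):
    """Compare one certificate name against a host (RFC 6125 style). Only a '*'
    that is the entire leftmost label is a wildcard, and it matches one label."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return hostname == pattern
    host_labels = hostname.split(".")
    pat_labels = pattern.split(".")
    # Refuse "*.com"-style patterns and require the same label count as the host.
    if len(pat_labels) < 3 or len(host_labels) != len(pat_labels):
        return False
    return host_labels[1:] == pat_labels[1:]


def hostname_matches(hostname, cert):
    """True when any name the certificate carries covers the hostname."""
    return any(name_matches(hostname, name) for name in cert_names(cert))


def explain(hostname, cert):
    """Build a CheckTLS-style verdict line for the host and certificate."""
    listed = " | ".join("DNS:" + name for name in cert_names(cert))
    if hostname_matches(hostname, cert):
        return f"Cert Hostname VERIFIES ({hostname} in {listed})"
    return (f"Cert Hostname DOES NOT VERIFY ({hostname} != {listed}) "
            "So email is encrypted but the host is not verified")


def fetch_smtp_cert(host, port, timeout=10):
    """Fetch the certificate an SMTP server presents. The chain is still verified
    against the system CA store; only the hostname check is switched off so that
    it can be done (and explained) by hostname_matches(). Port 465 is implicit
    TLS; 587 and 25 use STARTTLS. This is a live network call."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # verify_mode stays CERT_REQUIRED
    if port == 465:
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as smtp:
            return smtp.sock.getpeercert()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


# Constructed sample certificates (not real), in getpeercert() layout.
BARE_DOMAIN_CERT = {
    "subject": ((("commonName", "yourwebsite.com"),),),
    "subjectAltName": (("DNS", "yourwebsite.com"), ("DNS", "www.yourwebsite.com")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.yourwebsite.com"),),),
    "subjectAltName": (("DNS", "*.yourwebsite.com"), ("DNS", "yourwebsite.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "mail.yourwebsite.com"),),)}


if __name__ == "__main__":
    # Usage: python check_smtp_cert.py mail.yourwebsite.com 587
    smtp_host, smtp_port = sys.argv[1], int(sys.argv[2])
    print(explain(smtp_host, fetch_smtp_cert(smtp_host, smtp_port)))
```

Run it with the exact SMTP server name and port you typed into Gmail; if the chain itself is untrusted (for example a self-signed certificate) the connection fails before the hostname check, which is a separate problem from the one this article covers.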
Alternatively, change the outgoing SMTP server name in Gmail to a name the certificate already covers, for example from “yourwebsite.com” to “www.yourwebsite.com”, as long as that name points at your mail server. This may require asking your hosting provider to adjust the hostname settings for the preferred domain name, but most of the time you can do it yourself from the hosting control panel.
Also check with your email provider which port the server expects, and try switching between 465 (implicit TLS, shown as “SSL” in Gmail’s dialog), 587 (STARTTLS, shown as “TLS”), and 25.
By no means is it recommended to send email over a non-secure connection. Gmail does allow an “unsecured connection” on port 25, but that transmits your mailbox credentials and message content in the clear; use it at your own risk.