Call Us! 1-800-383-5193

TLS Negotiation failed the certificate doesn’t match the host – Top 3 fixes

Is your Gmail showing TLS Negotiation failed the certificate doesn’t match the host error? Let’s fix it.

In April 2020, Gmail started enforcing strict email security measures. This error usually happens due to an incorrect SSL certificate on the mail server.

At Bobcares, we frequently get requests to fix email errors as part of our Server Management Services.

Today, we’ll see how our Support Engineers diagnose SSL email errors and get secure mail working.

What is TLS Negotiation failed the certificate doesn’t match the host error?

Usually, this error happens when a user sends emails securely from Gmail. In the Gmail interface, many users route their emails via their own mail server.

In simple terms, TLS negotiation is the handshake that verifies the server and sets up the secure connection. The actual data transfer proceeds only after this handshake succeeds.

However, if for some reason this communication fails, it results in an error.

Recently, Gmail has strengthened its security measures to fight against attacks. Since April 2, 2020, Gmail has been verifying whether the Common Name of the SSL certificate matches the mail server. On finding a mismatch, it simply rejects the email.

 

Causes for TLS Negotiation failure and certificate mismatch

Now, let’s see the causes that would trigger TLS Negotiation failure and certificate mismatch.

 

Incorrect mail server

One of the top causes of secure email sending failure is the wrong mail server name. Many times, users enter their domain name as the mail server. However, the mail server will not have a proper SSL certificate for that name.

On shared servers, the SSL certificate is issued to the hostname of the server. As a result, mails bounce back with the error:

TLS Negotiation failed, the certificate doesn't match the host., code: 0

 

Wrong mail settings

Similarly, wrong email settings can also trigger TLS negotiation failure. This often relates to the SMTP port.

For sending emails securely, most email providers use port 587. If there are port blocks, email sending fails.

 

How we fix TLS Negotiation failed the certificate doesn’t match the host error

Recently, one of our customers reported this problem.

For some reason, I cannot send it from my connected Gmail account. I can send and receive from my webmail just fine and can send emails from an outside source like Yahoo. It shows up in my Gmail just fine, but when I send anything from Gmail it bounced back this error.

The server returned this error when deleting and adding a new email address in Google: “TLS Negotiation failed, the certificate doesn’t match the host., code: 0”.

Moving on, let’s check how our Support Engineers fix the Gmail sending email error.

 

Correcting mail server name

As the first step, we verified the settings the customer used in Gmail. He was using his domain name as the mail server. However, the certificate for the Exim mail service was issued for the web.servernamexxx.com hostname. So we asked him to change the Outgoing Server and Incoming Server so that they match the certificate.

To verify the SSL certificate of the mail server, it’s worth checking it in a browser using the https:// link. For instance, on cPanel servers, it can easily be retrieved from the cPanel link.
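The same hostname comparison can be run against the mail service itself instead of the web interface. The following is an added example, not code from this article or from Gmail: it compares a candidate server name with the names in a certificate, checking Subject Alternative Names first and falling back to the Common Name, which goes beyond the Common Name check described above. The function names and the `.example` hostnames are assumptions made for illustration.

```python
import smtplib
import ssl


def cert_names(cert):
    """DNS names a client compares against: SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Label-wise comparison; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def host_matches_cert(cert, host):
    return any(name_matches(name, host) for name in cert_names(cert))


def fetch_cert(host, port=587, timeout=10):
    """STARTTLS on the submission port and return the certificate as a dict.
    The chain is still validated; only the hostname check is left to the caller."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


# Constructed sample in the shape getpeercert() returns: a shared server whose
# certificate names only the server hostname, not the customer's domain.
SAMPLE_CERT = {
    "subject": ((("commonName", "web.host.example"),),),
    "subjectAltName": (("DNS", "web.host.example"),),
}

if __name__ == "__main__":
    for candidate in ("customer-domain.example", "web.host.example"):
        ok = host_matches_cert(SAMPLE_CERT, candidate)
        print(f"{candidate}: {'matches' if ok else 'does NOT match'} {cert_names(SAMPLE_CERT)}")
```

Against a live server, pass the result of `fetch_cert("your.mail.host")` to `host_matches_cert` with the name entered in Gmail; a chain that does not validate raises `ssl.SSLCertVerificationError` before any name comparison.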

 

Choosing the right email settings

Next, we check the settings used in the Gmail interface. Here, we set the correct port, mail server, and email address.

To verify the connection on secure port 587 of the mail server, we use the telnet command. A successful connection result shows up as:

user@myhome:~$ telnet xx.yyy.com 587
Trying 14.xx.yy.34...
Connected to xx.yyy.com.
Escape character is '^]'.
220 xx.yyy.com ESMTP Postfix

However, when port 587 is not listening, the results will be:

telnet: Unable to connect to remote host: Connection refused

The final settings on the Gmail interface appear as:

[Image: final Gmail settings]

 

Disable TLS

A third way to resolve SSL email errors is to send emails via port 25. However, this is not recommended, as the mail communication will be unencrypted. We suggest this solution to customers only when the mail server does not support SSL.

 


 

Conclusion

In short, the error TLS Negotiation failed the certificate doesn’t match the host happens due to an incorrect mail server or mail settings. Today, we saw the top 3 fixes that our Support Engineers recommend to customers to make secure email work.

