Since the root SSL certificate expired on May 30, I have been unable to fetch any email from my corporate Microsoft Exchange server using the Evolution email client. The error message says just that the SSL certificate is not valid, which is perfectly reasonable. Internal IT service says that everything works fine and they are not going to investigate the problem. Indeed, the Outlook web interface has no problems.

Public SSL certificate checkers (https://ssltools.godaddy.com/views/certChecker, https://www.sslchecker.com/sslchecker) generally agree with me and state that one of the certificates in the chain is invalid.

I'm not an expert in SSL certificate chains, and the question is: what can really fix the problem?

Do I have certificates that are too old, or does the server provide my email client with an outdated certificate chain, or may there be some other source?

At the end of the day, should I push the IT department harder, or find a problem in my system configuration, or file a bug with my email client developers?

OS: Arch Linux with the following packages installed:

evolution 3.36.3
ca-certificates 20181109-3
ca-certificates-mozilla 3.53-1

No other services seem to be affected. Any help is appreciated.


Detailed technical description: https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020

Expired certificate, according to https://ssltools.godaddy.com/views/certChecker

Serial Number: 2766EE56EB49F38EABD770A2FC84DE22
Signature Algorithm: Sha384 With RSA Encryption
Issuer Name: AddTrust AB
Common Name: COMODO RSA Certification Authority
Validity Period: May 30, 2000 to May 30, 2020

4 Answers


You can renew the SSL certificate by using the same CA (if this is the case, do you have CA or client btw?). You need to be assigned permission, so if you do not have it, better push your IT department (they are administrators as well, so they should help you out by providing all the info). Each certificate has its expiration date (usually expires after 5 years). Hope the link below will be helpful as well: https://docs.microsoft.com/en-us/exchange/architecture/client-access/renew-certificates?view=exchserver-2019#:~:text=Every%20certificate%20has%20a%20built,Shell%20to%20renew%20Exchange%20certificates.

  • Hi, Norka, thanks for the suggestion. Unfortunately, our IT team basically refused to help and that's why I'm here. Luckily, I have found the solution on evolution IRC. – Peter Mukhachev Jun 10 '20 at 18:54
  • I am happy for you, Peter. Thumbs up, you did it even without IT experts ;) If you figured it out, you will help plenty of other users whose SSL cert issue has been stuck as well. What helped in the end: did you remove the AddTrust certificate from Linux or renew the certificate? Cannot wait to see your reply displayed soon. – Nora Kacenova Jun 10 '20 at 23:22

Asking the question on the Evolution IRC channel helped to find the right track.

The reason for the error is the root SSL certificate expiration on May 31, 2020 and an older implementation of the algorithm in GnuTLS.

Bug report for evolution: https://gitlab.gnome.org/GNOME/glib-networking/-/issues/136

A GnuTLS update is required according to https://mail.gnome.org/archives/distributor-list/2020-June/msg00000.html

GnuTLS bug report: https://gitlab.gnome.org/GNOME/glib-networking/-/issues/136 , which seems to be fixed in GnuTLS 3.6.14

In the end, the GnuTLS update solved the issue.


A CA within a PKI needs to be trusted by the parties that rely on its certificates, to prevent gaining access to systems that trust the CA. When connecting, the browser receives a sequence of certificates that connects the CA's root to the server's certificate. Oftentimes browsers have to consider multiple certification paths until they can find a valid one for a given certificate.

The browser is about to validate a certification path if the path is accepted as valid, otherwise it becomes invalid (expired), and the CA will revoke the certificate (mainly because the domain changed, compromise of the private key, etc.) => and that is what many other users are facing these days, as they reported plenty of bugs regarding verification failures in apps that use GnuTLS (Evolution uses GnuTLS). On this SSL site it is recommended to remove the expired AddTrust certificate from the OS root store (but unfortunately there is no link for your Linux).


@Рамиль Матрасов Do you think the problem is in server, CA, or just removal from OS would help?


I'm glad that you have fixed the cert issue. At the same time, you could mark your solution to help people who have the same problem.

Besides, you could also see if this certificate is related to Exchange Server by running the command "Get-ExchangeCertificate | fl Subject, NotAfter" in the EMS (Exchange PowerShell). If it's used by your Exchange Server, you'd better renew the expired cert to avoid some possible issues (e.g. the Outlook application prompts an invalid certificate issue) by referring to the official documentation which Norka shared.

  • Hi, Ivan. I do want to do that, but StackExchange allows me to mark my own answer only after two days since the question is posted (or since my answer is posted, I'm not sure). So, I'm waiting 18 hours more. – Peter Mukhachev Jun 10 '20 at 18:47