Palm Support

'SSL Error: No trusted root. Update certificate authority list.' (when using VersaMail 3.5)

Article ID: 16733

This article applies to Centro, Treo 755p, 700p and 680 smartphones. It also applies to Treo 650, Palm TX and LifeDrive devices that have added VersaMail 3.5.

Starting with VersaMail version 3.5, a change was made to better accommodate SSL encryption. VersaMail version 3.5 and higher checks the Certificate Authority of the SSL Certificate used by your Exchange Server against a list of trusted Certificate Authorities stored in the permanent memory of the device, to ensure the certificate is valid.

Because of this, you may receive an SSL error when using VersaMail 3.5 with Exchange ActiveSync if the Certificate Authority of the SSL Certificate you are using is not included in the trust list on the device. This can happen if your company uses:

  • A self-signed certificate
  • A public root newer than those included
  • An intermediate certificate that is newer than those included on the device
  • An intermediate certificate that did not yet exist at the time the device was released or updated

If the Certificate Authority for your SSL Certificate is not in the trust list included on the device, and you are using SSL with Exchange ActiveSync, you will not be able to send or receive mail from your device, and will receive an SSL error. Typical error messages include:

  • "There was a problem syncing messages. SSL Error: No trusted root. Update certificate authority list."
  • "No Trusted Root Certificate Authority"

The error messages appear because VersaMail cannot match the Certificate Authority of your SSL Certificate to the approved list. It is also possible to get SSL errors if the server's public name does not match the name the certificate was issued under, or if the server-side certificate has expired.

To determine if an SSL issue actually exists and whether it should be fixed on the server being accessed or on your Palm device:

  1. Ensure a network connection to the Internet is active (cellular access or a Wi-Fi connection if available).
  2. Launch the Web browser on your device.
  3. Navigate to: http://mobile.palm.com. This will confirm that a non-SSL connection works and you can access a mobile-optimized web page.
  4. Enter the root HTTPS (SSL) URL of your Exchange OWA (Outlook Web Access) server followed by the Exchange ActiveSync virtual folder. You may need to get this information from your IT department. Example: https://xxxxxxxxx/Microsoft-server-ActiveSync
  5. If the Exchange Server is correctly set up for both SSL and Exchange ActiveSync wireless synchronization, you should be prompted for a user name and a password. In this case, the domain is also needed and hence the user name must be entered as "domain\username".

What happens when you try this?

  • HTTP Error 501/505 - "Not implemented or not supported." This is a good sign. If credentials are correctly entered, you will receive this error, which means that everything is working as expected. You're seeing the error because ActiveSync is a sync-only protocol and does not understand HTML web page display requests.
  • Error - "You are attempting to access a web page that has an invalid security certificate (server name mismatch)." This error means that the server certificate was issued incorrectly. For example, the internal name of the server machine is something like "server1.somecompany.com" but the external name of the site (external DNS name) is something like "webmail.somecompany.com." In a web browser, you can circumvent this error, but Exchange ActiveSync has no user interface to do so. You'll need to contact your IT department, who should either have the certificate re-issued to the correct site name, or should alias the server name both externally and internally.
  • Error - "You are attempting to access a web page that has an invalid security certificate (certificate expired)." The error cannot be circumvented for Exchange ActiveSync usage. The certificate must simply be renewed or replaced by the IT department responsible for that server.
  • Error - "You are attempting to access a web page that has an invalid security certificate (no trusted root)." This error means that either the server certificate was issued by an internal Private Certificate Authority, or that the device cannot locate matching root and/or intermediate CA certificates in its internal CertMgrDB library. The remainder of this KB article deals with this specific error.

If you receive the last error, "You are attempting to access a web page that has an invalid security certificate (no trusted root)," in order to continue using VersaMail with Exchange ActiveSync you will need to contact your IT department about using the Palm Certificate Modification Tool.
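For IT staff, the same three certificate outcomes can be checked from a workstation. The following is an added example, not part of the original article or any Palm tool: it performs a TLS handshake and maps OpenSSL's verification code to the browser errors listed above. The host name and the optional PEM bundle are assumptions you supply; without a bundle the workstation's own trust store is used, which is not the device's list.

```python
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* codes, grouped by the browser errors the article lists.
OUTCOMES = {
    62: ("server name mismatch", "server: reissue the certificate or alias the name"),
    10: ("certificate expired", "server: renew or replace the certificate"),
    18: ("no trusted root", "device: self-signed certificate, add it to the trust list"),
    19: ("no trusted root", "device: root sent in the chain is not in the trust list"),
    20: ("no trusted root", "device: issuing root or intermediate CA is missing"),
    21: ("no trusted root", "device: issuing root or intermediate CA is missing"),
}


def classify(verify_code):
    """Map an OpenSSL verify code to (article error, where the fix belongs)."""
    if verify_code == 0:
        return ("certificate accepted", "none")
    return OUTCOMES.get(verify_code, ("other SSL error", "inspect code %d" % verify_code))


def probe(host, port=443, cafile=None, timeout=10):
    """Handshake with host and classify the first verification failure.

    cafile (assumption): a PEM bundle holding only the CAs to treat as
    trusted. When given, the system trust store is not loaded, so the check
    runs against that list alone. Only the first failure is reported.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return classify(0)
    except ssl.SSLCertVerificationError as exc:
        return classify(exc.verify_code)


if __name__ == "__main__":
    # Usage: python probe.py <exchange-host> [trusted-cas.pem]
    result = probe(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None)
    print("%s -> %s" % result)
```

A result of "certificate accepted" against the workstation store does not prove the device trusts the same chain, because the device's list may lack newer roots and intermediates.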

Note: VersaMail does not have its own certificate library. It references the certificate library used by PalmSource in the Palm OS. The same certificate library is used by all of your device's web browser SSL/HTTPS sessions.

Note for IT professionals: If your organization uses a custom or self-signed certificate, you must use the Palm Certificate Modification Tool to add a root certificate to the database on the device in order to allow VersaMail 3.5 or higher to access Exchange ActiveSync email.

This software is recommended for IT administrators only. If you are an end-user, please contact your IT department about adding a certificate to the database using this tool; do not attempt to do it yourself, as improper modification of SSL settings may cause other email accounts and web sites to stop working on your device.