How to (Possibly) Fix “TLS Negotiation failed, the certificate doesn’t match the host.” Gmail Error
Using Gmail to manage your emails?
Suddenly getting the “TLS Negotiation failed, the certificate doesn’t match the host.” Error?
After some trial and error, I seem to have fixed it. Like, really fixed it.
A. Temporary Solution
As many in the forum message suggest, it’s a encryption certification issue.
That’s why the only real suggestion in the google help thread that works so far is the one about using an Unsecured Connection on port 25. But that’s not good enough yes?
Please don’t ever use unsecured email protocols. This is a temporary solution at best, while you work out the real problem.
B. Possible *Permanent* Fix
I’m going to assume that you have control over your domain and WebHost. By now, most of you should be on some sort of SSL certificate, like the free one from Let’s Encrypt. If you haven’t upgraded your sites to use secured HTTPS instead, you should check it out.
In summary, you need to make sure that whatever mail-related subdomains you’re using (smtp.youdomain, mail.yourdomain, etc) are included in your SSL/TLS Certificates.
1. Check your SSL/TLS cert control panel.
Some hosts have ‘components’ you can choose to secure. Make sure your Mail Access components like IMAP, SMTP and POP is selected. If not selected previously, select them now and reissue the cert.
2. Wildcard Certification
If that still doesn’t work (which it didn’t in my case), try adding a wildcard certification. Wildcard certs automatically certify any sub-domains, which will include mail.yourdomain and smtp.yourdomain.
2a. Cloudflare / CDNs
If you’re using Cloudflare or other CDNs, depending on how you set it up, you might need to manually create a TXT Record in your DNS settings in Cloudflare. Check for instructions from your WebHost.
3. Set Gmail Encryption Settings
Go back to Gmail, and choose your preferred secured method of email communication. Use whatever subdomain you were using previously (switching to mail.yourdomain to smtp.yourdomain, or vice versa, doesn’t fix the problem). As a reference, I used to be on Secured TLS on 25 before this problem. Using 465 SSL now. Make sure you test with 2-3 emails a few minutes apart. Sometimes when the problem isn’t fixed, the first mail would still go through, but subsequent ones wouldn’t, and you’re back to square one.
I’ve tried to be as general yet as detailed as possible because there are so many different settings, hope I haven’t confused anyone.
What Caused This Problem?
According to an expert on the google help thread, it seems like google recently started stricter reinforcement of encryption certificates.
Just like the recent push for HTTPS, this is a step in the right direction, in my opinion. So, endure the inconvenience for now?
(Header image from Google’s Gmail ‘about’ page)