smtp server certificate change


Julin S

Jun 5, 2026, 10:53:54 PM
to mu-discuss
Hi.

I had been able to send mails from my gmail account via mu4e.
But from last day onwards, I have been getting this smtp error.

```
Certificate information
  Issued by:          WR2
  Issued to:          CN=smtp.gmail.com
  Hostname:           smtp.gmail.com
  Public key:         EC/ECDSA, signature: RSA-SHA256
  Public key ID:      sha256:89:bb:f4:d1:36:a4:be:cb:78:f1:44:3d:e8:1b:d5:1e:d9:1c:08:97:4d:f9:d3:a6:14:46:50:d0:82:35:37:e5
  Session:            TLS1.3, key: ECDHE-RSA, cipher: AES-256-GCM, mac: AEAD
  Security level:     High
  Valid:              From 2026-05-18 to 2026-08-10

The TLS connection to smtp.gmail.com:587 is insecure
for the following reason:

* fingerprint has changed
```

Upon searching about it, I saw that it is normal for gmail SMTP server
to change their certificate.

But how can we verify that this certificate is indeed okay?

I tried


```
openssl s_client -starttls smtp -connect smtp.gmail.com:587
```

and it gave

```
Connecting to 2404:6800:4000:1025::6d
CONNECTED(00000003)
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
verify return:1
depth=1 C=US, O=Google Trust Services, CN=WR2
verify return:1
depth=0 CN=smtp.gmail.com
verify return:1
---
Certificate chain
 0 s:CN=smtp.gmail.com
   i:C=US, O=Google Trust Services, CN=WR2
   a:PKEY: EC, (prime256v1); sigalg: sha256WithRSAEncryption
   v:NotBefore: May 18 18:37:13 2026 GMT; NotAfter: Aug 10 18:37:12 2026 GMT
 1 s:C=US, O=Google Trust Services, CN=WR2
   i:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
 2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
   a:PKEY: RSA, 4096 (bit); sigalg: sha256WithRSAEncryption
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
subject=CN=smtp.gmail.com
issuer=C=US, O=Google Trust Services, CN=WR2
---
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384:RSA-PSS+SHA512:RSA+SHA512:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384:RSA-PSS+SHA512:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: ecdsa_secp256r1_sha256
Negotiated TLS1.3 group: X25519MLKEM768
---
SSL handshake has read 5526 bytes and written 1699 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 SMTPUTF8
```

jman

Jun 7, 2026, 7:23:03 AM
to Julin S, mu-discuss
Julin S <julins...@gmail.com> writes:

> But how can we verify that this certificate is indeed okay?
> I tried
> ```
> openssl s_client -starttls smtp -connect smtp.gmail.com:587
> ```

That's correct, just one more step is needed: dumping the fingerprint in plain text

```
openssl s_client -starttls smtp -connect smtp.gmail.com:587 | openssl x509 -noout -fingerprint -sha256
```

See also: man openssl_x509(1)
source: https://computingforgeeks.com/how-to-check-ssl-certificate-expiration-with-openssl

Julin S

Jun 7, 2026, 8:39:52 AM
to jman, mu-discuss
> That's correct, just one more step is needed: dumping the
> fingerprint in plain text

I ran that command and it gave:

```
$ openssl s_client -starttls smtp -connect smtp.gmail.com:587 | openssl x509 -noout -fingerprint -sha256


Connecting to 2404:6800:4000:1025::6d
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
verify return:1
depth=1 C=US, O=Google Trust Services, CN=WR2
verify return:1
depth=0 CN=smtp.gmail.com
verify return:1
250 SMTPUTF8
sha256 Fingerprint=38:F0:06:21:75:DC:DC:CD:DE:97:9B:47:A5:77:AC:3C:19:C6:FF:BA:9D:40:11:26:D0:4D:EA:CE:D9:42:D9:1E
```

These look like different fingerprints:

```
   mu4e: 89:bb:f4:d1:36:a4:be:cb:78:f1:44:3d:e8:1b:d5:1e:d9:1c:08:97:4d:f9:d3:a6:14:46:50:d0:82:35:37:e5
openssl: 38:F0:06:21:75:DC:DC:CD:DE:97:9B:47:A5:77:AC:3C:19:C6:FF:BA:9D:40:11:26:D0:4D:EA:CE:D9:42:D9:1E
```

Am I looking at the wrong portion of the output?

When choosing to show more details in mu4e, it gave:

```
X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 02015a2d652c593c106f58cf59101bd9
        Issuer: CN=WR2,O=Google Trust Services,C=US
        Validity:
                Not Before: Mon May 18 18:37:13 UTC 2026
                Not After: Mon Aug 10 18:37:12 UTC 2026
        Subject: CN=smtp.gmail.com
        Subject Public Key Algorithm: EC/ECDSA
        Algorithm Security Level: High (256 bits)
                Curve:  SECP256R1
                X:
                        76:b7:62:b9:2a:2c:64:57:50:81:a5:11:40:0c:83:72
                        42:58:10:c7:4b:1a:bb:17:f0:d9:6c:42:9d:ea:8d:75
                Y:
                        56:df:6c:27:ff:0b:da:18:dc:d5:80:80:de:2a:c9:57
                        35:8a:9b:69:f4:f7:61:a5:84:49:12:8b:39:02:5a:98
        Extensions:
                Key Usage (critical):
                        Digital signature.
                Key Purpose (not critical):
                        TLS WWW Server.


X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 7ff005a07c4cded100ad9d66a5107b98
        Issuer: CN=GTS Root R1,O=Google Trust Services LLC,C=US
        Validity:
                Not Before: Wed Dec 13 09:00:00 UTC 2023
                Not After: Tue Feb 20 14:00:00 UTC 2029
        Subject: CN=WR2,O=Google Trust Services,C=US
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: Medium (2048 bits)
                Modulus (bits 2048):
                        00:a9:ff:9c:7f:45:1e:70:a8:53:9f:ca:d9:e5:0d:de
                        46:57:57:7d:bc:8f:9a:5a:ac:46:f1:84:9a:bb:91:db
                        c9:fb:2f:01:fb:92:09:00:16:5e:a0:1c:f8:c1:ab:f9
                        78:2f:4a:cc:d8:85:a2:d8:59:3c:0e:d3:18:fb:b1:f5
                        24:0d:26:ee:b6:5b:64:76:7c:14:c7:2f:7a:ce:a8:4c
                        b7:f4:d9:08:fc:df:87:23:35:20:a8:e2:69:e2:8c:4e
                        3f:b1:59:fa:60:a2:1e:b3:c9:20:53:19:82:ca:36:53
                        6d:60:4d:e9:00:91:fc:76:8d:5c:08:0f:0a:c2:dc:f1
                        73:6b:c5:13:6e:0a:4f:7a:c2:f2:02:1c:2e:b4:63:83
                        da:31:f6:2d:75:30:b2:fb:ab:c2:6e:db:a9:c0:0e:b9
                        f9:67:d4:c3:25:57:74:eb:05:b4:e9:8e:b5:de:28:cd



X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 77bd0d6cdb36f91aea210fc4f058d30d
        Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
        Validity:
                Not Before: Fri Jun 19 00:00:42 UTC 2020
                Not After: Fri Jan 28 00:00:42 UTC 2028
        Subject: CN=GTS Root R1,O=Google Trust Services LLC,C=US
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: High (4096 bits)
                Modulus (bits 4096):
                        00:b6:11:02:8b:1e:e3:a1:77:9b:3b:dc:bf:94:3e:b7
                        95:a7:40:3c:a1:fd:82:f9:7d:32:06:82:71:f6:f6:8c
                        7f:fb:e8:db:bc:6a:2e:97:97:a3:8c:4b:f9:2b:f6:b1
                        f9:ce:84:1d:b1:f9:c5:97:de:ef:b9:f2:a3:e9:bc:12
                        89:5e:a7:aa:52:ab:f8:23:27:cb:a4:b1:9c:63:db:d7
                        99:7e:f0:0a:5e:eb:68:a6:f4:c6:5a:47:0d:4d:10:33
                        e3:4e:b1:13:a3:c8:18:6c:4b:ec:fc:09:90:df:9d:64
                        29:25:23:07:a1:b4:d2:3d:2e:60:e0:cf:d2:09:87:bb
                        cd:48:f0:4d:c2:c2:7a:88:8a:bb:ba:cf:59:19:d6:af
                        8f:b0:07:b0:9e:31:f1:82:c1:c0:df:2e:a6:6d:6c:19
                        0e:b5:d8:7e:26:1a:45:03:3d:b0:79:a4:94:28:ad:0f
```
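
Added example, not part of the thread: the two values compared in the post above are digests of different inputs. `openssl x509 -fingerprint -sha256` hashes the whole DER certificate, while this sketch assumes the `Public key ID: sha256:...` line in the mu4e dialog is the GnuTLS key ID, a SHA-256 over the certificate's SubjectPublicKeyInfo only. The sample key and the `first.invalid` / `second.invalid` certificates are constructed locally so the comparison runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Both digest functions read one PEM
# certificate on stdin and print lowercase, colon-separated SHA-256 hex.

# SHA-256 over the whole DER certificate (what the openssl command
# posted in the thread prints).
cert_fingerprint_sha256() {
    openssl x509 -noout -fingerprint -sha256 |
        sed 's/^.*=//' | tr 'A-F' 'a-f'
}

# SHA-256 over the DER SubjectPublicKeyInfo only.
# Assumption: this is what the "Public key ID: sha256:..." line shows.
pubkey_id_sha256() {
    openssl x509 -pubkey -noout |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -c |
        sed 's/^.*= *//'
}

# Constructed sample input: a throwaway P-256 key and self-signed
# certificates for it, generated locally (nothing here is Gmail's).
make_sample_key() {
    openssl ecparam -name prime256v1 -genkey -noout
}
make_sample_cert() {    # $1 = key file, $2 = subject CN
    openssl req -x509 -new -key "$1" -subj "/CN=$2" -days 1 2>/dev/null
}

# Two certificates for the same key: the fingerprints differ, the
# public key ID does not.
demo() {
    dir=$(mktemp -d) || return 1
    make_sample_key >"$dir/key.pem" 2>/dev/null
    for cn in first.invalid second.invalid; do
        make_sample_cert "$dir/key.pem" "$cn" >"$dir/$cn.pem"
        echo "$cn"
        echo "  fingerprint:   $(cert_fingerprint_sha256 <"$dir/$cn.pem")"
        echo "  public key ID: $(pubkey_id_sha256 <"$dir/$cn.pem")"
    done
    rm -rf "$dir"
}
demo
```

To compare against the live server, pipe the output of the `openssl s_client -starttls smtp -connect smtp.gmail.com:587` command from the thread into either function.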

jman

Jun 7, 2026, 5:43:25 PM
to Julin S, mu-discuss
Julin S <julins...@gmail.com> writes:

> These look like different fingerprints:
>
> ```
> mu4e:
> 89:bb:f4:d1:36:a4:be:cb:78:f1:44:3d:e8:1b:d5:1e:d9:1c:08:97:4d:f9:d3:a6:14:46:50:d0:82:35:37:e5
> openssl:
> 38:F0:06:21:75:DC:DC:CD:DE:97:9B:47:A5:77:AC:3C:19:C6:FF:BA:9D:40:11:26:D0:4D:EA:CE:D9:42:D9:1E
> ```

I am not sure why you get two different certificates but unless I am wrong you just need to update
the certificate in your mu4e configuration?
If you want to check for the validity dates, you can run:
```
$ openssl s_client -starttls smtp -connect smtp.gmail.com:587 | openssl x509 -noout -dates
```

Julin S

Jun 7, 2026, 11:31:01 PM
to jman, mu-discuss
> I am not sure why you get two different certificates

Could this difference mean that I should be worried?

Certificate from smtp server is valid. And apparently for 3 months.

```

$ openssl s_client -starttls smtp -connect smtp.gmail.com:587 | openssl x509 -noout -dates

Connecting to 192.178.211.108

depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
verify return:1
depth=1 C=US, O=Google Trust Services, CN=WR2
verify return:1
depth=0 CN=smtp.gmail.com
verify return:1
250 SMTPUTF8
notBefore=May 18 18:37:13 2026 GMT
notAfter=Aug 10 18:37:12 2026 GMT
```

Maybe gmail changes certificate every 3 months.
Can mu4e and related tools like smtp.el automatically figure out when
there is a change and make suitable adjustments?

Could switching to msmtp make any difference? Am currently using smtp.el.



> but unless I am wrong you just need to update
> the certificate in your mu4e configuration?

How can that be done? I am on debian and did:

```
sudo update-ca-certificates
```

But still same error.