The SSL certificate that identifies gn.apc.org was replaced on Friday 6 May.  Unfortunately, some old software, notably Eudora, doesn't recognise the modern "root certificate", so it needs to be told manually to accept our new certificate.  Here's how to do that.

Our old certificate had expired and needed replacement.  Some software automatically trusted the old "GeoTrust Global CA" root certificate authority, but not the newer "GeoTrust Primary Certification Authority - G3".  This includes Eudora, Claws Mail, Dillo, and some older versions of Mac OS X. 

For most software you just need to click "Connect" or accept the certificate. If you want to be sure you are connecting to GreenNet, you may want to check the fingerprint of the certificate manually.  You can see the SHA1 fingerprint in the screenshots at the bottom of this page.
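
If you would rather check the fingerprint outside your mail program, the following is an added example (not GreenNet's own code) that hashes a certificate and compares it with a published fingerprint, accepting SHA-256 as well as the SHA1 used on this page.  The port number and the sample bytes are assumptions, and the fingerprint is a placeholder to be copied from the screenshot.

```python
import hashlib
import hmac
import ssl

# Hex digest length -> hash name, so a published SHA1 or SHA-256 value both work.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize(fingerprint: str) -> str:
    """Strip the colons/spaces that certificate dialogs insert and lowercase the hex."""
    return "".join(c for c in fingerprint if c not in ": \t\n").lower()


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """A certificate fingerprint is the hash of its DER encoding."""
    return hashlib.new(algo, der).hexdigest()


def matches(der: bytes, published: str) -> bool:
    """Compare a certificate against a fingerprint obtained out of band."""
    want = normalize(published)
    algo = ALGO_BY_HEX_LEN.get(len(want))
    if algo is None or any(c not in "0123456789abcdef" for c in want):
        raise ValueError("not a SHA1 or SHA-256 hex fingerprint")
    return hmac.compare_digest(fingerprint(der, algo), want)


def fetch_der(host: str, port: int) -> bytes:
    """Fetch the server's certificate without validating the chain.

    Skipping validation is deliberate: it lets a client that does not know the
    root CA still obtain the certificate, so the fingerprint is the only check.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate; the hashing is identical.
    sample_der = b"constructed sample DER bytes"
    shown = fingerprint(sample_der).upper()
    shown = ":".join(shown[i:i + 2] for i in range(0, len(shown), 2))
    print(shown, matches(sample_der, shown))
    # Live use (port 995, POP3 over SSL, is an assumption; the page gives no port):
    # matches(fetch_der("gn.apc.org", 995), "<SHA1 fingerprint from the screenshot>")
```

A result of False means the certificate presented is not the one whose fingerprint was published, so do not accept it.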

For Eudora (the last version of which was in 2006), you may see a screen like the one below when checking or sending mail.

Screenshot of Eudora SSL failure error screen

Unfortunately "Yes" doesn't help for Eudora because it can't really cope with the new certification process.  Close this box. 

Step 1

Go to the "Tools" menu and then "Options".

Select the "Checking Mail" icon or category.  If you have been able to receive incoming email, but get an error on sending then choose "Sending Mail" instead.  In either case you should see options about SSL towards the bottom of the box.

Eudora 'checking mail' options, showing 'Last SSL' button

Step 2

Click the "Last SSL Info" button, and you should get a dialogue box like the one below.  If you do not, and instead get a box saying "You have never done any SSL negotiation....", have a look under the "Sending Mail" category and try "Last SSL Info" there, or click the rightmost "Persona" tab, and choose Properties of the persona you are trying to use (see Step 2B below).

Eudora SSL connection manager dialogue

Step 3

Click on the "Certificate Information Manager".  You should see the certificate involved highlighted under the top category "Server Certificates".  Expand this by clicking on the "+" sign and you should see another level within this.  Again expand this, and you should see the gn.apc.org certificate, which is the one to select and trust.

Screenshot of Eudora Certificate Information Manager

So, with the *.gn.apc.org certificate selected, you may want to check that the "SHA" (actually SHA1) thumbprint matches that shown above.  Click "Add To Trusted", and then "Done".

If you're still having problems, please let us know.  We don't want to go back to an older, less secure root certificate on web services for documented reasons, but may need to for email services.

Step 2B. As stated above in Step 2, you may not be using the Dominant persona in Eudora, and so when you click on "Last SSL Info", you may get a notice that no SSL sessions were used to send or receive.  So click on the rightmost "Persona" tab, right-click on the address or account you were using and choose Properties.  Most likely you were checking mail, so click on the Incoming Mail tab.

Screenshot of Eudora personality settings

Then try "Last SSL Info".

That should be it, at least for two years, when you may need to do the same thing again if you're still using Eudora in 2018.