Sending Test Email Fails Due to Security Certificates Issue

The test email fails due to an untrusted security certificate.


Applies to YSoft SafeQ 5 and YSoft SafeQ 6.

Excerpt from the log file:

2017-02-22 14:12:13,887 http-apr- ERROR EmailTestService [user=13, session=616A8B7] - Cannot send testing e-mail with parameters: 'EmailConnectionParameters{smtpHost='', smtpPort=587,smtpLogin='', smtpPass='*****', smtpSsl=false, smtpTls=true}', recipients: '[]'.
javax.mail.MessagingException: Could not convert socket to TLS
at com.sun.mail.smtp.SMTPTransport.startTLS( ~[javax.mail-1.5.6.jar:1.5.6]
at com.sun.mail.smtp.SMTPTransport.protocolConnect( ~[javax.mail-1.5.6.jar:1.5.6]

The error could also look like this:

2017-02-23 14:12:13,271 ERROR nection(881)-|          MessageSystem| E-mail sending failed
javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is: PKIX path building failed: unable to find valid certification path to requested target


  1. First, we need to have a valid certificate for the server we connect to:
    1. The certificate must be issued to the hostname/IP address that is configured in YSoft SafeQ
    2. The certificate must be in X.509 format
    3. The certificate can be downloaded manually using the sslscan application from the following website:

       sslscan.exe --starttls-smtp --show-certificate --no-cipher-details --no-ciphersuites --no-compression --no-fallback --no-groups --no-heartbleed --no-renegotiation --no-sigs <CUSTOMERS_MAILSERVER>:587
    4. From the output, extract the returned certificate and save it into a file NAME.crt. The content will look as follows:

      -----BEGIN CERTIFICATE-----
      Something HERE.
      -----END CERTIFICATE-----
  2. Make sure that only one of the following options is enabled: "mailSmtpTls" or "mailSmtpSsl" (mailSmtpTls in our case)
  3. Import the certificate into YSoft SafeQ truststore:
    • %SAFEQ6_HOME%\Management\java\bin\keytool.exe -import -alias <YOUR_CERTIFICATE_ALIAS> -file <PATH_TO_CERTIFICATE> -keystore %SAFEQ6_HOME%\Management\conf\ssl-truststore
    Note: the alias is an identifier in the truststore; we recommend using the hostname as the alias in this case
    • The default password is: 39nrqoge332fgomeer3405
    • Verify that the certificate was imported (it can be found by the alias specified above):
      %SAFEQ6_HOME%\Management\java\bin\keytool.exe -list -keystore %SAFEQ6_HOME%\Management\conf\ssl-truststore
  4. Finally, restart all YSoft SafeQ Services
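
An added example (not part of the original article or of YSoft SafeQ): a Python script for step 1.4 that extracts the single PEM block from saved sslscan output and prints its fingerprints in colon-separated hex, so they can be compared with the fingerprint keytool -list shows for the imported alias in step 3. The sample output, the host name mail.example.test, the placeholder certificate body and the function names are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed sample: sslscan-style output around a placeholder PEM body.
# "MAMCAQE=" is a tiny DER SEQUENCE, not a real certificate.
SAMPLE_OUTPUT = (
    "Testing SSL server mail.example.test on port 587\r\n"
    "  SSL Certificate:\r\n"
    "-----BEGIN CERTIFICATE-----\r\n"
    "MAMCAQE=\r\n"
    "-----END CERTIFICATE-----\r\n"
)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def extract_certificate(scan_output):
    """Return the DER bytes of the single certificate found in the output."""
    blocks = PEM_RE.findall(scan_output)
    if len(blocks) != 1:
        raise ValueError("expected exactly 1 certificate, found %d" % len(blocks))
    body = "".join(blocks[0].split())  # drop CR/LF and indentation
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate body is not valid base64") from exc
    if not der.startswith(b"\x30"):  # X.509 DER starts with a SEQUENCE tag
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der

def fingerprint(der, algorithm="sha256"):
    """Colon-separated upper-case hex digest of the DER encoding."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def to_pem(der):
    """Re-encode as a clean PEM file body (64-character lines) for NAME.crt."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----", ""])

if __name__ == "__main__":
    der = extract_certificate(SAMPLE_OUTPUT)
    print("SHA-256:", fingerprint(der))
    print("SHA-1:  ", fingerprint(der, "sha1"))
    print(to_pem(der), end="")
```
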

Please note that the respective truststore must be updated on the Site Servers or ORSes as well.

The paths for YSoft SafeQ 6 Site Servers would be:

  • %SAFEQ6_HOME%\SPOC\conf\
  • %SAFEQ6_HOME%\SPOC\java\bin\

The paths for YSoft SafeQ 5 would change to:

  • C:\SafeQ5\java\bin\keytool.exe OR C:\SafeQORS\java\bin\keytool.exe
  • C:\SafeQ5\conf\ssl-truststore OR C:\SafeQORS\conf\ssl-truststore

NOTE: You may run into the following issue:

c:\>C:\SAFEQ_DIR\Management\java\bin\keytool.exe -list -keystore C:\SAFEQ_DIR\Management\conf\ssl-truststore
Error: missing `client' JVM at `C:\SAFEQ_DIR\Management\java\bin\client\jvm.dll'.
Please install or use the JRE or JDK that contains these missing components.

The solution is to run the keytool commands with the "-server" parameter:
keytool.exe -server -list -keystore %SAFEQ6_HOME%\Management\conf\ssl-truststore