The test email fails due to an untrusted security certificate.
Summary:
Applies to YSoft SafeQ 5 and YSoft SafeQ 6.
Excerpt from the log file:
2017-02-22 14:12:13,887 http-apr-10.0.7.27-81-exec-2 ERROR EmailTestService [user=13, session=616A8B7] - Cannot send testing e-mail with parameters: 'EmailConnectionParameters{smtpHost='smtp.office365.com', smtpPort=587,smtpLogin='user@office.com', smtpPass='*****', smtpSsl=false, smtpTls=true}', recipients: '[next@office365.com]'.
javax.mail.MessagingException: Could not convert socket to TLS
at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:2064) ~[javax.mail-1.5.6.jar:1.5.6]
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:724) ~[javax.mail-1.5.6.jar:1.5.6]
The error could also look like this:
2017-02-23 14:12:13,271 ERROR nection(881)-127.0.0.1| MessageSystem| E-mail sending failed
javax.mail.MessagingException: Could not convert socket to TLS;
nested exception is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Resolution:
- First, we need a valid certificate for the server we connect to:
  - The certificate must be issued to the hostname/IP address that is configured in YSoft SafeQ
  - The certificate must be in X.509 format
- The certificate can be downloaded manually using the sslscan application, available from the following website: https://github.com/rbsec/sslscan/releases/latest
  sslscan.exe --starttls-smtp --show-certificate --no-cipher-details --no-ciphersuites --no-compression --no-fallback --no-groups --no-heartbleed --no-renegotiation --no-sigs <CUSTOMERS_MAILSERVER>:587
- From the output, extract the returned certificate and save it into a file NAME.crt. The content will look as follows:
  -----BEGIN CERTIFICATE-----
  Something HERE.
  -----END CERTIFICATE-----
- Make sure that only one of the following options is enabled: "mailSmtpTls" or "mailSmtpSsl" (mailSmtpTls in our case)
- Import the certificate into the YSoft SafeQ truststore:
  %SAFEQ6_HOME%\Management\java\bin\keytool.exe -import -alias <YOUR_CERTIFICATE_ALIAS> -file <PATH_TO_CERTIFICATE> -keystore %SAFEQ6_HOME%\Management\conf\ssl-truststore
  - The default password is: 39nrqoge332fgomeer3405
- Verify that the certificate was imported (it can be found by the alias specified above):
  %SAFEQ6_HOME%\Management\java\bin\keytool.exe -list -keystore %SAFEQ6_HOME%\Management\conf\ssl-truststore
- Finally, restart all YSoft SafeQ Services
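A pre-import check for the saved certificate file, as an added PowerShell example (not part of the original article or of YSoft's tooling): it confirms that the file parses as X.509, that it is issued to the mail server name configured in YSoft SafeQ, and that it is currently valid, then prints its fingerprints. The file path C:\Temp\NAME.crt and the helper name Test-CertName are assumptions; the host name is the one from the log excerpt.

```powershell
# Added example. The two values below are assumptions; adjust them to your setup.
$certPath = 'C:\Temp\NAME.crt'      # file saved from the sslscan output (assumed path)
$smtpHost = 'smtp.office365.com'    # host configured in YSoft SafeQ (value from the log excerpt)

function Test-CertName {
    # Exact match, or a wildcard that covers exactly one left-most label.
    param([string]$Pattern, [string]$HostName)
    if ($Pattern -ieq $HostName) { return $true }
    if ($Pattern.StartsWith('*.')) {
        $suffix = $Pattern.Substring(1)    # "*.example.com" -> ".example.com"
        if ($HostName.Length -gt $suffix.Length -and
            $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
            $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
            return (-not $label.Contains('.'))
        }
    }
    return $false
}

try {
    # The constructor throws if the file is not a parseable X.509 certificate.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
} catch {
    throw "Not a valid X.509 certificate file: $certPath"
}

# Names the certificate is issued to: subject alternative names (OID 2.5.29.17),
# or the subject common name when there is no SAN extension.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    # Format() returns "label=value" lines; the label is localized, so keep only the value.
    $names = $san.Format($true) -split "`r?`n" | Where-Object { $_ -match '=' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() }
} else {
    $names = @($cert.GetNameInfo('SimpleName', $false))
}

$now    = Get-Date
$sha256 = [System.Security.Cryptography.SHA256]::Create()
[pscustomobject]@{
    Subject     = $cert.Subject
    IssuedTo    = $names -join ', '
    NameMatches = [bool]($names | Where-Object { Test-CertName $_ $smtpHost })
    ValidNow    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    NotAfter    = $cert.NotAfter
    SHA1        = $cert.Thumbprint
    SHA256      = [BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ':'
} | Format-List
```

After the import, keytool -list prints a certificate fingerprint for each alias; compare it with the SHA1 or SHA256 value above, whichever algorithm your keytool version reports.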
Please note that the respective truststore must be updated on the Site Servers or ORSes as well.
The paths for YSoft SafeQ 6 Site Servers would be:
- %SAFEQ6_HOME%\SPOC\conf\
- %SAFEQ6_HOME%\SPOC\java\bin\
The paths for YSoft SafeQ 5 would change to:
- C:\SafeQ5\java\bin\keytool.exe OR C:\SafeQORS\java\bin\keytool.exe
- C:\SafeQ5\conf\ssl-truststore OR C:\SafeQORS\conf\ssl-truststore
NOTE: You may run into the following issue:
c:\>C:\SAFEQ_DIR\Management\java\bin\keytool.exe -list -keystore C:\SAFEQ_DIR\Management\conf\ssl-truststore
Error: missing `client' JVM at `C:\SAFEQ_DIR\Management\java\bin\client\jvm.dll'.
Please install or use the JRE or JDK that contains these missing components.
The solution is to run the keytool commands with the "-server" parameter:
keytool.exe -server -list -keystore %SAFEQ6_HOME%\Management\conf\ssl-truststore