Cannot Send Testing E-mail (Security Certificates Issue)

Sending Test Email Fails Due to Security Certificates Issue.

The test mail is not successful due to the security certificate being not trusted.

Encountering difficulties in sending a testing email, particularly due to security certificate issues, can be a common challenge in email communication. Security certificates play a crucial role in ensuring the integrity and security of email transmissions. In this article, we'll address the issue of being unable to send a testing email and explore solutions related to security certificates. By understanding the nature of these certificate issues and following the recommended steps, administrators can troubleshoot and resolve the problem effectively, ensuring smooth email communication within their system.


Applies to YSoft SafeQ 5 and YSoft SafeQ 6.

Excerpt from the log file:

2017-02-22 14:12:13,887 http-apr- ERROR EmailTestService [user=13, session=616A8B7] - Cannot send testing e-mail with parameters: 'EmailConnectionParameters{smtpHost='', smtpPort=587,smtpLogin='', smtpPass='*****', smtpSsl=false, smtpTls=true}', recipients: '[]'.
javax.mail.MessagingException: Could not convert socket to TLS
at com.sun.mail.smtp.SMTPTransport.startTLS( ~[javax.mail-1.5.6.jar:1.5.6]
at com.sun.mail.smtp.SMTPTransport.protocolConnect( ~[javax.mail-1.5.6.jar:1.5.6]

The error could also look like this:

2017-02-23 14:12:13,271 ERROR nection(881)-|          MessageSystem| E-mail sending failed
javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is: PKIX path building failed: unable to find valid certification path to requested target


  1. First, we need to have a valid certificate for the server we connect to:
    1. The certificate must be issued to the hostname/IP address that is configured in Ysoft SafeQ
    2. The certificate must be type X.509 format
    3. The certificate is possible to download manually using the sslscan application from the following website: Github

       sslscan.exe --starttls-smtp --show-certificate --no-cipher-details --no-ciphersuites --no-compression --no-fallback --no-groups --no-heartbleed --no-renegotiation --no-sigs <CUSTOMERS_MAILSERVER>:587
    4. From the output extract the returned certificate and save it into a file NAME.crt the content will look as follows:

      -----BEGIN CERTIFICATE-----
      Something HERE.
      -----END CERTIFICATE-----
  2. Make sure that only one of the following options is enabled "mailSmtpTls" or "mailSmtpSsl" (mailSmtpTls in our case)
  3. Import the certificate into YSoft SafeQ truststore:
    • %SAFEQ6_HOME%\Management\java\bin\keytool.exe -import -alias <YOUR_CERTIFICATE_ALIAS> -file <PATH_TO_CERTIFICATE> -keystore %SAFEQ6_HOME%\Management\conf\ssl-truststore
    Note: that alias is an identificator in trustore, we recommended to use the hostname for the alias in this case
    • The default password is: 39nrqoge332fgomeer3405
    • Verify that the certificate was really imported by (it can be found according to an alias specified above):
      %SAFEQ6_HOME%\Management\java\bin\keytool.exe -list -keystore %SAFEQ6_HOME%\Management\conf\ssl-truststore
  4. Finally, restart all YSoft SafeQ Services

Please note that the respective truststore must be updated on the Site Servers or ORSes as well.

The paths for YSoft SafeQ 6 Site Servers would be:

  • %SAFEQ6_HOME%\SPOC\conf\
  • %SAFEQ6_HOME%\SPOC\java\bin\

The paths for YSoft SafeQ 5 would change to:

  • C:\SafeQ5\java\bin\keytool.exe OR C:\SafeQORS\java\bin\keytool.exe
  • C:\SafeQ5\conf\ssl-truststore OR C:\SafeQORS\conf\ssl-truststore

NOTE: You may run into the following issue:

c:\>C:\SAFEQ_DIR\Management\java\bin\keytool.exe -list -keystore C:\SAFEQ_DIR\Management\conf\ssl-truststore
Error: missing `client' JVM at `C:\SAFEQ_DIR\Management\java\bin\client\jvm.dll'.
Please install or use the JRE or JDK that contains these missing components.

The Solution is to run the keytool commands with "-server" parameter:
keytool.exe - server -list -keystore %SAFEQ6_HOME%\Management\conf\ssl-truststore