Problem with Office365 Certificate file is affecting the mail notifications
Article ID: 126320
Updated On:
Products
SUPPORT AUTOMATION- SERVER
CA Service Desk Manager - Unified Self Service
KNOWLEDGE TOOLS
CA Service Management - Asset Portfolio Management
CA Service Management - Service Desk Manager
Issue/Introduction
The pdm_mail_nxd stopped sending notifications due to the error in the log:
02/05 21:12:15.54 sdmserver pdm_mail_nxd 11680 ERROR
02/05 21:12:15.73 sdmserver pdm_mail_nxd 11680 ERROR hunny_mail_intf.c 2173 ThrdLogger Sess:11:0 Unable to connect to mail servers (outlook.com). Last message: TLS Connection to SMTP Server: outlook.com at Port: 587 failed. Error (15) Failed to find the CA certificate
02/05 21:12:15.73 sdmserver pdm_mail_nxd 11680 SIGNIFICANT hunny_mail_intf.c 1335 Send Mail retry scheduled
02/05 21:12:15.54 sdmserver pdm_mail_nxd 11680 ERROR
02/05 21:12:15.73 sdmserver pdm_mail_nxd 11680 ERROR hunny_mail_intf.c 2173 ThrdLogger Sess:11:0 Unable to connect to mail servers (outlook.com). Last message: TLS Connection to SMTP Server: outlook.com at Port: 587 failed. Error (15) Failed to find the CA certificate
02/05 21:12:15.73 sdmserver pdm_mail_nxd 11680 SIGNIFICANT hunny_mail_intf.c 1335 Send Mail retry scheduled
Cause
The certificate is not valid, expired or corrupted
Environment
Service Desk Manager 14.x / 17.x
Resolution
1. If the Certificate file name has format <name>.txt, it should be renamed as <name>.cer
2. After gathering the information for your root certificate, create a file using Notepad with the certificate's information. For the example below, we are using the DigiCert Global Root CA which is valid for Office 365 as of Dec 2016:
See below:
NOTE: THE FOLLOWING CERTIFICATE IS NO LONGER VALID AS OF SEPT, 2020. THE UPDATED CERTIFICATE FILE IS AVAILABLE IN THIS TECH DOC:
https://knowledge.broadcom.com/external/article?articleId=198751
Original certificate for Office 365 (valid until Aug, 2020)
-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----
NOTE: THE ABOVE CERTIFICATE IS NO LONGER VALID AS OF SEPT, 2020. WE ARE PROVIDING THE ABOVE CERTIFICATE TEXT FOR HISTORICAL CONTENT.
3. Save the file and copy it to the primary server and make note of the path.
4. To import the new valid certificate do the following procedure:
4.1. Remove NX_ROOT\pdmconf\nx.keystore
4.2. Create a new certification file by copying the certificate content from STEP 2 to a text file and saved it at root C drive as cert.cer
4.3. Run pdm_perl pdm_keystore_mgr.pl -import c:\cert.cer (manually)
4.4. Restart pdm_mail_nxd via pdm_kill command:
pdm_kill pdm_mail_nxd
Additional Information
An alert to step 4.3 - Run pdm_perl pdm_keystore_mgr.pl -import c:\cert.cer (manually):
In case you get error in the command such as:
C:\PROGRA2\CA\SERVIC1\bin>pdm_perl pdm_keystore_mgr.pl -import C:\DigiCertGlob
alRootCA.cer
Generating 2.048 bit RSA key pair and self-signed certificate (SHA256withRSA) wi
th a validity of 36.500 days
for: CN=CA, OU=CA Service Desk Manager, O=EITM, L=Islandia, ST=NY, C=US
[Storing D:\PROGRA2\CA\SERVIC1\pdmconf\nx.keystore]
Certificate was added to keystore
[Storing D:\PROGRA2\CA\SERVIC1\pdmconf\nx.keystore]
FAILED: The certificate was not imported into the keystore.
Exiting at pdm_keystore_mgr.pl line 170.
Then try to copy the certificate content from STEP 2 to a text file, and re-ran the command to manually import it. The expected result is:
C:\PROGRA2\CA\SERVIC1\bin>pdm_perl pdm_keystore_mgr.pl -import C:\cert.cer
Generating 2.048 bit RSA key pair and self-signed certificate (SHA256withRSA) wi
th a validity of 36.500 days
for: CN=CA, OU=CA Service Desk Manager, O=EITM, L=Islandia, ST=NY, C=US
[Storing D:\PROGRA2\CA\SERVIC1\pdmconf\nx.keystore]
Certificate was added to keystore
[Storing D:\PROGRA2\CA\SERVIC1\pdmconf\nx.keystore]
SUCCESS!
The certificate cert.cer has been imported.
Use -list to see the contents of the keystore.
If it fail to import the certificate, run the command to see if it's already there:
C:\PROGRA2\CA\SERVIC1\bin>pdm_perl pdm_keystore_mgr.pl -list -v
You may see something similar to:
Alias name: cert.cer
Creation date: 06/02/2019
Entry type: trustedCertEntry
Owner: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: 83be056904246b1a1756ac95991c74a
Valid from: Thu Nov 09 22:00:00 BRST 2006 until: Sun Nov 09 22:00:00 BRST 2031
Certificate fingerprints:
MD5: 79:E4:A9:84:0D:7D:3A:96:D7:C0:4F:E2:43:4C:89:2E
SHA1: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
SHA256: 43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:
26:DB:25:7F:89:34:A4:43:C7:01:61
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB 66 F0 A3 E2 1B 1B C3 97 ..P5V.L.f.......
0010: B2 3D D1 55 .=.U
]
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB 66 F0 A3 E2 1B 1B C3 97 ..P5V.L.f.......
0010: B2 3D D1 55 .=.U
]
]
*******************************************
*******************************************
It means that the certificate is already imported. So go to the next step 4.4.
In case you get error in the command such as:
C:\PROGRA2\CA\SERVIC1\bin>pdm_perl pdm_keystore_mgr.pl -import C:\DigiCertGlob
alRootCA.cer
Generating 2.048 bit RSA key pair and self-signed certificate (SHA256withRSA) wi
th a validity of 36.500 days
for: CN=CA, OU=CA Service Desk Manager, O=EITM, L=Islandia, ST=NY, C=US
[Storing D:\PROGRA2\CA\SERVIC1\pdmconf\nx.keystore]
Certificate was added to keystore
[Storing D:\PROGRA2\CA\SERVIC1\pdmconf\nx.keystore]
FAILED: The certificate was not imported into the keystore.
Exiting at pdm_keystore_mgr.pl line 170.
Then try to copy the certificate content from STEP 2 to a text file, and re-ran the command to manually import it. The expected result is:
C:\PROGRA2\CA\SERVIC1\bin>pdm_perl pdm_keystore_mgr.pl -import C:\cert.cer
Generating 2.048 bit RSA key pair and self-signed certificate (SHA256withRSA) wi
th a validity of 36.500 days
for: CN=CA, OU=CA Service Desk Manager, O=EITM, L=Islandia, ST=NY, C=US
[Storing D:\PROGRA2\CA\SERVIC1\pdmconf\nx.keystore]
Certificate was added to keystore
[Storing D:\PROGRA2\CA\SERVIC1\pdmconf\nx.keystore]
SUCCESS!
The certificate cert.cer has been imported.
Use -list to see the contents of the keystore.
If it fail to import the certificate, run the command to see if it's already there:
C:\PROGRA2\CA\SERVIC1\bin>pdm_perl pdm_keystore_mgr.pl -list -v
You may see something similar to:
Alias name: cert.cer
Creation date: 06/02/2019
Entry type: trustedCertEntry
Owner: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: 83be056904246b1a1756ac95991c74a
Valid from: Thu Nov 09 22:00:00 BRST 2006 until: Sun Nov 09 22:00:00 BRST 2031
Certificate fingerprints:
MD5: 79:E4:A9:84:0D:7D:3A:96:D7:C0:4F:E2:43:4C:89:2E
SHA1: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
SHA256: 43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:
26:DB:25:7F:89:34:A4:43:C7:01:61
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB 66 F0 A3 E2 1B 1B C3 97 ..P5V.L.f.......
0010: B2 3D D1 55 .=.U
]
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB 66 F0 A3 E2 1B 1B C3 97 ..P5V.L.f.......
0010: B2 3D D1 55 .=.U
]
]
*******************************************
*******************************************
It means that the certificate is already imported. So go to the next step 4.4.
Attachments
Feedback
Powered by
