Scheduled E-mails Are Not Received - NetOps Portal


Article ID: 187068


Products

CA Infrastructure Management, CA Performance Management - Usage and Administration, DX NetOps

Issue/Introduction

E-mails for scheduled reports are no longer received from NetOps Portal.

Scheduled/live run reports are not received via email.

Environment

All supported releases

Cause

The email server's certificate had not been imported on the Portal server. The following errors were seen in DMservice.log:

ERROR | EmailJobTaskThreadPool-Thread-106 | 2020-03-13 14:49:30,208 | com.ca.im.portal.dm.scheduling.email.EmailJobTask   
      | Error sending e-mail: Mail server connection failed; nested exception is javax.mail.MessagingException: Can't send command to SMTP host;
  nested exception is:
 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Failed messages: javax.mail.MessagingException: Can't send command to SMTP host;
  nested exception is:
 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
org.springframework.mail.MailSendException: Mail server connection failed; nested exception is javax.mail.MessagingException: Can't send command to SMTP host;
  nested exception is:
 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Failed messages: javax.mail.MessagingException: Can't send command to SMTP host;
  nested exception is:
 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; message exception details (1) are:
Failed message 1:
javax.mail.MessagingException: Can't send command to SMTP host;
  nested exception is:
 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1564)
 at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1551)

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
 at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
 at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
 ... 12 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
 at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
 at sun.security.validator.Validator.validate(Validator.java:262)
 at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
 at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
 at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
 at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
 ... 23 more

Resolution

Perform the following steps to import the certificate.
1. Run: echo quit | openssl s_client -starttls smtp -connect <EMAILSERVERIP>:25 > certcheck.log
2. Edit certcheck.log.
3. Delete the lines above -----BEGIN CERTIFICATE-----
4. Delete the lines below -----END CERTIFICATE-----
5. Save the file as email.cer.
6. Run: /opt/CA/jre/bin/keytool -import -file email.cer -cacerts -storepass changeit -alias emailserver
7. Answer "yes" when asked to trust the certificate.
8. Run: /opt/CA/jre/bin/keytool -list -v -cacerts -storepass changeit -alias emailserver
9. Restart the caperfcenter_eventmanager, caperfcenter_sso, caperfcenter_devicemanager, and caperfcenter_console services.
10. Try sending an email again.

Note: If you have multiple email servers that are rotated through via a load balancer or the like, you need to import the certificates from all email servers that may be rotated through.

You can run the command in step 1 multiple times and append to the same file using >>:

echo quit | openssl s_client -starttls smtp -connect <EMAILSERVERIP>:25 >> multicertcheck.log 

Check multicertcheck.log to see whether it contains multiple servers/certificates.

Additionally, if the email server certificate is not self-signed, you MUST also import any related root/intermediate certificate(s).

Note: You must use a different alias for each certificate imported. The alias is just an identifier you choose and needs to be unique per certificate imported.

If you are unsure whether the certificate is self-signed, look in the output from the commands above for lines like:

subject=<Mail server information>
issuer=<Certificate issuer information>

The certificate is self-signed if the subject and issuer lines are the same.

If they are different, that indicates that the certificate was signed by a root/intermediate certificate which would also need to be imported.

This is referred to as the certificate chain of trust.

The chain of trust must end in a trusted root certificate if the certificate is not self-signed.
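
The manual edit of certcheck.log and the subject/issuer comparison described above can be scripted. The following is an added example, not part of the original article or the product: the function names and file prefix are hypothetical, and the sample capture is constructed with placeholder base64, so its output files only show the split and are not importable with keytool.

```shell
# Added example: post-process s_client output captured as in step 1.
# make_sample_log writes a constructed two-server capture (placeholder base64).
make_sample_log() {
    cat > "$1" <<'EOF'
CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLTE=
-----END CERTIFICATE-----
subject=CN = mail1.example.test
issuer=CN = Example Issuing CA
CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLTI=
-----END CERTIFICATE-----
subject=CN = mail2.example.test
issuer=CN = mail2.example.test
EOF
}

# Split every PEM block into its own file (<prefix>1.cer, <prefix>2.cer, ...),
# discarding all text outside the BEGIN/END markers; prints the block count.
split_certs() {
    awk -v prefix="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = prefix n ".cer"; keep = 1 }
        keep { print > out }
        /^-----END CERTIFICATE-----/   { keep = 0; close(out) }
        END { print n + 0 }' "$1"
}

# For each subject=/issuer= pair, report whether the certificate is
# self-signed (subject equals issuer) or its issuer chain is also needed.
classify_certs() {
    awk '
        /^subject=/ { subj = substr($0, 9) }
        /^issuer=/  { iss = substr($0, 8)
                      if (subj == iss) print "self-signed: " subj
                      else print "import issuer chain too: " subj " <- " iss }' "$1"
}

# Demo on the constructed capture.
tmp=$(mktemp -d)
make_sample_log "$tmp/multicertcheck.log"
split_certs "$tmp/multicertcheck.log" "$tmp/emailserver"
classify_certs "$tmp/multicertcheck.log"
rm -rf "$tmp"
```

Each numbered output file can then be imported with its own alias, as the note on unique aliases requires.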