Scheduled E-mails Are Not Received

Article ID: 187068

Products

CA Infrastructure Management
CA Performance Management - Usage and Administration
DX NetOps

Issue/Introduction

E-mails from CAPC for scheduled reports are no longer being received.

Scheduled/live run reports are not being received via e-mail.

Environment

CA Performance Management r3.7.x, 20.x, 21.2.x

Cause

The cause was that the mail server's certificate had not been imported on the CAPC server. We saw the following errors in the DMservice.log:

ERROR | EmailJobTaskThreadPool-Thread-106 | 2020-03-13 14:49:30,208 | com.ca.im.portal.dm.scheduling.email.EmailJobTask   
      | Error sending e-mail: Mail server connection failed; nested exception is javax.mail.MessagingException: Can't send command to SMTP host;
  nested exception is:
 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Failed messages: javax.mail.MessagingException: Can't send command to SMTP host;
  nested exception is:
 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
org.springframework.mail.MailSendException: Mail server connection failed; nested exception is javax.mail.MessagingException: Can't send command to SMTP host;
  nested exception is:
 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Failed messages: javax.mail.MessagingException: Can't send command to SMTP host;
  nested exception is:
 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; message exception details (1) are:
Failed message 1:
javax.mail.MessagingException: Can't send command to SMTP host;
  nested exception is:
 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1564)
 at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1551)

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
 at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
 at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
 ... 12 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
 at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
 at sun.security.validator.Validator.validate(Validator.java:262)
 at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
 at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
 at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
 at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
 ... 23 more

Resolution

Perform the following steps to import the certificate.
1. Run: echo quit | openssl s_client -starttls smtp -connect <EMAILSERVERIP>:25 > certcheck.log
2. Edit certcheck.log
3. Delete the lines above -----BEGIN CERTIFICATE-----
4. Delete the lines below -----END CERTIFICATE-----
5. Save the file as email.cer.
6. Run: /opt/CA/jre/bin/keytool -import -file email.cer -keystore /opt/CA/jre/lib/security/cacerts -storepass changeit -alias emailserver
7. Answer "yes" when asked to trust the certificate.
8. Run: /opt/CA/jre/bin/keytool -list -v -keystore /opt/CA/jre/lib/security/cacerts -storepass changeit -alias emailserver
9. Restart DM and PC service.
10. Try sending an email.

Note: If you have multiple email servers that are rotated through via a load balancer or the like, you need to import the certificates from all email servers that may be rotated through.
 
You can run the command in step 1 multiple times, and append using >>

echo quit | openssl s_client -starttls smtp -connect <EMAILSERVERIP>:25 >> multicertcheck.log 

Check multicertcheck.log to see if you see multiple servers/certificates.

Additionally, if the email server certificate is not self-signed you also need to import any related root/intermediate certificate(s).

Note: You must use a different alias for each certificate imported. The alias is just an identifier you choose and needs to be unique per certificate imported.

If you are unsure whether the certificate is self-signed, look in the output from the commands above for lines like:

subject=<Mail server information>
issuer=<Certificate issuer information>

If the subject and issuer lines are the same, the certificate is self-signed.

If they are different, the certificate was signed by a root/intermediate certificate, which would also need to be imported.

This is referred to as the certificate chain of trust.

The chain of trust must end in a trusted root certificate if the certificate is not self-signed.
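
The manual editing in steps 2 to 5 and the subject/issuer comparison can be scripted. The following is an added example, not part of the original article: it splits an appended log such as multicertcheck.log into one file per certificate and marks each as self-signed or CA-signed. The function name split_certs, the email-N.cer file names, the emailserver-N aliases and the sample log are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): split an appended s_client
# log into one PEM file per certificate and flag self-signed certificates.

# split_certs LOG OUTDIR
# Writes OUTDIR/email-N.cer for the Nth certificate found in LOG and prints,
# per certificate: file name, a unique alias, self-signed|ca-signed,
# subject and issuer. Assumes s_client was run without -showcerts, so each
# run contributes one PEM block followed by its subject=/issuer= lines.
split_certs() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; file = dir "/email-" n ".cer"; inpem = 1 }
        inpem                          { print > file }
        /^-----END CERTIFICATE-----/   { inpem = 0; close(file) }
        /^subject=/ { subject = substr($0, 9) }
        /^issuer=/  {
            issuer = substr($0, 8)
            kind = (issuer == subject) ? "self-signed" : "ca-signed"
            printf "email-%d.cer alias=emailserver-%d %s subject=%s issuer=%s\n",
                   n, n, kind, subject, issuer
        }
    ' "$1"
}

# Constructed sample: two s_client runs appended to one log. Host names are
# made up and the base64 bodies are placeholders, not real certificates.
workdir=$(mktemp -d)
cat > "$workdir/multicertcheck.log" <<'EOF'
CONNECTED(00000003)
---
Server certificate
-----BEGIN CERTIFICATE-----
PLACEHOLDERBODYONE
-----END CERTIFICATE-----
subject=CN = mail1.example.test
issuer=CN = mail1.example.test
---
CONNECTED(00000003)
---
Server certificate
-----BEGIN CERTIFICATE-----
PLACEHOLDERBODYTWO
-----END CERTIFICATE-----
subject=CN = mail2.example.test
issuer=CN = Example Test Issuing CA
---
EOF

report=$(split_certs "$workdir/multicertcheck.log" "$workdir")
printf '%s\n' "$report"
```

Before importing a real file, compare the output of openssl x509 -noout -fingerprint -sha256 -in email-N.cer with the fingerprint supplied by the mail server administrator, because the certificate was fetched over the same unauthenticated connection it is meant to secure.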