A third party's Encryption Management Server is trying to look up keys on your Encryption Management Server over LDAPS but cannot do so.
Encryption Management Server can look up keys using LDAP or LDAPS. By default it uses LDAP and tries to connect to keys.example.com, where example.com is the domain name of the recipient's email address.
However, Encryption Management Server can also be configured to perform key lookups over LDAPS. Once the key server entry is created, a mail rule is required to perform the lookup.
In some cases, LDAPS key lookups fail even though the remote Encryption Management Server permits inbound LDAPS.
The remote Encryption Management Server is located behind a firewall or load balancer that performs SSL offloading. This means that the firewall terminates the inbound LDAPS connection and opens a new TLS connection of its own to Encryption Management Server.
However, Encryption Management Server does not trust this inbound TLS connection from the firewall because it does not trust the certificate that the firewall presents.
Encryption Management Server 3.4.2 and above.
You can confirm that Encryption Management Server does not trust the certificate that the firewall is using by checking the /var/log/ovid/stunnel.log file. This log contains entries about incoming LDAPS connections. You will need to SSH to Encryption Management Server to view this log.
Enter this command to search for LDAPS entries:
grep -B1 'unable to get local issuer certificate' /var/log/ovid/stunnel.log
If you see entries like this, where 10.1.2.3 is the firewall IP and the firewall certificate has a CN of firewall.example.com, then this confirms that Encryption Management Server does not trust the firewall's issuing certificate chain:
2021.03.17 12:36:24 LOG5[29022:3069881200]: ldaps2 accepted connection from 10.1.2.3:43410
2021.03.17 12:36:24 LOG4[29022:3069881200]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /CN=firewall.example.com
Encryption Management Server needs to trust the certificates in the issuing chain of the firewall's certificate.
To do this, obtain the issuing certificates of the firewall's certificate and add them to Encryption Management Server. If the firewall is using a self-signed certificate, add the public self-signed certificate to Encryption Management Server: