Cannot register new Submitter ID

Article ID: 281789


Products

Messaging Gateway

Issue/Introduction

When registering for a new Submitter ID, the following error appears:

curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

Cause

The SMG is unable to read the correct certificate information from one of the repository servers.
The certificate was changed by an SSL/TLS inspection feature on one of your servers.

Resolution

Set the Control Center log level to debug:

cc-config cclog --level debug

Then try to register a new Submitter ID once more under [Spam > Settings > Submission Settings].
Tick the checkbox Enable Customer-specific Spam Submission, agree to the terms of privacy and click the Enable button.
Then click the button Register for a New Submitter ID Now.

Now you can return the log level to its default value:

cc-config cclog --level warnings

Retrieve the log from [Status → System → Logs], then filter the logs for the Control Center component and download BrightmailLog.log.

You can also get the file from the diagnostics package, in the /logs/bcc/ folder.

Open the BrightmailLog.log file and search for the phrase aztec.brightmail.com in its bottom rows.

 

The correct certificate details should look like the following:

* Server certificate:
*       subject: CN=aztec.brightmail.com,O=Symantec Corporation,L=San Jose,ST=California,C=US
*       start date: Feb 08 00:00:00 2024 GMT
*       expire date: Feb 07 23:59:59 2025 GMT
*       common name: aztec.brightmail.com
*       issuer: CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US

If your environment uses a TLS/SSL inspection feature, the details will be changed, for example:

* Server certificate:
*       subject: CN=aztec.brightmail.com,O=Symantec Corporation,L=San Jose,ST=California,C=US
*       start date: Feb 08 00:00:00 2024 GMT
*       expire date: Feb 07 23:59:59 2025 GMT
*       common name: aztec.brightmail.com
*       issuer: CN=firepower
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)

As the above example shows, the issuer is changed to firepower, which indicates a TLS/SSL inspection feature used in Cisco firewall devices.

To fix the issue, work with your internal network team to disable the feature or exclude SMG traffic from it.
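
The log check described above can be scripted against a downloaded BrightmailLog.log. The following is an added example, not part of the original article or the product: the function names, the sample log, and the assumption that the expected issuer is the one shown in the article's correct sample are all illustrative.

```python
import re

# Assumption: the expected issuer is the one in the article's sample; update it
# when the certificate for aztec.brightmail.com is renewed under another CA.
EXPECTED_ISSUER = "CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US"
HOST = "aztec.brightmail.com"

FIELD = re.compile(r"\*\s+(subject|issuer|common name|start date|expire date):\s*(.*)$")
NSS_ERR = re.compile(r"\* NSS error -?\d+ \((\w+)\)")

# Constructed sample, modelled on the inspected-traffic excerpt in the article.
SAMPLE_LOG = """\
* Server certificate:
*       subject: CN=aztec.brightmail.com,O=Symantec Corporation,L=San Jose,ST=California,C=US
*       common name: aztec.brightmail.com
*       issuer: CN=firepower
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
"""

def parse_cert_blocks(log_text):
    """Return one dict per '* Server certificate:' block in curl's verbose output."""
    blocks, current = [], None
    for line in log_text.splitlines():
        if "* Server certificate:" in line:
            current = {}
            blocks.append(current)
        elif current is not None and line.strip():
            field, err = FIELD.search(line), NSS_ERR.search(line)
            if field:
                current[field.group(1)] = field.group(2).strip()
            elif err:
                current["nss_error"] = err.group(1)
            else:
                current = None  # any other line ends the certificate block
    return blocks

def check_issuer(log_text, host=HOST, expected=EXPECTED_ISSUER):
    """Return (status, issuer, nss_error) for the newest certificate block of host."""
    certs = [b for b in parse_cert_blocks(log_text) if b.get("common name") == host]
    if not certs:
        return ("not found", None, None)
    last = certs[-1]  # the article says to look at the bottom rows of the log
    status = "ok" if last.get("issuer") == expected else "issuer changed"
    return (status, last.get("issuer"), last.get("nss_error"))

if __name__ == "__main__":
    print(check_issuer(SAMPLE_LOG))
```

An "issuer changed" result names the issuer that replaced the expected one, which is the detail the network team needs to identify the inspecting device.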
