Problem with Office365 Certificate file is affecting the mail notifications

Document ID : KB000126320
Last Modified Date : 06/02/2019
Show Technical Document Details
Issue:
The pdm_mail_nxd stopped sending notifications due to the error in the log:

02/05 21:12:15.54 sdmserver pdm_mail_nxd 11680 ERROR 
02/05 21:12:15.73 sdmserver pdm_mail_nxd 11680 ERROR hunny_mail_intf.c 2173 ThrdLogger Sess:11:0 Unable to connect to mail servers (outlook.com). Last message: TLS Connection to SMTP Server: outlook.com at Port: 587 failed. Error (15) Failed to find the CA certificate 
02/05 21:12:15.73 sdmserver pdm_mail_nxd 11680 SIGNIFICANT hunny_mail_intf.c 1335 Send Mail retry scheduled 
Environment:
Service Desk Manager 14.x / 17.x
Cause:
The certificate is not valid, expired or corrupted
Resolution:

1. If the Certificate file name has format <name>.txt, it should be renamed as <name>.cer

2. After gathering the information for your root certificate, create a file using Notepad with the certificate's information. For the example below, we are using the DigiCert Global Root CA which is valid for Office 365 as of Dec 2016:

See below:

User-added image

Valid certificate for Office 365 (copy and past it to a file using Notepad):

-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----

3. Save the file and copy it to the primary server and make note of the path.

4. To import the new valid certificate do the following procedure:
    4.1. Remove NX_ROOT\pdmconf\nx.keystore 
    4.2. Create a new certification file by copying the certificate content from STEP 2 to a text file and saved it at root C drive as cert.cer 
    4.3. Run pdm_perl pdm_keystore_mgr.pl -import c:\cert.cer (manually) 
    4.4. Restart pdm_mail_nxd via pdm_kill command:
           pdm_kill pdm_mail_nxd

Additional Information:
An alert to step 4.3 - Run pdm_perl pdm_keystore_mgr.pl -import c:\cert.cer (manually):

In case you get error in the command such as:

C:\PROGRA2\CA\SERVIC1\bin>pdm_perl pdm_keystore_mgr.pl -import C:\DigiCertGlob 
alRootCA.cer 
Generating 2.048 bit RSA key pair and self-signed certificate (SHA256withRSA) wi 
th a validity of 36.500 days 
for: CN=CA, OU=CA Service Desk Manager, O=EITM, L=Islandia, ST=NY, C=US 
[Storing D:\PROGRA2\CA\SERVIC1\pdmconf\nx.keystore] 
Certificate was added to keystore 
[Storing D:\PROGRA2\CA\SERVIC1\pdmconf\nx.keystore] 


FAILED: The certificate was not imported into the keystore. 
Exiting at pdm_keystore_mgr.pl line 170. 


Then try to copy the certificate content from STEP 2 to a text file, and re-ran the command to manually import it. The expected result is: 

C:\PROGRA2\CA\SERVIC1\bin>pdm_perl pdm_keystore_mgr.pl -import C:\cert.cer 
Generating 2.048 bit RSA key pair and self-signed certificate (SHA256withRSA) wi 
th a validity of 36.500 days 
for: CN=CA, OU=CA Service Desk Manager, O=EITM, L=Islandia, ST=NY, C=US 
[Storing D:\PROGRA2\CA\SERVIC1\pdmconf\nx.keystore] 
Certificate was added to keystore 
[Storing D:\PROGRA2\CA\SERVIC1\pdmconf\nx.keystore] 


SUCCESS! 
The certificate cert.cer has been imported. 
Use -list to see the contents of the keystore. 


If it fail to import the certificate, run the command to see if it's already there:

C:\PROGRA2\CA\SERVIC1\bin>pdm_perl pdm_keystore_mgr.pl -list -v

You may see something similar to:

Alias name: cert.cer
Creation date: 06/02/2019
Entry type: trustedCertEntry
 
Owner: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: 83be056904246b1a1756ac95991c74a
Valid from: Thu Nov 09 22:00:00 BRST 2006 until: Sun Nov 09 22:00:00 BRST 2031
Certificate fingerprints:
         MD5:  79:E4:A9:84:0D:7D:3A:96:D7:C0:4F:E2:43:4C:89:2E
         SHA1: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
         SHA256: 43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:
26:DB:25:7F:89:34:A4:43:C7:01:61
         Signature algorithm name: SHA1withRSA
         Version: 3
 
Extensions:
 
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB   66 F0 A3 E2 1B 1B C3 97  ..P5V.L.f.......
0010: B2 3D D1 55                                        .=.U
]
]
 
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
 
#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]
 
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB   66 F0 A3 E2 1B 1B C3 97  ..P5V.L.f.......
0010: B2 3D D1 55                                        .=.U
]
]
 
 
 
*******************************************
*******************************************


It means that the certificate is already imported. So go to the next step 4.4.