Problem with Office365 Certificate file is affecting the mail notifications

Document ID : KB000126320

Last Modified Date : 06/02/2019

Issue:

The pdm_mail_nxd stopped sending notifications due to the error in the log:

02/05 21:12:15.54 sdmserver pdm_mail_nxd 11680 ERROR
02/05 21:12:15.73 sdmserver pdm_mail_nxd 11680 ERROR hunny_mail_intf.c 2173 ThrdLogger Sess:11:0 Unable to connect to mail servers (outlook.com). Last message: TLS Connection to SMTP Server: outlook.com at Port: 587 failed. Error (15) Failed to find the CA certificate
02/05 21:12:15.73 sdmserver pdm_mail_nxd 11680 SIGNIFICANT hunny_mail_intf.c 1335 Send Mail retry scheduled

Environment:

Service Desk Manager 14.x / 17.x

Cause:

The certificate is not valid, expired or corrupted

Resolution:

1. If the Certificate file name has format <name>.txt, it should be renamed as <name>.cer

2. After gathering the information for your root certificate, create a file using Notepad with the certificate's information. For the example below, we are using the DigiCert Global Root CA which is valid for Office 365 as of Dec 2016:

See below:

User-added image

Valid certificate for Office 365 (copy and past it to a file using Notepad):

-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----

3. Save the file and copy it to the primary server and make note of the path.

4. To import the new valid certificate do the following procedure:
4.1. Remove NX_ROOT\pdmconf\nx.keystore
4.2. Create a new certification file by copying the certificate content from STEP 2 to a text file and saved it at root C drive as cert.cer
4.3. Run pdm_perl pdm_keystore_mgr.pl -import c:\cert.cer (manually)
4.4. Restart pdm_mail_nxd via pdm_kill command:
pdm_kill pdm_mail_nxd

Additional Information:

An alert to step 4.3 - Run pdm_perl pdm_keystore_mgr.pl -import c:\cert.cer (manually):

In case you get error in the command such as:

C:\PROGRA2\CA\SERVIC1\bin>pdm_perl pdm_keystore_mgr.pl -import C:\DigiCertGlob
alRootCA.cer
Generating 2.048 bit RSA key pair and self-signed certificate (SHA256withRSA) wi
th a validity of 36.500 days
for: CN=CA, OU=CA Service Desk Manager, O=EITM, L=Islandia, ST=NY, C=US
[Storing D:\PROGRA2\CA\SERVIC1\pdmconf\nx.keystore]
Certificate was added to keystore
[Storing D:\PROGRA2\CA\SERVIC1\pdmconf\nx.keystore]

FAILED: The certificate was not imported into the keystore.
Exiting at pdm_keystore_mgr.pl line 170.

Then try to copy the certificate content from STEP 2 to a text file, and re-ran the command to manually import it. The expected result is:

C:\PROGRA2\CA\SERVIC1\bin>pdm_perl pdm_keystore_mgr.pl -import C:\cert.cer
Generating 2.048 bit RSA key pair and self-signed certificate (SHA256withRSA) wi
th a validity of 36.500 days
for: CN=CA, OU=CA Service Desk Manager, O=EITM, L=Islandia, ST=NY, C=US
[Storing D:\PROGRA2\CA\SERVIC1\pdmconf\nx.keystore]
Certificate was added to keystore
[Storing D:\PROGRA2\CA\SERVIC1\pdmconf\nx.keystore]

SUCCESS!
The certificate cert.cer has been imported.
Use -list to see the contents of the keystore.

If it fail to import the certificate, run the command to see if it's already there:

C:\PROGRA2\CA\SERVIC1\bin>pdm_perl pdm_keystore_mgr.pl -list -v

You may see something similar to:

Alias name: cert.cer
Creation date: 06/02/2019
Entry type: trustedCertEntry

Owner: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: 83be056904246b1a1756ac95991c74a
Valid from: Thu Nov 09 22:00:00 BRST 2006 until: Sun Nov 09 22:00:00 BRST 2031
Certificate fingerprints:
MD5: 79:E4:A9:84:0D:7D:3A:96:D7:C0:4F:E2:43:4C:89:2E
SHA1: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
SHA256: 43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:
26:DB:25:7F:89:34:A4:43:C7:01:61
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB 66 F0 A3 E2 1B 1B C3 97 ..P5V.L.f.......
0010: B2 3D D1 55 .=.U
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB 66 F0 A3 E2 1B 1B C3 97 ..P5V.L.f.......
0010: B2 3D D1 55 .=.U
]
]

*******************************************
*******************************************

It means that the certificate is already imported. So go to the next step 4.4.

Was this information helpful?