Abstract: If a third-party system (e.g. a Microsoft SQL Server) connects to a Microsoft Exchange Server over SMTP with STARTTLS, you might see an error message like "The remote certificate is invalid according to the validation procedure" in its log files.

The full error message you might see (depending on the environment that is connecting to the Exchange Server) is:

The mail could not be sent to the recipients because of the mail server failure. (Sending Mail using Account 1 (2016-07-16T12:44:02). Exception Message: Cannot send mails to mail server. (The remote certificate is invalid according to the validation procedure.).


Root cause:

The client validated the certificate that the Exchange Server presented for SMTP and rejected it. "The remote certificate is invalid according to the validation procedure" is the wording .NET uses for that rejection; the application log just wraps it. The rejection can have several causes (chain not trusted, certificate expired, name mismatch, certificate revoked, self-signed certificate), so multiple solutions might apply here; the common ones are outlined below.


Troubleshooting:

So the first step is to check which certificate our Exchange Server actually presents on its SMTP port.

1.) On the affected OS (the one our application runs on, from which we need to troubleshoot the SMTP problem) install OpenSSL.

2.) Open a connection from the affected OS to the Exchange environment via:

openssl s_client -connect exchange01.int.contoso.com:25 -starttls smtp

or, if an implicit-TLS (SMTPS) listener has been configured, on the standard secure SMTP port:

openssl s_client -connect exchange01.int.contoso.com:465

Note that Exchange's default receive connectors use STARTTLS on ports 25 and 587 and do not offer implicit TLS, so the first form (with the port your application uses) is normally the right one.

3.) If the port is open you will get a result similar to this one (here from an OpenSSL build on Windows). The lines to look at are the depth/verify error near the top and the "Verify return code" near the bottom, which name the validation failure:

C:\OpenSSL-Win32\bin>openssl s_client -connect exchange01.int.contoso.com:25 -starttls smtp
CONNECTED(000000F4)
depth=1 DC = com, DC = contoso, DC = int, CN = Contoso Subordinate CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/CN=exchange01.int.contoso.com
i:/DC=com/DC=contoso/DC=int/CN=Contoso Subordinate CA
1 s:/DC=com/DC=contoso/DC=int/CN=Contoso Subordinate CA
i:/CN=Contoso Offline Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[SNIP SSL Server certificate here SNIP]
-----END CERTIFICATE-----
subject=/CN=exchange01.int.contoso.com
issuer=/DC=com/DC=contoso/DC=int/CN=Contoso Subordinate CA
---
No client certificate CA names sent
Peer signing digest: SHA1
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 4024 bytes and written 423 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: 6F1D0000A16611FFD0185771000EB3F60C608E3B51363E827BF8CC5F4F1C31DF
Session-ID-ctx:
Master-Key: 26978F25E762B883EA34AC65673D8718A4777ACCF15BC75E7453BB3286BC4A265727C9067A4B8844CB2E20F84034FE29
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1487166762
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: yes
---
250 XRDST

4.) Once the connection is active you can try to send an email the normal telnet way (EHLO, MAIL FROM, RCPT TO, DATA), as mentioned here for example.


If that works, the SMTP service itself is fine and the problem is the certificate. Depending on your environment multiple solutions might apply here (as already outlined); the "Verify return code" in the openssl output tells you which one (20 for the chain problem of Solution 01, 10 for an expired certificate, 18 for a self-signed one):


Solution 01: A certificate chain could not be built to a trusted root authority:

In .NET terms the reported policy error is RemoteCertificateChainErrors; in the openssl output above it shows as "verify error:num=20:unable to get local issuer certificate" at depth 1, i.e. the client received the server certificate and the subordinate CA certificate but has no trust anchor for them. To make sure the chain is trusted on the affected system you need to look at every certificate inside the chain. For our environment the chain is:

Certificate chain
0 s:/CN=exchange01.int.contoso.com
i:/DC=com/DC=contoso/DC=int/CN=Contoso Subordinate CA
1 s:/DC=com/DC=contoso/DC=int/CN=Contoso Subordinate CA
i:/CN=Contoso Offline Root CA

Solution (Windows OS):

Make sure that the full certificate chain is trusted on the affected environment. If that is a Microsoft SQL Server running on Windows Server, import the root certificate (/CN=Contoso Offline Root CA) into the "Trusted Root Certification Authorities" store and the intermediate certificate (/DC=com/DC=contoso/DC=int/CN=Contoso Subordinate CA) into the "Intermediate Certification Authorities" store, both under the computer account (certlm.msc or the Certificates MMC snap-in), so that the service account the application runs under sees them. Strictly, only the root is required when the server sends the intermediate (as Exchange does in the output above), but importing the intermediate as well covers a connector that does not. The same fix works for every other product that uses the Windows certificate store (SChannel).

Solution (Java certificate store):

Make sure that the full certificate chain is trusted on the affected environment. To do that, import the root (/CN=Contoso Offline Root CA) and intermediate certificates (/DC=com/DC=contoso/DC=int/CN=Contoso Subordinate CA) with keytool into the truststore the application actually uses: by default that is the cacerts file of the JRE it runs with, unless the application points javax.net.ssl.trustStore at its own file. See here for a how-to.


Solution 02: SSL certificate expired

Make sure that the certificate used for the SMTP service offered by the Exchange Server is not expired; openssl reports this as "Verify return code: 10 (certificate has expired)". Check the intermediate and root certificates too, since an expired certificate anywhere in the chain fails validation, and check the client's clock, which is what the validity period is compared against. If this is the case you might also see the error "A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file".


Solution 03: Certificate name mismatch

The error could also be RemoteCertificateNameMismatch. Make sure that the certificate used for the SMTP service offered by the Exchange Server matches the hostname you are using: the name the application connects with must appear in the certificate's Subject Alternative Name entries (or, for older clients, in the Common Name), so connecting by IP address, by the short name exchange01 or by a CNAME alias fails when the certificate only carries exchange01.int.contoso.com. Either connect using a name that is in the certificate or re-issue the certificate with every name the clients use.


Solution 04: SSL certificate revoked

Make sure that the certificate used for the SMTP service offered by the Exchange Server is not revoked. Also make sure the client can reach the CRL distribution point or OCSP responder listed in the certificate: when revocation checking is enabled and the CRL cannot be downloaded, the chain status is RevocationStatusUnknown / OfflineRevocation and .NET reports that as RemoteCertificateChainErrors as well, which looks exactly like Solution 01 in the log file.


Solution 05: Self-signed certificate used:

If the output above showed a self-signed certificate (issuer equal to subject, with "Verify return code: 18 (self signed certificate)") for the SMTP service offered by the Exchange Server, you should change that; this is the certificate Exchange installs by default. Get a certificate from a CA your clients trust (for internal clients an internal enterprise CA is fine, see Solution 01) for your Exchange Server and enable it for the SMTP service via (more info here):

Enable-ExchangeCertificate -Thumbprint 434AC224C8459924B26521298CE8834C514856AB -Services SMTP

Exchange picks the certificate for STARTTLS on a receive connector by matching the connector's FQDN against the certificate's names, so re-run the openssl check from step 2 afterwards to confirm the new certificate is really the one presented.

A workaround is to add the self-signed certificate to the Trusted Root Certification Authorities store on the affected Microsoft OS. This pins exactly that certificate, so it has to be repeated whenever the self-signed certificate is renewed. To do that:

a.) Run mmc.exe from a CMD prompt

b.) Add the Certificates snap-in (computer account)

c.) Import the self-signed certificate into the "Trusted Root Certification Authorities" folder
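The following is an added example, not code from the original article, that reproduces Solutions 01, 02, 03 and 05 offline: it builds a throw-away PKI whose subject names copy the s_client output above (the 2048-bit keys, the 10/5/1-year lifetimes and the scratch directory $WORK are assumptions of the demo) and runs openssl verify in each situation. openssl verify prints the same numeric codes that s_client shows as "Verify return code", so you can see what the client will log for a chain before touching the live Exchange Server.

```shell
#!/bin/sh
# Added example (not from the original article): reproduce the certificate
# validation failures behind Solutions 01/02/03/05 offline with `openssl verify`.
# Assumptions of this demo: a throw-away PKI whose subject names copy the
# s_client output above, 2048-bit RSA keys, 10y/5y/1y lifetimes, scratch dir $WORK.
# `openssl verify` prints the same numeric codes that s_client reports as
# "Verify return code: N (...)", so the functions below answer "what would the
# client see?" for each situation.

WORK="${WORK:-$(mktemp -d)}"

# Create a key + CSR for $name and sign it with CA $ca (self-sign when $ca is
# empty), adding the X.509 extensions listed in $ext. Output: $WORK/$name.pem
issue_cert() {
  name=$1; subj=$2; ext=$3; ca=$4; days=$5
  printf '%b\n' "$ext" > "$WORK/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null || return 1
  if [ -z "$ca" ]; then
    openssl x509 -req -days "$days" -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -days "$days" -in "$WORK/$name.csr" \
      -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" -CAcreateserial \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# Lab PKI: offline root -> subordinate CA -> Exchange server cert, plus a
# self-signed server cert standing in for the one Exchange installs by default.
make_lab_pki() {
  ca_ext='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
  srv_ext='basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:exchange01.int.contoso.com'
  issue_cert root '/CN=Contoso Offline Root CA' "$ca_ext" '' 3650 &&
  issue_cert sub '/DC=com/DC=contoso/DC=int/CN=Contoso Subordinate CA' "$ca_ext" root 1825 &&
  issue_cert leaf '/CN=exchange01.int.contoso.com' "$srv_ext" sub 365 &&
  issue_cert self '/CN=exchange01.int.contoso.com' "$srv_ext" '' 365
}

# Run `openssl verify` with the given options and reduce the result to "OK" or
# "error N", N being the X509_V_ERR_* code (20 = unable to get local issuer
# certificate, 10 = expired, 62 = hostname mismatch, 18 = self-signed).
verify_status() {
  if out=$(openssl verify "$@" 2>&1); then
    echo OK
  else
    code=$(printf '%s\n' "$out" |
      sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' | head -n 1)
    echo "error ${code:-unknown}"
  fi
}

# Solution 01: the chain exactly as the client received it (server cert plus
# subordinate CA) and no local trust anchor: error 20 at depth 1, as on the page.
chain_as_received() { verify_status -untrusted "$WORK/sub.pem" "$WORK/leaf.pem"; }
# Root imported, but the intermediate is neither local nor sent by the server:
# still error 20, now at depth 0. Importing the intermediate too avoids this.
chain_root_only()   { verify_status -CAfile "$WORK/root.pem" "$WORK/leaf.pem"; }
# Root trusted and intermediate available: the state Solution 01 aims for.
chain_fixed()       { verify_status -CAfile "$WORK/root.pem" -untrusted "$WORK/sub.pem" "$WORK/leaf.pem"; }
# Solution 02: validate the same chain as of a given UNIX time (the client clock).
chain_at_time()     { verify_status -attime "$1" -CAfile "$WORK/root.pem" -untrusted "$WORK/sub.pem" "$WORK/leaf.pem"; }
# Solution 03: check the name the client connects with against the SAN.
chain_for_host()    { verify_status -verify_hostname "$1" -CAfile "$WORK/root.pem" -untrusted "$WORK/sub.pem" "$WORK/leaf.pem"; }
# Solution 05: a self-signed server cert fails (error 18) unless that very
# certificate is made a trust anchor, which is what the MMC workaround does.
selfsigned_untrusted() { verify_status "$WORK/self.pem"; }
selfsigned_pinned()    { verify_status -CAfile "$WORK/self.pem" "$WORK/self.pem"; }
# 400 days from now: past the server cert's 1-year lifetime, inside the CAs'.
future_time() { echo $(( $(date +%s) + 400 * 86400 )); }

make_lab_pki || { echo "could not build the lab PKI (is openssl installed?)" >&2; exit 1; }
echo "chain as received, no trust anchor      : $(chain_as_received)"
echo "root trusted, intermediate missing      : $(chain_root_only)"
echo "root trusted, intermediate present      : $(chain_fixed)"
echo "same chain 400 days from now            : $(chain_at_time "$(future_time)")"
echo "connecting as exchange01.int.contoso.com: $(chain_for_host exchange01.int.contoso.com)"
echo "connecting as exchange01                : $(chain_for_host exchange01)"
echo "self-signed cert, not trusted           : $(selfsigned_untrusted)"
echo "self-signed cert imported as root       : $(selfsigned_pinned)"
```

Run it with sh; each line prints the code for one situation, and the first one (error 20) is the depth-1 failure from the s_client output above. To check a real chain instead of the lab one, save the certificates that s_client prints with its -showcerts option and point -CAfile/-untrusted at those files.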


Cross information:
https://blogs.msdn.microsoft.com/jpsanders/2009/09/16/troubleshooting-asp-net-the-remote-certificate-is-invalid-according-to-the-validation-procedure/
