SmtpCurl error: Peer certificate cannot be authenticated with given CA certificates.

Hello world, 

We are experiencing some issues with SuO 8.1 Service and SMTP.
I get the following error when testing an SMTP server on port 25:

Feil: SMTP-serveren returnerer følgende feil: SmtpCurl error: Peer certificate cannot be authenticated with given CA certificates. SSL certificate problem: unable to get local issuer certificate 


What I have tried so far:

I tried sending an email with the same settings through telnet (on the same server) and it goes through just fine. 

This happens on easyMail and MailKit (I tried setting it back to easyMail to make sure the new standard for 8.1 wasn't the issue).

I tried running ejOutbox.exe with -debug -maxdebug but it just gives me the same message: 
Outbox::sendMails() Error: SmtpCurl error: Peer certificate cannot be authenticated with given CA certificates. SSL certificate problem: unable to get local issuer certificate 

I tried using the SMTP server outside SuperOffice, in Outlook, to verify it works there.

Does anyone know any way to get a more detailed log of what exactly is going wrong when I use the SMTP server through SuperOffice? It is a certificate error but I can't grasp what exactly is wrong and on what end.


//Eivind

RE: SmtpCurl error: Peer certificate cannot be authenticated with given CA certificates.

I don't know enough of this issue to be of any help, but a way to skip cURL is to set the registry setting with reg_id = 320 to value = 0

By: Simen Mostuen Iversen 9 Nov 2017

RE: SmtpCurl error: Peer certificate cannot be authenticated with given CA certificates.

Hi Eivind,

This issue has been addressed in a previous post (here).

But I'll give you a recap:

Most SMTP servers support encrypted connections from the start of the connection - Office365 does currently not, afaik.

- TLS uses STARTTLS - which upgrades the connection to an encrypted connection.

In Office365, it starts off with an unencrypted connection, and lets cURL know it supports STARTTLS. This will make the connection upgrade to an encrypted connection.

EasyMail (before 8.1) did actually downgrade to a non-encrypted connection if the connection failed! We don't want that :) (that is why it worked before with EasyMail (before 8.1) - and does not with cURL (8.1))

- We want to be sure the connection is encrypted all the way if you have told so explicitly.

So - in scenarios where customers use Service and O365 - you may uncheck "Use SSL" - and the connection will get upgraded to an encrypted connection. - NOTE: No username or password will be sent unencrypted!

By: Jan Andersen 10 Nov 2017

RE: SmtpCurl error: Peer certificate cannot be authenticated with given CA certificates.

Hello,

Thanks for the replies :)

Simen:
"Which email implementation to use. 2 = old email implementation" was already set to 0.
This is an upgraded database from 8.0 SR4 to 8.1, so maybe it isn't set by default?
What is the 8.1 default value?

Jan:
If I understand you correctly, shouldn't setting it back to easyMail then make it work again?
That is one of the first things I tried:

<Mail>
<Component>
<!--
<add key="Reader" value="MailKit" />
<add key="Sender" value="MailKit" />
-->
<add key="Reader" value="easyMail" />
<add key="Sender" value="easyMail" />
</Component>
</Mail>

Setting this makes no difference as far as I can see :( It might be connected to the reg-value Simen mentioned (?).

These are the SMTP settings:


We don't use SSL at all.

NB: This is not O365, if the scenario you explained only occurs there =)

//Eivind

By: Eivind Johan Fasting 10 Nov 2017

RE: SmtpCurl error: Peer certificate cannot be authenticated with given CA certificates.

Hi Eivind,

Of course - I meant set it to 2, not 0. That would make it work.

By: Simen Mostuen Iversen 10 Nov 2017

RE: SmtpCurl error: Peer certificate cannot be authenticated with given CA certificates.

Hello,
Fantastic, now it works like a charm :)

Might be a bug here, where the value is set to 0 by default when upgrading from 8.0 to 8.1. I'll report it if I find other examples.

Conclusion:
This works:
MailKit
update crm.registry set value = 2 where reg_id = 320 

(y) 

Thanks for your help!

//Eivind

By: Eivind Johan Fasting 10 Nov 2017

RE: SmtpCurl error: Peer certificate cannot be authenticated with given CA certificates.

Hijacking this thread a bit.

Anyone got a solution if you want to use Curl but are given this error message?

We can't use the old webclient because it stops working about once a day due to too long subjects, messages that include emojis and all the other bugs related to mail import. We are hoping the new curl import can fix these bugs that cause so much free work for us every week.

Do we need to import a certificate to the CS server, in that case, what certificate?

They are using an on-premise Exchange 2010

Regards

By: Pär Pettersson 6 Dec 2017

RE: SmtpCurl error: Peer certificate cannot be authenticated with given CA certificates.

Hi Pär!

In Exchange, is the certificate a 3rd-party certificate or self-signed?

By: Emilija Vilija Treciokaite 6 Dec 2017

RE: SmtpCurl error: Peer certificate cannot be authenticated with given CA certificates.

We've got the same problem with Curl now. The customer has their own CA (Certificate Authority).

Changing reg_id=320 to 2 might be a potential solution, but since they have a lot of mailboxes, and the old mail implementation is slower than Curl, it would be nice to get this solved using Curl.

By: Frode Lillerud 23 May 2018

RE: SmtpCurl error: Peer certificate cannot be authenticated with given CA certificates.

Had a similar issue where the authentication was rejected because the SMTP address was an IP address and the certificate expected a domain name.

Might be a long shot, but just throwing it out there.

By: Hans Wilhelmsen 23 May 2018

RE: SmtpCurl error: Peer certificate cannot be authenticated with given CA certificates.

Hi Frode,

Becoming a CA is not the big problem; I think the problem they have is that they are not a trusted CA.

@Hans

Thanks for this hint, never paid attention to this.

Greetings

Alex

By: Alexander Wohland 23 May 2018
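
Added example, not part of the thread and not SuperOffice code: a Python probe that repeats the plain-text connect and STARTTLS upgrade on port 25 with verification left on, and maps OpenSSL's verify code to the causes raised above (a private CA missing from the client's bundle, connecting by IP address). The host name and CA file are placeholders.

```python
import smtplib
import ssl

# OpenSSL X509 verify codes for the failure modes discussed in this thread.
VERIFY_HINTS = {
    10: "certificate has expired",
    18: "self-signed server certificate: not trusted unless explicitly added",
    19: "chain ends in a root that is not in the client's CA bundle",
    20: "issuer not found locally: add the issuing (private) CA to the client's CA bundle",
    21: "intermediate certificate missing: server should send its full chain",
    62: "certificate does not cover the host name used to connect",
    64: "connected by IP address, but the certificate has no matching IP SAN",
}

def explain(err):
    """Turn an ssl.SSLCertVerificationError into (verify_code, hint)."""
    code = getattr(err, "verify_code", None)
    return code, VERIFY_HINTS.get(code, getattr(err, "verify_message", str(err)))

def probe_starttls(host, port=25, cafile=None, timeout=10):
    """Connect in clear text, upgrade with STARTTLS, verify chain and host name.

    cafile: PEM bundle with a private CA; None means the system trust store.
    Verification is never disabled; the result dict says where it stopped.
    """
    smtp = smtplib.SMTP(timeout=timeout)
    try:
        ctx = ssl.create_default_context(cafile=cafile)
        smtp.connect(host, port)
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"ok": False, "stage": "ehlo", "detail": "STARTTLS not offered"}
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
        return {"ok": True, "stage": "tls", "tls": smtp.sock.version(),
                "subject": cert.get("subject"), "issuer": cert.get("issuer")}
    except ssl.SSLCertVerificationError as err:
        code, hint = explain(err)
        return {"ok": False, "stage": "verify", "code": code, "detail": hint}
    except (OSError, smtplib.SMTPException) as err:
        return {"ok": False, "stage": "connect", "detail": str(err)}
    finally:
        smtp.close()

if __name__ == "__main__":
    # Placeholders, not values from the thread.
    print(probe_starttls("mail.example.test", 25, cafile="corp-ca.pem"))
```

Run it from the machine that sends the mail, using the same server name that is configured there, since host name checking depends on the name used to connect.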