Tuesday, November 27, 2018

OCI Email Delivery gives “Error in certificate: Peer's certificate issuer is not recognized.”

Symptom:

We planned to use mailx on an Oracle Linux 7.6 VM to send email through the SMTP endpoint of the OCI Email Delivery service. We followed the official documentation to generate SMTP credentials and set up the SMTP connection.
When we run this command:

echo "test test from henry" | mailx -v -s "test test test" \
  -S nss-config-dir=/etc/certs \
  -S smtp-use-starttls \
  -S smtp-auth=plain \
  -S smtp=smtp.us-ashburn-1.oraclecloud.com \
  -S from="no-reply@test.com(henryxie)" \
  -S smtp-auth-user="<ocid from smtp credentials doc>" \
  -S smtp-auth-password="<password from smtp credentials doc>" henry.xie@oracle.com

we get this error:
“Error in certificate: Peer's certificate issuer is not recognized.”

Solution:

The NSS certificate database named by nss-config-dir (/etc/certs) does not contain the CA that issued the certificate for smtp.us-ashburn-1.oraclecloud.com, so mailx cannot build a trust chain for the STARTTLS session and refuses to continue. The fix is to add the issuing CA certificates to that database.

  • To see the certificate chain the server presents, run the command below. The </dev/null closes s_client's stdin so it exits after the handshake instead of waiting for SMTP commands; without it the redirect to the file never completes.
  •  openssl s_client -showcerts -connect smtp.us-ashburn-1.oraclecloud.com:587 -starttls smtp </dev/null > /etc/certs/mycerts
  • Open mycerts in vi and copy each certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, into its own file, e.g. ocismtp-ashburn1.pem and ocismtp-ashburn2.pem. The first certificate in the output is the server's own (leaf) certificate; the ones after it are the CA certificates that signed it. Check the subject and issuer of each file before importing so you know which is which.
  • Import them into the nss-config-dir /etc/certs with the commands below. The nickname after -n is only a local label; -t "TC,," marks the entry as a trusted CA for server (C) and client (T) certificates.
  • certutil -A -n "DigiCert SHA2 Secure Server CA" -t "TC,," -d /etc/certs -i /etc/certs/ocismtp-ashburn1.pem
  • certutil -A -n "DigiCert SHA2 Secure Server CA smtp" -t "TC,," -d /etc/certs -i /etc/certs/ocismtp-ashburn2.pem
  • Use certutil -L -d /etc/certs to verify they are imported; each nickname should be listed with the TC trust flags.
  • Caveat: import only the CA certificates (the intermediate and, ideally, its root, which also ships in the system bundle /etc/pki/tls/certs/ca-bundle.crt). Marking the server's own leaf certificate as a trusted CA works today but breaks as soon as that certificate rotates, and it trusts a single host's key as an issuer.
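The steps above, scripted end to end as an added example (this is not code from the original post or from Oracle): fetch the STARTTLS chain, split it into one PEM file per certificate, print each certificate's subject and issuer, and import only the CA certificates (everything after the leaf) into the NSS database. It assumes openssl and certutil (nss-tools) are installed, that NSS_DIR is writable, and that the host and port default to the ones used in the post; all of the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Fetches the chain that an SMTP
# server presents over STARTTLS, splits it into per-certificate PEM files,
# shows who issued each one, and imports the CA certificates (not the leaf)
# into the NSS database that mailx reads via -S nss-config-dir.
# Assumes: openssl and certutil (nss-tools) installed; NSS_DIR writable.

NSS_DIR="${NSS_DIR:-/etc/certs}"
SMTP_HOST="${SMTP_HOST:-smtp.us-ashburn-1.oraclecloud.com}"
SMTP_PORT="${SMTP_PORT:-587}"

# Dump the server's chain. </dev/null closes s_client's stdin so it exits
# after the handshake instead of waiting for SMTP commands.
fetch_chain() {   # fetch_chain <host> <port>
    openssl s_client -showcerts -starttls smtp -connect "$1:$2" </dev/null
}

# Split the BEGIN/END CERTIFICATE blocks out of s_client output into
# <dir>/cert-1.pem, <dir>/cert-2.pem, ... and print how many were written.
# cert-1 is the server's own certificate; the rest are the chain above it.
split_pem() {     # split_pem <s_client output file> <dir>
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# Print subject and issuer so the leaf (subject = the SMTP host) can be told
# apart from the CA certificates (subject = an issuer name).
describe() {      # describe <pem file>...
    for f in "$@"; do
        printf '%s: ' "$f"
        openssl x509 -in "$f" -noout -subject -issuer | tr '\n' ' '
        echo
    done
}

# Import one certificate as a trusted CA for TLS server certificates.
# "C" is the trust flag STARTTLS verification needs; the post's "TC,," also
# trusts it for client certs, which is harmless but unnecessary here.
import_ca() {     # import_ca <nssdir> <pem file> <nickname>
    certutil -A -d "$1" -t "C,," -n "$3" -i "$2"
}

main() {
    tmp=$(mktemp -d)
    fetch_chain "$SMTP_HOST" "$SMTP_PORT" > "$tmp/chain.txt"
    count=$(split_pem "$tmp/chain.txt" "$tmp")
    if [ "$count" -lt 2 ]; then
        echo "only $count certificate(s) in the chain; check connectivity" >&2
        rm -rf "$tmp"
        exit 1
    fi
    describe "$tmp"/cert-*.pem
    # Skip cert-1 (the leaf) and import every CA certificate after it,
    # using its own subject as the nickname.
    i=2
    while [ "$i" -le "$count" ]; do
        nick=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -subject | sed 's/^subject= *//')
        import_ca "$NSS_DIR" "$tmp/cert-$i.pem" "$nick"
        i=$((i + 1))
    done
    certutil -L -d "$NSS_DIR"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh import-oci-smtp-ca.sh --run` (as a user that can write to /etc/certs), then retry the mailx command. Importing the chain this way is a convenience, not a substitute for a proper root: if a certificate in the chain is not in your distribution's CA bundle, stop and find out why before trusting it.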

Run the mailx command again; with -v the STARTTLS handshake should now complete and the certificate error should be gone. One further caveat: a password passed as -S smtp-auth-password on the command line ends up in shell history and is visible to other users through ps. Put those -S settings in ~/.mailrc with mode 0600 instead.
