| Component | edoc invoice |
|---|---|
| Version | 25.7.1 |
| Created on | |
| Last modified on | |
| Review status | |
| KB article number | 2235564424 |

Summary
The connection test for e-mail notifications for edoc invoice in the workflow settings fails. You receive the following message when testing the connection:
Error: Connection to the server could not be established. Please check your entries.
You will also find the following error message in the workflow-deploy log:
OpenSSL Error messages: error:0A000086:SSL routines::certificate verify failed
With version 25.7.1, the edoc software automatically enforces an encrypted connection to the e-mail server if the e-mail server provides an encrypted connection. For security reasons, unencrypted connections are no longer accepted as a fallback solution.
If you have updated your system in edoc system control to version 25.7.1 and have previously used unencrypted e-mails, the connection test will fail.
This KB article explains how to read out the public certificate of your e-mail server and enter it in your system in order to establish encrypted communication.
Important requirements
- DNS name instead of IP address: The address of the e-mail server must be specified in the connection settings as the DNS name (e.g. mail.yourdomain.com), not as the IP address. Certificates are always issued for host names. Validation will fail if an IP address is used.
- Access to the edoc platform server: You need SSH access to the edoc platform server to query the certificate via the command line.
- Access to edoc system control: You need access to the customer system in edoc system control to specify the certificate.
Solution
You must query the certificate of your e-mail server and enter it as a trusted certificate in edoc system control.
Check the e-mail server data
Here's how
- Check the connection data in edoc invoice under Workflow settings. If an IP address has been entered in the Host field, change the IP address to the corresponding DNS name.
- Establish a connection to the edoc platform server via SSH.
- Execute the following command in the command line to query the public part of the e-mail server certificate. Replace the placeholder <mailserver:port> and the e-mail protocol according to your environment:
  openssl s_client -connect <mailserver:port> -starttls smtp -showcerts
- Copy the displayed certificate completely to your clipboard. The following lines must be included:
  -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
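Before a certificate is entered as trusted, it is worth confirming what the server actually returned. The following script is an added example, not part of the original article or of the edoc software: it splits the `-showcerts` output into one file per certificate and checks that the first block (the server's own certificate) covers the DNS name from the Host field and is not about to expire. The function names, port 587 and the 30-day threshold are assumptions, and the embedded transcript is constructed.

```shell
#!/bin/sh
# Added example, not edoc code; function names are hypothetical.

# Constructed stand-in for s_client -showcerts output (placeholder bodies).
sample_transcript() {
  cat <<'EOF'
Certificate chain
 0 s:CN = mail.yourdomain.com
-----BEGIN CERTIFICATE-----
PLACEHOLDER-SERVER-CERT
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERT
-----END CERTIFICATE-----
EOF
}

# split_pem DIR: write each certificate block from stdin to DIR/cert-N.pem
# (cert-0 is the server's own certificate) and print the number of blocks.
split_pem() {
  awk -v dir="$1" '
    BEGIN { n = 0 }
    /^-----BEGIN CERTIFICATE-----/ { f = dir "/cert-" n ".pem"; on = 1 }
    on { print > f }
    /^-----END CERTIFICATE-----/ { if (on) { close(f); n++; on = 0 } }
    END { print n }'
}

# check_cert FILE HOST: print identifying fields; return non-zero if the
# certificate does not cover HOST or expires within 30 days.
check_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256 || return 2
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match' ||
    { echo "FAIL: certificate does not cover $2"; return 1; }
  openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null ||
    { echo "FAIL: certificate expires within 30 days"; return 1; }
  echo "OK: certificate covers $2"
}

# Usage on the edoc platform server: sh check-mail-cert.sh mail.yourdomain.com:587
if [ "$#" -eq 1 ]; then
  dir=$(mktemp -d)
  n=$(openssl s_client -connect "$1" -starttls smtp -showcerts </dev/null 2>/dev/null | split_pem "$dir")
  echo "$n certificate block(s) from $1, saved in $dir"
  check_cert "$dir/cert-0.pem" "${1%:*}"
fi
```

Compare the printed SHA-256 fingerprint with the value your mail server administrator reports, because a certificate fetched over the network is only as trustworthy as the connection it came over.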
Specify the certificate in edoc system control
Here's how
- Open edoc system control in your browser.
- Select the affected system.
- Navigate to Konfiguration > Vertrauenswürdige Zertifikate verwalten (Configuration > Manage trusted certificates).
- Paste the copied certificate into the text field provided and enter the name for the certificate, e.g. the name of the e-mail server.
- Click on Bestand der Zertifikate übertragen (Transfer inventory of certificates).
- Repeat the connection test for the e-mail notifications in the edoc invoice workflow settings.
No complete system synchronization takes place. The edoc agent task SyncTrustedCertificate only adds the trusted certificate to edoc platform.
Once the SyncTrustedCertificate task has been completed, you can establish encrypted communication.