Mail notification: certificate revocation

Resolved


Windows 2022 with DVLS 2025.2.4

The SMTP server had its SSL\TLS certificate renewed. The Windows local certificate management has the new root and intermediates.

When attempting to run a test of mail notification, I get the error:
SslHandshakeException - An error occurred while attempting to establish an SSL or TLS connection.

The server's SSL certificate could not be validated for the following reasons:
• The server certificate has the following errors:
    • The revocation function was unable to check revocation for the certificate.
    • The revocation function was unable to check revocation because the revocation server was offline.
• An intermediate certificate has the following errors:
    • The revocation function was unable to check revocation for the certificate.
    • The revocation function was unable to check revocation because the revocation server was offline.


at MailKit.Net.Smtp.SmtpClient.PostConnect(Stream stream, String host, Int32 port, SecureSocketOptions options, Boolean starttls, CancellationToken cancellationToken)
at MailKit.Net.Smtp.SmtpClient.Connect(String host, Int32 port, SecureSocketOptions options, CancellationToken cancellationToken)
at Devolutions.Server.V2.Application.SmtpService.CreateService(EmailConfigurationEntity emailConfiguration)
at Devolutions.Server.EmailManager.CreateService(EmailConfigurationEntity settings)
at Devolutions.Server.EmailManager.<>c__DisplayClass41_0.<DoSendEmail>b__0()

------------------------------------------

AuthenticationException - The remote certificate was rejected by the provided RemoteCertificateValidationCallback.

at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
at System.Net.Security.SslStream.AuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions)
at MailKit.Net.Smtp.SmtpClient.PostConnect(Stream stream, String host, Int32 port, SecureSocketOptions options, Boolean starttls, CancellationToken cancellationToken)


Is there another certificate store that needs to be updated?

All Comments (6)

Hi Scott,

I forwarded the information to the developers and asked for a second opinion. In the meantime, here's what I have in mind:

It's hard to pinpoint the exact issue as the stack seems generic, but my understanding of the validation is that .NET does it through this function: https://learn.microsoft.com/en-us/dotnet/api/system.net.security.remotecertificatevalidationcallback?view=net-9.0

It creates an X509 certificate object for the verification, so I guess that you could use openssl to verify the certificate of your SMTP server and get a better idea: https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server

Let me know your thoughts.

Best regards,

Marc-Antoine Dubois
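
The certificate check suggested above, written out in PowerShell as an added example (not code from this thread or from Devolutions): it fetches the SMTP server's certificate, rebuilds the chain from the local Windows stores with online revocation checking, and prints each element's status and revocation URLs. `$SmtpHost` and `$Port` are placeholders, and port 465 is assumed to mean implicit TLS.

```powershell
# Added example. $SmtpHost and $Port are placeholders, not values from this thread.
param(
    [string]$SmtpHost = 'smtp.example.com',
    [int]$Port = 587   # assumption: 465 = implicit TLS, any other port = STARTTLS
)
$tcp = [System.Net.Sockets.TcpClient]::new($SmtpHost, $Port)
try {
    $net = $tcp.GetStream()
    if ($Port -ne 465) {
        # Plain-text SMTP preamble up to STARTTLS; a multi-line reply ends at the "NNN " line.
        $r = [System.IO.StreamReader]::new($net)
        $w = [System.IO.StreamWriter]::new($net)
        $w.NewLine = "`r`n"; $w.AutoFlush = $true
        $readReply = { do { $l = $r.ReadLine() } while ($l -match '^\d{3}-'); $l }
        $null = & $readReply                                   # server greeting
        $w.WriteLine("EHLO $env:COMPUTERNAME"); $null = & $readReply
        $w.WriteLine('STARTTLS')
        $reply = & $readReply
        if ($reply -notmatch '^220') { throw "STARTTLS refused: $reply" }
    }
    # Accept any certificate so the handshake completes and the certificate can be read.
    # Diagnostic only: nothing else is sent over this connection.
    $ssl = [System.Net.Security.SslStream]::new($net, $false, [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    $ssl.AuthenticateAsClient($SmtpHost)
    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    # Rebuild the chain from the local Windows stores with online revocation checks.
    # Intermediates the server sent are not reused here, so a missing local one shows as PartialChain.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    "Chain valid: $($chain.Build($leaf))"
    foreach ($el in $chain.ChainElements) {
        $status = $el.ChainElementStatus.Status -join ', '
        if (-not $status) { $status = 'OK' }
        "Subject : $($el.Certificate.Subject)"
        "Issuer  : $($el.Certificate.Issuer)"
        "Status  : $status"
        # CRL distribution points (2.5.29.31) and AIA/OCSP (1.3.6.1.5.5.7.1.1): URLs the check must reach.
        $el.Certificate.Extensions |
            Where-Object { $_.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1' } |
            ForEach-Object { $_.Format($true) }
    }
}
finally { $tcp.Close() }
```

`RevocationStatusUnknown` and `OfflineRevocation` in a Status line correspond to the two revocation errors in the exception message. Run it under the account the DVLS service uses, since proxy settings and per-user certificate stores differ between accounts.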

Hi Scott,

I've attached a PowerShell script given to me by one of the devs. It should give you a better idea of what's wrong with the certificate validation.

Let us know if this helps!

Best regards,

Marc-Antoine Dubois

Test-SmtpServerCertificate.ps1

Thanks for the suggestions. The work week was crazy. I configured it to work with SSL till I can get to it next week.

Hi Scott,

Sounds good, keep us posted.

Enjoy the weekend!

Best regards,

Marc-Antoine Dubois

Working with my internal support team, we found an issue with the linking on the certificate.

Thank you for the assist.

Hi Scott,

I appreciate the confirmation.

I'm marking this thread as resolved.

Have a great day!

Best regards,

Marc-Antoine Dubois