SSL certificate error when trying to enable Premium AntiSpam

Article ID: 161253

Products

Mail Security for Microsoft Exchange

Issue/Introduction

In Symantec Mail Security for Exchange (SMSMSE), when trying to enable Premium AntiSpam, the deployment fails with the following generic error:

"Symantec Premium AntiSpam registration failed. The product will not receive definition updates".

In Conduit.log:

(ERROR:4632.4636): [12034] Network error occurred, SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (60), check your network connection settings, check your proxy settings (if applicable), and check to ensure that port 443 (HTTPS) is open through any relevant firewalls.

Curl for Windows:

C:\Temp\curl>Curl.exe -v -1 -4 -i -cacert CURL_CA_BUNDLE https://register.brightmail.com:443
curl: (6) Could not resolve host: -v; Host not found
curl: (6) Could not resolve host: -i; Host not found
curl: (6) Could not resolve host: -cacert; Host not found
curl: (6) Could not resolve host: CURL_CA_BUNDLE; Host not found
curl: (1) Protocol https not supported or disabled in libcurl

The license is confirmed to be correct, and connectivity to register.brightmail.com on port 443 is also working.

Environment

Symantec Mail Security for Exchange version 6.x or 7.x

Cause

The network firewall or proxy inspects and intercepts the SSL validation between the Exchange/SMSMSE server and register.brightmail.com.

Although port 443 is open on the firewall, additional SSL inspection is intercepting the traffic between the SMSMSE server and register.brightmail.com. This causes SMSMSE to fail to verify its internal SSL certificate, and the registration then fails.

Resolution

To get a clearer idea of the SSL error, download curl for Windows and run the following command:

curl.exe -v -1 -4 -i --cacert CURL_CA_BUNDLE https://register.brightmail.com:443

The output will give a better idea of where in the firewall the verification process is failing. In addition, the manual register script for PAS or a Wireshark capture can be used for further output. Please see the attached articles on how to run the manual PAS register script and how to take a Wireshark capture. Then provide the output to the firewall administrator, who can disable the SSL inspection or whitelist the appropriate process. Once SSL traffic is no longer intercepted, Premium AntiSpam can be enabled and the antispam definitions downloaded correctly.

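Added example (not part of the original article or of the product's tooling): a Python triage of the Conduit.log entry and curl output quoted above, separating a certificate verification failure (code 60, the result SSL inspection produces) from DNS, connectivity, and curl-build problems. It assumes the parenthesised number in the Conduit.log message is the libcurl error code; `triage`, `CURL_CODES` and `SAMPLE` are names chosen here.

```python
import re

# libcurl error codes and what each one means for this registration check.
CURL_CODES = {
    1: "this curl build has no HTTPS support; the run never tested the certificate",
    6: "DNS lookup failed, or a command-line option was parsed as a host name",
    7: "TCP connection failed; port 443 is blocked or the proxy is unreachable",
    28: "connection timed out; check port 443 and proxy settings",
    60: "certificate did not chain to a trusted CA; consistent with SSL inspection",
}
# Conduit.log entry as in the excerpt: "(ERROR:4632.4636): [12034] message"
ENTRY = re.compile(r"^\([A-Z]+:[\d.]+\): \[(?P<event>\d+)\] (?P<msg>.*)$")
# OpenSSL error string: error:<hex code>:<library>:<function>:<reason>
OPENSSL = re.compile(r"error:[0-9A-Fa-f]{8}:[^:]+:[^:]+:(?P<reason>[^(,]+)")
CODE = re.compile(r"\((\d{1,2})\)")  # parenthesised code such as "(60)"

# Sample input copied from the excerpts on this page (log message shortened).
SAMPLE = """\
(ERROR:4632.4636): [12034] Network error occurred, SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (60), check your network connection settings
curl: (6) Could not resolve host: -cacert; Host not found
curl: (1) Protocol https not supported or disabled in libcurl
"""

def triage(text):
    """Return one finding per Conduit.log entry or curl error line in text."""
    findings, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            current = {"source": "conduit", "event": int(m["event"]), "text": m["msg"]}
            findings.append(current)
        elif line.startswith("curl: ("):
            current = None
            findings.append({"source": "curl", "text": line[len("curl: "):]})
        elif current is not None and line:
            current["text"] += " " + line  # continuation line, e.g. after "Details:"
    for f in findings:
        code = CODE.search(f["text"])
        f["curl_code"] = int(code.group(1)) if code else None
        ssl_err = OPENSSL.search(f["text"])
        f["openssl_reason"] = ssl_err["reason"].strip() if ssl_err else None
        f["meaning"] = CURL_CODES.get(f["curl_code"], "unrecognized; read the full message")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding["source"], finding["curl_code"], "->", finding["meaning"])
```

On the page's own excerpts, the Conduit.log entry resolves to code 60, while the curl transcript ends in code 1, meaning that curl run never reached the certificate check.
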
Additional Information

How to manually register the license for Premium Antispam

How to capture a network packet trace using Wireshark