Cybergendannelse: Hentning af certifikat mislykkedes med TLS-protokollen
Summary: Efter opgradering til Cyber Recovery 19.17 er der en ny mulighed for at verificere certifikatet, når TLS-protokollen (Transport Layer Security) aktiveres. Denne artikel dækker situationer, hvor hentning af certifikatet mislykkedes med TLS-protokollen. ...
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
Efter opgradering til Cyber Recovery 19.17 er der en ny mulighed for at kontrollere certifikatet, når TLS-protokollen (Transport Layer Security) aktiveres. Når certifikatet kontrolleres, vises følgende fejl i brugergrænsefladen til Cyber Recovery:
Mail server certificate is required when enabling TLS.
Cause
Fra Cyber Recovery-logfilerne udskrives følgende poster.
På crcli.log:
[2024-10-03 11:49:03.273] [DEBUG] [crcli] [restapi_client.go:384 HandleRESTAPIResponse()] : Entering
[2024-10-03 11:49:03.273] [DEBUG] [crcli] [restapi_client.go:392 HandleRESTAPIResponse()] : REST status code :500
[2024-10-03 11:49:03.273] [ERROR] [crcli] [restapi_client.go:401 HandleRESTAPIResponse()] : Failed to retrieve mail server certificate : Failed to connect to mail server: dial tcp: lookup smtp-mail.com: i/o timeout
[2024-10-03 11:49:03.273] [DEBUG] [crcli] [restapi_client.go:402 HandleRESTAPIResponse()] : Exiting
[2024-10-03 11:49:03.273] [ERROR] [crcli] [libcli.go:150 CliErrorExit()] : Failed to retrieve mail server certificate : Failed to connect to mail server: dial tcp: lookup smtp-mail.com: i/o timeoutPå edge.log:
[2024-10-03 11:48:53.268] [DEBUG] [edge] [restapi_client.go:200 callRestApi()] : Perform request.Post path=https://notifications:9096/irapi/v8/notifications/retrieveEmailCert
[2024-10-03 11:49:03.272] [DEBUG] [edge] [restapi_client.go:209 callRestApi()] : status = 500 Internal Server Error
[2024-10-03 11:49:03.272] [DEBUG] [edge] [restapi_client.go:410 GetCRResponse()] : Entering
[2024-10-03 11:49:03.272] [DEBUG] [edge] [restapi_client.go:417 GetCRResponse()] : Exiting
[2024-10-03 11:49:03.272] [DEBUG] [edge] [restapi_client.go:210 callRestApi()] : Exiting
[2024-10-03 11:49:03.272] [DEBUG] [edge] [restapi_client.go:116 CallCRRESTAPI()] : Exiting
[2024-10-03 11:49:03.272] [DEBUG] [edge] [restapi_client.go:57 CallRESTAPIHeader()] : Exiting
[2024-10-03 11:49:03.272] [DEBUG] [edge] [restapi_client.go:384 HandleRESTAPIResponse()] : Entering
[2024-10-03 11:49:03.272] [DEBUG] [edge] [restapi_client.go:392 HandleRESTAPIResponse()] : REST status code :500
[2024-10-03 11:49:03.272] [ERROR] [edge] [restapi_client.go:401 HandleRESTAPIResponse()] : Failed to connect to mail server: dial tcp: lookup smtp-mail.com: i/o timeout
[2024-10-03 11:49:03.272] [DEBUG] [edge] [restapi_client.go:402 HandleRESTAPIResponse()] : Exiting
[2024-10-03 11:49:03.272] [DEBUG] [edge] [jsonerr.go:27 JSONError()] : Entering
[2024-10-03 11:49:03.272] [ERROR] [edge] [jsonerr.go:40 JSONError()] : 500 : Failed to connect to mail server: dial tcp: lookup smtp-mail.com: i/o timeout
[2024-10-03 11:49:03.272] [DEBUG] [edge] [jsonerr.go:44 JSONError()] : Exiting
[2024-10-03 11:49:03.272] [DEBUG] [edge] [notifications.go:560 RetrieveEmailCert()] : Exiting
[2024-10-03 11:49:03.272] [INFO] [edge] [restauth.go:111 func1()] : POST /cr/v8/notifications/retrieveEmailCert End RetrieveEmailCert Elapsed=10.005125439sPå notifications.log:
[2024-10-03 11:48:53.270] [INFO] [notifications] [restauth.go:68 func1()] : POST /irapi/v8/notifications/retrieveEmailCert Start RetrieveEmailCert
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [restauth.go:210 validateToken()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [restauth.go:194 DecryptToken()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [encoding.go:48 DecodeString()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [encoding.go:56 DecodeString()] : Exiting
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [crcrypto.go:558 DecryptCFB()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [crcrypto.go:579 DecryptCFB()] : Exiting
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [encoding.go:48 DecodeString()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [encoding.go:56 DecodeString()] : Exiting
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [crcrypto.go:112 GenHash()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [crcrypto.go:118 GenHash()] : Exiting
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [restauth.go:206 DecryptToken()] : Exiting
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [restauth.go:268 ValidateTokenTime()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [restauth.go:281 ValidateTokenTime()] : Exiting
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [restauth.go:255 validateToken()] : Exiting
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [notifications.go:283 RetrieveEmailCert()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [notifications.go:175 ValidateMailServer()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [notifications.go:201 ValidateMailServerURL()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [notifications.go:210 ValidateMailServerURL()] : Exiting
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [notifications.go:215 ValidateMailServerPort()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [notifications.go:222 ValidateMailServerPort()] : Exiting
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [notifications.go:196 ValidateMailServer()] : Exiting
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [email.go:227 RetrieveEmailCert()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [email.go:272 GetTLSConn()] : Entering
[2024-10-03 11:49:03.271] [DEBUG] [notifications] [email.go:283 GetTLSConn()] : Exiting
[2024-10-03 11:49:03.272] [ERROR] [notifications] [email.go:235 RetrieveEmailCert()] : Failed to connect to mail server: dial tcp: lookup smtp-mail.com: i/o timeout
[2024-10-03 11:49:03.272] [DEBUG] [notifications] [email.go:236 RetrieveEmailCert()] : Exiting
[2024-10-03 11:49:03.272] [ERROR] [notifications] [notifications.go:321 RetrieveEmailCert()] : Failed to connect to mail server: dial tcp: lookup smtp-mail.com: i/o timeout
[2024-10-03 11:49:03.272] [DEBUG] [notifications] [jsonerr.go:27 JSONError()] : Entering
[2024-10-03 11:49:03.272] [ERROR] [notifications] [jsonerr.go:40 JSONError()] : 500 : Failed to connect to mail server: dial tcp: lookup smtp-mail.com: i/o timeout
[2024-10-03 11:49:03.272] [DEBUG] [notifications] [jsonerr.go:44 JSONError()] : Exiting
[2024-10-03 11:49:03.272] [DEBUG] [notifications] [notifications.go:323 RetrieveEmailCert()] : ExitingFra version 19.17 begyndte Cyber Recovery at verificere mailservercertifikatet ved brug af TLS.
I miljøer uden DNS-system (Domain Name System) mislykkes indtastning af mailserveren som et DNS-navn, da Cyber Recovery ikke kan fortolke værtsnavnet til en IP-adresse på grund af manglende DNS i miljøet.
Når en IP-adresse bruges som Mail/Relay Server-felt i CR, og certifikatet fra mailserveren ikke har IP-adressen i certifikatet, mislykkes verifikationen, da certifikatet verificeres i forhold til IP'en.
Der er et par løsninger for at få dette til at fungere:
- Føj IP-adressen til certifikatet fra postserveren, så bekræftelsen kan fungere.
- Tilføj posten for mailserver og IP i
/etc/hostsi meddelelsesbeholderen for at tillade, at CR løser mailserveren korrekt, og certifikatbekræftelse kan finde sted.
Resolution
Der er to muligheder for at løse dette problem:
- Mailserveren bruger et fuldt kvalificeret domænenavn (FQDN), og Cyber Recovery kan ikke hente certifikatet.
- Kontroller, at du bruger en DNS-server i boksmiljøet, og om den fungerer korrekt.
- Hvis der ikke er nogen DNS-server i boksen, skal du følge nedenstående trin:
- Indtast SMTP-serveroplysningerne (Simple Mail Transfer Protocol) i værtsfilerne for meddelelsesdockeren.
- Opret forbindelse til Cyber Recovery ved hjælp af SSH.
- Kør denne kommando:
docker exec -it cr_notifications_1 bash - Åbn filen med et tekstredigeringsprogram:
/etc/hosts - Tilføj posterne for SMTP-serveren som IP, FQDN og kort navn.
- Gem filen.
- Kør denne kommando for at afslutte dockerbeholderen:
exit
- For at foretage posten i
/etc/hostsfil vedvarende gennem genstart, gør følgende:- Tilføj en linje i
cr-install-path>/etc/docker-compose-prod-<current-version>.ymlfor den IP, du vil føje til/etc/hostsMeddelelser: - Den nye linje, der er fremhævet med fed skrift, skal have SMTP FQDN og derefter IP:
SMTP.server.com:xxx.xxx.xxx.xxx
build: .image: ${registryName}/cr_notifications:${notificationsVersion}container_name: cr_notifications_1security_opt:- no-new-privileges:truehostname: notificationsexpose:- "9096"depends_on:- postgresqlcap_drop:- ALLenvironment:- LD_LIBRARY_PATH=/cr/lockbox/lib- CRHOSTNAME=${dockerHostFQDN}- ENABLE_TLS=${enableTLS}- ENABLE_POSTFIX=${enablePostfix}- GODEBUG=tlskyber=0extra_hosts:- dockerbridge:${dockerBridge}- ${dockerHostFQDN}:${dockerHost}- SMTP.server.com:xxx.xxx.xxx.xxx - Kør derefter
'crsetup.sh – forcerecreate'NÅR DER IKKE ER NOGEN JOB, DER KØRER.
- Tilføj en linje i
- Indtast SMTP-serveroplysningerne (Simple Mail Transfer Protocol) i værtsfilerne for meddelelsesdockeren.
- Brug af en IP-adresse til SMTP og Cyber Recovery får ikke certifikatet.
-
- I dette tilfælde skal der genereres et nyt certifikat, som indeholder den IP-adresse, der bruges.
Eller
-
- Hvis certifikatet blev oprettet ved hjælp af et FQDN, skal du i stedet for at bruge IP-adressen til at oprette forbindelse til SMTP bruge FQDN i Cyber Recovery-brugergrænsefladen.
Affected Products
PowerProtect Cyber Recovery, Cyber Recovery SeriesArticle Properties
Article Number: 000242079
Article Type: Solution
Last Modified: 07 Jan 2026
Version: 3
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.