Cyber Recovery:使用 TLS 通訊協定擷取憑證失敗
摘要: 升級到 Cyber Recovery 19.17 後,有一個在啟用傳輸層安全性 (TLS) 通訊協定時驗證憑證的新選項。本文涵蓋使用 TLS 通訊協定擷取憑證失敗的情況。
本文章適用於
本文章不適用於
本文無關於任何特定產品。
本文未識別所有產品版本。
症狀
升級至 Cyber Recovery 19.17 後,有一個可在啟用傳輸層安全性 (TLS) 通訊協定時 驗證 憑證的新選項。驗證憑證時,Cyber Recovery UI 中會顯示下列錯誤:
Mail server certificate is required when enabling TLS.
原因
系統會從 Cyber Recovery 記錄列印下列項目。
在 crcli.log:
[2024-10-03 11:49:03.273] [DEBUG] [crcli] [restapi_client.go:384 HandleRESTAPIResponse()] : Entering
[2024-10-03 11:49:03.273] [DEBUG] [crcli] [restapi_client.go:392 HandleRESTAPIResponse()] : REST status code :500
[2024-10-03 11:49:03.273] [ERROR] [crcli] [restapi_client.go:401 HandleRESTAPIResponse()] : Failed to retrieve mail server certificate : Failed to connect to mail server: dial tcp: lookup smtp-mail.com: i/o timeout
[2024-10-03 11:49:03.273] [DEBUG] [crcli] [restapi_client.go:402 HandleRESTAPIResponse()] : Exiting
[2024-10-03 11:49:03.273] [ERROR] [crcli] [libcli.go:150 CliErrorExit()] : Failed to retrieve mail server certificate : Failed to connect to mail server: dial tcp: lookup smtp-mail.com: i/o timeout在 edge.log:
[2024-10-03 11:48:53.268] [DEBUG] [edge] [restapi_client.go:200 callRestApi()] : Perform request.Post path=https://notifications:9096/irapi/v8/notifications/retrieveEmailCert
[2024-10-03 11:49:03.272] [DEBUG] [edge] [restapi_client.go:209 callRestApi()] : status = 500 Internal Server Error
[2024-10-03 11:49:03.272] [DEBUG] [edge] [restapi_client.go:410 GetCRResponse()] : Entering
[2024-10-03 11:49:03.272] [DEBUG] [edge] [restapi_client.go:417 GetCRResponse()] : Exiting
[2024-10-03 11:49:03.272] [DEBUG] [edge] [restapi_client.go:210 callRestApi()] : Exiting
[2024-10-03 11:49:03.272] [DEBUG] [edge] [restapi_client.go:116 CallCRRESTAPI()] : Exiting
[2024-10-03 11:49:03.272] [DEBUG] [edge] [restapi_client.go:57 CallRESTAPIHeader()] : Exiting
[2024-10-03 11:49:03.272] [DEBUG] [edge] [restapi_client.go:384 HandleRESTAPIResponse()] : Entering
[2024-10-03 11:49:03.272] [DEBUG] [edge] [restapi_client.go:392 HandleRESTAPIResponse()] : REST status code :500
[2024-10-03 11:49:03.272] [ERROR] [edge] [restapi_client.go:401 HandleRESTAPIResponse()] : Failed to connect to mail server: dial tcp: lookup smtp-mail.com: i/o timeout
[2024-10-03 11:49:03.272] [DEBUG] [edge] [restapi_client.go:402 HandleRESTAPIResponse()] : Exiting
[2024-10-03 11:49:03.272] [DEBUG] [edge] [jsonerr.go:27 JSONError()] : Entering
[2024-10-03 11:49:03.272] [ERROR] [edge] [jsonerr.go:40 JSONError()] : 500 : Failed to connect to mail server: dial tcp: lookup smtp-mail.com: i/o timeout
[2024-10-03 11:49:03.272] [DEBUG] [edge] [jsonerr.go:44 JSONError()] : Exiting
[2024-10-03 11:49:03.272] [DEBUG] [edge] [notifications.go:560 RetrieveEmailCert()] : Exiting
[2024-10-03 11:49:03.272] [INFO] [edge] [restauth.go:111 func1()] : POST /cr/v8/notifications/retrieveEmailCert End RetrieveEmailCert Elapsed=10.005125439s在 notifications.log:
[2024-10-03 11:48:53.270] [INFO] [notifications] [restauth.go:68 func1()] : POST /irapi/v8/notifications/retrieveEmailCert Start RetrieveEmailCert
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [restauth.go:210 validateToken()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [restauth.go:194 DecryptToken()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [encoding.go:48 DecodeString()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [encoding.go:56 DecodeString()] : Exiting
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [crcrypto.go:558 DecryptCFB()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [crcrypto.go:579 DecryptCFB()] : Exiting
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [encoding.go:48 DecodeString()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [encoding.go:56 DecodeString()] : Exiting
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [crcrypto.go:112 GenHash()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [crcrypto.go:118 GenHash()] : Exiting
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [restauth.go:206 DecryptToken()] : Exiting
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [restauth.go:268 ValidateTokenTime()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [restauth.go:281 ValidateTokenTime()] : Exiting
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [restauth.go:255 validateToken()] : Exiting
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [notifications.go:283 RetrieveEmailCert()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [notifications.go:175 ValidateMailServer()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [notifications.go:201 ValidateMailServerURL()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [notifications.go:210 ValidateMailServerURL()] : Exiting
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [notifications.go:215 ValidateMailServerPort()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [notifications.go:222 ValidateMailServerPort()] : Exiting
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [notifications.go:196 ValidateMailServer()] : Exiting
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [email.go:227 RetrieveEmailCert()] : Entering
[2024-10-03 11:48:53.270] [DEBUG] [notifications] [email.go:272 GetTLSConn()] : Entering
[2024-10-03 11:49:03.271] [DEBUG] [notifications] [email.go:283 GetTLSConn()] : Exiting
[2024-10-03 11:49:03.272] [ERROR] [notifications] [email.go:235 RetrieveEmailCert()] : Failed to connect to mail server: dial tcp: lookup smtp-mail.com: i/o timeout
[2024-10-03 11:49:03.272] [DEBUG] [notifications] [email.go:236 RetrieveEmailCert()] : Exiting
[2024-10-03 11:49:03.272] [ERROR] [notifications] [notifications.go:321 RetrieveEmailCert()] : Failed to connect to mail server: dial tcp: lookup smtp-mail.com: i/o timeout
[2024-10-03 11:49:03.272] [DEBUG] [notifications] [jsonerr.go:27 JSONError()] : Entering
[2024-10-03 11:49:03.272] [ERROR] [notifications] [jsonerr.go:40 JSONError()] : 500 : Failed to connect to mail server: dial tcp: lookup smtp-mail.com: i/o timeout
[2024-10-03 11:49:03.272] [DEBUG] [notifications] [jsonerr.go:44 JSONError()] : Exiting
[2024-10-03 11:49:03.272] [DEBUG] [notifications] [notifications.go:323 RetrieveEmailCert()] : Exiting從版本 19.17 開始,Cyber Recovery 開始在使用 TLS 時驗證郵件伺服器憑證。
在非網域名稱系統 (DNS) 環境中,以 DNS 名稱輸入郵件伺服器失敗,因為由於環境中缺少 DNS,Cyber Recovery 無法將主機名稱解析為 IP 位址。
當 IP 位址作為 CR 中的郵件/中繼伺服器欄位,而郵件伺服器提供的憑證中沒有憑證中的 IP 時,驗證會失敗,因為憑證是針對 IP 進行驗證。
有幾種解決方法可以使其正常工作:
- 將IP位址添加到郵件伺服器提供的證書中,以便驗證可以工作。
- 在以下位置新增郵件伺服器和 IP 項目:
/etc/hosts在通知容器中,允許CR成功解決郵件伺服器和證書驗證。
解析度
有兩種選項可解決此問題:
- 郵件伺服器使用完整網域名稱 (FQDN),Cyber Recovery 無法取得憑證。
- 驗證是否在保管庫環境中使用 DNS 伺服器,以及它是否正常工作。
- 如果保管庫中沒有 DNS 伺服器,請按照以下步驟操作:
- 在通知 docker 的主機檔案中輸入 Simple Mail Transfer Protocol (SMTP) 伺服器詳細資料。
- 使用 SSH 連線至 Cyber Recovery。
- 執行此命令:
docker exec -it cr_notifications_1 bash - 使用文字編輯器開啟檔案:
/etc/hosts - 將 SMTP 伺服器的項目新增為 IP、FQDN 和短名稱。
- 儲存檔案。
- 執行此命令以離開 docker 容器:
exit
- 若要在
/etc/hosts檔案在重新開機後仍持續存在,請執行下列步驟:- 在中新增一行
cr-install-path>/etc/docker-compose-prod-<current-version>.yml對於要新增到的 IP/etc/hosts通知: - 以粗體反白顯示的新行應具有 SMTP FQDN,然後是 IP:
SMTP.server.com:xxx.xxx.xxx.xxx
build: .image: ${registryName}/cr_notifications:${notificationsVersion}container_name: cr_notifications_1security_opt:- no-new-privileges:truehostname: notificationsexpose:- "9096"depends_on:- postgresqlcap_drop:- ALLenvironment:- LD_LIBRARY_PATH=/cr/lockbox/lib- CRHOSTNAME=${dockerHostFQDN}- ENABLE_TLS=${enableTLS}- ENABLE_POSTFIX=${enablePostfix}- GODEBUG=tlskyber=0extra_hosts:- dockerbridge:${dockerBridge}- ${dockerHostFQDN}:${dockerHost}- SMTP.server.com:xxx.xxx.xxx.xxx - 然後執行
'crsetup.sh – forcerecreate'無工作執行時。
- 在中新增一行
- 在通知 docker 的主機檔案中輸入 Simple Mail Transfer Protocol (SMTP) 伺服器詳細資料。
- 使用 IP 位址做為 SMTP 和 Cyber Recovery 時,無法取得憑證。
-
- 在這種情況下,必須生成一個新證書以包含正在使用的IP位址。
或
-
- 如果憑證是使用 FQDN 建立的,請使用 Cyber Recovery UI 中的 FQDN,而不是使用 IP 連線至 SMTP。
受影響的產品
PowerProtect Cyber Recovery, Cyber Recovery Series文章屬性
文章編號: 000242079
文章類型: Solution
上次修改時間: 07 1月 2026
版本: 3
向其他 Dell 使用者尋求您問題的答案
支援服務
檢查您的裝置是否在支援服務的涵蓋範圍內。