jira tickets not being created via email

Description

Looks like emails sent to infra-support are not creating new JIRA tickets. Could you please check if they reach the mail server and whether there are attempts to log in by the Jira software?

Activity

Evgheni Dereveanchin
March 25, 2020, 10:32 AM

Looking at the settings in https://ovirt-jira.atlassian.net/secure/admin/IncomingMailServers.jspa, everything seems fine on the Jira side; however, I wasn’t able to find a “test” button or any IMAP connection logs.

Anton Marchukov
March 25, 2020, 11:01 AM

You need to click “edit” on the connection, then “next”, and there will be a test button:

javax.mail.MessagingException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed while connecting to host 'lists.ovirt.org' as user 'jira' via protocol 'imaps, caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

Marc Dequènes (Duck)
March 26, 2020, 4:47 AM

Indeed:

$ gnutls-cli --starttls-proto=imap mail.ovirt.org
Processed 132 CA certificate(s).
Resolving 'mail.ovirt.org:imap2'...
Connecting to '8.43.85.194:143'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `CN=lists.ovirt.org', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x048fa0444d7981814c34fdb1939ea0f86bad, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-10-10 09:02:24 UTC', expires `2020-01-08 09:02:24 UTC', pin-sha256="jEhkkzsG3kvqu02tiyQv0fDBMvje3aiKAe+LqU/YFwY="
Public Key ID:
sha1:3bb6224add040833b5b71e8df5db1f62e7c1ce3d
sha256:8c4864933b06de4beabb4dad8b242fd1f0c132f8dedda88a01ef8ba94fd81706
Public Key PIN:
pin-sha256:jEhkkzsG3kvqu02tiyQv0fDBMvje3aiKAe+LqU/YFwY=

- Certificate[1] info:
- subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

So the problem is due to the fact that Dovecot shares the certificate with Apache. When the certificate is renewed, Dovecot does not reload the certificate in memory automagically.

It’s possible to use a renewal hook in Let’s Encrypt, so I’ll prepare a change in Ansible for that soon.

In the meanwhile I reloaded Dovecot to test my theory and it works fine again now.
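
An added example, not part of the original ticket or of the oVirt infrastructure code: a monitoring check for the failure described above, where a daemon keeps serving the certificate it loaded at startup after the file on disk has been renewed. It compares the SHA-256 fingerprint of the leaf certificate presented over IMAP STARTTLS with the first certificate in the PEM chain file; the host and file path given on the command line are assumptions of the example.

```python
import hashlib
import imaplib
import re
import ssl

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def disk_leaf_der(pem_text: str) -> bytes:
    """DER bytes of the first (leaf) certificate in a PEM chain file."""
    match = _PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no certificate found in PEM text")
    return ssl.PEM_cert_to_DER_cert(match.group(0))


def served_imap_cert(host: str, port: int = 143, timeout: float = 10) -> bytes:
    """Fetch the leaf certificate a server presents after IMAP STARTTLS."""
    # Validation is off on purpose: an expired certificate must still be
    # retrievable so it can be compared. No credentials are ever sent.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        conn.starttls(ssl_context=ctx)
        return conn.sock.getpeercert(binary_form=True)
    finally:
        conn.shutdown()


def is_stale(served_der: bytes, pem_text: str) -> bool:
    """True when the daemon's in-memory certificate differs from the file."""
    return fingerprint(served_der) != fingerprint(disk_leaf_der(pem_text))


if __name__ == "__main__":
    import sys
    host, cert_path = sys.argv[1], sys.argv[2]  # assumed: mail host, chain file
    with open(cert_path) as fh:
        stale = is_stale(served_imap_cert(host), fh.read())
    print("STALE: daemon needs a reload" if stale else "OK")
    sys.exit(1 if stale else 0)
```

Run from cron or a monitoring agent on the mail host, a non-zero exit flags the stale certificate before clients start failing validation.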

 

Marc Dequènes (Duck)
April 2, 2020, 4:23 PM

https://gerrit.ovirt.org/c/108172/

Marc Dequènes (Duck)
September 25, 2020, 3:01 AM

It is a duplicate of which contains more info about the recent problem in the hook script.

Assignee

Marc Dequènes (Duck)

Reporter

Evgheni Dereveanchin

Blocked By

None

Priority

Medium