Looks like emails sent to infra-support are not creating new JIRA tickets. could you please check if they reach the mail server and there are attempts to log in by the Jira software?
Looking at the settings in https://ovirt-jira.atlassian.net/secure/admin/IncomingMailServers.jspa everything seems fine on Jira side however I wasn’t able to find a “test“ button or any IMAP connection logs.
You need to click “edit” on connection, then “next” and there will be test button:
javax.mail.MessagingException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed while connecting to host 'lists.ovirt.org' as user 'jira' via protocol 'imaps, caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
$ gnutls-cli --starttls-proto=imap mail.ovirt.org
Processed 132 CA certificate(s).
Connecting to '126.96.36.199:143'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate info:
- subject `CN=lists.ovirt.org', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x048fa0444d7981814c34fdb1939ea0f86bad, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-10-10 09:02:24 UTC', expires `2020-01-08 09:02:24 UTC', pin-sha256="jEhkkzsG3kvqu02tiyQv0fDBMvje3aiKAe+LqU/YFwY="
Public Key ID:
Public Key PIN:
- Certificate info:
- subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
So the problem is due to the fact Dovecot shares the certificate with Apache. When the certificate is renewed Dovecot does not reload the certificate in memory automagically.
It’s possible to use a renewal hook in Let’s Encrypt, so I’ll prepare a change in Ansible for that soon.
In the meanwhile I reloaded Dovecot to test my theory and it works fine again now.
It is a duplicate of which contains more info about the recent problem in the hook script.