
SSL/TLS Certificate Revocation Validation Errors


This FAQ addresses SSL/TLS certificate validation errors when Nodinite attempts to send emails through SMTP providers like SendGrid, Mailgun, Amazon SES, or Microsoft 365. These errors typically occur when your server cannot verify the SMTP provider's SSL/TLS certificate due to firewall restrictions, missing CA certificates, or offline revocation servers.

Problem

When testing or executing Email Alarm Plugins, you see errors similar to:

"MailKit.Security.SslHandshakeException: An error occurred while attempting to establish an SSL or TLS connection.
  • The revocation function was unable to check revocation for the certificate.
  • The revocation function was unable to check revocation because the revocation server was offline.
Inner Exception: The remote certificate was rejected by the provided RemoteCertificateValidationCallback."

Root Cause

Your Nodinite server cannot verify the SMTP provider's SSL/TLS certificate due to:

  • Firewall restrictions blocking access to certificate revocation lists (CRL) and OCSP responders
  • Missing CA certificates required for the certificate chain validation
  • Proxy configuration issues preventing access to validation endpoints
  • Offline or slow revocation servers causing timeout errors

Common SMTP providers affected include SendGrid (GoDaddy/DigiCert certificates), Amazon SES (Amazon Root CA), Mailgun (DigiCert), Microsoft 365 (DigiCert/Microsoft), and others.

Required Network Access

Your Nodinite Application Server must have outbound access to the following:

| Service | URL/Endpoint | Protocol | Purpose |
|---|---|---|---|
| SendGrid SMTP | smtp.sendgrid.net:587 | TCP/TLS | Email delivery via SMTP with STARTTLS |
| GoDaddy CRL | http://crl.godaddy.com/ | HTTP (TCP 80) | Certificate Revocation List validation (primary) |
| GoDaddy OCSP | http://ocsp.godaddy.com/ | HTTP (TCP 80) | Online Certificate Status Protocol validation (primary) |
| GoDaddy Certs | http://certificates.godaddy.com/ | HTTP (TCP 80) | GoDaddy certificate repository |
| DigiCert CRL #1 | http://crl3.digicert.com/ | HTTP (TCP 80) | Certificate Revocation List validation (legacy/regional) |
| DigiCert CRL #2 | http://crl4.digicert.com/ | HTTP (TCP 80) | Certificate Revocation List validation (legacy/regional) |
| DigiCert OCSP | http://ocsp.digicert.com/ | HTTP (TCP 80) | Online Certificate Status Protocol validation (legacy/regional) |
| DNS Resolution | DNS Server | UDP/TCP 53 | Name resolution for all above endpoints |

Important

SendGrid currently uses GoDaddy-signed SSL/TLS certificates in most regions (as of December 2025). Some configurations or regions may still use DigiCert certificates. Windows validates these certificates by checking Certificate Revocation Lists (CRL) and OCSP endpoints. If your firewall blocks access to crl.godaddy.com, ocsp.godaddy.com, or the DigiCert equivalents, certificate validation will fail and Nodinite cannot send emails through SendGrid.

Note

SendGrid has transitioned from DigiCert to GoDaddy certificates. If your connection was previously working with DigiCert endpoints but now fails, ensure your firewall allows access to the GoDaddy CRL/OCSP endpoints listed above.

Step 1: Verify Required CA Certificates

SendGrid currently uses the GoDaddy certificate chain in most regions (as of December 2025). Some configurations may still use DigiCert. Verify that your server has the required intermediate CA certificates installed:

# Check for GoDaddy certificates (current primary CA). Root CAs are stored in
# Cert:\LocalMachine\Root and intermediates in Cert:\LocalMachine\CA, so both stores are searched.
Write-Host "Checking for GoDaddy certificates..." -ForegroundColor Cyan
Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA | Where-Object {$_.Subject -like "*Go Daddy*"} | Format-Table Subject, Thumbprint, NotAfter

# Check for DigiCert certificates (legacy/regional)
Write-Host "`nChecking for DigiCert certificates..." -ForegroundColor Cyan
Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA | Where-Object {$_.Subject -like "*DigiCert*"} | Format-Table Subject, Thumbprint, NotAfter

Expected Certificates

GoDaddy certificates (primary - most common):

  • Go Daddy Root Certificate Authority - G2
  • Go Daddy Secure Certificate Authority - G2
  • Go Daddy Class 2 Certification Authority

DigiCert certificates (legacy/regional - some configurations):

  • DigiCert Global Root G2
  • DigiCert TLS RSA SHA256 2020 CA1
  • Other DigiCert intermediate or root certificates

Note

Windows Update typically installs GoDaddy and DigiCert certificates automatically. These are trusted root certificates included in the Windows certificate store. If certificates are missing, run Windows Update or download them manually from the respective CA websites.

Install Missing GoDaddy Certificates (If Required)

# GoDaddy certificates are typically pre-installed by Windows
# If missing, download from GoDaddy's repository
$goDaddyUrl = "https://certs.godaddy.com/repository"
Write-Host "GoDaddy certificates: $goDaddyUrl" -ForegroundColor Cyan
Write-Host "Download and import manually if required, or run Windows Update" -ForegroundColor Yellow

Install Missing DigiCert Certificates (If Required)

# Download and import DigiCert Global Root G2 (example for legacy configurations).
# This is a root CA, so it belongs in the Root store; intermediate CAs go in Cert:\LocalMachine\CA.
$url = "https://cacerts.digicert.com/DigiCertGlobalRootG2.crt"
$certPath = "$env:TEMP\DigiCertGlobalRootG2.crt"
Invoke-WebRequest -Uri $url -OutFile $certPath -UseBasicParsing
Import-Certificate -FilePath $certPath -CertStoreLocation Cert:\LocalMachine\Root
Remove-Item $certPath -Force
Write-Host "DigiCert Global Root G2 imported successfully" -ForegroundColor Green

Step 2: Verify Firewall and Network Connectivity

Test connectivity to SendGrid and certificate validation endpoints:

Test SendGrid SMTP Port

# Test SMTP connectivity to SendGrid
Test-NetConnection -ComputerName smtp.sendgrid.net -Port 587

Expected Output

ComputerName     : smtp.sendgrid.net
RemoteAddress    : <IP Address>
RemotePort       : 587
InterfaceAlias   : Ethernet
SourceAddress    : <Your Server IP>
TcpTestSucceeded : True

If TcpTestSucceeded is False, check:

  • Firewall rules - Ensure outbound TCP 587 is allowed
  • Proxy configuration - SMTP traffic may need proxy bypass
  • Network Security Groups (NSG) - For Azure-hosted servers

Test CRL/OCSP Accessibility

# Test GoDaddy (primary) and DigiCert (legacy/regional) CRL/OCSP endpoints.
# Note: a 4xx/5xx reply from the site root also ends up in the catch block, so read the
# message; only DNS, connection or timeout failures indicate a firewall/proxy block.
$endpoints = @(
    @{ Ca = 'GoDaddy (primary CA)';       Url = 'http://crl.godaddy.com' },
    @{ Ca = 'GoDaddy (primary CA)';       Url = 'http://ocsp.godaddy.com' },
    @{ Ca = 'GoDaddy (primary CA)';       Url = 'http://certificates.godaddy.com' },
    @{ Ca = 'DigiCert (legacy/regional)'; Url = 'http://crl3.digicert.com' },
    @{ Ca = 'DigiCert (legacy/regional)'; Url = 'http://crl4.digicert.com' },
    @{ Ca = 'DigiCert (legacy/regional)'; Url = 'http://ocsp.digicert.com' }
)

foreach ($endpoint in $endpoints) {
    $hostName = ([uri]$endpoint.Url).Host
    try {
        Invoke-WebRequest -Uri $endpoint.Url -UseBasicParsing -TimeoutSec 5 | Out-Null
        Write-Host "✓ $hostName is accessible ($($endpoint.Ca))" -ForegroundColor Green
    } catch {
        Write-Warning "✗ $hostName is NOT accessible ($($endpoint.Ca)): $_"
    }
}

If Endpoints Are Not Accessible

  1. Check Windows Firewall:

    # Allow outbound HTTP (port 80) for CRL/OCSP
    New-NetFirewallRule -DisplayName "Allow HTTP for CRL/OCSP" -Direction Outbound -Protocol TCP -RemotePort 80 -Action Allow
    
  2. Check corporate firewall/proxy - Contact your network team to allow:

    • *.godaddy.com (HTTP/HTTPS) - Primary CA
    • *.digicert.com (HTTP/HTTPS) - Legacy/regional CA
    • smtp.sendgrid.net:587 (TCP/TLS)
  3. Proxy bypass configuration - If using a proxy, add CRL/OCSP endpoints to bypass list:

    # Check current proxy settings
    netsh winhttp show proxy
    
    # Set proxy with bypass list (example - includes both GoDaddy and DigiCert)
    netsh winhttp set proxy proxy-server="http://proxy.example.com:8080" bypass-list="*.godaddy.com;*.digicert.com;smtp.sendgrid.net"
    

Step 3: Verify DNS Resolution

Ensure DNS is resolving SendGrid, GoDaddy, and DigiCert endpoints correctly:

# Test DNS resolution
$endpoints = @(
    "smtp.sendgrid.net",
    "crl.godaddy.com",
    "ocsp.godaddy.com",
    "certificates.godaddy.com",
    "crl3.digicert.com",
    "crl4.digicert.com",
    "ocsp.digicert.com"
)

foreach ($endpoint in $endpoints) {
    try {
        $result = Resolve-DnsName $endpoint -ErrorAction Stop
        Write-Host "✓ $endpoint resolves to: $($result.IPAddress -join ', ')" -ForegroundColor Green
    } catch {
        Write-Warning "✗ $endpoint DNS resolution failed: $_"
    }
}

If DNS Resolution Fails

See the related FAQ "DNS Resolution Errors" (linked under Next Steps) for name-resolution troubleshooting.

Step 4: Test SendGrid SMTP Authentication

Verify your SendGrid API key is configured correctly:

# Test SMTP authentication (replace with your actual API key)
$smtpServer = "smtp.sendgrid.net"
$smtpPort = 587
$apiKey = "YOUR_SENDGRID_API_KEY"  # Use your actual API key

# SmtpClient checks certificate revocation only when this flag is set; enable it so the
# test reproduces the revocation validation that MailKit performs inside Nodinite.
[System.Net.ServicePointManager]::CheckCertificateRevocationList = $true

$smtp = New-Object System.Net.Mail.SmtpClient($smtpServer, $smtpPort)
$smtp.EnableSsl = $true   # on port 587 this negotiates STARTTLS
$smtp.Credentials = New-Object System.Net.NetworkCredential("apikey", $apiKey)

$mail = $null
try {
    $mail = New-Object System.Net.Mail.MailMessage
    $mail.From = "noreply@yourdomain.com"
    $mail.To.Add("test@yourdomain.com")
    $mail.Subject = "Test Email from Nodinite"
    $mail.Body = "This is a test email to verify SendGrid connectivity."
    
    $smtp.Send($mail)
    Write-Host "✓ Email sent successfully via SendGrid!" -ForegroundColor Green
} catch {
    Write-Error "✗ Failed to send email: $_"
} finally {
    if ($mail) { $mail.Dispose() }
    $smtp.Dispose()
}

Test SendGrid SSL/TLS Certificate Chain

To verify the SSL/TLS certificate chain for SendGrid:

# Test SendGrid certificate chain
$smtpServer = "smtp.sendgrid.net"
$smtpPort = 587

try {
    $tcpClient = New-Object System.Net.Sockets.TcpClient
    $tcpClient.Connect($smtpServer, $smtpPort)
    
    # Read SMTP banner
    $stream = $tcpClient.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.AutoFlush = $true
    
    $banner = $reader.ReadLine()
    Write-Host "SMTP Banner: $banner" -ForegroundColor Cyan
    
    # Send EHLO command
    $writer.WriteLine("EHLO testclient")
    do {
        $response = $reader.ReadLine()
        Write-Host "EHLO Response: $response" -ForegroundColor Gray
    } while ($response -and $response.StartsWith("250-"))
    
    # Send STARTTLS command
    $writer.WriteLine("STARTTLS")
    $response = $reader.ReadLine()
    Write-Host "STARTTLS Response: $response" -ForegroundColor Cyan
    
    if ($response -match "^220") {
        # Upgrade to SSL/TLS. A validation callback records the handshake's policy errors
        # instead of throwing, so the chain below can still be inspected when validation
        # fails (diagnostic only: no credentials are sent on this connection).
        $script:handshakeErrors = $null
        $recordErrors = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $errors)
            $script:handshakeErrors = $errors
            return $true
        }
        $sslStream = New-Object System.Net.Security.SslStream($stream, $false, $recordErrors)
        $sslStream.AuthenticateAsClient($smtpServer)
        Write-Host "Handshake policy errors: $script:handshakeErrors" -ForegroundColor Cyan
        
        # Get certificate
        $cert = $sslStream.RemoteCertificate
        $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
        
        Write-Host "`nCertificate Information:" -ForegroundColor Green
        Write-Host "  Subject: $($cert2.Subject)" -ForegroundColor White
        Write-Host "  Issuer: $($cert2.Issuer)" -ForegroundColor White
        Write-Host "  Expires: $($cert2.NotAfter)" -ForegroundColor White
        Write-Host "  Thumbprint: $($cert2.Thumbprint)" -ForegroundColor White
        
        # Check certificate chain
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        
        $isValid = $chain.Build($cert2)
        
        Write-Host "`nCertificate Chain Status: " -NoNewline
        if ($isValid) {
            Write-Host "Valid" -ForegroundColor Green
        } else {
            Write-Host "Invalid or Incomplete" -ForegroundColor Yellow
        }
        
        Write-Host "`nCertificate Chain:" -ForegroundColor Cyan
        foreach ($element in $chain.ChainElements) {
            Write-Host "  - $($element.Certificate.Subject)" -ForegroundColor White
            foreach ($status in $element.ChainElementStatus) {
                Write-Host "    Status: $($status.Status) - $($status.StatusInformation)" -ForegroundColor $(if ($status.Status -eq 'NoError') { 'Green' } else { 'Yellow' })
            }
        }
        
        $sslStream.Close()
    }
    
    $tcpClient.Close()
    Write-Host "`n✓ Certificate chain inspection complete" -ForegroundColor Green
    
} catch {
    Write-Error "✗ Failed to inspect certificate: $_"
} finally {
    if ($tcpClient) { $tcpClient.Dispose() }
}

Tip

If you see revocation check errors in the certificate chain output, verify that your server can access the GoDaddy endpoints (crl.godaddy.com, ocsp.godaddy.com) and/or DigiCert endpoints (crl3.digicert.com, crl4.digicert.com, ocsp.digicert.com) depending on which CA issued your certificate (Step 2).
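The following script is an added example and not part of the original FAQ; it serves both Step 2 and Step 4. Instead of probing a fixed list of CA hostnames, it reads the CRL Distribution Points and Authority Information Access extensions of a certificate to find the exact CRL, OCSP and issuer URLs that certificate references, probes each one, and then classifies an online X509Chain build so that an unreachable revocation server is told apart from a revoked certificate or a missing CA certificate. The function names, the use of the `$cert2` variable (the SendGrid leaf certificate captured by the Step 4 script) and the fallback to an installed intermediate CA are the example's own choices; it assumes Windows, where `AsnEncodedData.Format` renders these extensions as text containing `URL=` lines.

```powershell
# Added example, not Nodinite's code. Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows.

function Get-CertificateValidationEndpoints {
    # Returns the CRL, OCSP and CA-issuer URLs embedded in a certificate.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    foreach ($ext in $Certificate.Extensions) {
        $text = $ext.Format($true)   # multi-line text rendering, e.g. "URL=http://crl.godaddy.com/gdig2s1-123.crl"
        if ($ext.Oid.Value -eq '2.5.29.31') {                 # CRL Distribution Points
            foreach ($m in [regex]::Matches($text, 'URL=(\S+)')) {
                [pscustomobject]@{ Kind = 'CRL'; Url = $m.Groups[1].Value }
            }
        } elseif ($ext.Oid.Value -eq '1.3.6.1.5.5.7.1.1') {   # Authority Information Access
            # Every "Access Method=" entry is followed by its own URL; pair them lazily
            foreach ($m in [regex]::Matches($text, '(?s)Access Method=([^\r\n(]+).*?URL=(\S+)')) {
                $kind = if ($m.Groups[1].Value -match 'Status Protocol') { 'OCSP' } else { 'CAIssuers' }
                [pscustomobject]@{ Kind = $kind; Url = $m.Groups[2].Value }
            }
        }
    }
}

function Test-ValidationEndpoint {
    # Reachability probe: an HTTP error reply still proves the host is reachable through
    # the firewall/proxy; only DNS, connection or timeout failures mean it is blocked.
    param([Parameter(Mandatory)][string]$Url, [int]$TimeoutSec = 5)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec -ErrorAction Stop
        [pscustomobject]@{ Url = $Url; Reachable = $true; Status = [int]$r.StatusCode; Detail = "$($r.RawContentLength) bytes" }
    } catch {
        $resp = $_.Exception.Response
        if ($resp) {
            [pscustomobject]@{ Url = $Url; Reachable = $true; Status = [int]$resp.StatusCode; Detail = 'HTTP error, host reachable' }
        } else {
            [pscustomobject]@{ Url = $Url; Reachable = $false; Status = $null; Detail = $_.Exception.Message }
        }
    }
}

function Get-ChainDiagnosis {
    # Builds the chain with online revocation checking (as the Step 4 script does) and
    # maps the aggregated X509ChainStatusFlags to the remediation steps of this FAQ.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $F = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $valid = $chain.Build($Certificate)
    $flags = 0
    foreach ($s in $chain.ChainStatus) { $flags = $flags -bor [int]$s.Status }
    $revocationOnly = [int]$F::RevocationStatusUnknown -bor [int]$F::OfflineRevocation
    $diagnosis = if ($valid) {
        'Chain valid and revocation checked: CA endpoints are reachable'
    } elseif ($flags -band [int]$F::Revoked) {
        'A certificate in the chain is REVOKED: this must not be bypassed'
    } elseif ($flags -band ([int]$F::UntrustedRoot -bor [int]$F::PartialChain)) {
        'Missing or untrusted CA certificate: see Step 1'
    } elseif (($flags -band -bnot $revocationOnly) -eq 0) {
        'Only the revocation status is unknown: CRL/OCSP endpoints are blocked or offline, see Step 2'
    } else {
        'Other chain problem: inspect the Status entries'
    }
    [pscustomobject]@{
        ChainValid = $valid
        Diagnosis  = $diagnosis
        Status     = $chain.ChainStatus
        Elements   = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
}

function Invoke-RevocationDiagnostic {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    Write-Host "Certificate: $($Certificate.Subject)" -ForegroundColor Cyan
    $probes = foreach ($e in Get-CertificateValidationEndpoints -Certificate $Certificate) {
        Test-ValidationEndpoint -Url $e.Url | Add-Member -NotePropertyName Kind -NotePropertyValue $e.Kind -PassThru
    }
    $probes | Format-Table Kind, Reachable, Status, Url, Detail -AutoSize | Out-String | Write-Host
    $d = Get-ChainDiagnosis -Certificate $Certificate
    Write-Host "Diagnosis: $($d.Diagnosis)" -ForegroundColor $(if ($d.ChainValid) { 'Green' } else { 'Yellow' })
    $d.Status | Format-Table Status, StatusInformation -AutoSize | Out-String | Write-Host
    $d
}

# Use the SendGrid leaf certificate captured by the Step 4 script ($cert2) when it exists;
# otherwise fall back to any installed intermediate CA that carries a CRL Distribution Point.
$target = if ($cert2) { $cert2 } else {
    Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Extensions.Oid.Value -contains '2.5.29.31' } | Select-Object -First 1
}
if ($target) { $null = Invoke-RevocationDiagnostic -Certificate $target } else { Write-Warning 'No certificate with a CRL Distribution Points extension found' }
```

Run it in the same session as the Step 4 script so `$cert2` holds the certificate SendGrid actually presented; the probe table then lists the CRL and OCSP hosts that particular certificate depends on, which keeps the check correct when a provider changes CA (as SendGrid did from DigiCert to GoDaddy). The diagnosis line distinguishes the three causes this FAQ covers: a revoked certificate (stop, do not bypass), a missing or untrusted CA (Step 1), and revocation status unknown because the endpoints are blocked (Step 2).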

Warning

Common Mistake: Do NOT try to establish SSL/TLS directly on port 587. SendGrid uses STARTTLS (explicit TLS), which means the connection starts as plain-text SMTP and upgrades to TLS only after the STARTTLS command. Attempting an immediate SSL/TLS handshake fails with "corrupted frame" errors. The script above demonstrates the correct STARTTLS sequence: connect → EHLO → STARTTLS → upgrade to SSL/TLS; a real client then authenticates over the encrypted connection.

Step 5: Configure Nodinite Email Alarm Plugin

In Nodinite Web Client, configure the Email Alarm Plugin with these settings:

| Setting | Value |
|---|---|
| SMTP Server | smtp.sendgrid.net |
| Port | 587 |
| Use SSL/TLS | Checked (required) |
| Username | apikey (literally "apikey", not your actual key) |
| Password | <Your SendGrid API Key> (starts with SG.) |
| From Address | Verified sender address in SendGrid |

Tip

SendGrid requires the username to be exactly apikey (not your email address). The password is your actual SendGrid API key.

Troubleshooting Common Issues

Issue: "The revocation function was unable to check revocation"

Cause: CRL/OCSP endpoints blocked by firewall or proxy.

Solution: Allow CRL/OCSP Access

  1. Allow outbound HTTP (port 80) to *.godaddy.com (primary CA) and *.digicert.com (legacy/regional CA)

  2. Configure proxy bypass for *.godaddy.com and *.digicert.com if using a proxy

  3. As a temporary workaround (not recommended for production), disable certificate revocation checking:

    # Disable CRL checking (TEMPORARY - not recommended for production)
    # This should only be used for testing/troubleshooting. It affects only the .NET
    # process that runs it (this PowerShell session and the Step 4 test scripts), not
    # the Nodinite service.
    [System.Net.ServicePointManager]::CheckCertificateRevocationList = $false
    

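As an added example that is not part of this FAQ and not Nodinite's own code, the block below shows the narrower alternative to the global `CheckCertificateRevocationList = $false` switch: a `RemoteCertificateValidationCallback` that tolerates only the "revocation status unknown / revocation server offline" condition while still rejecting revoked, expired, untrusted or name-mismatched certificates. The function names and the demonstration against a locally installed intermediate CA are the example's own choices; it assumes .NET on Windows.

```powershell
# Added example, not Nodinite's code. Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows.

function Test-OnlyRevocationUnavailable {
    # True when every chain status flag is one of the two "could not check revocation" flags.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Chain]$Chain)
    $F = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    $tolerated = [int]$F::RevocationStatusUnknown -bor [int]$F::OfflineRevocation
    foreach ($s in $Chain.ChainStatus) {
        if (([int]$s.Status -band -bnot $tolerated) -ne 0) { return $false }   # any other failure
    }
    return $true
}

# Delegate for the third argument of the SslStream constructor (the Step 4 script passes $false there)
$AllowRevocationOffline = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $E = [System.Net.Security.SslPolicyErrors]
    if ($sslPolicyErrors -eq $E::None) { return $true }
    # A name mismatch or a missing certificate is never tolerated
    if ($sslPolicyErrors -ne $E::RemoteCertificateChainErrors) { return $false }
    return Test-OnlyRevocationUnavailable -Chain $chain
}

function Show-RevocationPolicyDecision {
    # Builds the chain with online revocation checking, as the handshake would,
    # and reports which decision the policy reaches for that certificate.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $valid = $chain.Build($Certificate)
    $errors = if ($valid) { [System.Net.Security.SslPolicyErrors]::None } else { [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors }
    $accepted = $AllowRevocationOffline.Invoke($null, $Certificate, $chain, $errors)
    [pscustomobject]@{
        Subject    = $Certificate.Subject
        ChainValid = $valid
        Flags      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Accepted   = $accepted
    }
}

# Demonstration: any installed intermediate CA that carries a CRL Distribution Point.
$sample = Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Extensions.Oid.Value -contains '2.5.29.31' } | Select-Object -First 1
if ($sample) { Show-RevocationPolicyDecision -Certificate $sample | Format-List }
```

With CRL/OCSP endpoints blocked, `Flags` shows `RevocationStatusUnknown, OfflineRevocation` and `Accepted` is True; a chain that is also untrusted, expired or revoked is still rejected, which is the difference between this callback and turning revocation checking off for the whole process.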
Issue: "The remote certificate was rejected"

Cause: Missing GoDaddy or DigiCert intermediate certificates or corrupted certificate store.

Solution: Install or Rebuild Certificates

  1. Install GoDaddy or DigiCert intermediate certificates (see Step 1)

  2. Run Windows Update to refresh certificate store

  3. Rebuild certificate store:

    # Download the current Microsoft trusted root list from Windows Update into roots.sst
    # and import it into the machine Root store (requires restart)
    certutil -generateSSTFromWU roots.sst
    Import-Certificate -FilePath .\roots.sst -CertStoreLocation Cert:\LocalMachine\Root
    

Issue: Connection timeout on port 587

Cause: Firewall blocking outbound SMTP traffic.

Solution: Allow SMTP Port 587

  1. Allow outbound TCP 587 in Windows Firewall
  2. Check corporate firewall rules for smtp.sendgrid.net:587
  3. Verify no antivirus/security software blocking SMTP

Issue: Proxy blocking traffic

Cause: Corporate proxy intercepting SMTP or CRL/OCSP traffic.

Solution: Configure Proxy Bypass

  1. Configure proxy bypass for SendGrid, GoDaddy, and DigiCert endpoints
  2. Use authenticated proxy if required
  3. Contact network team to whitelist endpoints

Advanced Diagnostics

Capture Network Traffic

Use Test-NetConnection with verbose output:

Test-NetConnection smtp.sendgrid.net -Port 587 -InformationLevel Detailed

Note

For detailed certificate chain inspection, use the complete STARTTLS script provided in Step 4 above. The script properly handles the SMTP STARTTLS handshake sequence required for port 587.

Using the Ignore Certificate Revocation Errors Option (v7.2+)

New 7.2
Nodinite version 7.2 and later includes an "Ignore certificate revocation errors" checkbox in the Email with Options Alarm Plugin SMTP Options configuration. This option allows you to bypass certificate revocation validation when CRL/OCSP servers are unreachable.

[Screenshot: the "Ignore certificate revocation errors" checkbox in SMTP Options.]

Warning

Security Implications: Disabling certificate revocation checks reduces security by preventing Nodinite from detecting revoked certificates. Use this option only in the following scenarios:

  • Non-production environments (development, test, staging) where security requirements are relaxed
  • Temporary workaround while your network team configures firewall rules to allow CRL/OCSP access
  • Air-gapped or highly restricted networks where external validation servers are intentionally blocked

DO NOT use this option in production unless you have documented security approval and compensating controls.

When to Use This Option

| Scenario | Recommended? | Notes |
|---|---|---|
| Development/Test environments | ✅ Yes | Acceptable for non-production use |
| Temporary production workaround | ⚠️ Conditional | Only while network team implements proper CRL/OCSP access |
| Air-gapped networks | ⚠️ Conditional | Requires security team approval and risk assessment |
| Long-term production solution | ❌ No | Implement proper firewall rules instead |

How to Enable

  1. Navigate to Administration → Settings → Alarm Plugins → E-mail with options
  2. Select the SMTP Options tab
  3. Check the "Ignore certificate revocation errors" checkbox
  4. Click Save
  5. Test email delivery using the Execute Alarm test button

Learn more about SMTP Options configuration →

Important

Even with this option enabled, you should work with your network team to implement the proper solution (allowing CRL/OCSP access). This checkbox is a temporary mitigation, not a permanent fix.


Summary Checklist

Before contacting support or using the "Ignore certificate revocation errors" workaround, verify:

  • ✅ GoDaddy intermediate certificates installed in Cert:\LocalMachine\CA (primary CA - check first)
  • ✅ DigiCert intermediate certificates installed in Cert:\LocalMachine\CA (legacy/regional CA - if applicable)
  • ✅ Outbound TCP 587 allowed to smtp.sendgrid.net
  • ✅ Outbound HTTP (port 80) allowed to crl.godaddy.com, ocsp.godaddy.com, certificates.godaddy.com
  • ✅ Outbound HTTP (port 80) allowed to crl3.digicert.com, crl4.digicert.com, ocsp.digicert.com (if using DigiCert certificates)
  • ✅ DNS resolution working for all SendGrid, GoDaddy, and DigiCert endpoints
  • ✅ Proxy bypass configured for *.godaddy.com, *.digicert.com, and smtp.sendgrid.net (if applicable)
  • ✅ SendGrid API key valid and correctly configured in Nodinite
  • ✅ "Use SSL/TLS" checkbox enabled in Email Alarm Plugin configuration

Next Steps

Back to Troubleshooting Overview
Email with Options Alarm Plugin Configuration
Variables and JSON Path examples for Alerts

Related FAQs:
DNS Resolution Errors
Office365 Email Issues

Alarm Plugin Configuration:
Add or manage Alarm Plugin
Alarm Plugins - Overview

Support:
Support