FAQ - Troubleshooting Alarm Plugins
Quickly resolve common Alarm Plugin issues in Nodinite with this FAQ and troubleshooting guide. Learn how to fix Office365 and SendGrid email problems, configure your environment, and customize alert properties for seamless monitoring and notifications.
✅ Step-by-step solutions for common Alarm Plugin issues
✅ Office365 and SendGrid email troubleshooting and configuration tips
✅ SSL/TLS certificate validation and firewall configuration guidance
✅ Guidance on customizing alert properties with macros
✅ Direct support contact for unresolved problems
If you have any issues that you cannot solve, contact our Support or send us an email at support@nodinite.com
There is a problem sending e-mail to office365.com
- You must have an account with the right to send e-mails
- Outbound TCP Port 587 must be allowed
- DNS Port 53 (TCP and UDP) must be open
- Make sure the password never expires, OR, make sure you have a routine to change it accordingly
- Multi-factor authentication must be disabled for the account sending the e-mail
- You must check the 'Use SSL' checkbox on the e-mail plugin
- The account must have the SMTP Authentication option checked in the office365 portal
Please use this guide
The SMTP Authentication must be checked.
There is a problem sending e-mail to SendGrid
When using SendGrid as your SMTP provider with Nodinite email alarm plugins, you may encounter SSL/TLS certificate validation errors. This section helps you diagnose and resolve connectivity issues with SendGrid.
Common Error Symptoms
You may see errors similar to:
Failed to send all e-mail alarms, To:"user@example.com", Subject: "[Alert] Error",
Errors:"An error occurred while attempting to establish an SSL or TLS connection.
The server's SSL certificate could not be validated for the following reasons:
• The server certificate has the following errors:
• The revocation function was unable to check revocation for the certificate.
• The revocation function was unable to check revocation because the revocation server was offline.
• An intermediate certificate has the following errors:
• The revocation function was unable to check revocation for the certificate.
• The revocation function was unable to check revocation because the revocation server was offline.
Inner Exception: The remote certificate was rejected by the provided RemoteCertificateValidationCallback."
Root Cause
Your Nodinite server cannot verify SendGrid's SSL/TLS certificate due to firewall restrictions, missing CA certificates, or proxy configuration issues preventing access to certificate revocation lists (CRL) and OCSP responders.
Required Network Access
Your Nodinite Application Server must have outbound access to the following:
| Service | URL/Endpoint | Protocol | Purpose |
|---|---|---|---|
| SendGrid SMTP | smtp.sendgrid.net:587 |
TCP/TLS | Email delivery via SMTP with STARTTLS |
| GoDaddy CRL | http://crl.godaddy.com/ |
HTTP (TCP 80) | Certificate Revocation List validation (primary) |
| GoDaddy OCSP | http://ocsp.godaddy.com/ |
HTTP (TCP 80) | Online Certificate Status Protocol validation (primary) |
| GoDaddy Certs | http://certificates.godaddy.com/ |
HTTP (TCP 80) | GoDaddy certificate repository |
| DigiCert CRL #1 | http://crl3.digicert.com/ |
HTTP (TCP 80) | Certificate Revocation List validation (legacy/regional) |
| DigiCert CRL #2 | http://crl4.digicert.com/ |
HTTP (TCP 80) | Certificate Revocation List validation (legacy/regional) |
| DigiCert OCSP | http://ocsp.digicert.com/ |
HTTP (TCP 80) | Online Certificate Status Protocol validation (legacy/regional) |
| DNS Resolution | DNS Server | UDP/TCP 53 | Name resolution for all above endpoints |
Important
SendGrid currently uses GoDaddy-signed SSL/TLS certificates in most regions (as of December 2025). Some configurations or regions may still use DigiCert certificates. Windows validates these certificates by checking Certificate Revocation Lists (CRL) and OCSP endpoints. If your firewall blocks access to
crl.godaddy.com,ocsp.godaddy.com, or the DigiCert equivalents, certificate validation will fail and Nodinite cannot send emails through SendGrid.
Note
SendGrid has transitioned from DigiCert to GoDaddy certificates. If your connection was previously working with DigiCert endpoints but now fails, ensure your firewall allows access to the GoDaddy CRL/OCSP endpoints listed above.
Step 1: Verify Required CA Certificates
SendGrid currently uses the GoDaddy certificate chain in most regions (as of December 2025). Some configurations may still use DigiCert. Verify that your server has the required intermediate CA certificates installed:
# Check for GoDaddy certificates (current primary CA)
Write-Host "Checking for GoDaddy certificates..." -ForegroundColor Cyan
Get-ChildItem Cert:\LocalMachine\CA | Where-Object {$_.Subject -like "*Go Daddy*"} | Format-Table Subject, Thumbprint, NotAfter
# Check for DigiCert certificates (legacy/regional)
Write-Host "`nChecking for DigiCert certificates..." -ForegroundColor Cyan
Get-ChildItem Cert:\LocalMachine\CA | Where-Object {$_.Subject -like "*DigiCert*"} | Format-Table Subject, Thumbprint, NotAfter
Expected Certificates
GoDaddy certificates (primary - most common):
Go Daddy Root Certificate Authority - G2Go Daddy Secure Certificate Authority - G2Go Daddy Class 2 Certification Authority
DigiCert certificates (legacy/regional - some configurations):
DigiCert Global Root G2DigiCert TLS RSA SHA256 2020 CA1- Other DigiCert intermediate or root certificates
Note
Windows Update typically installs GoDaddy and DigiCert certificates automatically. These are trusted root certificates included in the Windows certificate store. If certificates are missing, run Windows Update or download them manually from the respective CA websites.
Install Missing GoDaddy Certificates (If Required)
# GoDaddy certificates are typically pre-installed by Windows
# If missing, download from GoDaddy's repository
$goDaddyUrl = "https://certs.godaddy.com/repository"
Write-Host "GoDaddy certificates: $goDaddyUrl" -ForegroundColor Cyan
Write-Host "Download and import manually if required, or run Windows Update" -ForegroundColor Yellow
Install Missing DigiCert Certificates (If Required)
# Download and import DigiCert Global Root G2 (example for legacy configurations)
$url = "https://cacerts.digicert.com/DigiCertGlobalRootG2.crt"
$certPath = "$env:TEMP\DigiCertGlobalRootG2.crt"
Invoke-WebRequest -Uri $url -OutFile $certPath -UseBasicParsing
Import-Certificate -FilePath $certPath -CertStoreLocation Cert:\LocalMachine\CA
Remove-Item $certPath -Force
Write-Host "DigiCert Global Root G2 imported successfully" -ForegroundColor Green
Step 2: Verify Firewall and Network Connectivity
Test connectivity to SendGrid and DigiCert endpoints:
Test SendGrid SMTP Port
# Test SMTP connectivity to SendGrid
Test-NetConnection -ComputerName smtp.sendgrid.net -Port 587
Expected Output
ComputerName : smtp.sendgrid.net
RemoteAddress : <IP Address>
RemotePort : 587
InterfaceAlias : Ethernet
SourceAddress : <Your Server IP>
TcpTestSucceeded : True
If TcpTestSucceeded is False, check:
- Firewall rules - Ensure outbound TCP 587 is allowed
- Proxy configuration - SMTP traffic may need proxy bypass
- Network Security Groups (NSG) - For Azure-hosted servers
Test CRL/OCSP Accessibility
# Test GoDaddy CRL/OCSP endpoints (primary)
Write-Host "Testing GoDaddy CRL/OCSP endpoints (primary CA)..." -ForegroundColor Cyan
try {
Invoke-WebRequest -Uri http://crl.godaddy.com -UseBasicParsing -TimeoutSec 5
Write-Host "✓ crl.godaddy.com is accessible" -ForegroundColor Green
} catch {
Write-Warning "✗ crl.godaddy.com is NOT accessible: $_"
}
try {
Invoke-WebRequest -Uri http://ocsp.godaddy.com -UseBasicParsing -TimeoutSec 5
Write-Host "✓ ocsp.godaddy.com is accessible" -ForegroundColor Green
} catch {
Write-Warning "✗ ocsp.godaddy.com is NOT accessible: $_"
}
try {
Invoke-WebRequest -Uri http://certificates.godaddy.com -UseBasicParsing -TimeoutSec 5
Write-Host "✓ certificates.godaddy.com is accessible" -ForegroundColor Green
} catch {
Write-Warning "✗ certificates.godaddy.com is NOT accessible: $_"
}
# Test DigiCert CRL/OCSP endpoints (legacy/regional)
Write-Host "`nTesting DigiCert CRL/OCSP endpoints (legacy/regional)..." -ForegroundColor Cyan
try {
Invoke-WebRequest -Uri http://crl3.digicert.com -UseBasicParsing -TimeoutSec 5
Write-Host "✓ crl3.digicert.com is accessible" -ForegroundColor Green
} catch {
Write-Warning "✗ crl3.digicert.com is NOT accessible: $_"
}
try {
Invoke-WebRequest -Uri http://crl4.digicert.com -UseBasicParsing -TimeoutSec 5
Write-Host "✓ crl4.digicert.com is accessible" -ForegroundColor Green
} catch {
Write-Warning "✗ crl4.digicert.com is NOT accessible: $_"
}
try {
Invoke-WebRequest -Uri http://ocsp.digicert.com -UseBasicParsing -TimeoutSec 5
Write-Host "✓ ocsp.digicert.com is accessible" -ForegroundColor Green
} catch {
Write-Warning "✗ ocsp.digicert.com is NOT accessible: $_"
}
If Endpoints Are Not Accessible
Check Windows Firewall:
# Allow outbound HTTP (port 80) for CRL/OCSP New-NetFirewallRule -DisplayName "Allow HTTP for CRL/OCSP" -Direction Outbound -Protocol TCP -RemotePort 80 -Action AllowCheck corporate firewall/proxy - Contact your network team to allow:
*.godaddy.com(HTTP/HTTPS) - Primary CA*.digicert.com(HTTP/HTTPS) - Legacy/regional CAsmtp.sendgrid.net:587(TCP/TLS)
Proxy bypass configuration - If using a proxy, add CRL/OCSP endpoints to bypass list:
# Check current proxy settings netsh winhttp show proxy # Set proxy with bypass list (example - includes both GoDaddy and DigiCert) netsh winhttp set proxy proxy-server="http://proxy.example.com:8080" bypass-list="*.godaddy.com;*.digicert.com;smtp.sendgrid.net"
Step 3: Verify DNS Resolution
Ensure DNS is resolving SendGrid, GoDaddy, and DigiCert endpoints correctly:
# Test DNS resolution
$endpoints = @(
"smtp.sendgrid.net",
"crl.godaddy.com",
"ocsp.godaddy.com",
"certificates.godaddy.com",
"crl3.digicert.com",
"crl4.digicert.com",
"ocsp.digicert.com"
)
foreach ($endpoint in $endpoints) {
try {
$result = Resolve-DnsName $endpoint -ErrorAction Stop
Write-Host "✓ $endpoint resolves to: $($result.IPAddress -join ', ')" -ForegroundColor Green
} catch {
Write-Warning "✗ $endpoint DNS resolution failed: $_"
}
}
If DNS Resolution Fails
- Verify DNS server configuration
- Check firewall allows UDP/TCP port 53 outbound
- Test with alternate DNS (e.g., 8.8.8.8 or 1.1.1.1)
Step 4: Test SendGrid SMTP Authentication
Verify your SendGrid API key is configured correctly:
# Test SMTP authentication (replace with your actual API key)
$smtpServer = "smtp.sendgrid.net"
$smtpPort = 587
$apiKey = "YOUR_SENDGRID_API_KEY" # Use your actual API key
$smtp = New-Object Net.Mail.SmtpClient($smtpServer, $smtpPort)
$smtp.EnableSsl = $true
$smtp.Credentials = New-Object System.Net.NetworkCredential("apikey", $apiKey)
try {
$mail = New-Object System.Net.Mail.MailMessage
$mail.From = "noreply@yourdomain.com"
$mail.To.Add("test@yourdomain.com")
$mail.Subject = "Test Email from Nodinite"
$mail.Body = "This is a test email to verify SendGrid connectivity."
$smtp.Send($mail)
Write-Host "✓ Email sent successfully via SendGrid!" -ForegroundColor Green
} catch {
Write-Error "✗ Failed to send email: $_"
} finally {
$mail.Dispose()
}
Test SendGrid SSL/TLS Certificate Chain
To verify the SSL/TLS certificate chain for SendGrid:
# Test SendGrid certificate chain
$smtpServer = "smtp.sendgrid.net"
$smtpPort = 587
try {
$tcpClient = New-Object System.Net.Sockets.TcpClient
$tcpClient.Connect($smtpServer, $smtpPort)
# Read SMTP banner
$stream = $tcpClient.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.AutoFlush = $true
$banner = $reader.ReadLine()
Write-Host "SMTP Banner: $banner" -ForegroundColor Cyan
# Send EHLO command
$writer.WriteLine("EHLO testclient")
do {
$response = $reader.ReadLine()
Write-Host "EHLO Response: $response" -ForegroundColor Gray
} while ($response -and $response.StartsWith("250-"))
# Send STARTTLS command
$writer.WriteLine("STARTTLS")
$response = $reader.ReadLine()
Write-Host "STARTTLS Response: $response" -ForegroundColor Cyan
if ($response -match "^220") {
# Upgrade to SSL/TLS
$sslStream = New-Object System.Net.Security.SslStream($stream, $false)
$sslStream.AuthenticateAsClient($smtpServer)
# Get certificate
$cert = $sslStream.RemoteCertificate
$cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
Write-Host "`nCertificate Information:" -ForegroundColor Green
Write-Host " Subject: $($cert2.Subject)" -ForegroundColor White
Write-Host " Issuer: $($cert2.Issuer)" -ForegroundColor White
Write-Host " Expires: $($cert2.NotAfter)" -ForegroundColor White
Write-Host " Thumbprint: $($cert2.Thumbprint)" -ForegroundColor White
# Check certificate chain
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$isValid = $chain.Build($cert2)
Write-Host "`nCertificate Chain Status: " -NoNewline
if ($isValid) {
Write-Host "Valid" -ForegroundColor Green
} else {
Write-Host "Invalid or Incomplete" -ForegroundColor Yellow
}
Write-Host "`nCertificate Chain:" -ForegroundColor Cyan
foreach ($element in $chain.ChainElements) {
Write-Host " - $($element.Certificate.Subject)" -ForegroundColor White
foreach ($status in $element.ChainElementStatus) {
Write-Host " Status: $($status.Status) - $($status.StatusInformation)" -ForegroundColor $(if ($status.Status -eq 'NoError') { 'Green' } else { 'Yellow' })
}
}
$sslStream.Close()
}
$tcpClient.Close()
Write-Host "`n✓ Certificate chain inspection complete" -ForegroundColor Green
} catch {
Write-Error "✗ Failed to inspect certificate: $_"
} finally {
if ($tcpClient) { $tcpClient.Dispose() }
}
Tip
If you see revocation check errors in the certificate chain output, verify that your server can access the GoDaddy endpoints (
crl.godaddy.com,ocsp.godaddy.com) and/or DigiCert endpoints (crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com) depending on which CA issued your certificate (Step 2).
Warning
Common Mistake: Do NOT try to establish SSL/TLS directly on port 587. SendGrid uses STARTTLS (explicit TLS), which means the connection starts as plain text SMTP and then upgrades to TLS after the STARTTLS command. Attempting immediate SSL/TLS handshake will fail with "corrupted frame" errors. The script above demonstrates the correct STARTTLS sequence: connect → EHLO → STARTTLS → upgrade to SSL/TLS → authenticate.
Step 5: Configure Nodinite Email Alarm Plugin
In Nodinite Web Client, configure the Email Alarm Plugin with these settings:
| Setting | Value |
|---|---|
| SMTP Server | smtp.sendgrid.net |
| Port | 587 |
| Use SSL/TLS | ✅ Checked (required) |
| Username | apikey (literally "apikey", not your actual key) |
| Password | <Your SendGrid API Key> (starts with SG.) |
| From Address | Verified sender address in SendGrid |
Tip
SendGrid requires the username to be exactly
apikey(not your email address). The password is your actual SendGrid API key.
Troubleshooting Common Issues
Issue: "The revocation function was unable to check revocation"
Cause: CRL/OCSP Endpoints Blocked
CRL/OCSP endpoints blocked by firewall or proxy.
Solution: Allow CRL/OCSP Access
Allow outbound HTTP (port 80) to
*.godaddy.com(primary CA) and*.digicert.com(legacy/regional CA)Configure proxy bypass for
*.godaddy.comand*.digicert.comif using a proxyAs a temporary workaround (not recommended for production), disable certificate revocation checking:
# Disable CRL checking (TEMPORARY - not recommended for production) # This should only be used for testing/troubleshooting [System.Net.ServicePointManager]::CheckCertificateRevocationList = $false
Issue: "The remote certificate was rejected"
Cause: Missing or Corrupted Certificates
Missing GoDaddy or DigiCert intermediate certificates or corrupted certificate store.
Solution: Install or Rebuild Certificates
Install GoDaddy or DigiCert intermediate certificates (see Step 1)
Run Windows Update to refresh certificate store
Rebuild certificate store:
# Rebuild certificate store (requires restart) certutil -generateSSTFromWU roots.sst
Issue: Connection timeout on port 587
Cause: Firewall Blocking SMTP
Firewall blocking outbound SMTP traffic.
Solution: Allow SMTP Port 587
- Allow outbound TCP 587 in Windows Firewall
- Check corporate firewall rules for
smtp.sendgrid.net:587 - Verify no antivirus/security software blocking SMTP
Issue: Proxy blocking traffic
Cause: Proxy Intercepting Traffic
Corporate proxy intercepting SMTP or CRL/OCSP traffic.
Solution: Configure Proxy Bypass
- Configure proxy bypass for SendGrid, GoDaddy, and DigiCert endpoints
- Use authenticated proxy if required
- Contact network team to whitelist endpoints
Advanced Diagnostics
Capture Network Traffic
Use Test-NetConnection with verbose output:
Test-NetConnection smtp.sendgrid.net -Port 587 -InformationLevel Detailed
Note
For detailed certificate chain inspection, use the complete STARTTLS script provided in Step 4 above. The script properly handles the SMTP STARTTLS handshake sequence required for port 587.
Summary Checklist
Before contacting support, verify:
- ✅ GoDaddy intermediate certificates installed in
Cert:\LocalMachine\CA(primary CA - check first) - ✅ DigiCert intermediate certificates installed in
Cert:\LocalMachine\CA(legacy/regional CA - if applicable) - ✅ Outbound TCP 587 allowed to
smtp.sendgrid.net - ✅ Outbound HTTP (port 80) allowed to
crl.godaddy.com,ocsp.godaddy.com,certificates.godaddy.com - ✅ Outbound HTTP (port 80) allowed to
crl3.digicert.com,crl4.digicert.com,ocsp.digicert.com(if using DigiCert certificates) - ✅ DNS resolution working for all SendGrid, GoDaddy, and DigiCert endpoints
- ✅ Proxy bypass configured for
*.godaddy.com,*.digicert.com, andsmtp.sendgrid.net(if applicable) - ✅ SendGrid API key valid and correctly configured in Nodinite
- ✅ "Use SSL/TLS" checkbox enabled in Email Alarm Plugin configuration
How do I customize Alert properties?
You can use Macros in Nodinite. Please review the Variables user guide for more details.