Email notification ssl certificate check - how do I ignore it?

So I just setup graylog to send me email alerts to my in house and private home email server that I have been using for years for all my IOT, email alert needs, etc. However Graylog seems to not have an option to ignore the ssl cert check. What is the magic command I need to put in the server.conf to ignore the check? I can not find the command anywhere.

Using the most up to date version of graylog open on:
Linux graylog 5.10.0-24-amd64 #1 SMP Debian 5.10.179-5 (2023-08-08) x86_64 GNU/Linux

Error: Notification has email recipients and is triggered, but sending emails failed. Sending the email to the following server failed

An error occurred while trying to send an email! (triggered a few seconds ago)
The Graylog server encountered an error while trying to send an email.
This is the detailed error message: org.apache.commons.mail.EmailException:
Sending the email to the following server failed : (javax.mail.MessagingException: Could not connect to SMTP host:, port: 1025;
nested exception is: PKIX path building failed: unable to find valid certification path to requested target)

My current setup is:

# Email transport
transport_email_enabled = true
transport_email_hostname =
transport_email_port = 1025
transport_email_use_auth = true
transport_email_auth_username =
transport_email_auth_password = yeah, not posting that here either :-)
transport_email_from_email =

# Encryption settings
#    Using SMTP with STARTTLS *and* SMTPS at the same time is *not* possible.

# Use SMTP with STARTTLS, see
transport_email_use_tls = false

# Use SMTP over SSL (SMTPS), see
# This is deprecated on most SMTP services!
transport_email_use_ssl = true

Hey @grayl0g-is-not-easy

By chance did you set this configuration?

transport_email_web_interface_url = https://graylog_server:9000

NOTE: I missed the error in the logs, Do you have TCP/TLS enable on graylog?

appreciate your time on the attempt. Unfortunately transport_email_web_interface_url has nothing to do with this as that command is used for the below defined right in the config (and yes it’s on/set for me)

# Specify and uncomment this if you want to include links to the stream in your stream alert mails.
# This should define the fully qualified base url to your web interface exactly the same way as it is accessed by your users.
transport_email_web_interface_url = http://blah blah blah

The error is clear. It’s checking for a cert, I need graylog to NOT. There has to be a way, I mean even during lab setups, testing, etc to ignore this when not in production.

ChatGPT told me to do this: however no clue how to really implement it, or even if it will work.

Another option is to add the -k or –insecure flag to the curl command in the script, which will make curl ignore the certificate validation3. 

Ignore CA

I couldn’t find an option to disable the email TLS validation. However, you should be able to resolve by doing the following:

  1. grab the cert from the email server (something like this)
  2. import that cert into a Java Key Store (JKS) (see the Java Key Store and IMPORT CERTS sections of this)
  3. configure graylog nodes to use this JKS (see the CONFIGURE GRAYLOG section of this)
1 Like

I am usually super busy, hence the late reply. Was afraid of that!! Sad that a simple one liner for “ignore cert check” is not an option. I will give your suggestion a try over the next week and report back. Kinda figured it would go this way without that option in the config. Thanks again…

1 Like

Holy good god that’s going to be complicated. I was hoping to simply export my asynchronous key pair on the email server (which was a click of a button) then (this is where the dumpster fire started) import the email servers public key, on the graylog server…BWHAHAHAHAAHA yeah right. There are like a ton of other steps necessary. Not sure this will ever happen for me then. Seems like I need to setup an entire internal ROOT CA server of some kind for this as well and export those chains/certs also to graylog. NOPE NOPE NOPE just tooooo much lol. on a positive side, the articles you provided were really good, thanks!

Just super disappointed again that a simple one liner in the config to “ignore cert validation check” does not exist! I still can’t believe this, that in a lab environment, an entire in house cert root ca system needs to be setup! Just boggles my mind.

I definitely understand the frustration. We know that TLS/cert management is an area of improvement for us. The good news though, or possibly the silver lining, is that once you set up the JKS once, you can just add to it as needed.

I’ve not recently tested self-signed/generated certs but my assumption is that cert can be imported into the JKS and it would work the same (validating the cert as valid as long as all other attribute are valid such as expiry time, subject, and SAN [subject alternative names such as DNS].

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.