KB87080
Published: March 30, 2018
Revision: 3.0

SendEmail and SendEmail With Attachments commands may result in -2104 status code


Applies To:

PAC Firmware for:
SNAP-PAC-S1
SNAP-PAC-S1-FM
SNAP-PAC-S1-W
SNAP-PAC-S2
SNAP-PAC-S2-W
SNAP-PAC-R1
SNAP-PAC-R1-FM
SNAP-PAC-R1-W
SNAP-PAC-R1-B
SNAP-PAC-R2
SNAP-PAC-R2-FM
SNAP-PAC-R2-W

Versions Affected:

All versions


Symptoms:

When using either the SendEmail or SendEmail With Attachments command, the result of the command may be a -2104 status code (SSL: Handshake failed due to invalid or unverifiable certificate).

Cause:


Applicable to Gmail users: In February 2017, Google announced that it will change the security certificates used by Gmail (without notice). Google recently changed the required security certificate used with Gmail. As a result, the certificate in PAC firmware no longer works with Gmail.

Workaround:

This workaround is valid only for Gmail users, and only until the next time Google changes the security certificate used with Gmail.

Follow these steps to download and install a certificate that works (as of March 30, 2018) with Gmail.

  1. Go to the Opto 22 FTP website (ftp://ftp.opto22.com). 
    Note: Some browsers automatically put the characters "http://" in front of some URLS. If this happens, you'll need to delete the http:// characters (or type ftp://ftp.opto22.com in your browser's URL address field) and then press Enter.
     
  2. Browse to this folder: /Public_Folders_(Unsecured)/Archives_(Software_and_Firmware)/Firmware_Archives/SNAP-PAC_Firmware_Archives/Gmail_CA_Root_Certificate/
     
  3. Download the GSR2.crt file.

    Note: In March 2018, some customers reported that the GlobalSignRootCA-R2.crt file no longer worked for this workaround. We recommend you try GSR2.crt in the following steps. If you continue to have issues, try GlobalSignRootCA-R2.crt.
     
  4. Open PAC Manager, and go to the I/O Unit Maintenance window (Tools > Maintenance).
    Note: As part of the process of installing the certificate on the controller, the controller will be restarted in order for it to take effect. You may need to schedule a system shutdown to coordinate putting the certificate on the controller and rebooting the controller.
     
  5. In the Command section, select "Upload File to I/O Unit". 
  6. Use the Browse button [...] to find and select the downloaded certificate. 
  7. In the Destination field, type /pki/root-certs/ and the name you want the certificate to have on the controller; for example:
    /pki/root-certs/GSR2.crt
  8. Select the IP address of the SNAP PAC device that you want to install the certificate on.
  9. Click Execute.
  10. Select the Save Files To Flash command, and then click Execute.
  11. Restart the SNAP PAC device to activate the certificates.
Note: This workaround is temporary because Google may change the certificate again at any time.

Resolution:

Because email service providers can change security certificates without notice, Opto 22 can no longer guarantee that the certificates included with PAC firmware will work with the SendEmail and SendEmailWithAttachments command. 

Consequently, Opto 22 recommends you (or your IT department) identify and install the certificate(s) required by your email service provider.

For instructions to install CA Root certificates, see “Installing CA Root Certificates” in the PAC Control User’s Guide (form 1700).

Questions?

Contact: Opto 22 Product Support.
Phone: 800-835-6786 or 951-695-3080
Email: support@opto22.com


DISCLAIMER

This Opto 22 Knowledge Base ('OptoKB') article is intended to provide general technical information on a particular subject or subjects and is not an exhaustive treatment of such subjects. Accordingly, the information in this OptoKB article is not intended to constitute application, design, software, or other professional engineering advice or services. Opto 22 may modify the OptoKB articles at any time. Before making any decision or taking any action which might affect your equipment, you should consult a qualified professional.

OPTO 22 DOES NOT WARRANT THE COMPLETENESS, TIMELINESS, OR ACCURACY OF THE DATA CONTAINED IN THIS OPTOKB ARTICLE AND MAY MAKE CHANGES THERETO AT ANY TIME AT ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS 'AS IS.' IN NO EVENT SHALL OPTO 22 BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT INCIDENTAL, CONSEQUENTIAL, LOSS PROFIT, OR DAMAGE, EVEN IF OPTO 22 HAS BEEN ADVISED ON THE POSSIBILITY OF SUCH DAMAGES.

OPTO 22 DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED WITH RESPECT TO THE INFORMATION (INCLUDING HARDWARE, SOFTWARE, AND/OR FIRMWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTIBILITY, AND NON-INFRINGEMENT. Note that certain jurisdictions do not sanction the exclusion of implied warranties: thus, this disclaimer may not apply to you.

Copyright © 2019 Opto 22. All rights reserved.