The Symptom
Suddenly, around June 17, 2026, Nextcloud twofactor-email stopped sending emails through an unauthenticated Microsoft 365 SMTP relay connector (typically on port 25).
In the Nextcloud Web UI under Basic Settings, triggering a test email fails with a generic error:
Failed sending test email: Email could not be sent. Check your mail server log
Checking the nextcloud.log reveals a vague RuntimeException or an underlying OpenSSL failure:
unable to get local issuer certificate
The Cause
On June 16, 2026, an upstream Linux security update (ca-certificates package) modified the active Mozilla root authority bundle, deprecating or purging several aging root certificates.
Microsoft’s regional *.mail.protection.outlook.com endpoints frequently utilize intermediate certificates like DigiCert Cloud Services CA-1, which chain directly back to the classic, older DigiCert Global Root CA (G1). Because this root certificate was dropped by the OS update, Nextcloud’s unauthenticated connection (which relies on opportunistic TLS/STARTTLS via PHPMailer) fails the SSL handshake silently and drops the email.
The Work-Around (Tested on Ubuntu 24.04 LTS)
To resolve this issue without permanently reducing your system security (i.e., avoiding verify_peer => false workarounds in config.php), and without waiting for Microsoft to update the certificate(s) for *.mail.protection.outlook.com you must manually re-introduce the missing root and intermediate certificates to your local OS store in the correct PEM format.
1. Download and Convert the Required Certificates
Ubuntu’s update-ca-certificates script silently ignores binary (DER) certificate files. We must pull them down and force OpenSSL to convert them into standard base64 PEM text files:
Bash
cd /usr/local/share/ca-certificates/
# Download and convert the classic DigiCert Global Root CA (G1)
sudo openssl x509 -inform DER -in <(curl -s https://cacerts.digicert.com/DigiCertGlobalRootCA.crt) -out DigiCert_Global_Root_CA.crt
# Download and convert the DigiCert Cloud Services CA-1 Intermediate
sudo openssl x509 -inform DER -in <(curl -s https://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt) -out DigiCert_Cloud_Services_CA-1.crt
2. Rebuild the Ubuntu Certificate Store
Force the operating system to completely wipe its cached paths and compile the newly added files:
Bash
sudo update-ca-certificates --fresh
(Ensure the output shows that new certificates were actively added to the store).
3. Verify the Handshake Natively
Before testing inside Nextcloud, ensure the underlying operating system now trusts the Microsoft endpoint by running:
Bash
openssl s_client -connect yourdomain-org.mail.protection.outlook.com:25 -starttls smtp -CApath /etc/ssl/certs
Scroll to the very bottom of the response. If you see Verification: OK, your TLS handshake is fixed and Nextcloud email functionality will resume instantly!
4. Cleanup
Manually monitor the certs for mail.protection.outlook.com
# set DOM to the outlook.com hostname for your domain
export DOM=microsoft-com.mail.protection.outlook.com
# Check the last cert in the chain for $DOM
openssl s_client -connect $DOM:25 -starttls smtp -showcerts </dev/null 2>/dev/null |grep "i:" |tail -1
When the last line no longer ends with “CN = DigiCert Global Root CA”, delete the manually installed certificate:
sudo rm -f /usr/local/share/ca-certificates/DigiCert_Global_Root_CA.crt /usr/local/share/ca-certificates/DigiCert_Cloud_Services_CA-1.crt && sudo update-ca-certificates --fresh
Credits & Acknowledgments
Gemini helped with both resolving this issue on my server and writing this post