I would like to configure ARIS Connect 10 to use authenticated SMTP to talk with our Exchange server. Mailserver and port are OK, as should be the SSL mode (STARTTLS), but there seems to be a certificate problem:
2019-08-09 08:00:43,871|ERROR|umcbundle0000000000|||0000000010|pool-27-thread-1|EmailDispatcher$DispatchJob - Failed to send email notification: unable to find valid certification path to requested target
2019-08-09 08:00:43,873|ERROR|umcbundle0000000000|||0000000010|pool-27-thread-1|EmailDispatcher - org.apache.commons.mail.EmailException: Sending the email to the following server failed : [mail server]:587
    at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1469)
    at org.apache.commons.mail.Email.send(Email.java:1496)
    at com.aris.umc.notification.EmailDispatcher$DispatchJob.run(EmailDispatcher.java:186)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.mail.MessagingException: Could not convert socket to TLS; nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1880)
    at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:648)
    at javax.mail.Service.connect(Service.java:317)
    at javax.mail.Service.connect(Service.java:176)
    at javax.mail.Service.connect(Service.java:125)
    at javax.mail.Transport.send0(Transport.java:194)
    at javax.mail.Transport.send(Transport.java:124)
    at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1459)
    ... 5 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:507)
    at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:447)
    at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1875)
    ... 12 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:262)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
    ... 22 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    ... 28 more
I added a certificate for our domain to the keystore (assuming it was [ARIS10.0 folder]\server\jre\lib\security\cacerts), using keytool in the jre\bin folder.
Now I don't know if I still fail because:
1. I used the wrong keystore
2. The keystore has to be configured somehow
3. The certificate was of the wrong type
I am quite sure that 3 is the case, because I was searching in the dark. The certificate was a valid domain wildcard signed by GlobalSign, but had nothing specifically about the server ARIS Connect is running on nor the Exchange server.
I'd appreciate help.
Hi, "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
This message says that the certificate of your Exchange cannot be verified using the cacerts of the ARIS Server, which is located correctly at [ARIS10.0 folder]\server\jre\lib\security\cacerts, as you already stated.
First proposal: Restart ARIS runnables (at least the umcadmin runnable) for these changes to take effect.
That is the most common cause.
Remark:
If your Exchange server has a valid domain cert signed by GlobalSign, you should not need to import this wildcard cert at all, because the "GlobalSign" Root cert should be in the cacerts from the start.
If your ARIS version (and therefore the used JRE) is very old and GlobalSign changed their root cert, which can happen from time to time, I would recommend testing a cacerts file from an up-to-date JRE at [ARIS10.0 folder]\server\jre\lib\security\cacerts for testing purposes (do not forget to restart runnables after that).
Other possibilities are problems with the nameservice, but this would cause other error messages.
Regards
Patrik
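
One way to check the points raised in this thread, as an added example that is not part of the original posts or of ARIS: a small Java client that performs the SMTP STARTTLS upgrade against the mail server and validates the presented chain against one specific cacerts file. The class name, the EHLO name and the argument order are assumptions; `changeit` is the stock JRE trust store password.

```java
import java.io.*;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;
// Usage: java StartTlsTrustCheck <mailhost> <port> <path-to-cacerts> [storepass]
public class StartTlsTrustCheck {
    public static void main(String[] a) throws Exception {
        String host = a[0]; int port = Integer.parseInt(a[1]);
        char[] pass = (a.length > 3 ? a[3] : "changeit").toCharArray(); // stock JRE store password
        // Load exactly the trust store file under test, not this JVM's default one.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(a[2])) { ks.load(in, pass); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        final X509TrustManager real = (X509TrustManager) tmf.getTrustManagers()[0];
        // Wrapper prints the chain the server presents, then delegates to the normal PKIX check.
        X509TrustManager reporting = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException { real.checkClientTrusted(c, t); }
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                for (int i = 0; i < c.length; i++)
                    System.out.println("[" + i + "] subject=" + c[i].getSubjectX500Principal().getName() + "\n    issuer=" + c[i].getIssuerX500Principal().getName());
                real.checkServerTrusted(c, t); // fails with the PKIX error if no trust anchor matches
            }
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { reporting }, null);
        try (Socket plain = new Socket(host, port)) {
            BufferedReader r = new BufferedReader(new InputStreamReader(plain.getInputStream(), StandardCharsets.US_ASCII));
            Writer w = new OutputStreamWriter(plain.getOutputStream(), StandardCharsets.US_ASCII);
            readReply(r); // 220 greeting
            w.write("EHLO trustcheck.invalid\r\n"); w.flush(); readReply(r);
            w.write("STARTTLS\r\n"); w.flush();
            if (!readReply(r).startsWith("220")) throw new IOException("server refused STARTTLS");
            SSLSocket tls = (SSLSocket) ctx.getSocketFactory().createSocket(plain, host, port, true);
            tls.startHandshake(); // trust path only; host name matching is not checked here
            System.out.println("OK: chain validates against " + a[2]);
        } catch (SSLHandshakeException e) { System.out.println("FAIL: " + e.getMessage()); }
    }
    // SMTP replies may span several lines ("250-..."); the last line has a space after the code.
    static String readReply(BufferedReader r) throws IOException {
        String line = r.readLine();
        while (line != null && line.length() > 3 && line.charAt(3) == '-') line = r.readLine();
        if (line == null) throw new IOException("connection closed");
        return line;
    }
}
```

Running it against the same cacerts file before and after a change shows whether the trust store content is the cause. The issuer printed for the last certificate in the chain names the CA certificate that the store has to contain.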