AC

I would like to configure ARIS Connect 10 to use authenticated SMTP to talk with our Exchange server. Mailserver and port are OK, as should be the SSL mode (STARTTLS), but there seems to be a certificate problem:

2019-08-09 08:00:43,871|ERROR|umcbundle0000000000|||0000000010|pool-27-thread-1|EmailDispatcher$DispatchJob - Failed to send email notification: unable to find valid certification path to requested target
2019-08-09 08:00:43,873|ERROR|umcbundle0000000000|||0000000010|pool-27-thread-1|EmailDispatcher - org.apache.commons.mail.EmailException: Sending the email to the following server failed : [mail server]:587
    at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1469)
    at org.apache.commons.mail.Email.send(Email.java:1496)
    at com.aris.umc.notification.EmailDispatcher$DispatchJob.run(EmailDispatcher.java:186)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1880)
    at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:648)
    at javax.mail.Service.connect(Service.java:317)
    at javax.mail.Service.connect(Service.java:176)
    at javax.mail.Service.connect(Service.java:125)
    at javax.mail.Transport.send0(Transport.java:194)
    at javax.mail.Transport.send(Transport.java:124)
    at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1459)
    ... 5 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:507)
    at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:447)
    at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1875)
    ... 12 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:262)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
    ... 22 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    ... 28 more



I added a certificate for our domain to the keystore (assuming it was [ARIS10.0 folder]\server\jre\lib\security\cacerts), using keytool in the jre\bin folder.

Now I don't know if I still fail because

  1. I used the wrong keystore
  2. The keystore has to be configured somehow
  3. The certificate was of the wrong type

I am quite sure that 3 is the case, because I was searching in the dark. The certificate was a valid domain wildcard signed by GlobalSign, but had nothing specifically about the server ARIS Connect is running on nor the Exchange server.

I'd appreciate help.

by Patrik Siffrin
Posted on Fri, 08/09/2019 - 13:58
Hi,

"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

This message says that the certificate of your Exchange cannot be verified using the cacerts of the ARIS Server, which is located correctly at [ARIS10.0 folder]\server\jre\lib\security\cacerts, as you already stated.

First proposal: Restart ARIS runnables (at least the umcadmin runnable) for these changes to take effect.

That is the most common cause.

Remark:

If your Exchange server has a valid domain cert signed by GlobalSign, you should not need to import this wildcard cert at all, because the "GlobalSign" Root cert should be in the cacerts from the start.

If your ARIS version (and therefore the used JRE) is very old and GlobalSign changed their root cert, which can happen from time to time, I would recommend to test a cacerts file from an up-to-date JRE at [ARIS10.0 folder]\server\jre\lib\security\cacerts for testing purposes (do not forget to restart runnables after that).

Other possibilities are problems with the nameservice, but this would cause other error messages.

Regards

Patrik
