ARIS Connect 10 - auth SMTP to Exchange

Andrea Classen on August 9, 2019

I would like to configure ARIS Connect 10 to use authenticated SMTP to talk with our Exchange server. Mailserver and port are OK, as should be the SSL mode (STARTTLS), but there seems to be a certificate problem

2019-08-09 08:00:43,871|ERROR|umcbundle0000000000|||0000000010|pool-27-thread-1|EmailDispatcher$DispatchJob - Failed to send email notification: unable to find valid certification path to requested target
2019-08-09 08:00:43,873|ERROR|umcbundle0000000000|||0000000010|pool-27-thread-1|EmailDispatcher - org.apache.commons.mail.EmailException: Sending the email to the following server failed : [mail server]:587
    at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1469)
    at org.apache.commons.mail.Email.send(Email.java:1496)
    at com.aris.umc.notification.EmailDispatcher$DispatchJob.run(EmailDispatcher.java:186)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1880)
    at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:648)
    at javax.mail.Service.connect(Service.java:317)
    at javax.mail.Service.connect(Service.java:176)
    at javax.mail.Service.connect(Service.java:125)
    at javax.mail.Transport.send0(Transport.java:194)
    at javax.mail.Transport.send(Transport.java:124)
    at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1459)
    ... 5 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:507)
    at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:447)
    at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1875)
    ... 12 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:262)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
    ... 22 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    ... 28 more

I added a certificate for our domain to the keystore (assuming it was [ARIS10.0 folder]\server\jre\lib\security\cacerts), using keytool in the jre\bin folder

Now I don't know if I still fail because

I used the wrong keystore
The keystore has to be configured somehow
The certifcate was of the wrong type

I am quite sure that 3 is the case, because I was searching in the dark. The certificate was a valid domain wildcard signed by GlobalSign, but had nothing specifically about the server ARIS Connect is running on nor the Exchange server.

I'd appreciate help.

Tags: #aris10; #arisconnect; #configuration

Notify Moderator

Patrik Siffrin on August 9, 2019

Hi,

"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

This message says, that the certificate of your exchange can not be verified using the cacerts of the ARIS Server which is locate correctly at [ARIS10.0 folder]\server\jre\lib\security\cacerts as you already stated.

First proposal: Restart ARIS runnables (at least the umcadmin runnable) for these changs to take effect.

That is the most common cause..

Remark:

If your Exchange server has a valid domain cert signed by GlobalSign, you should not need to import this wildcard cert at all, because the "GlobalSign" Root cert should be in the cacerts from the start.

If your ARIS version (and therefore the used JRE) is very old and GlobalSign changed their root cert which can happen from time to time, i would recommend to test a cacerts file from an uptodated JRE at [ARIS10.0 folder]\server\jre\lib\security\cacerts for testing purposes (do not forget to restart runnables after that)

Other possibilities are problems with the nameservice but this would cause other error messages.

Regards

Patrik

or register to reply.

Show in context Notify Moderator

ARIS Connect 10 - auth SMTP to Exchange

Best Reply

1 Reply

ARIS User Group DACH meeting

ARIS Summit 2025 | Kuala Lumpur

ARIS Super User Group Meeting