Java Does Not Trust Me - Quill and Gear

Do you have an application that uses Java, or comes with a JRE included, and do you use self-signed certificates, or even certificates from Let’s Encrypt? You might have issues, and the cause may not be all that obvious.

At work have a systems management application that uses a built-in copy of the JRE (Java Runtime Environment). This application during the course of normal operations (or, especially during abnormal operations) send emails to administrators, keeping them informed of overall system health, etc. When you first set this application up, it will not accept setting for an email server unless it is able to successfully send a test message. I understand this is so you cannot “set it and forget about it”, only to later realize that it never worked properly. It is mildly annoying that you end up retyping the login details a hundred times in the course setup when something doesn’t work right off the bat though, but I digress…

Our mail server is Microsoft Exchange 2016. The default SMTP connector for clients runs on TCP port 587, and requires TLS before you can authenticate using the LOGIN method (username and password send in base-64 encoding). The application in question allows you to configure all this stuff: host name, port, use TLS, authentication required, etc. Seemingly, everything checked out okay, but every time you hit save and the test runs, immediate failure. In fact, it failed so fast you would swear it wasn’t even checking anything. The exchange connector logs were not even showing anything.

The first issue was that the default “Client Frontend [Server name]” receive connector didn’t have logging turned on. Thus the no logs situation. Thanks Microsoft.

set-ReceiveConnector -Identity '[Server name]\Client Frontend MX1' -ProtocolLoggingLevel Verbose

1	set-ReceiveConnector -Identity '[Server name]\Client Frontend MX1' -ProtocolLoggingLevel Verbose

After this, I have logs. Here is what Exchange shows in the log:

[Removed for clarity],+,,
[Removed for clarity],>,"220 [Exchange Hostname] Microsoft ESMTP MAIL Service ready at Wed, 5 Apr 2017 11:01:42 -0700",
[Removed for clarity],<,EHLO [Application Hostname],
[Removed for clarity],>,250  [Exchange Hostname] Hello [10.1.4.58] SIZE 37748736 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS AUTH GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING,
[Removed for clarity],<,STARTTLS,
[Removed for clarity],>,220 2.0.0 SMTP server ready,
[Removed for clarity],*," CN=[External Exchange Hostname] CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US [Certificate Serial Number] [External Exchange Hostname];[Exchange Hostname]",Sending certificate Certificate subject Certificate issuer name Certificate serial number Certificate thumbprint Certificate subject alternate names
[Removed for clarity],*,,TLS negotiation failed with error CertUnknown
[Removed for clarity],-,,Local

[Removed for clarity],+,,

[Removed for clarity],>,"220 [Exchange Hostname] Microsoft ESMTP MAIL Service ready at Wed, 5 Apr 2017 11:01:42 -0700",

[Removed for clarity],<,EHLO [Application Hostname],

[Removed for clarity],>,250 [Exchange Hostname] Hello [10.1.4.58] SIZE 37748736 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS AUTH GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING,

[Removed for clarity],<,STARTTLS,

[Removed for clarity],>,220 2.0.0 SMTP server ready,

[Removed for clarity],*," CN=[External Exchange Hostname] CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US [Certificate Serial Number] [External Exchange Hostname];[Exchange Hostname]",Sending certificate Certificate subject Certificate issuer name Certificate serial number Certificate thumbprint Certificate subject alternate names

[Removed for clarity],*,,TLS negotiation failed with error CertUnknown

[Removed for clarity],-,,Local

Line 8 is the first clue (“TLS negotiation failed with error CertUnknown”). The certificate is issued for Let’s Encrypt and has the external hostname as the certificate subject, and both the external and internal hostnames as subject alternative names. Exchange is passing the correct cert, so time to check the other side of the connection. The logs from the application follow:

[12:20:58:181]|[04-05-2017]|[com.me.devicemanagement.onpremise.webclient.settings.SmtpConfiguration]|[INFO]|[114]|[a1e65a77-36d0-4b37-8f2e-24440c2f6cfe]: Password has been modified. Retrieving password from wizard form|
[12:20:58:181]|[04-05-2017]|[com.me.devicemanagement.framework.server.mailmanager.MailerUtils]|[INFO]|[114]|[a1e65a77-36d0-4b37-8f2e-24440c2f6cfe]: Mail Server Authentication is enabled. UserName : [Redacted]|
[12:20:58:181]|[04-05-2017]|[com.me.devicemanagement.framework.webclient.settings.SettingsUtil]|[INFO]|[114]|[a1e65a77-36d0-4b37-8f2e-24440c2f6cfe]: Checking the mail server configuration...|
[12:20:58:181]|[04-05-2017]|[com.me.devicemanagement.framework.server.mailmanager.MailProcessor]|[INFO]|[114]|[a1e65a77-36d0-4b37-8f2e-24440c2f6cfe]: Entering into sendMail Method .... |
[12:20:58:197]|[04-05-2017]|[com.me.devicemanagement.framework.server.mailmanager.MailProcessor]|[INFO]|[114]|[a1e65a77-36d0-4b37-8f2e-24440c2f6cfe]: Body content is added successfully|
[12:20:58:197]|[04-05-2017]|[com.me.devicemanagement.framework.server.mailmanager.MailProcessor]|[INFO]|[114]|[a1e65a77-36d0-4b37-8f2e-24440c2f6cfe]: Starting to send mail to the corresponding address ... |
[12:20:58:244]|[04-05-2017]|[com.me.devicemanagement.framework.server.mailmanager.MailProcessor]|[SEVERE]|[114]|[a1e65a77-36d0-4b37-8f2e-24440c2f6cfe]: Unable to Send Mail to the Address [Redacted] by Sender [Redacted]|
[12:20:58:244]|[04-05-2017]|[com.me.devicemanagement.framework.server.mailmanager.MailProcessor]|[INFO]|[114]|[a1e65a77-36d0-4b37-8f2e-24440c2f6cfe]: Caught exception in setting mail | 
javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
	javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1907)
	at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:666)
	at javax.mail.Service.connect(Service.java:317)
	at javax.mail.Service.connect(Service.java:176)
	at javax.mail.Service.connect(Service.java:125)
	at javax.mail.Transport.send0(Transport.java:194)
	at javax.mail.Transport.send(Transport.java:146)
	at com.me.devicemanagement.framework.server.mailmanager.MailProcessor.sendMail(MailProcessor.java:249)
	at com.me.devicemanagement.framework.webclient.settings.SettingsUtil.checkMailServer(SettingsUtil.java:286)
	at com.me.devicemanagement.onpremise.webclient.settings.SmtpConfiguration.checkMailServer(SmtpConfiguration.java:255)
	at com.me.devicemanagement.onpremise.webclient.settings.SmtpConfiguration.validateAndAddSmtpConfig(SmtpConfiguration.java:111)
	at com.me.devicemanagement.onpremise.webclient.settings.SmtpConfiguration.addSmtpConfig(SmtpConfiguration.java:95)
	at sun.reflect.GeneratedMethodAccessor97.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:269)
	at org.apache.struts.actions.DispatchAction.execute(DispatchAction.java:170)
	at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:425)
	at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:228)
	at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
	at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:644)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.me.devicemanagement.onpremise.webclient.filter.ClickJackFilter.doFilter(ClickJackFilter.java:63)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.me.devicemanagement.onpremise.webclient.filter.CommonFilter.doFilter(CommonFilter.java:49)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.me.devicemanagement.onpremise.webclient.filter.AuthorizationFilter.doFilter(AuthorizationFilter.java:103)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.me.devicemanagement.onpremise.webclient.filter.CommonActionsFilter.doFilter(CommonActionsFilter.java:165)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.me.devicemanagement.onpremise.webclient.filter.UIRestrictionFilter.doFilter(UIRestrictionFilter.java:29)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.me.devicemanagement.framework.webclient.filter.MSPCustomerFilter.doFilter(MSPCustomerFilter.java:166)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.me.devicemanagement.onpremise.webclient.xss.XSSFilter.doFilter(XSSFilter.java:124)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.adventnet.cp.ClientFilter.doFilter(ClientFilter.java:32)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.adventnet.filters.ParamWrapperFilter.doFilter(ParamWrapperFilter.java:80)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.adventnet.authentication.filter.AssociateCredential.doFilter(AssociateCredential.java:100)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:613)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:291)
	at com.me.devicemanagement.onpremise.webclient.sdp.DCAuthenticateRemote.invoke(DCAuthenticateRemote.java:269)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
	at org.apache.coyote.ajp.AbstractAjpProcessor.process(AbstractAjpProcessor.java:831)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1497)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
	at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:549)
	at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:486)
	at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1902)
	... 74 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1479)
	... 84 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
	... 90 more

[12:20:58:244]|[04-05-2017]|[com.me.devicemanagement.framework.server.mailmanager.MailProcessor]|[INFO]|[114]|[a1e65a77-36d0-4b37-8f2e-24440c2f6cfe]: Caught exception in setting mail |

javax.mail.MessagingException: Could not convert socket to TLS;

nested exception is:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1907)

at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:666)

The magic words here are “unable to find valid certification path to requested target”. As it turns out, the keystore that java uses for what root certificates are trusted included with the app does not include the root CA certificate that is used by Let’s Encrypt. To fix this you need to export the root CA certificate and import it.

[Path to app folder]\jre\lib\security>..\..\bin\keytool -keystore cacerts -importcert -alias letsencryptroot -file e:\temp\letsencrypt_root.cer

1	[Path to app folder]\jre\lib\security>..\..\bin\keytool -keystore cacerts -importcert -alias letsencryptroot -file e:\temp\letsencrypt_root.cer

You also need the password to the keystore, but in my case is was the default of changeme.

After importing the cert, connection worked and the mail flowed.

TL;DR – JRE may not have the CA root of your cert. Import it to make it connect.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.