In openshift we have hosted Spring boot based microservices. One of the microservice sends an email by connecting to a smtp server. There smtp server is part of the organization and it is not an external server. When the service tries to send an email I get the below error: This error occurs only in the higher environment and not in lower level DEV environment. What could be the reason?
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Failed messages: javax.mail.MessagingException: Could not convert socket to TLS;
From the pods terminal when I try the below command
curl --ssl-reqd --url 'smtp://mailhost.myorg.com:587' --user 'usrname:pwd' --mail-from 'fromaddress@myorg.com' --mail-rcpt 'toaddr@myorg.com' --upload-file mail.txt -vv
and I get the below error EVEN in DEV.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to connect() to mailhost.myorg.com port 587 (#0)
* Trying 10.46.113.103...
* Connected to mailhost.myorg.com (10.46.113.103) port 587 (#0)
< 220-SVR.MYORG.corp ESMTP
< 220 Welcome to the Myorg Secure SMTP Relay
> EHLO mail.txt
< 250-myserv.myorg.corp
< 250-8BITMIME
< 250-SIZE 26214400
< 250 STARTTLS
> STARTTLS
< 220 Go ahead with TLS
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Server certificate:
* subject: CN=myserv.myorg.corp,OU=SSL Servers,O=MyORG Inc,C=US
* start date: Sep 21 13:41:03 2020 GMT
* expire date: Sep 21 14:11:03 2022 GMT
* common name: myserv.myorg.corp
* issuer: CN=MyORG Inc Issuing CA,OU=Certification Authorities,O=MyORG Inc,C=US
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
So my question is
You need to add the mail server certificate to the jre cacert inside your docker container with commands like this:
COPY mailServ.crt $JAVA_HOME/jre/lib/security
RUN \
cd $JAVA_HOME/jre/lib/security \
&& keytool -keystore cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias config -file mailServ.crt
The 587 port il the default non-secure and secure port for SMTP (some legacy ISP still using 465 for ssl). May be in your DEV environment SSL is not enabled on port 587, whereas in production SSL is mandatory.
As for curl, may be you need the option --cacert mailServ.crt. Moreover in DEV environment you probably have your self-signed certificate mailServ.crt in your JDK cacerts, but curl does not use it unless you put --cacert mailServ.crt. You might use the --insecure option as suggested for self-signed certificates as well.