ssl-certificateopenshiftredhatredhat-openjdk

Certs and Redhat Openshift


In openshift we have hosted Spring boot based microservices. One of the microservice sends an email by connecting to a smtp server. There smtp server is part of the organization and it is not an external server. When the service tries to send an email I get the below error: This error occurs only in the higher environment and not in lower level DEV environment. What could be the reason?

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Failed messages: javax.mail.MessagingException: Could not convert socket to TLS;

From the pods terminal when I try the below command

curl --ssl-reqd --url 'smtp://mailhost.myorg.com:587' --user 'usrname:pwd' --mail-from 'fromaddress@myorg.com' --mail-rcpt 'toaddr@myorg.com' --upload-file mail.txt -vv

and I get the below error EVEN in DEV.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* About to connect() to mailhost.myorg.com port 587 (#0)
*   Trying 10.46.113.103...
* Connected to mailhost.myorg.com (10.46.113.103) port 587 (#0)
< 220-SVR.MYORG.corp ESMTP
< 220 Welcome to the Myorg Secure SMTP Relay
> EHLO mail.txt
< 250-myserv.myorg.corp
< 250-8BITMIME
< 250-SIZE 26214400
< 250 STARTTLS
> STARTTLS
< 220 Go ahead with TLS
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Server certificate:
*       subject: CN=myserv.myorg.corp,OU=SSL Servers,O=MyORG Inc,C=US
*       start date: Sep 21 13:41:03 2020 GMT
*       expire date: Sep 21 14:11:03 2022 GMT
*       common name: myserv.myorg.corp
*       issuer: CN=MyORG Inc Issuing CA,OU=Certification Authorities,O=MyORG Inc,C=US
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

So my question is

  1. When I do the curl, why it wont work in DEV and in higher environments
  2. When I make my service send the email, why does it work in DEV and not in higher environments

Solution

  • You need to add the mail server certificate to the jre cacert inside your docker container with commands like this:

    COPY mailServ.crt $JAVA_HOME/jre/lib/security
    RUN \
        cd $JAVA_HOME/jre/lib/security \
        && keytool -keystore cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias config -file mailServ.crt
    

    The 587 port il the default non-secure and secure port for SMTP (some legacy ISP still using 465 for ssl). May be in your DEV environment SSL is not enabled on port 587, whereas in production SSL is mandatory.

    As for curl, may be you need the option --cacert mailServ.crt. Moreover in DEV environment you probably have your self-signed certificate mailServ.crt in your JDK cacerts, but curl does not use it unless you put --cacert mailServ.crt. You might use the --insecure option as suggested for self-signed certificates as well.