Tip: sending emails in Java Agile Platform yields error

Edit 2013-03-18: fixed instructions for configuring store for Scheduler service.

Symptom

After you configure an SMTP server to send emails with the Agile Platform, you get the following error message:

Error sending email 13: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
   at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1697)
   at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:258)
   at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:252)
   at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1165)
   at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154)
   at sun.security.ssl.Handshaker.processLoop(Handshaker.java:610)
   at sun.security.ssl.Handshaker.process_record(Handshaker.java:546)
   at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:945)
   at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190)
   at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1217)
   at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1201)
   at outsystems.hubedition.http.TcpClient.initializeTLS(Unknown Source)
   at outsystems.hubedition.smtp.SendMail$SMTPMail.sendMail(Unknown Source)
   at outsystems.hubedition.smtp.SendMail.send(Unknown Source)
   at outsystems.hubedition.scheduler.EmailJob.sendEmail(Unknown Source)
   at outsystems.hubedition.scheduler.EmailJob.execute(Unknown Source)

You are using the Agile Platform (5.0+) for Java.


Cause

Your SMTP server supports STARTTLS, but uses an SSL certificate that is not issued by a globally trusted authority - meaning that the default Java certificate store does not know your certificate.

If your SMTP server supports STARTTLS, the Agile Platform will, by default, try to use STARTTLS.


Resolution

To solve this, you need to install the proper SSL certificates in the server. For this, please follow the step-by-step instructions below:

1. Obtain the certificates

To obtain the certificates, the easiest way is to get the base certificate from the actual email server. You can use the following command:

      openssl s_client -starttls smtp -crlf -connect mail.example.com:25

You will get a window similar to:



Copy the code between BEGIN CERTIFICATE and END CERTIFICATE (include those lines) and save them as a .crt file. Then open the certificate in a Windows machine (double-click).

Here you will find what additional certificates you may need:



For each entry in the tree, click it, then View Certificate, then Save to File. If you are unable to see the whole certification tree, talk to the SMTP server administrator to obtain all the needed certificates.


2. Create a certificate store

If you already have a certificate store to use with JBoss, you can use that. If you do not, follow the link to HTTPS and the OutSystems Platform (check the Java post) and create one.
You can choose to have one store for JBoss and one for Scheduler, or share the store. It is your call.


3. Import the certificates

Refer to section 3 of the same post. Remember to give each certificate a different friendly name.


4. Configure the store in Scheduler service (NEW)

After you have a store, you need to configure scheduler to use it.
For this, add the needed configurations in file /etc/outsystems/os.scheduler.service.conf. It will not exist by default, so you need to create it. If it already exists, just add the line to the end of it.

You need to set options -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword. In our example, it will look similar to:

JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=$JBOSS_HOME/server/outsystems/conf/jboss.keystore -Djavax.net.ssl.trustStorePassword=easypassword123"



After this, confirm that the file we just created is being included in the service shell script, /opt/outsystems/platform/os.scheduler.service.sh:


If the above (the CUSTOM_SH line) is missing, just add it:

        CUSTOM_SH="/etc/outsystems/os.scheduler.service.conf"

5. Restart Scheduler service

Simply issue the command

     service outsystems restart SCHEDULER


Feel free to share the results of using this, or any requests for additional help.
Cheers,

Acácio
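Added example, not code from Acácio's post or from OutSystems: a small POSIX shell helper that automates the copy-and-paste part of step 1 and prepares step 3. It assumes you saved the output of `openssl s_client -starttls smtp -crlf -showcerts -connect mail.example.com:25` to a file (`-showcerts` is a standard s_client flag that prints the whole chain the server sends, not only the leaf), splits every BEGIN/END CERTIFICATE block into its own .crt file, and prints one `keytool -importcert` command per file, each with a distinct alias as step 3 requires. The s_client output used below is constructed, and its base64 bodies are placeholders rather than real certificates; the store path and password are the ones from the step 4 example.

```shell
#!/bin/sh
# Added example, not code from the original post or from OutSystems.
# Splits the PEM blocks printed by
#   openssl s_client -starttls smtp -crlf -showcerts -connect mail.example.com:25 > s_client.txt
# into one .crt file each (step 1), then prints the keytool commands that
# import them with distinct aliases (step 3). The sample below is constructed;
# its base64 bodies are placeholders, not real certificates.

# split_pem_chain INPUT OUTDIR: write OUTDIR/cert-1.crt, cert-2.crt, ...
# (in the order the server sent them) and print how many were written.
split_pem_chain() {
    in="$1"; out="$2"
    mkdir -p "$out"
    awk -v dir="$out" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".crt"; inblock = 1 }
        inblock                       { print > f }
        /-----END CERTIFICATE-----/   { inblock = 0; close(f) }
        END                           { print n + 0 }
    ' "$in"
}

# keytool_import_commands STORE PASSWORD CERTDIR ALIAS_PREFIX: print (do not
# run) one keytool import per extracted file, each with its own alias, so the
# operator can review them before touching the JBoss/Scheduler store.
keytool_import_commands() {
    store="$1"; pass="$2"; dir="$3"; prefix="$4"
    for f in "$dir"/cert-*.crt; do
        [ -f "$f" ] || continue
        i=${f##*/cert-}; i=${i%.crt}
        printf 'keytool -importcert -noprompt -trustcacerts -alias %s-%s -file %s -keystore %s -storepass %s\n' \
            "$prefix" "$i" "$f" "$store" "$pass"
    done
}

# Constructed sample of s_client output (two certificates: leaf + intermediate).
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/s_client.txt" <<'EOF'
CONNECTED(00000003)
depth=1 CN = Example Intermediate CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=mail.example.com
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERleafCertificateBodyNotARealCertificate00000000000000001
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERintermediateCertificateBodyNotARealCertificate000000002
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=mail.example.com
issuer=/CN=Example Intermediate CA
EOF

COUNT=$(split_pem_chain "$SAMPLE/s_client.txt" "$SAMPLE/certs")
echo "extracted $COUNT certificate(s) into $SAMPLE/certs"
# Store path and password as in the original post's step 4 example.
keytool_import_commands '$JBOSS_HOME/server/outsystems/conf/jboss.keystore' easypassword123 "$SAMPLE/certs" smtp-chain
```

The `verify error:num=20` line in the s_client output is the OpenSSL counterpart of the Java "unable to find valid certification path" error: the client received the chain but has no trusted anchor for it. If the server only sends the leaf, the intermediate and root still have to come from the administrator, as the post says.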


Does this still apply to version 7.0 of the Java Platform? Even though I try to send via custom port 26, which runs without SSL/TLS.

Error sending email 1: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1731)
   at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
   at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
   at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
   at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
   at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
   at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:925)
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1197)
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1181)
   at outsystems.hubedition.http.TcpClient.initializeTLS(Unknown Source)
   at outsystems.hubedition.a.p.$dib(Unknown Source)
   at outsystems.hubedition.a.g.$keb(Unknown Source)
   at outsystems.hubedition.scheduler.EmailJob.$gub(Unknown Source)
   at outsystems.hubedition.scheduler.EmailJob.execute(Unknown Source)
   at outsystems.hubedition.scheduler.i.$ntb(Unknown Source)
   at outsystems.hubedition.scheduler.i.$gsb(Unknown Source)
   at outsystems.hubedition.scheduler.z.executeImpl(Unknown Source)
   at outsystems.hubedition.util.delegates.Action$Action1.execute(Unknown Source)
   at outsystems.hubedition.util.ParameterizedThread.run(Unknown Source)

Hi Harry

Yes, it does. This is a server side certificate issue and it's not dependent on the Agile Platform version.

As long as STARTTLS is supported by the SMTP server, the Agile Platform will use it. This is not the same as the SSL protocol on SMTP connections, so it's not server side port dependent either. You either activate STARTTLS on the SMTP server for all ports or not (well, it depends on the SMTP server configuration).

Either way, the problem is that the certificate used by the SMTP server is not a trusted certificate. That's the root cause of the issue here, and that's what should be addressed. The alternative is to configure the certificate on the JBoss store as documented in this post.

Cheers
Miguel Simões João
Hi

Just a small remark in the previous post: as the stack shows, the emails are sent by the Scheduler service, not JBoss. That means that the certificate needs to be installed there.
To avoid having multiple stores, you can and should have the same store for both JBoss and Scheduler service.

Cheers,
Acácio
Thanks Miguel and Acácio! I followed your steps and chose the Base-64 encoded X.509 format during the 'Certificate Export Wizard'. So I ended up with three different .cer files which I successfully imported inside the JBoss keystore... And SMTP mail integration from the Java Agile Platform started working like a charm!

I did not have to go through this setup (with the same Mail configuration settings) on the .NET Agile Platform. So apparently STARTTLS SMTP integration works out of the box on IIS. But nevertheless, thank you for these clear instructions!
Harry Marrenga wrote:
Thanks Miguel and Acácio! I followed your steps and chose the Base-64 encoded X.509 format during the 'Certificate Export Wizard'. So I ended up with three different .cer files which I successfully imported inside the JBoss keystore... And SMTP mail integration from the Java Agile Platform started working like a charm!

I did not have to go through this setup (with the same Mail configuration settings) on the .NET Agile Platform. So apparently STARTTLS SMTP integration works out of the box on IIS. But nevertheless, thank you for these clear instructions!

Hi Harry

In Windows / .NET certificates work out-of-box using the local computer store because .NET will use it by default; for Java, there is no concept of the "default store" - one must be explicitly provided to every process running.

Cheers,
Acácio
I was unpleasantly surprised to find out that mail sending started to fail again after I upgraded to version 7.0.0.10 --> the /opt/outsystems/platform/os.scheduler.service.sh got overwritten... so I had to add the javax.net.ssl options again. Of course mail sending started to work perfectly again after I did so :-).
Hi, quick note on this... this post should be revised and changed, since altering the .sh directly is not the way to go.
The .sh is not customizable and will be smashed every time a patch to the file occurs.
The correct place to change this setting (or any other option, for that matter) is in the configuration files that are included from /etc/outsystems.

For this case in particular, please edit /etc/outsystems/os.scheduler.service.conf instead.

Add a JAVA_OPTS="$JAVA_OPTS -mynewoption" rule to ensure you don't override all previous options.
Other note: since some of you may have been changing the original .sh, please validate that the .sh includes

CUSTOM_SH="/etc/outsystems/os.scheduler.service.conf"
runService "SCHEDULER"

this will ensure the configuration file is read.

Thanks and regards
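Added example, not code from this thread or from OutSystems: a POSIX shell check for the two conditions Luís Lopes and step 4 describe, to run before restarting the Scheduler. It verifies that os.scheduler.service.conf appends the trust store options to JAVA_OPTS (a line that starts `JAVA_OPTS="-D...` would discard the platform's own options) and that os.scheduler.service.sh, which a patch can overwrite, still carries the `CUSTOM_SH=...` and `runService "SCHEDULER"` lines. All sample files below are constructed; the paths are the ones named in the thread.

```shell
#!/bin/sh
# Added example, not code from the original post or from OutSystems.
# Checks the two things step 4 and Luís Lopes's note ask for before you restart
# the Scheduler: (1) os.scheduler.service.conf APPENDS the trust store options
# to JAVA_OPTS instead of overwriting it, and (2) the (patch-overwritten)
# os.scheduler.service.sh still includes that conf via CUSTOM_SH and still
# calls runService "SCHEDULER". Sample files below are constructed.

CONF_PATH="/etc/outsystems/os.scheduler.service.conf"

# trust_store_path CONF: print the value of -Djavax.net.ssl.trustStore= in CONF.
trust_store_path() {
    sed -n 's/.*-Djavax\.net\.ssl\.trustStore=\([^ "]*\).*/\1/p' "$1" | head -n 1
}

# check_scheduler_config CONF SERVICE_SH: return 0 when both files are in the
# expected shape; print one line per problem found and return 1 otherwise.
check_scheduler_config() {
    conf="$1"; svc="$2"; rc=0
    if [ ! -f "$conf" ]; then
        echo "MISSING: $conf (create it; it does not exist by default)"
        rc=1
    else
        if grep -q -- '-Djavax.net.ssl.trustStore=' "$conf"; then
            # The option must be added to the existing JAVA_OPTS, or the
            # platform's own options are lost.
            grep -q 'JAVA_OPTS="\$JAVA_OPTS .*-Djavax.net.ssl.trustStore=' "$conf" \
                || { echo "BAD: JAVA_OPTS is overwritten in $conf; use JAVA_OPTS=\"\$JAVA_OPTS ...\""; rc=1; }
        else
            echo "MISSING: -Djavax.net.ssl.trustStore in $conf"; rc=1
        fi
        grep -q -- '-Djavax.net.ssl.trustStorePassword=' "$conf" \
            || { echo "MISSING: -Djavax.net.ssl.trustStorePassword in $conf"; rc=1; }
    fi
    if ! grep -q "^CUSTOM_SH=\"$CONF_PATH\"" "$svc"; then
        echo "MISSING: CUSTOM_SH=\"$CONF_PATH\" in $svc (re-add it; patches overwrite this file)"; rc=1
    fi
    grep -q 'runService "SCHEDULER"' "$svc" \
        || { echo "MISSING: runService \"SCHEDULER\" in $svc"; rc=1; }
    return $rc
}

# Constructed samples.
WORK=$(mktemp -d)
cat > "$WORK/good.conf" <<'EOF'
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=$JBOSS_HOME/server/outsystems/conf/jboss.keystore -Djavax.net.ssl.trustStorePassword=easypassword123"
EOF
# Overwrites JAVA_OPTS instead of appending, and forgets the password.
cat > "$WORK/bad.conf" <<'EOF'
JAVA_OPTS="-Djavax.net.ssl.trustStore=/opt/certs/jboss.keystore"
EOF
cat > "$WORK/service_ok.sh" <<'EOF'
#!/bin/sh
CUSTOM_SH="/etc/outsystems/os.scheduler.service.conf"
runService "SCHEDULER"
EOF
# What a freshly patched .sh can look like: the CUSTOM_SH line is gone.
cat > "$WORK/service_patched.sh" <<'EOF'
#!/bin/sh
runService "SCHEDULER"
EOF

echo "trust store: $(trust_store_path "$WORK/good.conf")"
check_scheduler_config "$WORK/good.conf" "$WORK/service_ok.sh" && echo "OK: good.conf + service_ok.sh"
check_scheduler_config "$WORK/bad.conf" "$WORK/service_patched.sh" || echo "FAIL: bad.conf + service_patched.sh (expected)"
```

On a real host the call is `check_scheduler_config /etc/outsystems/os.scheduler.service.conf /opt/outsystems/platform/os.scheduler.service.sh`; a non-zero exit means fix the listed lines before `service outsystems restart SCHEDULER`.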
Ok! It has been a while since I posted this issue, but thanks for the tip!
Hi all

I edited the original post with the tips from Luís Lopes. Thank you man!

Acácio