SSL Handshake error connecting using TLS to email server
Summary
TLS was recently enabled on port 25 of the email server.
The application failed to send email after this change.
Test connectivity on the Email Account also subsequently failed.
Error Messages
On the screen
A secure connection could not be established with the outgoing (SMTP) email server.
Check Application Server configuration.
In the log
(your_host/your_ip:8080-1) your_host/your_ip:8080-1, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
(Dispatcher-Thread-92) 2017-05-01 13:01:00,982 [your_ip:8080-1] [TABTHREAD1] [ ] [ your_app:01.01.01] (pega_integrationengine_default) ERROR your_client|your_client_ip your_id - Exception caught while testing connection to your_email_server as user your_email_login@your_email_server.com
(Dispatcher-Thread-92) javax.mail.MessagingException: Could not convert socket to TLS;
(Dispatcher-Thread-92) nested exception is:
(Dispatcher-Thread-92) javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
(Dispatcher-Thread-92) at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1999)
(Dispatcher-Thread-92) at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:709)
(Dispatcher-Thread-92) at javax.mail.Service.connect(Service.java:364)
(Dispatcher-Thread-92) at javax.mail.Service.connect(Service.java:245)
(Dispatcher-Thread-92) at com.pegarules.generated.SendEmailMessage_071019_N64HnJyGpowZnb6lXAmEwA.SendEmailMessage07_10_19(SendEmailMessage_071019_N64HnJyGpowZnb6lXAmEwA.java:309)
Steps to Reproduce
Make port 25 on the email server expect TLS communication.
Root Cause
A third-party product issue
TLS is the successor to the Secure Sockets Layer (SSL) protocol, and the Java mail stack handles it through its SSL classes, as the SSLHandshakeException in the log shows. The certificates for the server therefore need to be installed in the application server trust store.
The complete certificate chain back to the issuer, including all intermediaries, must be present in the trust store of the application server.
Resolution
Make the following change to the operating environment:
The complete certificate chain, including the issuer, intermediaries, and the root, was added to the trust store for the application server.
This resolved the issue.
Note that this needs to be done even for self-signed certificates.
Published May 3, 2017 - Updated May 5, 2017