Support Article

SSL Handshake error connecting using TLS to email server



TLS was recently enabled on port 25 of the email server.
The application failed to send email after this change.
Test connectivity on the Email Account also subsequently failed.

Error Messages

On the screen

Overall result
A secure connection could not be established with the outgoing (SMTP) email server.
Check Application Server configuration.

In the log

(your_host/your_ip:8080-1) your_host/your_ip:8080-1, handling exception: PKIX path building failed: unable to find valid certification path to requested target
(Dispatcher-Thread-92) 2017-05-01 13:01:00,982 [your_ip:8080-1] [TABTHREAD1] [ ] [ your_app:01.01.01] (pega_integrationengine_default) ERROR your_client|your_client_ip your_id - Exception caught while testing connection to your_email_server as user
(Dispatcher-Thread-92) javax.mail.MessagingException: Could not convert socket to TLS;
(Dispatcher-Thread-92) nested exception is:
(Dispatcher-Thread-92) PKIX path building failed: unable to find valid certification path to requested target
(Dispatcher-Thread-92) at com.sun.mail.smtp.SMTPTransport.startTLS(
(Dispatcher-Thread-92) at com.sun.mail.smtp.SMTPTransport.protocolConnect(
(Dispatcher-Thread-92) at javax.mail.Service.connect(
(Dispatcher-Thread-92) at javax.mail.Service.connect(
(Dispatcher-Thread-92) at com.pegarules.generated.SendEmailMessage_071019_N64HnJyGpowZnb6lXAmEwA.SendEmailMessage07_10_19(

Steps to Reproduce

Make port 25 on the email server expect TLS communication.

Root Cause

A third-party product issue

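TLS is the successor to the Secure Sockets Layer (SSL) protocol, and like SSL it authenticates the server with certificates. The certificates for the email server therefore need to be installed in the application server trust store. The "PKIX path building failed" error in the log means the Java runtime could not build a chain from the email server's certificate to an entry in that trust store.
The certificate chain back to the issuer, including all intermediaries, needs to be completely present in the trust store of the application server.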


Make the following change to the operating environment:

The complete certificate chain, including the issuer, the intermediaries, and the root, was added to the trust store for the application server.
This resolved the issue.

Note that this needs to be done even for self-signed certificates.
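
One way to carry out this change from a shell, as an added example that is not part of the original article: capture the chain the email server presents on STARTTLS, split it into individual certificates, review them, and import them into the trust store. The function names, alias prefix, host name and paths are assumptions, and `openssl` and the JDK `keytool` are assumed to be installed.

```shell
#!/bin/sh
# Added example. Function names, the alias prefix and all paths are assumptions.

# Save what the SMTP server presents during STARTTLS (s_client text plus PEM blocks).
fetch_chain() {  # fetch_chain HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" -starttls smtp -showcerts </dev/null >"$3" 2>/dev/null
}

# Split the PEM blocks in FILE into OUTDIR/cert-1.pem, cert-2.pem, ...
# Text outside the BEGIN/END markers is dropped. Prints the certificate count.
split_chain() {  # split_chain FILE OUTDIR
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# Show subject, issuer and SHA-256 fingerprint of each certificate so they can
# be compared with values obtained from the CA or the mail administrator.
describe_chain() {  # describe_chain DIR
    for f in "$1"/cert-*.pem; do
        openssl x509 -noout -subject -issuer -fingerprint -sha256 -in "$f"
    done
}

# Import every certificate in DIR into the trust store as a trusted entry.
import_chain() {  # import_chain DIR TRUSTSTORE STOREPASS
    i=0
    for f in "$1"/cert-*.pem; do
        i=$((i + 1))
        keytool -importcert -noprompt -trustcacerts -alias "smtp-chain-$i" \
            -file "$f" -keystore "$2" -storepass "$3" || return 1
    done
}

# Typical sequence (mail.example.com and the paths are placeholders):
#   fetch_chain mail.example.com 25 /tmp/smtp.txt
#   split_chain /tmp/smtp.txt /tmp/smtp-chain
#   describe_chain /tmp/smtp-chain   # check fingerprints before trusting
#   import_chain /tmp/smtp-chain /path/to/truststore.jks "$STOREPASS"
```

Servers commonly leave the root certificate out of the handshake, so obtain it from the issuing CA and add it to the same directory as another `cert-N.pem` file before importing. Importing without checking the fingerprints means trusting whatever answered on port 25 at capture time.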

Published May 3, 2017 - Updated May 5, 2017
