Mail action certificate issue

Hi

I’m trying to get the mail action binding working with an on-site MS Exchange 2013 server. The Exchange server is configured with a Let’s Encrypt certificate. I have other systems that are able to connect using SMTP on port 587 and I can telnet to port 587 from my openHAB server without issue.

However, when I have the sendMail command configured in a rule and the rule triggers I get the following output logged…

2017-10-04 21:57:27.590 [ERROR] [rg.openhab.action.mail.internal.Mail] - Could not send e-mail to 'xxx.yyy@zzz.org.uk'.
org.apache.commons.mail.EmailException: Sending the email to the following server failed : smtp.zzz.org.uk:587
	at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1421)
	at org.apache.commons.mail.Email.send(Email.java:1448)
	at org.openhab.action.mail.internal.Mail.sendMail(Mail.java:157)
	at org.openhab.action.mail.internal.Mail.sendMail(Mail.java:89)
	at org.openhab.action.mail.internal.Mail.sendMail(Mail.java:67)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)[:1.8.0_121]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)[:1.8.0_121]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)[:1.8.0_121]
	at java.lang.reflect.Method.invoke(Method.java:498)[:1.8.0_121]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter.invokeOperation(XbaseInterpreter.java:1085)[145:org.eclipse.xtext.xbase:2.9.2.v20160428-1452]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter.invokeOperation(XbaseInterpreter.java:1060)[145:org.eclipse.xtext.xbase:2.9.2.v20160428-1452]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter._invokeFeature(XbaseInterpreter.java:1046)[145:org.eclipse.xtext.xbase:2.9.2.v20160428-1452]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter.invokeFeature(XbaseInterpreter.java:991)[145:org.eclipse.xtext.xbase:2.9.2.v20160428-1452]
	at org.eclipse.smarthome.model.script.interpreter.ScriptInterpreter.invokeFeature(ScriptInterpreter.java:114)[129:org.eclipse.smarthome.model.script:0.9.0.b5]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter._doEvaluate(XbaseInterpreter.java:901)[145:org.eclipse.xtext.xbase:2.9.2.v20160428-1452]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter._doEvaluate(XbaseInterpreter.java:864)[145:org.eclipse.xtext.xbase:2.9.2.v20160428-1452]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter.doEvaluate(XbaseInterpreter.java:223)[145:org.eclipse.xtext.xbase:2.9.2.v20160428-1452]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter.internalEvaluate(XbaseInterpreter.java:203)[145:org.eclipse.xtext.xbase:2.9.2.v20160428-1452]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter._doEvaluate(XbaseInterpreter.java:446)[145:org.eclipse.xtext.xbase:2.9.2.v20160428-1452]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter.doEvaluate(XbaseInterpreter.java:227)[145:org.eclipse.xtext.xbase:2.9.2.v20160428-1452]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter.internalEvaluate(XbaseInterpreter.java:203)[145:org.eclipse.xtext.xbase:2.9.2.v20160428-1452]
	at org.eclipse.xtext.xbase.interpreter.impl.XbaseInterpreter.evaluate(XbaseInterpreter.java:189)[145:org.eclipse.xtext.xbase:2.9.2.v20160428-1452]
	at org.eclipse.smarthome.model.script.runtime.internal.engine.ScriptImpl.execute(ScriptImpl.java:77)[130:org.eclipse.smarthome.model.script.runtime:0.9.0.b5]
	at org.eclipse.smarthome.model.script.engine.ScriptExecutionThread.run(ScriptExecutionThread.java:42)[129:org.eclipse.smarthome.model.script:0.9.0.b5]
Caused by: javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
	javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1880)
	at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:648)
	at javax.mail.Service.connect(Service.java:317)[17:javax.mail:1.4.4]
	at javax.mail.Service.connect(Service.java:176)[17:javax.mail:1.4.4]
	at javax.mail.Service.connect(Service.java:125)[17:javax.mail:1.4.4]
	at javax.mail.Transport.send0(Transport.java:194)[17:javax.mail:1.4.4]
	at javax.mail.Transport.send(Transport.java:124)[17:javax.mail:1.4.4]
	at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1411)
	... 23 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)[:1.8.0_121]
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)[:1.8.0_121]
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)[:1.8.0_121]
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)[:1.8.0_121]
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1529)[:1.8.0_121]
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:226)[:1.8.0_121]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)[:1.8.0_121]
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)[:1.8.0_121]
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)[:1.8.0_121]
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)[:1.8.0_121]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)[:1.8.0_121]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)[:1.8.0_121]
	at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:507)
	at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:447)
	at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1875)
	... 30 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)[:1.8.0_121]
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)[:1.8.0_121]
	at sun.security.validator.Validator.validate(Validator.java:260)[:1.8.0_121]
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)[:1.8.0_121]
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)[:1.8.0_121]
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)[:1.8.0_121]
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1506)[:1.8.0_121]
	... 40 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)[:1.8.0_121]
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)[:1.8.0_121]
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)[:1.8.0_121]
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)[:1.8.0_121]
	... 46 more

Any help in solving this issue would be greatly appreciated!!

Most likely you are running with a version of Java that is too old and hasn’t included the Let’s Encrypt CA as a trusted CA. I don’t know about the other JREs, but if you are using Oracle you need at least 1.8.0_101.

The openHAB server was built just last week using the latest build of openHABian… I’ve looked into installing the Let’s Encrypt root CA into the Java keystore, but it says it’s already there…

$JAVA_HOME/bin/keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -alias LetsEncrypt-Root-CA -file isrgrootx1.pem 
Enter keystore password:  
Certificate already exists in keystore under alias <cert_152_isrg_root_x1152>
Do you still want to add it? [no]:  
Certificate was not added to keystore
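
A diagnostic for the "PKIX path building failed" error in this thread, added here as an example and not part of any post or of openHAB: it reports which JRE and default trust store the running JVM uses, then validates a saved server chain against those trust anchors. The class name `TrustPathCheck` and the PEM file argument are assumptions; the file is expected to hold the certificates the SMTP server presents, leaf first (for example saved from `openssl s_client -connect smtp.zzz.org.uk:587 -starttls smtp -showcerts`).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public class TrustPathCheck {
    // Trust anchors this JVM uses when no custom trust manager is configured.
    static X509Certificate[] defaultAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        // Compare these with the JRE whose cacerts file keytool was pointed at.
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("trustStore   = " + System.getProperty("javax.net.ssl.trustStore"));
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : defaultAnchors()) {
            anchors.add(new TrustAnchor(ca, null));
        }
        System.out.println("trust anchors loaded: " + anchors.size());
        if (args.length == 0) return;

        // args[0] (assumed): PEM file with the presented chain, leaf certificate first.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            chain.addAll(cf.generateCertificates(in));
        }
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            System.out.println("subject=" + x.getSubjectX500Principal()
                + " | issuer=" + x.getIssuerX500Principal());
        }
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // test only the path to a trusted root
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params);
            System.out.println("RESULT: chain validates against this JVM's trust store");
        } catch (CertPathValidatorException e) {
            System.out.println("RESULT: failed at chain index " + e.getIndex()
                + ": " + e.getMessage());
        }
    }
}
```

Run it with the same `java` binary and system properties as the openHAB process, since a different JRE or a `javax.net.ssl.trustStore` override means a different trust store from the one edited with keytool. A failure here with only the leaf in the file points at a missing intermediate certificate rather than a missing root.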