OpenHAB environment: x86_64 Docker currently on OH v3.2 Milestone 4 but looking into my old logs the error started with OH 3.2 Milestone 3. Everything worked well with Milestone 2 and I am using the mail-binding since I started with OH v2.4 and I always used the official OpenHAB docker image.
19:40:21.706 [WARN ] [hab.binding.mail.internal.SMTPHandler] - Sending the email to the following server failed : mail.arcor.de:587
19:40:21.707 [WARN ] [hab.binding.mail.internal.SMTPHandler] - javax.mail.MessagingException: Could not convert socket to TLS;
nested exception is:
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I checked the logs of my OH v3.2 Milestone 2 environment. The error did not occur there. It started with Milestone 3.
I found some topics with similar error messages but all referred to changed environments. I did not change anything in my environment except updating the docker container.
Hence I am lost where to look to find the culprit … Any idea or hint is kindly appreciated.
EDIT: I tested with a different mail account and this works??? Hence the issue is not in OpenHAB but in my mail provider … Maybe this is helpful for others as well … I will investigate further and update this topic for documentation purposes.
Thank you for the description. I would like to try it but unfortunately the keytool is not available in the OpenHAB docker image … I will have to figure out how to extend the cacerts file when keytool is not available
Pull it out of the container, use keytool on the host, add the cert and then link it back into the container as a volume. Or install keytool into the container and install the cert using a script that runs before openHAB (see the Docker container docs).
You can find the keytool at $JAVA_HOME/bin/keytool in the official docker image.
However since 3.2.0 I have to change the crypto.policy to „unlimited“ in $JAVA_HOME/conf/security/java.security to import my root CA Certificate. I think in versions prior to 3.2.0 the crypto.policy was also set to „limited“ so I guess the limited policy changed in the Java version used in the 3.2.0 container. This may or may not be related to your problem, I just thought it might be helpful to let you know that I also discovered that there were some changes introduced with 3.2.0 with regard to certificates.
I assumed that this could work but I was not sure. I will try at the weekend as I am on business travel right now and day is over (9PM) … As a workaround I use currently the alternative email address from another provider that I have tested before!
I think you can do this through an environment variable for the container. From the docs
Due to local laws and export restrictions the containers use Java with a limited cryptographic strength policy. Some openHAB functionality may depend on unlimited strength which can be enabled by configuring the environment variable CRYPTO_POLICY=unlimited
It’s important to know that the Docker image is maintained and managed independently from the openHAB software and it has its own release cycles (they don’t really use version numbers). Whatever change happened, if there was a change, was likely completely independent of the openHAB version and it likely applies to all openHAB versions currently supported to run in Docker.
I’m aware that this change is not related to the OH software itself, I wasn’t precise enough in my previous posting: I guess I should have said: the docker base image for the official OH 3.2.0 milestone release. So of course this may also have changed for docker images of other OH versions but I don’t know that.
So far I never had any issues with these separate release cycles (and I wasn’t aware of this fact). However it’s good to know for anyone using the docker images that there is a potential for breaking changes (at least in customised setups) that may be introduced through the docker image releases.
So might this be a general problem with the java version when the certificate is in the keystore?
Can I debug this somehow? Or will this be considered an “individual issue” and I have to switch to an alternative mail provider?
Nowadays the OH Docker build no longer rebuilds all openHAB images every time. So changes in the Docker image propagate similar to changes in openHAB itself: snapshots first, followed by milestones and then releases.
But the problem started with the move from 3.2.0.M2 to 3.2.0.M3 … I thought it might disappear when going to the latest level (sometimes it helps)
So it should be hidden in the step from M2 to M3. I will check the documentation links to see if I find a hint. As said, I have a workaround. So this is not urgent. It might just be interesting for others if I am not the only one.
You can try to set -Djavax.net.debug=all or -Djavax.net.debug=ssl
The first one should provide lots of debug information. The second one is related to ssl ‘only’. It should give some more details about the root cause.
This explains everything. I have read through the topic in the Vodafone forum and the funny thing is that this correlates with my upgrade from OH 3.2.0.M2 to 3.2.0.M3 …
So any further investigation makes no sense. I will wait and see if/when my Arcor/Vodafone address will work again.
Thanks a lot for your “heads-up” - I searched the web but did not find this topic
No worries. I also had huge problems with Arcor/Vodafone and I’m still not able to access my Mail from all my devices. However the Arcor server configuration was the only thing that actually worked the last time I tried