OpenHAB environment: x86_64 Docker currently on OH v3.2 Milestone 4 but looking into my old logs the error started with OH 3.2 Milestone 3. Everything worked well with Milestone 2 and I am using the mail-binding since I started with OH v2.4 and I always used the official OpenHAB docker image.
19:40:21.706 [WARN ] [hab.binding.mail.internal.SMTPHandler] - Sending the email to the following server failed : mail.arcor.de:587
19:40:21.707 [WARN ] [hab.binding.mail.internal.SMTPHandler] - javax.mail.MessagingException: Could not convert socket to TLS;
nested exception is:
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I checked the logs of my OH v3.2 Milestone 2 environment. The error did not occur there. It started with Milestone 3.
I found some topics with similar error messages but all referred to changed environments. I did not change anything in my environment except updating the docker container.
Hence I am lost where to look to find the culprit … Any idea or hint is kindly appreciated.
Cheers
Justus
EDIT: I tested with a different mail account and this works??? Hence the issue is not in OpenHAB but in my mail provider … Maybe this is helpful for others as well … I will investigate further and update this topic for documentation purposes.
Whatever certificate is used by the SMTP service you are interacting with is either expired or signed by an authority that is not trusted.
Either you configured Java to trust that certificate in 2.4 and have forgotten, or Java 11 no longer automatically trusts the certificate used by mail.arcor.de.
Thank you for the description. I would like to try it but unfortunately the keytool is not available in the OpenHAB docker image … I will have to figure out how to extend the cacerts file when keytool is not available
Pull it out of the container, use keytool on the host, add the cert and then link it back into the container as a volume. Or install keytool into the container and install the cert using a script that runs before openHAB (see the Docker container docs).
You can find the keytool at $JAVA_HOME/bin/keytool in the official docker image.
However since 3.2.0 I have to change the crypto.policy to “unlimited” in $JAVA_HOME/conf/security/java.security to import my root CA Certificate. I think in versions prior to 3.2.0 the crypto.policy was also set to “limited” so I guess the limited policy changed in the Java version used in the 3.2.0 container. This may or may not be related to your problem, I just thought it might be helpful to let you know that I also discovered that there were some changes introduced with 3.2.0 with regard to certificates.
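The procedure from the two replies above (inspect the chain the SMTP server presents, check whether the JVM in the container already trusts its issuer, import the CA with $JAVA_HOME/bin/keytool) as an added shell script; this is not code from the thread or from the openHAB project. It assumes docker and openssl on the host, a container named "openhab", and the default cacerts password "changeit".

```shell
#!/bin/sh
# Added example, not code from the thread or the openHAB project. Diagnoses
# "PKIX path building failed" for the mail binding in the official openHAB
# Docker image and imports a verified issuer CA into the JVM truststore.
# Assumptions: docker and openssl on the host, a container named "openhab",
# keytool at $JAVA_HOME/bin/keytool inside the container (as stated above),
# and the default cacerts password "changeit".
set -eu

# Pull "host:port" out of the SMTPHandler warning line, e.g.
# "... Sending the email to the following server failed : mail.arcor.de:587"
smtp_target_from_log() {
  sed -n 's/.*failed : \([^ ]*:[0-9]*\).*/\1/p'
}

# Save the chain the server presents during STARTTLS and print each
# subject/issuer. The issuer of the last certificate is what must already be
# in cacerts; a missing intermediate here is the provider's problem, not Java's.
show_server_chain() {  # $1 = host:port, $2 = output PEM file
  openssl s_client -starttls smtp -connect "$1" -showcerts </dev/null 2>/dev/null \
    | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' > "$2"
  echo "certificates presented: $(grep -c 'BEGIN CERTIFICATE' "$2")"
  openssl crl2pkcs7 -nocrl -certfile "$2" \
    | openssl pkcs7 -print_certs -noout | grep -E '^(subject|issuer)='
}

# SHA-256 fingerprint of a PEM certificate in keytool's AA:BB:... form.
cert_fingerprint() {  # $1 = PEM file
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//'
}

# Does the container's JVM already trust this CA? keytool -list prints one
# "Certificate fingerprint (SHA-256): ..." line per trusted entry.
container_trusts() {  # $1 = container, $2 = fingerprint
  docker exec "$1" sh -c '"$JAVA_HOME/bin/keytool" -list -cacerts -storepass changeit' \
    | grep -qi "$2"
}

# Import a CA you have verified out of band (never the leaf, never an unknown
# issuer) into the container's cacerts. Mount cacerts as a volume afterwards,
# or the change is lost when the container is recreated. If keytool refuses
# under the limited crypto policy, the image's CRYPTO_POLICY=unlimited
# environment variable switches it.
import_ca() {  # $1 = container, $2 = CA PEM file, $3 = alias
  docker cp "$2" "$1:/tmp/ca.pem"
  docker exec -e ALIAS="$3" "$1" sh -c \
    '"$JAVA_HOME/bin/keytool" -importcert -cacerts -storepass changeit -noprompt -alias "$ALIAS" -file /tmp/ca.pem'
}
```

Typical run: `show_server_chain mail.arcor.de:587 chain.pem`, then `container_trusts openhab "$(cert_fingerprint issuer.pem)"` with the issuer certificate obtained from the CA itself, and only if that check fails `import_ca openhab issuer.pem provider-ca`.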
THANK YOU!!!
I assumed that this could work but I was not sure. I will try at the weekend as I am on business travel right now and day is over (9PM) … As a workaround I use currently the alternative email address from another provider that I have tested before!
I think you can do this through an environment variable for the container. From the docs
Due to local laws and export restrictions the containers use Java with a limited cryptographic strength policy. Some openHAB functionality may depend on unlimited strength which can be enabled by configuring the environment variable CRYPTO_POLICY=unlimited
It's important to know that the Docker image is maintained and managed independently from the openHAB software and it has its own release cycles (they don't really use version numbers). Whatever change happened, if there was a change, was likely completely independent of the openHAB version and it likely applies to all openHAB versions currently supported to run in Docker.
I'm aware that this change is not related to the OH software itself, I wasn't precise enough in my previous posting: I guess I should have said: the docker base image for the official OH 3.2.0 milestone release. So of course this may also have changed for docker images of other OH versions but I don't know that.
So far I never had any issues with these separate release cycles (and I wasn't aware of this fact). However it's good to know for anyone using the docker images that there is a potential for breaking changes (at least in customised setups) that may be introduced through the docker image releases.
@DrRSatzteil
It took a while until we got this environment variable: with OH v2.4 it was not there and I needed to mount an external ...jre/lib/security directory with extended jar files:
It was a great achievement that the CRYPTO_POLICY env variable was introduced. But I don't remember when that was
So might this be a general problem with the java version when the certificate is in the keystore?
Can I debug this somehow? Or will this be considered an “individual issue” and I have to switch to an alternative mail provider?
If youâve updated from 3.2.0.M3 to 3.2.0.M4, one of the changes in the Docker image is that Java was updated from 11.0.12 to 11.0.13 which has some cipher suite and root certificate changes, see:
Nowadays the OH Docker build no longer rebuilds all openHAB images every time. So changes in the Docker image propagate similar to changes in openHAB itself: snapshots first, followed by milestones and then releases.
Thanks Wouter
But the problem started with the move from 3.2.0.M2 to 3.2.0.M3 … I thought it might disappear when going to the latest level (sometimes it helps)
So it should be hidden in the step from M2 to M3. I will check the documentation links to see if I find a hint. As said, I have a workaround. So this is not urgent. It might just be interesting for others if I am not the only one.
You can try to set -Djavax.net.debug=all or -Djavax.net.debug=ssl
The first one should provide lots of debug information. The second one is related to ssl “only”. It should give some more details about the root cause.
Hi @openhabgs,
this explains everything. I have read through the topic in the Vodafone forum and the funny thing is that this correlates with my upgrade from OH 3.2.0.M2 to 3.2.0.M3 …
So any further investigation makes no sense. I will wait and see if/when my Arcor/Vodafone address will work again.
Thanks a lot for your “heads-up” - I searched the web but did not find this topic
Thanks for this information but the certificate issue is not tied to the hostname because it fails with either the arcor or the vodafone email domain name …
But to be honest I have to check if they have solved it in the meantime because I switched to an alternative email provider and did not follow up on their issue.
No worries. I also had huge problems with Arcor/Vodafone and I'm still not able to access my Mail from all my devices. However the Arcor server configuration was the only thing that actually worked the last time I tried