[Solved] Mail-Binding: Since OH 3.2.0 Milestone 3 - certificate issue: javax.mail.MessagingException: Could not convert socket to TLS

Hi all,

OpenHAB environment: x86_64 Docker currently on OH v3.2 Milestone 4 but looking into my old logs the error started with OH 3.2 Milestone 3. Everything worked well with Milestone 2 and I am using the mail-binding since I started with OH v2.4 and I always used the official OpenHAB docker image.

19:40:21.706 [WARN ] [hab.binding.mail.internal.SMTPHandler] - Sending the email to the following server failed : mail.arcor.de:587
19:40:21.707 [WARN ] [hab.binding.mail.internal.SMTPHandler] - javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
	javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I checked the logs of my OH v3.2 Milestone 2 environment. The error did not occur there. It started with Milestone 3.

I found some topics with similar error messages but all referred to changed environments. I did not change anything in my environment except updating the docker container.

Hence I am lost where to look to find the culprit … Any idea or hint is kindly appreciated.

Cheers
Justus

EDIT: I tested with a different mail account and this works??? Hence the issue is not in OpenHAB but in my mail provider … Maybe this is helpful for others as well … I will investigate further and update this topic for documentation purposes.

Whatever certificate is used by the SMTP service you are interacting with is either expired or signed by an authority that is not trusted.

Either you configured Java to trust that certificate in 2.4 and have forgotten, or Java 11 no longer automatically trusts the certificate used by mail.arcor.de.

How to Import Public Certificates into Java’s Truststore from a Browser | by Avinash Reddy Penugonda | Expedia Group Technology | Medium might be helpful.

@rlkoshak Hi Rich,

thank you for the description. I would like to try it but unfortunately the keytool is not available in the OpenHAB docker image :frowning: … I will have to figure out how to extend the cacerts file when keytool is not available :+1:

Pull it out of the container, use keytool on the host, add the cert and then link it back into the container as a volume. Or install keytool into the container and install the cert using a script that runs before openHAB (see the Docker container docs).

You can find the keytool at $JAVA_HOME/bin/keytool in the official docker image.

However since 3.2.0 I have to change the crypto.policy to „unlimited“ in $JAVA_HOME/conf/security/java.security to import my root CA Certificate. I think in versions prior to 3.2.0 the crypto.policy was also set to „limited“ so I guess the limited policy changed in the Java version used in the 3.2.0 container. This may or may not be related to your problem, I just thought it might be helpful to let you know that I also discovered that there were some changes introduced with 3.2.0 with regard to certificates.

THANK YOU!!! :clap: :clap: :clap:
I assumed that this could work but I was not sure. I will try at the weekend as I am on business travel right now and the day is over (9PM) :wink: … As a workaround I currently use the alternative email address from another provider that I have tested before!

Thank you @DrRSatzteil but I have this already set to unlimited as otherwise my Buderus (km200) Binding does not work.

I think you can do this through an environment variable for the container. From the docs

Due to local laws and export restrictions the containers use Java with a limited cryptographic strength policy. Some openHAB functionality may depend on unlimited strength which can be enabled by configuring the environment variable CRYPTO_POLICY=unlimited

It’s important to know that the Docker image is maintained and managed independently from the openHAB software and it has its own release cycles (they don’t really use version numbers). Whatever change happened, if there was a change, was likely completely independent of the openHAB version and it likely applies to all openHAB versions currently supported to run in Docker.

So the certificate is already in the cacerts file:

==_-+- keytool --keystore ./cacerts -list | grep E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2
Keystore-Kennwort eingeben:  changeit
usertrustrsaca [jdk], 01.02.2010, trustedCertEntry,
Zertifikat-Fingerprint (SHA-256): E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2

CRYPTO_POLICY=unlimited is set :slight_smile:

Thanks I did not know about the Env variable.

I’m aware that this change is not related to the OH software itself, I wasn’t precise enough in my previous posting: I guess I should have said: the docker base image for the official OH 3.2.0 milestone release. So of course this may also have changed for docker images of other OH versions but I don’t know that.

So far I never had any issues with these separate release cycles (and I wasn’t aware of this fact). However it’s good to know for anyone using the docker images that there is a potential for breaking changes (at least in customised setups) that may be introduced through the docker image releases.

@DrRSatzteil
It took a while until we got this environment variable; with OH v2.4 it was not there and I needed to mount an external ...jre/lib/security directory with extended jar files:

It was a great achievement that the CRYPTO_POLICY env variable was introduced. But I don’t remember when that was :slight_smile:

So might this be a general problem with the java version when the certificate is in the keystore?
Can I debug this somehow? Or will this be considered an “individual issue” and I have to switch to an alternative mail provider?

If you’ve updated from 3.2.0.M3 to 3.2.0.M4, one of the changes in the Docker image is that Java was updated from 11.0.12 to 11.0.13 which has some cipher suite and root certificate changes, see:

Nowadays the OH Docker build no longer rebuilds all openHAB images every time. So changes in the Docker image propagate similar to changes in openHAB itself: snapshots first, followed by milestones and then releases.

Besides the Java upgrade, the Debian base image was updated from 10.10 to 10.11, for those changes see: Debian -- News -- Updated Debian 10: 10.11 released


Thanks Wouter :+1:t2:
But the problem started with the move from 3.2.0.M2 to 3.2.0.M3 … I thought it might disappear when going to the latest level (sometimes it helps :stuck_out_tongue_winking_eye: )

So it should be hidden in the step from M2 to M3. I will check the documentation links to see if I find a hint. As said, I have a workaround. So this is not urgent. It might just be interesting for other if I am not the only one.

You can try to set -Djavax.net.debug=all or -Djavax.net.debug=ssl
The first one should provide lots of debug information. The second one is related to ssl ‘only’. It should give some more details about the root cause.

See also: Debugging SSL/TLS connections
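As a cross-check outside the JVM, here is an added Python example (not from this thread, openHAB or the mail binding): it repeats the SMTP STARTTLS handshake on port 587 against the platform trust store, and when validation fails it fetches the presented certificate and compares its SHA-256 fingerprint with the output of keytool -list in the form shown earlier in the thread. The host name, port and the keytool listing passed to diagnose() are assumptions you replace with your own.

```python
import hashlib
import re
import smtplib
import ssl

# Fingerprint line of `keytool -list` in any locale, e.g. "Zertifikat-Fingerprint (SHA-256): E7:93:..."
_KEYTOOL_FP = re.compile(r"\(SHA-256\):\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){31})")

def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate in keytool's colon-separated uppercase form."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))

def parse_keytool_fingerprints(listing: str) -> set:
    """Collect every SHA-256 fingerprint printed by `keytool -list`."""
    return {fp.upper() for fp in _KEYTOOL_FP.findall(listing)}

def check_starttls(host: str, port: int = 587, timeout: float = 10.0):
    """STARTTLS validated against the platform trust store (same kind of PKIX check javax.mail does)."""
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.starttls(context=ssl.create_default_context())
        return True, "certificate chain validated"
    except ssl.SSLCertVerificationError as exc:
        # OpenSSL's "unable to get local issuer certificate" corresponds to Java's
        # "unable to find valid certification path to requested target"
        return False, exc.verify_message
    finally:
        smtp.close()

def fetch_starttls_leaf(host: str, port: int = 587, timeout: float = 10.0) -> bytes:
    """Fetch the server's leaf certificate (DER) without verifying it, for inspection only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert(binary_form=True)
    finally:
        smtp.close()

def diagnose(host: str, keytool_listing: str, port: int = 587) -> dict:
    """Report whether validation failed and whether the presented cert is already in the keystore."""
    verified, detail = check_starttls(host, port)
    report = {"verified": verified, "detail": detail}
    if not verified:
        der = fetch_starttls_leaf(host, port)
        report["leaf_fingerprint"] = fingerprint_sha256(der)
        report["leaf_in_keystore"] = report["leaf_fingerprint"] in parse_keytool_fingerprints(keytool_listing)
        report["leaf_pem"] = ssl.DER_cert_to_PEM_cert(der)  # pipe into `keytool -printcert` for issuer/validity
    return report
```

If the platform trust store rejects the chain as well, the problem is on the server side (an incomplete or expired chain), and importing the leaf into cacerts only papers over it until the next renewal.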

All,
the certificate issue with arcor/Vodafone seems to be a fundamental one - I found this ongoing discussion here:


Hi @openhabgs,
this explains everything. I have read through the topic in the Vodafone forum and the funny thing is that this correlates with my upgrade from OH 3.2.0.M2 to 3.2.0.M3 …
So any further investigation makes no sense. I will wait and see if/when my Arcor/Vodafone address will work again.
Thanks a lot for your “heads-up” - I searched the web but did not find this topic :+1:t2: :+1:t2: :+1:t2:

It is not officially documented by Vodafone but the old Arcor servers are still there and more or less reliably working:

SMTP Configuration:
mail.arcor.de:587
User: xxxxxxxxx@arcor.de

@DrRSatzteil

Thanks for this information but the certificate issue is not tied to the hostname because it fails with either the arcor or the vodafoneemail domain name …

But to be honest I have to check if they have solved it in the meantime because I switched to an alternative email provider and did not follow up on their issue.

No worries. I also had huge problems with Arcor/Vodafone and I’m still not able to access my Mail from all my devices. However the Arcor server configuration was the only thing that actually worked the last time I tried.