[Solved] Mail-Binding: Since OH 3.2.0 Milestone 3 - certificate issue: javax.mail.MessagingException: Could not convert socket to TLS

@rlkoshak Hi Rich,

thank you for the description. I would like to try it but unfortunately the keytool is not available in the OpenHAB docker image :frowning: … I will have to figure out how to extend the cacerts file when keytool is not available :+1:

Pull it out of the container, use keytool on the host, add the cert and then link it back into the container as a volume. Or install keytool into the container and install the cert using a script that runs before openHAB (see the Docker container docs).

You can find the keytool at $JAVA_HOME/bin/keytool in the official docker image.

However since 3.2.0 I have to change the crypto.policy to „unlimited“ in $JAVA_HOME/conf/security/java.security to import my root CA Certificate. I think in versions prior to 3.2.0 the crypto.policy was also set to „limited“ so I guess the limited policy changed in the Java version used in the 3.2.0 container. This may or may not be related to your problem, I just thought it might be helpful to let you know that I also discovered that there were some changes introduced with 3.2.0 with regard to certificates.

THANK YOU!!! :clap: :clap: :clap:
I assumed that this could work but I was not sure. I will try at the weekend as I am on business travel right now and the day is over (9PM) :wink: … As a workaround I currently use the alternative email address from another provider that I have tested before!

Thank you @DrRSatzteil but I have this already set to unlimited as otherwise my Buderus (km200) Binding does not work.

I think you can do this through an environment variable for the container. From the docs

Due to local laws and export restrictions the containers use Java with a limited cryptographic strength policy. Some openHAB functionality may depend on unlimited strength which can be enabled by configuring the environment variable CRYPTO_POLICY=unlimited

It’s important to know that the Docker image is maintained and managed independently from the openHAB software and it has its own release cycles (they don’t really use version numbers). Whatever change happened, if there was a change, was likely completely independent of the openHAB version and it likely applies to all openHAB versions currently supported to run in Docker.

So the certificate is already in the cacerts file:

==_-+- keytool --keystore ./cacerts -list | grep E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2
Keystore-Kennwort eingeben:  changeit
usertrustrsaca [jdk], 01.02.2010, trustedCertEntry,
Zertifikat-Fingerprint (SHA-256): E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2

CRYPTO_POLICY=unlimited is set :slight_smile:

Thanks I did not know about the Env variable.

I’m aware that this change is not related to the OH software itself, I wasn’t precise enough in my previous posting: I guess I should have said: the docker base image for the official OH 3.2.0 milestone release. So of course this may also have changed for docker images of other OH versions but I don’t know that.

So far I never had any issues with these separate release cycles (and I wasn’t aware of this fact). However it’s good to know for anyone using the docker images that there is a potential for breaking changes (at least in customised setups) that may be introduced through the docker image releases.

@DrRSatzteil
It took a while until we got this environment variable. With OH v2.4 it was not there and I needed to mount an external ...jre/lib/security directory with extended jar files:

It was a great achievement that the CRYPTO_POLICY env variable was introduced. But I don’t remember when that was :slight_smile:

So might this be a general problem with the java version when the certificate is in the keystore?
Can I debug this somehow? Or will this be considered an “individual issue” and I have to switch to an alternative mail provider?

If you’ve updated from 3.2.0.M3 to 3.2.0.M4, one of the changes in the Docker image is that Java was updated from 11.0.12 to 11.0.13 which has some cipher suite and root certificate changes, see:

Nowadays the OH Docker build no longer rebuilds all openHAB images every time. So changes in the Docker image propagate similarly to changes in openHAB itself: snapshots first, followed by milestones and then releases.

Besides the Java upgrade, the Debian base image was updated from 10.10 to 10.11, for those changes see: Debian -- News -- Updated Debian 10: 10.11 released


Thanks Wouter :+1:t2:
But the problem started with the move from 3.2.0.M2 to 3.2.0.M3 … I thought it might disappear when going to the latest level (sometimes it helps :stuck_out_tongue_winking_eye: )

So it should be hidden in the step from M2 to M3. I will check the documentation links to see if I find a hint. As said, I have a workaround. So this is not urgent. It might just be interesting for others if I am not the only one.

You can try to set -Djavax.net.debug=all or -Djavax.net.debug=ssl
The first one should provide lots of debug information. The second one is related to ssl ‘only’. It should give some more details about the root cause.

See also: https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
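To see which certificate chain the JVM is actually rejecting, here is an added diagnostic (not code from this thread, the mail binding or openHAB) that performs the same plain-SMTP-then-STARTTLS upgrade the binding does and prints the chain with keytool-style SHA-256 fingerprints, so the entries can be compared against the keytool -list output above. The class name and the EHLO name check.invalid are my own choices; run it with the container's own java (docker exec, `$JAVA_HOME/bin/java SmtpStartTlsCheck.java <host> 587`) so the same cacerts and crypto policy apply.

```java
import java.io.*;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.*;
import javax.net.ssl.*;
// Reproduces the mail binding's STARTTLS upgrade with the JVM's cacerts; add -Djavax.net.debug=ssl for the full trace.
public class SmtpStartTlsCheck {
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "mail.arcor.de";  // host named in the thread
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 587;
        try (Socket plain = new Socket(host, port)) {
            BufferedReader in = new BufferedReader(
                new InputStreamReader(plain.getInputStream(), StandardCharsets.US_ASCII));
            OutputStream out = plain.getOutputStream();
            expect(in, "220");                                      // greeting
            send(out, "EHLO check.invalid"); expect(in, "250");
            send(out, "STARTTLS");           expect(in, "220");
            // Same wrap step JavaMail takes; a handshake failure here is what it reports
            // as "Could not convert socket to TLS", with the real cause nested inside.
            SSLSocketFactory sf = (SSLSocketFactory) SSLSocketFactory.getDefault();
            try (SSLSocket tls = (SSLSocket) sf.createSocket(plain, host, port, true)) {
                tls.startHandshake();
                System.out.println("Handshake OK: " + tls.getSession().getCipherSuite());
                for (Certificate c : tls.getSession().getPeerCertificates()) {  // leaf first
                    X509Certificate x = (X509Certificate) c;
                    System.out.println("  " + x.getSubjectX500Principal());
                    System.out.println("    issuer:  " + x.getIssuerX500Principal());
                    System.out.println("    SHA-256: " + fingerprint(x));
                }
            }
        }
    }
    static void send(OutputStream out, String cmd) throws IOException {
        out.write((cmd + "\r\n").getBytes(StandardCharsets.US_ASCII)); out.flush();
    }
    // Reads one reply, skipping "250-..." continuation lines, and checks the final code.
    static void expect(BufferedReader in, String code) throws IOException {
        String line = in.readLine();
        while (line != null && line.length() >= 4 && line.charAt(3) == '-') line = in.readLine();
        if (line == null || !line.startsWith(code)) throw new IOException("unexpected reply: " + line);
    }
    // Colon-separated SHA-256, the form keytool -list prints for cacerts entries.
    static String fingerprint(X509Certificate x) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(x.getEncoded()))
            sb.append(sb.length() == 0 ? "" : ":").append(String.format("%02X", b));
        return sb.toString();
    }
}
```

The server usually sends only leaf and intermediates, so the issuer of the last printed entry names the root that must exist in cacerts; if the handshake fails, the nested exception cause shows whether it is the trust path or a cipher-policy problem.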

All,
the certificate issue with arcor/Vodafone seems to be a fundamental one - I found this ongoing discussion here:


Hi @openhabgs,
this explains everything. I have read through the topic in the Vodafone forum and the funny thing is that this correlates with my upgrade from OH 3.2.0.M2 to 3.2.0.M3 …
So any further investigation makes no sense. I will wait and see if/when my Arcor/Vodafone address will work again.
Thanks a lot for your “heads-up” - I searched the web but did not find this topic :+1:t2: :+1:t2: :+1:t2:

It is not officially documented by Vodafone but the old Arcor servers are still there and more or less reliably working:

SMTP Configuration:
mail.arcor.de:587
User: xxxxxxxxx@arcor.de

@DrRSatzteil

Thanks for this information but the certificate issue is not tied to the hostname because it fails with either the arcor or the vodafoneemail domain name …

But to be honest I have to check if they have solved it in the meantime because I switched to an alternative email provider and did not follow up on their issue.

No worries. I also had huge problems with Arcor/Vodafone and I’m still not able to access my Mail from all my devices. However the Arcor server configuration was the only thing that actually worked the last time I tried.

Hi,
it seems the certificate issue has been solved - at least sending with an @arcor.de address as SMTP out of openHAB works for me again w/o problems as before.


Thank you. I will try at the weekend to switch back from my alternative address back to the Arcor domain :+1: