7.6.4 2 Way Email Problems

Duffanator · November 25, 2013, 3:53pm

Hey all,

After upgrading to Ignition 7.5.4 over the weekend the 2-way e-mail alert profile I have set up works for a little while and then I start getting this message in the console. After that it won’t work anymore until a server reset.

[code]10:11:32 AM Alarming.Notification.EmailNotificationProfile[Email 2 Way] [hostname=cfcexchange.hqm.com,port=25] Error sending message to user ‘usr-prov:AD-Internal Hybrid:/usr:USERREDACTED’.

javax.mail.MessagingException: Could not convert socket to TLS;
nested exception is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1918)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:652)
at javax.mail.Service.connect(Service.java:295)
at javax.mail.Service.connect(Service.java:176)
at javax.mail.Service.connect(Service.java:125)
at javax.mail.Transport.send0(Transport.java:194)
at javax.mail.Transport.send(Transport.java:124)
at com.inductiveautomation.ignition.alarming.notification.email.EmailNotificationProfile$EmailTask.run(EmailNotificationProfile.java:344)
at com.inductiveautomation.ignition.alarming.notification.email.EmailNotificationProfile$3.run(EmailNotificationProfile.java:197)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:548)
at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:485)
at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1913)
… 11 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
… 21 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
… 27 more[/code]

Kevin.Herron · November 25, 2013, 4:23pm

sigh

For 7.6.4 we enabled STARTTLS for the SMTP connections… I knew I should have made it optional though

Your server is probably using a test certificate or self-signed certificate instead of a certificate signed by a commercial Certificate Authority. You’ll need to install the server’s certificate into your trust store. See java.net/projects/javamail/pages/InstallCert (hopefully that still works)

Alternatively, you can set the “mail.protocol.ssl.trust” property to the host name of your mail server. This can be done in the ignition.conf by adding an additional JVM startup parameter (the wrapper.java.additional lines). The line would look like:

wrapper.java.additional.8=-Dmail.protocol.ssl.trust=mailservergoeshere

It may or may not be 8, depending if you have other parameters in there.

Duffanator · November 25, 2013, 7:28pm

Thanks for the tip Kevin.

I tried using the additional Java parameters but that didn’t work. I went over the problem with our MIS guys in an attempt to try to get the certificate installed in Java and we found that the Ignition servers were never added to the trusted list of servers that can send e-mail.

I guess it didn’t matter before but apparently it does now

It’s now working after they added the Ignition servers to the trusted list. Thanks for the help!