javax.mail.MessagingException：无法将命令发送到SMTP主机；

Question

I have imported the certificate to cacerts (to where the JAVA_HOME is pointing) but still getting this error. Not able to figure out the issue. There is no firewall issue from client's mail server which is a Microsoft ESMTP server. I am able to telnet this from my server. Tried SSLpoke but it's getting timed out. Tried tcpdump of port 25, can see the communication back and forth. Basically trying to a trigger an outbound email from the mail server.

The detailed error log is:

Caused by: javax.mail.MessagingException: Can't send command to SMTP host; nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1420) at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1408) at com.sun.mail.smtp.SMTPTransport.ehlo(SMTPTransport.java:847) at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:384) at javax.mail.Service.connect(Service.java:297) at javax.mail.Service.connect(Service.java:156) at javax.mail.Service.connect(Service.java:105) at javax.mail.Transport.send0(Transport.java:168) at javax.mail.Transport.send(Transport.java:98) at com.issuetracker.esb.mail.GmailImpl.transportMessage(GmailImpl.java:94) at com.issuetracker.esb.mail.Mail.sendSRMail(Mail.java:188)

Answer 1

Did you use the -trustcacerts parameter when importing the cert with keytool?

Edit: My conversation on this topic has covered specific reasons for the error to occur but did not have the appearance of an 'answer', so here's a rewrite.

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This error indicates that a valid certificate chain for the purposes of trusting an incoming certificate could not be obtained from the resident keystore file being used by the running JRE (by default, in the JRE's jre/lib/security/cacerts file).

Typical causes of this include:

Neglecting to include the parameter -trustcacerts when importing the certificate with the keytool command.

When the JRE is looking for certificates it knows about to match the incoming one, it will only consider the certificates that have been marked as trusted in this way.

The certificate has been signed by a root CA for whom the JRE does not already have the root certificate installed for.

Typically this is caused by having the certificate signed by an unknown root certificate authority (CA), such as a company's own internal CA that the JRE knows nothing about (yet), or even by some third party root CAs that aren't as popular as some other big-name vendors, and so whilst a browser or OS may have a root certificate already, Java may not have shipped with it.

To rectify this, you will also need to obtain and install the root CA certificate and mark it trusted too.

There are also companies that provide certificate signing that are acting as intermediaries, meaning that they don't have their own root CA themselves, but have been given a certificate by a trusted root CA to allow them to further sign certificate signing requests (CSRs).

In these cases, whilst you may have your own certificate and the underlying root CA already installed and trusted, unless you also obtain and install the intermediate certificate, then the 'certificate chain' is broken and a valid certificate path cannot be made.

So possible solutions in summary include:

1. Perform all certificate installations for other sites with the -trustcacerts parameter.
2. Check that the root CA certificate exists in the keystore file also, if not, obtain and install it using keytool -importcert -trustcacerts as well.
3. Check if there is also an intermediate certificate to complete the full chain, and if so, obtain and install that using keytool -importcert -trustcacerts into the keystore file also.

Note: Examining the .crt file in Windows by double-clicking the file can give you an opportunity to examine the certificate path and see if and which root and intermediary CAs were involved to help show what you will need.

Once a complete and valid certificate chain has been installed and trusted into the keystore file, the error should pass.