TL;DR: For some reason, despite importing the certificate into the CACERTS file, I can't pull mail from a mail server.
I have an instance of service desk locally hosted. It was working fine receiving mails without a problem and then suddenly stopped.
Now when I try to connect I get one of the following depending on the method I have selected.
1. Using secure IMAP on port 993 I get "unable to find valid certification path to requested target"
2. Using IMAP on port 143 I get "No login methods supported!"
3. Using POP on port 119 I get "Connection refused (Connection refused)"
4. Using secure POP on port 995 I get "Connection refused (Connection refused)"
I have received the certificate provided for the mail server and imported it into the CACERTS file that the instance of Java that Jira uses has (and just in case I've also added it to every cacerts file I can find on the server) and restarted Jira, but with no luck.
Hosting server is Oracle Linux 6, Java version is 1.8.0_181 (I know, it needs patching)
Error in the logs is
2019-09-25 10:59:04,678 ERROR [] Caesium-1-1 ServiceRunner Messaging Error when MailPullerWorker pulls emails from <redacted_user>@<redacted domain>: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Good news, it looks like the issue was at the mail server end. The IMAP services were stopped and started again and then it all started working again.
Thanks for the help everyone, looks like it was an upstream issue.
This means one of two things.
Thanks for getting back to me.
I think you're right on the first part (the certificate is installed on all the cacerts, but the one I believe Jira is using is the <jira-bin-home>/jre/lib/cacerts file).
The second I'm trying to work on.
I've installed MUTT on the Jira server and with that I can connect to the mail server with IMAP without any issue. It does come up with a note about the certificate at the start (it says "This certificate belongs to <servername>" and "This certificate was issued by <servername>" and finally "This certificate is valid" and a date range that the certificate is valid for).
I'm not sure what else to check.
I've also tried using both the FQDN for the mail server and the server name itself.
I've also used SSLPoke to test the connection.
If I SSLPoke to port 993 I get the error:-
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
If I SSLPoke to port 443 I get "Successfully connected"
Not sure if that proves anything though.
You need to import the signing certs for your CA. I suspect your cert is signed by an internal CA (or maybe even self-signed).
So your cacerts file needs to have the certs for your CA (hence the name, CA certs).
That's what it is complaining about. It can't validate that whoever signed your IMAP cert is itself valid. That is the certification path.
And the file should be in the "security" subdirectory.
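Added example, not part of the thread or of Jira: a small Java diagnostic for the certification-path check discussed above. It loads one specific truststore file, connects to a host and port, and reports the chain the server presented and whether each certificate or its issuer is in that store. The class name `TrustPathCheck` and its command-line arguments are assumptions made for illustration.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;

// Hypothetical diagnostic; usage: java TrustPathCheck <host> <port> <truststore> [password]
public class TrustPathCheck {
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String storePath = args[2];
        // "changeit" is the stock cacerts password; pass your own if it was changed.
        char[] pass = (args.length > 3 ? args[3] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(storePath)) { ks.load(in, pass); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager real = (X509TrustManager) tmf.getTrustManagers()[0];

        // Record the chain the server sends, then let the normal PKIX validation run.
        X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException { real.checkClientTrusted(c, t); }
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException { seen[0] = c; real.checkServerTrusted(c, t); }
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);

        String verdict = "chain validates against " + storePath;
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        } catch (SSLException e) {
            verdict = "validation FAILED: " + e.getMessage();
        }
        System.out.println(host + ":" + port + " -> " + verdict);
        if (seen[0] == null) { System.out.println("no certificate chain received"); return; }
        for (X509Certificate c : seen[0]) {
            boolean selfIssued = c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
            // Name match only: shows whether a CA with the issuer's name is in the store at all.
            boolean issuerInStore = Arrays.stream(real.getAcceptedIssuers())
                    .anyMatch(a -> a.getSubjectX500Principal().equals(c.getIssuerX500Principal()));
            System.out.println("subject=" + c.getSubjectX500Principal().getName()
                    + "\n  issuer=" + c.getIssuerX500Principal().getName()
                    + "\n  selfIssued=" + selfIssued + " inStoreAs=" + ks.getCertificateAlias(c)
                    + " issuerInStore=" + issuerInStore);
        }
    }
}
```

Running it once per port (993 and 443) against the same cacerts file shows whether the two services present different chains, which would explain one port validating while the other fails.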