Could not convert socket to TLS [EmailSender] WARNING
Hi,
Could anyone tell what does it mean those errors in Server.log?
"Could not convert socket to TLS WARNING [EmailSender]"
How to avoid it?
2017-09-03 06:41:47 WARNING [StringTable] A string could not be found in server side StringTable. Suppressing this warning for another 60000 ms. 2017-09-03 06:41:57 WARNING [EmailSender] Delaying 1000ms before starting retry 1 of 1, error: org.apache.commons.mail.EmailException: Sending the email to the following server failed : email.domain.net:25 2017-09-03 06:41:58 WARNING [EmailSender] Sending email caused an exception: Sending the email to the following server failed : email.domain.net:25
Could not convert socket to TLS sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target unable to find valid certification path to requested target: com.dynatrace.diagnostics.server.shared.email.EmailSender a:207 org.apache.commons.mail.EmailException: Sending the email to the following server failed : email.domain.net:25 at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1421) at org.apache.commons.mail.Email.send(Email.java:1448) at com.dynatrace.diagnostics.server.shared.email.ImageHtmlEmail.resend(SourceFile:106) at com.dynatrace.diagnostics.server.shared.email.EmailSender.a(SourceFile:322) at com.dynatrace.diagnostics.server.shared.email.EmailSender.sendEmailSub(SourceFile:163) at com.dynatrace.diagnostics.server.shared.email.EmailSender.sendEmailSub(SourceFile:110) at com.dynatrace.diagnostics.server.ServerAccessController.sendEmail(SourceFile:5178) at com.dynatrace.diagnostics.core.incidents.IncidentMailSender.a(SourceFile:489) at com.dynatrace.diagnostics.core.incidents.IncidentMailSender.a(SourceFile:516) at com.dynatrace.diagnostics.core.incidents.IncidentMailSender.a(SourceFile:410) at com.dynatrace.diagnostics.core.incidents.IncidentMailSender.a(SourceFile:65) at com.dynatrace.diagnostics.core.incidents.IncidentMailSender$BulkIncidentMailTask.run(SourceFile:525) at java.util.TimerThread.mainLoop(Timer.java:555) at java.util.TimerThread.run(Timer.java:505) Caused by: javax.mail.MessagingException: Could not convert socket to TLS; nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1907) at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:666) at javax.mail.Service.connect(Service.java:295) at javax.mail.Service.connect(Service.java:176) at javax.mail.Service.connect(Service.java:125) at javax.mail.Transport.send0(Transport.java:194) at javax.mail.Transport.send(Transport.java:124) at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1411) ... 13 more Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:549) at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:486) at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1902) ... 20 more Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) at sun.security.validator.Validator.validate(Validator.java:260) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ... 30 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ... 36 more
Best Answer
Which minor version of 6.5 are you on? I see that there have been some updates over time that resolved errors that are the same as what you are seeing (>6.5.4) should have the relevant updates but you would install the latest release if it applies here.
Otherwise I see some reports that it was originally caused by your email server supporting StartTLS so when AppMon tries to connect using this it failed because of a certificate issue. Some possible fixes are listed below:
- disable STARTTLS on your email server
- wait until the 6.5.3 update where you can select plaintext SMTP session in the DT GUI (this can be set now in the 'connection type' field of the email services settings)
- fix the certificate issue by importing the root certificate that signed your email server certificate into "DT_HOME/jre/lib/security/cacerts" (Oracle-provided default passphrase is "changeit")
- edit the "<mailserver>" element in server.config.xml and set the attributes as follows: starttls="false" requirestarttls="false"
James
HI James,
It means that the emails were sent all time no tls anyway ?
Version 6.5.16.1011
Now was set: StartTLS
I don't know how you had it set before, but normally this type of error would pop up after a major upgrade. If you started seeing this recently some other change most likely occurred wither in the AppMon settings or on the email server side. I'm not familiar enough to provide any details beyond what I have.
james,
I see that the emails come using tls:
in email headers : (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384)
Could it be problem with some clients
I'm not sure I understand, are you seeing all of the emails now or are only some working? I would expect it would be completely working or completely failing - the communication that setting is for is between the AppMon server and your email server, the clients don't come into play apart from conifguration.
James,
Thanks, that was problem in Cetrificate. If turn off the TLS, and turn on Encripted - the events gone.
Oleksandr
