
Keycloak runs in Kubernetes via a Helm chart. With SSL disabled and StartTLS enabled (as our mail server requires) there is an error:

14:26:54,545 ERROR [stderr] (default task-8)    ... 84 more
14:26:54,545 ERROR [stderr] (default task-8) Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
14:26:54,545 ERROR [stderr] (default task-8)    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
14:26:54,545 ERROR [stderr] (default task-8)    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
14:26:54,545 ERROR [stderr] (default task-8)    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
14:26:54,545 ERROR [stderr] (default task-8)    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
14:26:54,545 ERROR [stderr] (default task-8)    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
14:26:54,545 ERROR [stderr] (default task-8)    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
14:26:54,545 ERROR [stderr] (default task-8)    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:629)
14:26:54,545 ERROR [stderr] (default task-8)    ... 98 more
14:26:54,545 ERROR [stderr] (default task-8) Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
14:26:54,546 ERROR [stderr] (default task-8)    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
14:26:54,546 ERROR [stderr] (default task-8)    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
14:26:54,546 ERROR [stderr] (default task-8)    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
14:26:54,546 ERROR [stderr] (default task-8)    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
14:26:54,546 ERROR [stderr] (default task-8)    ... 104 more
14:26:54,547 ERROR [org.keycloak.services.resources.admin.RealmAdminResource] (default task-8) Failed to send email
 javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
        javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

1 Answer

Most probably the reason is that the Java Virtual Machine (JVM) is not trusting your mail server's certificate (maybe self-signed?).

A solution can be to manually create a truststore containing this certificate.

See the multiple answers about creating and filling a truststore, e.g. How to import a .cer certificate into a Java keystore?

This keystore now needs to be mounted into the Keycloak container and passed to the JVM as JAVA_OPTS parameters:

-Djavax.net.ssl.trustStore=/loc/in/container/truststore.jks
-Djavax.net.ssl.trustStorePassword=changeit

Depending on the Helm chart you are using, the solution varies. E.g. with the codecentric Keycloak chart you set the JVM settings here https://github.com/codecentric/helm-charts/tree/master/charts/keycloak#jvm-settings and mount the keystore with the help of extraVolumeMounts/extraVolumes.

Evil_skunk
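An added example, not the answer's own code nor the chart's, that carries the procedure through in shell: capture the certificate the mail server presents after STARTTLS together with its fingerprint, merge it into a truststore based on the JDK's cacerts, publish it as a Secret and render the Helm values that mount it and set JAVA_OPTS. The Secret and volume names, the mount path and the chart key extraEnv are assumptions; check them against the chart version you run.

```shell
# Added example (not from the answer or the Keycloak charts). Assumed: the
# Secret/volume names, the mount path and the chart key extraEnv.
set -eu
# Capture the leaf certificate the SMTP server presents after STARTTLS and print
# its SHA-256 fingerprint: compare it out of band before trusting it.
fetch_smtp_cert() {   # usage: fetch_smtp_cert HOST PORT OUT.pem
  openssl s_client -starttls smtp -connect "$1:$2" -showcerts </dev/null 2>/dev/null |
    openssl x509 -outform PEM > "$3"
  openssl x509 -in "$3" -noout -subject -enddate -fingerprint -sha256
}
# Start from the JDK's own cacerts: -Djavax.net.ssl.trustStore replaces the
# default store, so a fresh JKS would drop trust in every public CA.
build_truststore() {  # usage: build_truststore CERT.pem OUT.jks PASSWORD
  cacerts="${JAVA_HOME:-/usr/lib/jvm/default}/lib/security/cacerts"
  [ -f "$cacerts" ] && keytool -importkeystore -noprompt -srckeystore "$cacerts" \
    -srcstorepass changeit -destkeystore "$2" -deststorepass "$3" >/dev/null
  keytool -importcert -noprompt -trustcacerts -alias mail-server -file "$1" \
    -keystore "$2" -storepass "$3"
  keytool -list -keystore "$2" -storepass "$3" -alias mail-server
}
# Store and password in one Secret; the password never lands in values.yaml.
push_secret() {       # usage: push_secret SECRET_NAME OUT.jks PASSWORD
  kubectl create secret generic "$1" --from-file=truststore.jks="$2" \
    --from-literal=password="$3" --dry-run=client -o yaml | kubectl apply -f -
}
# Helm values: Secret-backed read-only mount plus JAVA_OPTS pointing at it. The
# password reaches JAVA_OPTS via Kubernetes $(VAR) expansion of a pod env var.
render_values() {     # usage: render_values SECRET_NAME MOUNT_DIR
  cat <<EOF
extraVolumes: |
  - name: truststore
    secret:
      secretName: $1
extraVolumeMounts: |
  - name: truststore
    mountPath: $2
    readOnly: true
extraEnv: |
  - name: TRUSTSTORE_PASSWORD
    valueFrom:
      secretKeyRef:
        name: $1
        key: password
  - name: JAVA_OPTS
    value: "-Djavax.net.ssl.trustStore=$2/truststore.jks -Djavax.net.ssl.trustStorePassword=\$(TRUSTSTORE_PASSWORD)"
EOF
}
```

If the chart already sets a JAVA_OPTS default, append these two flags to that value rather than replacing it, or the chart's other JVM settings are lost.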