I am trying to send emails from my application via TLS-SMTP. This works when run locally (Tomcat7, Java7, Windows) but not in production (Tomcat7, Java6, Linux). The trust store containing the public cert of the SMTP server is shipped with the application, set manually via
System.setProperty("javax.net.ssl.trustStore", "pathToJssecacerts")
and is identical in both cases. I verified this using
System.getProperty("javax.net.ssl.trustStore")
just before the mail is sent which returns an absolute path pointing to the store in the respective environment.
Thus, to my knowledge, both application environments use exactly the same trust store. (Is there a way to be definitely sure?)
I'm using
System.setProperty("javax.net.debug", "ssl:handshake:trustmanager");
to get some more insight but the output differs considerably between the two environments, probably due to the differences between Java6 and Java7. The error in production (Java6) reads:
...
SEND TLSv1 ALERT: fatal, description = certificate_unknown
WRITE: TLSv1 Alert, length = 2
called closeSocket()
handling exception: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
So either there is a flaw in my reasoning, a bug, or there is another thing here that I haven't considered so far. Any ideas?
This message means that Java is unable to build a chain of trust using your certificate.
As a test you can try setting the property
This property will override the default behaviour and trust all certificates.
Note: this is not recommended in production.
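On the question's "is there a way to be definitely sure?": the following is an added example, not code from the original question or answer. It lists the SHA-256 fingerprint of every certificate in the store that `javax.net.ssl.trustStore` points to, so the output from the two environments can be compared line by line. The class name `TrustStoreDump` and the helper names are assumptions made for illustration, and the code avoids Java 7 syntax so it also compiles on the Java 6 production JVM.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.Map;
import java.util.TreeMap;

// Added example (hypothetical class name): dump what is actually in the configured trust store.
public class TrustStoreDump {

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < b.length; i++) sb.append(String.format("%02x", b[i] & 0xff));
        return sb.toString();
    }

    // alias -> SHA-256 of the DER-encoded certificate, sorted so two outputs diff cleanly
    static Map<String, String> fingerprints(InputStream in, String type, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(in, pw); // for a JKS store, a null password skips the integrity check but still reads entries
        Map<String, String> out = new TreeMap<String, String>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c != null) out.put(alias, hex(MessageDigest.getInstance("SHA-256").digest(c.getEncoded())));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore");
        if (path == null) { System.out.println("javax.net.ssl.trustStore is not set"); return; }
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        InputStream in = new FileInputStream(path);
        try {
            Map<String, String> fps = fingerprints(in, type, pw == null ? null : pw.toCharArray());
            System.out.println(path + " (" + type + "), " + fps.size() + " certificate entries");
            for (Map.Entry<String, String> e : fps.entrySet())
                System.out.println(e.getValue() + "  " + e.getKey());
        } finally {
            in.close();
        }
    }
}
```

Inside a web application, call `fingerprints(...)` from the same code path that sends the mail rather than running `main`. JSSE reads the trust store property when the default SSLContext is first created, so the value returned by `System.getProperty` later does not by itself show which store a connection used.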