Regression - ssl.trust no longer working - "unable to find valid certification path to requested target" #52153

AndyHunt66 · 2020-02-10T15:58:54Z

Elasticsearch version (bin/elasticsearch --version): 7.5.0
(also affects 7.4.0+)

Description of the problem including expected versus actual behavior:
This pr and it's backport have caused xpack.notification.email.account.<name>.smtp.ssl.trust to not be recognised any more.

The following config works for versions 6.8.4, 7.0.0,7.1.0,7.2.0,7.3.2, but fails for versions 7.4.0+, 7.5.0 with the message:
unable to find valid certification path to requested target

xpack.notification.email.account:
   smtp1:
       profile: standard
       email_defaults:
           from: Elasticsearch@example.email.com
       smtp:
           ssl.trust: example.email.com
           auth: false
           starttls.enable: true
           host: example.email.com
           port: 25

It's unclear if this is the new intended behaviour, or if this is an unwanted side-effect of #45272

Steps to reproduce
1 - setup smtp configuration as above, then create a watcher that fires an email via smtp

Provide logs (if relevant):

Watch result:

   "actions": [
      {
        "id": "email_administrator",
        "type": "email",
        "status": "failure",
        "error": {
          "root_cause": [
            {
              "type": "messaging_exception",
              "reason": "failed to send email with subject [lwatch] via account [smtp1]"
            }
          ],
          "type": "messaging_exception",
          "reason": "failed to send email with subject [watch] via account [smtp1]",
          "caused_by": {
            "type": "messaging_exception",
            "reason": "Could not convert socket to TLS",
            "caused_by": {
              "type": "s_s_l_handshake_exception",
              "reason": "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
              "caused_by": {
                "type": "validator_exception",
                "reason": "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
                "caused_by": {
                  "type": "sun_cert_path_builder_exception",
                  "reason": "unable to find valid certification path to requested target"
                }
              }
            }
          }
        }
      }
    ]

The text was updated successfully, but these errors were encountered:

elasticmachine · 2020-02-11T01:49:38Z

Pinging @elastic/es-core-features (:Core/Features/Watcher)

The ssl.trust setting for Watcher provides a list of hostnames that should be automatically trusted for SSL hostname verification. It was accidentally broken when we added the full ssl.* settings for email notifications (see elastic#45272) This commit corrects this, so the setting is once again respected, as long as none of the other ssl settings are configured for email notifications. Resolves: elastic#52153

The ssl.trust setting for Watcher provides a list of hostnames that should be automatically trusted for SSL hostname verification. It was accidentally broken when we added the full ssl.* settings for email notifications (see #45272) This commit corrects this, so the setting is once again respected, as long as none of the other ssl settings are configured for email notifications. Resolves: #52153

The ssl.trust setting for Watcher provides a list of hostnames that should be automatically trusted for SSL hostname verification. It was accidentally broken when we added the full ssl.* settings for email notifications (see elastic#45272) This commit corrects this, so the setting is once again respected, as long as none of the other ssl settings are configured for email notifications. Resolves: elastic#52153 Backport of: elastic#56090

The ssl.trust setting for Watcher provides a list of hostnames that should be automatically trusted for SSL hostname verification. It was accidentally broken when we added the full ssl.* settings for email notifications (see #45272) This commit corrects this, so the setting is once again respected, as long as none of the other ssl settings are configured for email notifications. Resolves: #52153 Backport of: #56090

tvernum added the :Data Management/Watcher label Feb 11, 2020

tvernum self-assigned this Feb 11, 2020

tvernum mentioned this issue May 4, 2020

Fix smtp.ssl.trust setting for watcher email #56090

Merged

rjernst added the Team:Data Management Meta label for data/management team label May 4, 2020

tvernum closed this as completed in #56090 May 28, 2020

This was referenced May 28, 2020

[Backport 7.8] Fix smtp.ssl.trust setting for watcher email #57267

Merged

[Backport 7.x] Fix smtp.ssl.trust setting for watcher email #57268

Merged

tvernum mentioned this issue May 28, 2020

[Backport 7.7] Fix smtp.ssl.trust setting for watcher email #57269

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Regression - ssl.trust no longer working - "unable to find valid certification path to requested target" #52153

Regression - ssl.trust no longer working - "unable to find valid certification path to requested target" #52153

AndyHunt66 commented Feb 10, 2020 •

edited

Loading

elasticmachine commented Feb 11, 2020

Regression - ssl.trust no longer working - "unable to find valid certification path to requested target" #52153

Regression - ssl.trust no longer working - "unable to find valid certification path to requested target" #52153

Comments

AndyHunt66 commented Feb 10, 2020 • edited Loading

elasticmachine commented Feb 11, 2020

AndyHunt66 commented Feb 10, 2020 •

edited

Loading