SunCertPathBuilderException: unable to find valid certification path to requested target in binary container with Mailer #18329
Comments
As a side note, a relative path doesn't work with dev, returning `java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty`. It only works with the absolute path. That suggests you get this different error when it can find the parameters, but can't find the truststore. Ditto if you put a file name that doesn't exist. I'm pointing this out cuz in dev, you only get the SunCertPathBuilderException error that the native container is giving if it cannot find the JVM parameters. I understand from your documentation and issues that Quarkus somehow packs this into the build, so this suggests this packing part is failing and that Java is either supposed to be satisfied and thus not need these parameters, or that Quarkus is somehow supposed to set the properties for the JVM. |
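A diagnostic for the two failure modes distinguished in the comment above, as an added example that is not part of the original thread or of Quarkus; the class name `TrustStoreCheck` is hypothetical. It resolves the configured `javax.net.ssl.trustStore` value against the working directory, as happens for a relative path, and reports whether any trust anchors actually load from it.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Hypothetical diagnostic (class name is an assumption, not Quarkus code).
// Run with the same -Djavax.net.ssl.trustStore* flags as the application.
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        String configured = System.getProperty("javax.net.ssl.trustStore");
        if (configured == null) {
            System.out.println("trustStore property not set: the JVM default cacerts applies");
            return;
        }
        // A relative value is resolved against the process working directory.
        Path path = Paths.get(configured).toAbsolutePath().normalize();
        System.out.println("configured=" + configured + " resolved=" + path);
        if (!Files.isReadable(path)) {
            System.out.println("NOT FOUND: JSSE gets zero trust anchors -> "
                    + "'the trustAnchors parameter must be non-empty'");
            System.exit(2);
        }
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, pw == null ? null : pw.toCharArray());
        }
        int anchors = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (ks.isCertificateEntry(alias) && cert instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) cert;
                anchors++;
                System.out.println(alias + " | " + x.getSubjectX500Principal().getName()
                        + " | expires " + x.getNotAfter());
            }
        }
        if (anchors == 0) {
            System.out.println("EMPTY: same 'trustAnchors ... non-empty' failure as a missing file");
            System.exit(3);
        }
        System.out.println(anchors + " trust anchor(s) loaded; if the handshake still fails with "
                + "SunCertPathBuilderException, none chains to the server or this store is not in use");
    }
}
```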
I would need a reproducer. |
How? It has to try an SSL handshake with an SMTP. Just take one you have working and add those 3 parameters, changing path to an absolute path with a truststore with 1 cert in it for w/e SMTP you are talking to. As for the Mailer part, it's just a basic REST test...
You still have to supply your own SMTP server and create your own truststore, as you'll be trusting a different SMTP server than me. Then do a container build
and hit the REST with a browser. Use these modules
You have my application.yml config in the OP. You can get rid of the first parameter
Just discovered it doesn't blow up my boot as long as my DB is bootstrapped. So, I was able to reproduce the error with just those two parameters. |
Here is a starter with the same version properties in the pom.xml. This just works in dev with mock. https://github.com/NinjaTycoon/quarkus-mailer-reproducer Hit http://localhost:9090/test/emailer/simple and you get OK, with the mock output to log. |
/cc @cescoffier |
Completed the reproducer so that I was able to reproduce the same issue with it. https://github.com/NinjaTycoon/quarkus-mailer-reproducer Had to add |
Further diagnosing it
Looking at Quarkus code. Noticed this config magic of trustStore happens in the handleAdditionalProperties method in NativeImageBuildStep.java. Here is my build output from that file in case it helps:
If it logged the path of outputDir I'd look for "trustStore" there. Can't see how to verify it called handleAdditionalProperties. Unfortunately, I'm not set up to build Quarkus. |
Unfortunately, I don't have an SMTP server where I need to customize the Keystore. My corporate one, SendGrid and Gmail are all working. Just to verify, did you try setting |
That resolved it! Perhaps you can update this documentation to suggest that. Thanks for the help! :) Does this just bypass the trustStore? |
Yes, I will open a PR for the doc (don't close the issue, so I don't forget) |
Well, if it bypasses the trustStore, then it technically doesn't resolve the core issue which does appear to be a possible bug. If you need to hit my SMTP server to test I can give it to you privately. I just don't want a reference to it here. You can ping me at e_ninjatycoon-2021@servicecraze.com |
The mailer config must be extended to allow trust store configuration. Thanks for the offer, I will ping you by email. |
Describe the bug
Getting this error when I try to access my test REST for the Mailer.
I got the same error in dev (with mock set to false) and in a binary container. I was able to resolve it in dev by launching with this:
./mvnw compile quarkus:dev \
  -Djavax.net.ssl.trustStore=/home/ninja/dev2/svn/sc-trunk/microservices/sc-cloud-collector/conf/cacerts \
  -Djavax.net.ssl.trustStorePassword=changeit
I received the email and the REST completed without error in dev. So, I know supplying these JVM parameters to the truststore resolves it when the JVM can find them.
Following this documentation, I've been unable to get it to work. I'm using yml for application config, which includes:
under quarkus.native. Note that additional-build-args continues to work for the first parameter I've been setting for some time for resources-config.json. It wouldn't boot if that didn't load property. I checked with a text editor that barring the syntax differences, the -D parameters match what I have working for dev.
Expected behavior
The REST to complete w/o error and the email to be sent and received, as happens in dev currently.
Actual behavior
The container binary produces the above error.
To Reproduce
The challenge here is this is talking to a real SMTP server with a real SSL certificate in the truststore. Can't realistically mock it.
Configuration
Here is my mailer config obfuscated for privacy since I'm using a real SMTP server.