java starttls connection error

Hi, I’m having issues with SSL certificate configuration in KumoMTA when connecting via Java client.

Steps performed:

1. Generated DKIM and SSL certificates:
# DKIM setup
export DOMAIN="<my-domain>"
export SELECTOR="s1"
openssl genrsa -f4 -out /opt/kumomta/etc/dkim/$DOMAIN/$SELECTOR.key 1024
openssl rsa -in /opt/kumomta/etc/dkim/$DOMAIN/$SELECTOR.key -outform PEM -pubout -out /opt/kumomta/etc/dkim/$DOMAIN/$SELECTOR.pub

# SSL cert generation
openssl req -x509 -newkey rsa:2048 -keyout smtp.key -out smtp.crt -days 365 -nodes \
   -subj "/CN=$DOMAIN" \
   -addext "subjectAltName=DNS:$DOMAIN"
openssl x509 -in smtp.crt -out smtp_cert.pem

2. Configured certificates:
sudo mv smtp.key smtp_cert.pem /opt/kumomta/etc/dkim/$DOMAIN/
sudo chown kumod:kumod /opt/kumomta/etc/dkim/$DOMAIN/smtp*
sudo chmod 600 /opt/kumomta/etc/dkim/$DOMAIN/smtp.key

Issue: When connecting to SMTP server using Java client with STARTTLS, getting error:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Context:

Using Java 8
Other SMTP servers connect successfully to the same Java app.
Certificate was generated with the proper domain name and SAN

What configuration changes are needed to resolve this SSL validation error?

It doesn’t look like you’re having the TLS certificate signed by a certificate authority

But please provide the full information as requested by the bot if you want more help
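The diagnosis above can be checked without Java: the "unable to find valid certification path" error is the same chain-building check that `openssl verify` performs. The script below is an added example, not from this thread or the KumoMTA project; it assumes OpenSSL 1.1.1 or newer, uses a placeholder domain instead of the poster's, and only runs `keytool` when a JDK is present.

```shell
#!/bin/sh
# Added example: reproduce the trust failure from the thread with openssl alone,
# then show the two ways out (pin the exact cert on the client, or get it CA-signed).
set -eu

DOMAIN="${DOMAIN:-mail.example.test}"   # placeholder, not the poster's real domain
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Same shape as the poster's command: a self-signed leaf certificate with a SAN.
make_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -keyout "$WORK/smtp.key" -out "$WORK/smtp.crt" \
        -days 365 -nodes -subj "/CN=$DOMAIN" -addext "subjectAltName=DNS:$DOMAIN" 2>/dev/null
}

# What the Java client does: build a chain from the server cert to a trust anchor
# it already has. A self-signed cert is its own issuer, so this fails (exit != 0).
verify_against_default_store() {
    openssl verify "$WORK/smtp.crt" >/dev/null 2>&1
}

# Client-side workaround: trust that exact certificate as the anchor (exit 0).
verify_against_pinned_anchor() {
    openssl verify -CAfile "$WORK/smtp.crt" "$WORK/smtp.crt" >/dev/null 2>&1
}

# The SAN the client compares against the host name it connected to.
san_of_cert() {
    openssl x509 -in "$WORK/smtp.crt" -noout -ext subjectAltName | sed -n 's/^ *DNS://p'
}

# Java equivalent of the pinned anchor: a dedicated truststore holding that one cert,
# selected with -Djavax.net.ssl.trustStore=<path>. Skipped when no JDK is installed.
import_into_java_truststore() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping"; return 0; }
    keytool -importcert -noprompt -alias kumomta-smtp -file "$WORK/smtp.crt" \
        -keystore "$WORK/truststore.p12" -storetype PKCS12 -storepass changeit >/dev/null
}

make_selfsigned_cert
if verify_against_default_store; then
    echo "default store: OK (unexpected for a self-signed cert)"
else
    echo "default store: FAILED (self-signed, no trust anchor: same cause as the Java error)"
fi
verify_against_pinned_anchor && echo "pinned anchor: OK"
echo "SAN: $(san_of_cert)"
import_into_java_truststore
```

Pinning is only a stopgap for a test client; for mail that other servers must accept, the lasting fix is a certificate issued by a CA the clients already trust, such as Let's Encrypt.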

Without seeing your config it is difficult to help.
You can test with seals and use the trace facility to expose the problem

You can also “prefer OpenSSL”

Also you may need to specifically declare the file locations.

See point 4 here:

I used openssl to sign the certificate. Is there any doc on using Let's Encrypt as the signing authority for the TLS certificate? Also, I am confused about the DKIM and TLS certificates used here.

Can you elaborate more on your confusion here?
Also, I am confused about the DKIM and TLS certificates used here.
Do you just not understand how DKIM works, or do you need explanation about how it specifically works in KumoMTA?

Let's Encrypt is used to sign your TLS certificate, which you need for inbound/outbound connections that require TLS.

DKIM is a way to essentially sign your SMTP cryptographically. You generate the DKIM keys on the server, then you have to paste the key (in the correct format) into a TXT record on your domain.

@heroic-tortoise is this issue resolved now?