FreeBSD-12.1p10
openjdk11-11.0.8+10.1
iDempiere-7.1
We run our own private PKI CA and issue our own host and service keys and certificates.
I am trying to enable e-mail in iDempiere. When I send a test mail I get the following:
Process completed successfully
(ME): Could not convert socket to TLS javax.net.ssl.SSLHandshakeException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
Sistematika Fashion, Ltd.: (ME): Could not convert socket to TLS
javax.net.ssl.SSLHandshakeException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
Found Directory: null
However, swaks from the same host works fine:
# swaks --from=idempiere --to=byrnejb@harte-lyne.ca \
--server=mx32.harte-lyne.ca \
--tls-cert=/usr/local/etc/pki/tls/certs/ca.harte-lyne.accounting.crt \
--tls-key=/usr/local/etc/pki/tls/private/ca.harte-lyne.accounting.key \
--tls-ca-path /usr/local/etc/pki/tls/certs/ca-bundle.crt \
--tls
=== Trying mx32.harte-lyne.ca:25...
=== Connected to mx32.harte-lyne.ca.
<- 220 mx32.harte-lyne.ca ESMTP Postfix
-> EHLO accounting-2.internal.harte-lyne.ca
<- 250-mx32.harte-lyne.ca
<- 250-PIPELINING
<- 250-SIZE 134217728
<- 250-ETRN
<- 250-STARTTLS
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250-DSN
<- 250-SMTPUTF8
<- 250 CHUNKING
-> STARTTLS
<- 220 2.0.0 Ready to start TLS
=== TLS started with cipher TLSv1.3:TLS_AES_256_GCM_SHA384:256
=== TLS local DN="/CN=accounting.harte-lyne.ca/OU=Networked Data Services/O=Harte & Lyne Limited/L=Hamilton/ST=Ontario/C=CA/DC=harte-lyne/DC=ca"
=== TLS peer DN="/CN=mx32.harte-lyne.ca/OU=Networked Data Systems/O=Harte & Lyne Limited/L=Hamilton/ST=Ontario/C=CA/DC=hamilton/DC=harte-lyne/DC=ca"
~> EHLO accounting-2.internal.harte-lyne.ca
<~ 250-mx32.harte-lyne.ca
<~ 250-PIPELINING
<~ 250-SIZE 134217728
<~ 250-ETRN
<~ 250-AUTH PLAIN LOGIN
<~ 250-AUTH=PLAIN LOGIN
<~ 250-ENHANCEDSTATUSCODES
<~ 250-8BITMIME
<~ 250-DSN
<~ 250-SMTPUTF8
<~ 250 CHUNKING
~> MAIL FROM:<idempiere>
<~ 250 2.1.0 Ok
~> RCPT TO:<byrnejb@harte-lyne.ca>
<~ 250 2.1.5 Ok
~> DATA
<~ 354 End data with <CR><LF>.<CR><LF>
~> Date: Thu, 10 Dec 2020 14:20:21 -0500
~> To: byrnejb@harte-lyne.ca
~> From: idempiere
~> Subject: test Thu, 10 Dec 2020 14:20:21 -0500
~> Message-Id: <20201210142021.095915@accounting-2.internal.harte-lyne.ca>
~> X-Mailer: swaks v20190914.0 jetmore.org/john/code/swaks/
~>
~> This is a test mailing
~>
~>
~> .
<~ 250 2.0.0 from MTA(smtp:[localhost]:10025): 250 2.0.0 Ok: queued as 9B5EF31275
~> QUIT
<~ 221 2.0.0 Bye
=== Connection closed with remote host.
I downloaded SSLPoke and ran it, which produced this error:
JAVA_VERSION="11" java -Djavax.net.ssl.keyStore=/opt/idempiere/idempiere-server/jettyhome/etc/keystore -Djavax.net.ssl.keyStorePassword=$PASSWD -Djavax.net.ssl.trustStore=/opt/idempiere/idempiere-server/jettyhome/etc/keystore -Djavax.net.ssl.trustStorePassword=$PASSWD SSLPoke mx32.harte-lyne.ca 465
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
The keystore was created as follows (note that cert 20160054.pem was generated from key 20160053.key):
cat /usr/local/etc/pki/tls/certs/20160054.pem /usr/local/etc/pki/tls/certs/CA_HLL_PKI_2016_ca-bundle.crt > /usr/local/etc/pki/tls/certs/ca.harte-lyne.accounting.crt.chain.txt
grep 'Subject: CN' /usr/local/etc/pki/tls/certs/ca.harte-lyne.accounting.crt.chain.txt
Subject: CN=accounting.harte-lyne.ca, OU=Networked Data Services, O=Harte & Lyne Limited, L=Hamilton, ST=Ontario, C=CA/domainComponent=harte-lyne/domainComponent=ca
Subject: CN=CA_ISSUER_2016, OU=Networked Data Services, O=Harte & Lyne Limited, L=Hamilton, ST=Ontario, C=CA/domainComponent=harte-lyne/domainComponent=ca
Subject: CN=CA_HLL_ROOT_2016, ST=Ontario, O=Harte & Lyne Limited, OU=Networked Data Services, C=CA/domainComponent=harte-lyne/domainComponent=ca, L=Hamilton
openssl pkcs12 -export -inkey /usr/local/etc/pki/tls/private/20160053.key -in /usr/local/etc/pki/tls/certs/ca.harte-lyne.accounting.crt.chain.txt -out /opt/idempiere/idempiere-server/jettyhome/etc/hll_accounting.pkcs12
JAVA_VERSION="11" keytool -importkeystore -srckeystore /opt/idempiere/idempiere-server/jettyhome/etc/hll_accounting.pkcs12 -srcstoretype PKCS12 -destkeystore /opt/idempiere/idempiere-server/jettyhome/etc/hll_idempiere_keystore
cp -p /opt/idempiere/idempiere-server/jettyhome/etc/hll_idempiere_keystore /opt/idempiere/idempiere-server/jettyhome/etc/keystore
The keystore contains the following:
JAVA_VERSION="11" keytool -list -v -keystore /opt/idempiere/idempiere-server/jettyhome/etc/keystore
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: 1
Creation date: Dec 10, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: DC=ca, DC=harte-lyne, C=CA, ST=Ontario, L=Hamilton, O=Harte & Lyne Limited, OU=Networked Data Services, CN=accounting.harte-lyne.ca
Issuer: DC=ca, DC=harte-lyne, C=CA, ST=Ontario, L=Hamilton, O=Harte & Lyne Limited, OU=Networked Data Services, CN=CA_HLL_ISSUER_2016
Serial number: 20160054
Valid from: Fri Jul 31 20:00:00 EDT 2020 until: Sun Aug 31 19:59:59 EDT 2025
Certificate fingerprints:
SHA1: 20:C4:82:9B:55:08:6C:6B:6D:C3:85:7C:52:5A:87:27:11:48:E9:B6
SHA256: 98:26:68:02:9D:80:BD:34:B6:FD:93:A1:77:90:C1:5F:1D:75:1C:A7:1D:1B:BF:17:D6:B0:D7:83:78:2E:4E:23
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
Extensions:
# 1: ObjectId: 2.16.840.1.113730.1.4 Criticality=false
0000: 16 35 68 74 74 70 3A 2F 2F 63 61 2E 68 61 72 74 .5http://ca.hart
0010: 65 2D 6C 79 6E 65 2E 63 61 2F 43 41 5F 48 4C 4C e-lyne.ca/CA_HLL
0020: 5F 49 53 53 55 45 52 5F 32 30 31 36 2F 63 72 6C _ISSUER_2016/crl
0030: 2D 76 31 2E 63 72 6C -v1.crl
# 2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://ca.harte-lyne.ca/CA_HLL_ISSUER_2016/ca.crt
]
]
# 3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: FD C6 20 77 C5 AA E8 34 43 99 C4 3D 5B 65 9A 3C .. w...4C..=[e.<
0010: 2D 14 8E AF -...
]
[L=Hamilton, DC=ca, DC=harte-lyne, C=CA, OU=Networked Data Services, O=Harte & Lyne Limited, ST=Ontario, CN=CA_HLL_ROOT_2016]
SerialNumber: [ 02]
]
# 4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://ca.harte-lyne.ca/CA_HLL_ISSUER_2016/crl-v2.crl]
]]
# 5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.44880.100.10.10.3.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1B 68 74 74 70 3A 2F 2F 63 61 2E 68 61 72 74 ..http://ca.hart
0010: 65 2D 6C 79 6E 65 2E 63 61 2F 43 50 53 e-lyne.ca/CPS
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: 0000: 30 34 1A 32 4C 69 6D 69 74 65 64 20 4C 69 61 62 04.2Limited Liab
0010: 69 6C 69 74 79 2C 20 73 65 65 20 68 74 74 70 3A ility, see http:
0020: 2F 2F 63 61 2E 68 61 72 74 65 2D 6C 79 6E 65 2E //ca.harte-lyne.
0030: 63 61 2F 43 50 53 ca/CPS
]] ]
]
# 6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
emailProtection
]
# 7: ObjectId: 2.5.29.18 Criticality=false
IssuerAlternativeName [
RFC822Name: certificates@harte-lyne.ca
URIName: http://ca.harte-lyne.ca
]
# 8: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
]
# 9: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL client
SSL server
S/MIME
]
# 10: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
RFC822Name: certificates@example.com
DNSName: accounting.harte-lyne.ca
DNSName: accounting
DNSName: accounting.internal
DNSName: accounting.harte-lyne.ca
DNSName: accounting.internal.harte-lyne.ca
DNSName: accounting-1
DNSName: accounting-1.internal
DNSName: accounting-1.harte-lyne.ca
DNSName: accounting-1.internal.harte-lyne.ca
DNSName: accounting-2
DNSName: accounting-2.internal
DNSName: accounting-2.harte-lyne.ca
DNSName: accounting-2.internal.harte-lyne.ca
DNSName: ledgersmb
DNSName: ledgersmb.internal
DNSName: ledgersmb.harte-lyne.ca
DNSName: ledgersmb.internal.harte-lyne.ca
DNSName: localhost
DNSName: localhost.harte-lyne.ca
IPAddress: 216.185.71.87
IPAddress: 192.168.216.87
IPAddress: 192.168.216.88
IPAddress: 216.185.71.87
IPAddress: 216.185.71.88
IPAddress: 127.0.87.1
IPAddress: 127.0.88.1
IPAddress: 127.0.0.1
]
# 11: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 23 12 19 8F 6E CB 1D 21 C2 7F 59 03 C6 69 B6 FB #...n..!..Y..i..
0010: 41 99 B5 89 A...
]
]
******************************************
If java/idempiere is using the certificate in the keystore, what is causing the problem?
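An added example, not code from the original post nor from iDempiere or Jetty, written for the shell the keytool commands above are typed into. The SSLPoke run passes the Jetty keystore as javax.net.ssl.trustStore, and that keystore holds a single PrivateKeyEntry with a chain of length 1. The JDK's default trust manager only treats trustedCertEntry certificates and the leaf certificate of each key entry as trust anchors, so such a truststore can verify exactly one peer: the host itself. The script below reconstructs the anchor set from a `keytool -list -v` listing (the listings are constructed text mirroring the post's output), checks whether a peer certificate from a given issuer could be chained to them, and shows how to build a separate truststore from the private PKI's CA bundle. The issuer of mx32's certificate is not shown on the page; it is assumed here to be CA_HLL_ISSUER_2016, the same issuer as the host's own certificate, and the truststore path `/opt/idempiere/idempiere-server/jettyhome/etc/truststore.p12` is an assumed name.

```shell
#!/bin/sh
# Added example (not from the original post, iDempiere or Jetty).
# 1. Which certificates does a Java truststore actually make the JVM trust?
# 2. Can a peer certificate from a given issuer be chained to them?
# 3. Build a real truststore from the private PKI's CA bundle.
# Listings below are constructed to mirror `keytool -list -v`, so this runs offline.

# The JDK's default X509TrustManager (sun.security.validator.TrustStoreUtil) takes as
# trust anchors the certificate of every trustedCertEntry plus the leaf, Certificate[1],
# of every PrivateKeyEntry. CA certificates further down a key entry's chain are not
# anchors. Prints the Owner DN of each anchor found in the listing file $1.
trust_anchors() {
    awk '
        /^Entry type:/   { type = $3; n = "" }
        /^Certificate\[/ { n = $0; sub(/.*\[/, "", n); sub(/\].*/, "", n) }
        /^Owner:/ {
            dn = $0; sub(/^Owner: */, "", dn)
            if (type == "trustedCertEntry" || (type == "PrivateKeyEntry" && n == "1"))
                print dn
        }' "$1"
}

# Exit 0 if some anchor in listing $1 has CN $2, i.e. a peer certificate issued by that
# CA has a starting point for PKIX path building; exit 1 otherwise.
can_anchor_issuer() {
    trust_anchors "$1" | grep -Eq "CN=$2(,|\$)"
}

# Constructed listings: $1 mirrors the post's Jetty keystore (one PrivateKeyEntry,
# chain length 1, no CA entries); $2 is what a proper truststore looks like.
write_sample_listings() {
    cat > "$1" <<'EOF'
Keystore type: PKCS12
Your keystore contains 1 entry
Alias name: 1
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: DC=ca, DC=harte-lyne, C=CA, ST=Ontario, L=Hamilton, O=Harte & Lyne Limited, OU=Networked Data Services, CN=accounting.harte-lyne.ca
Issuer: DC=ca, DC=harte-lyne, C=CA, ST=Ontario, L=Hamilton, O=Harte & Lyne Limited, OU=Networked Data Services, CN=CA_HLL_ISSUER_2016
EOF
    cat > "$2" <<'EOF'
Keystore type: PKCS12
Your keystore contains 2 entries
Alias name: ca-01
Entry type: trustedCertEntry
Owner: DC=ca, DC=harte-lyne, C=CA, ST=Ontario, L=Hamilton, O=Harte & Lyne Limited, OU=Networked Data Services, CN=CA_HLL_ISSUER_2016
Issuer: DC=ca, DC=harte-lyne, C=CA, ST=Ontario, L=Hamilton, O=Harte & Lyne Limited, OU=Networked Data Services, CN=CA_HLL_ROOT_2016
Alias name: ca-02
Entry type: trustedCertEntry
Owner: DC=ca, DC=harte-lyne, C=CA, ST=Ontario, L=Hamilton, O=Harte & Lyne Limited, OU=Networked Data Services, CN=CA_HLL_ROOT_2016
Issuer: DC=ca, DC=harte-lyne, C=CA, ST=Ontario, L=Hamilton, O=Harte & Lyne Limited, OU=Networked Data Services, CN=CA_HLL_ROOT_2016
EOF
}

# The fix: a truststore of its own with the PKI's CAs as trustedCertEntry. keytool
# -importcert reads one certificate per call, so the PEM bundle is split first.
# Needs keytool on PATH; the demo below does not call it.
build_truststore() {   # $1: PEM CA bundle, $2: truststore to create, $3: password
    d=$(mktemp -d)
    awk -v d="$d" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/ca-%02d.pem", d, ++i) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$1"
    for f in "$d"/ca-*.pem; do
        keytool -importcert -noprompt -storetype PKCS12 -alias "$(basename "$f" .pem)" \
            -file "$f" -keystore "$2" -storepass "$3"
    done
    rm -rf "$d"
}

# JVM flags that point trust at that store; javax.net.ssl.keyStore stays as before.
jvm_trust_flags() {   # $1: truststore path, $2: password
    printf '%s %s\n' "-Djavax.net.ssl.trustStore=$1" "-Djavax.net.ssl.trustStorePassword=$2"
}

demo() {
    t=$(mktemp -d)
    write_sample_listings "$t/keystore.txt" "$t/truststore.txt"
    for l in keystore truststore; do
        echo "== anchors in $l =="; trust_anchors "$t/$l.txt"
        if can_anchor_issuer "$t/$l.txt" CA_HLL_ISSUER_2016; then
            echo "   -> a peer cert issued by CA_HLL_ISSUER_2016 can be chained"
        else
            echo "   -> 'unable to find valid certification path' for such a peer"
        fi
    done
    # Assumed truststore path; build it with:
    # build_truststore /usr/local/etc/pki/tls/certs/ca-bundle.crt "$ts" "$PASSWD"
    ts=/opt/idempiere/idempiere-server/jettyhome/etc/truststore.p12
    echo "SSLPoke flags: $(jvm_trust_flags "$ts" '$PASSWD')"
    rm -rf "$t"
}
demo
```

Two checks worth making alongside this. First, the grep over ca.harte-lyne.accounting.crt.chain.txt above shows an intermediate with CN=CA_ISSUER_2016, while the key entry's Issuer is CN=CA_HLL_ISSUER_2016; a bundle whose intermediate does not match the leaf's issuer cannot be linked into a chain, which is consistent with the "Certificate chain length: 1" in the listing. Second, the swaks run negotiated STARTTLS on port 25, whereas SSLPoke was pointed at port 465 (implicit TLS); `openssl s_client -connect mx32.harte-lyne.ca:465 -CAfile /usr/local/etc/pki/tls/certs/ca-bundle.crt` and the same with `-starttls smtp` on port 25 show whether both listeners present a certificate that the CA bundle verifies, before repeating SSLPoke with the truststore flags printed by the demo.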