In an environment with a web server with SSL enabled without making other configuration changes, the following symptoms will occur:
ERROR com.appiancorp.ra.workpoller.WorkItemListener - The following exception occurred while attempting to complete work item [(WorkId: 14, WorkType: [AbstractMailRequest: from=null, firstname.lastname@example.org, subject=Appian account creation], Response: null, ServerName: NotificationsEmail)] - Exception:
javax.resource.spi.work.WorkCompletedException: com.appiancorp.process.engine.EmailBodyException: Email body failed to render
Caused by: javax.ejb.EJBException: com.appiancorp.process.engine.EmailBodyException: Email body failed to render
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This error will be seen when an Appian environment is configured with a web server to use HTTPS/SSL scheme. All email requests in Appian are routed through the server specified in the conf.suite.SERVER_AND_PORT property unless values are given for conf.suite.MAIL_SCHEME and conf.suite.MAIL_SERVER_AND_PORT, all found in custom.properties located in <APPIAN_HOME>/ear/suite.ear/conf.
The above symptoms are a result of Appian trying to route email requests from the application server to the web server. As the web server has been configured with SSL, the application server needs to use SSL for creating the email body. By default, the application server does not have the necessary certificates to create this connection and thus it fails to create the email body.
The error can be resolved by using the application server to create the email body instead of the web server. Change the following lines in the custom.properties file located on the application server:
Save the file and restart the application server for the changes to take effect.
In a situation where the application server is not accessible, then the certificate needs to be imported into the trusted keystore of the JDK. This is not recommended because the certificate needs to be imported every time JDK is updated. Run the following commands to import the certificates into the Java Keystore:
keytool -import -alias <webserver.example.com> -file <CERT_NAME>.crt -keystore "<JAVA_HOME>/jre/lib/security/cacerts"
Note: The value of webserver.example.com should match conf.suite.SERVER_AND_PORT set in the custom.properties.
This article applies to all versions of Appian.
Last Reviewed: September 2017
© 2020 Appian. All rights reserved.