Home » Support » Appian Knowledge Base » KB-2242 "PKIX path building failed" error seen when sending emails in a self-managed Kubernetes install

KB-2242 "PKIX path building failed" error seen when sending emails in a self-managed Kubernetes install

Symptoms

Sending emails over HTTPS fails with the following error in the webapp pod log:

jakarta.mail.MessagingException: Could not convert socket to TLS;
...
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is because the certificate being presented by the SMTP server is not trusted by the webapp pod for one of the following reasons:

  1. The certificate is self-signed.
  2. The certificate is signed by a Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

The external certificate needs to be added to the default Java trust store. This can be done by following the instructions below:

  1. Extract the default Java trust store from the Appian webapp deployment:
    1. kubectl -n *namespace* cp <APPIAN_SITE_NAME>-webapp-0:/usr/local/appian/ae/java/jre/lib/security/cacerts ./cacerts
  2. Import the target server’s certificate and CA root certificate into the cacerts trust store:
    1. keytool -import -alias targetServerCert -file ./<TARGET_SERVER_CERT>.PEM -keystore ./cacerts -storepass changeit
    2. keytool -import -alias myRootCA -file ./<ROOT_CA>.pem -keystore ./cacerts -storepass changeit
  3. Confirm that the certificates were added to the cacerts trust store:
    1. keytool -list -keystore ./cacerts -storepass changeit
  4. Convert the cacerts file to base64. We will refer to this file as <cacerts_base64>:
    1. base64 -w0 ./cacerts > cacerts_base64
  5. Create a secret based on the above cacerts file:
    1. kubectl create secret generic cacerts-secret --from-file=keystore.jks=./cacerts_base64 -n <APPIAN_SITE_NAMESPACE>
  6. Configure the Appian Custom Resource to mount the customized trust store by adding the following in the Appian site yaml, under .spec.webapp 
    additionalVolumes:
  - name: keystore-secret
    secret:
      secretName: "cacerts-secret"
      items:
        - key: keystore.jks
          path: cacerts

additionalVolumeMounts:
  - name: keystore-secret
    mountPath: /usr/local/appian/ae/java/jre/lib/security/cacerts
    subPath: cacerts
    readOnly: true
     
  7. Start the Appian site. You will find your customized cacerts trust store at /usr/local/appian/ae/java/jre/lib/security/cacerts alongside other original files in the ~/security directory

Affected Versions

This article applies to all versions of self-managed Appian on Kubernetes.

Last Reviewed: March 2023

Related
Recommended

© 2024 Appian. All rights reserved.