KB-2242 "PKIX path building failed" error seen when sending emails in a self-managed Kubernetes install

Kaushal Patel — Wed, 18 Mar 2026 19:10:15 GMT

Current Revision posted to Appian Knowledge Base by Kaushal Patel on 3/18/2026 7:10:15 PM

Symptoms

Sending emails over HTTPS fails with the following error in the webapp pod log:

jakarta.mail.MessagingException: Could not convert socket to TLS;
...
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is because the certificate being presented by the SMTP server is not trusted by the webapp pod for one of the following reasons:

The certificate is self-signed.
The certificate is signed by a Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

The external certificate needs to be added to the default Java trust store. This can be done by following the instructions below:

Extract the default Java trust store from the Appian webapp deployment:
1. kubectl -n *namespace* cp <APPIAN_SITE_NAME>-webapp-0:/usr/local/appian/ae/java/lib/security/cacerts ./cacerts
Import the target server’s certificate and CA root certificate into the cacerts trust store:
1. keytool -import -alias targetServerCert -file ./<TARGET_SERVER_CERT>.PEM -keystore ./cacerts -storepass changeit
2. keytool -import -alias myRootCA -file ./<ROOT_CA>.pem -keystore ./cacerts -storepass changeit
Confirm that the certificates were added to the cacerts trust store:
1. keytool -list -keystore ./cacerts -storepass changeit
Create a secret based on the above cacerts file:
1. kubectl create secret generic cacerts-secret --from-file=keystore.jks=./cacerts -n <APPIAN_SITE_NAMESPACE>

Configure the Appian Custom Resource to mount the customized trust store by adding the following in the Appian site yaml, under .spec.webapp

additionalVolumes:
  - name: keystore-secret
    secret:
      secretName: "cacerts-secret"
      items:
        - key: keystore.jks
          path: cacerts

additionalVolumeMounts:
  - name: keystore-secret
    mountPath: /usr/local/appian/ae/java/lib/security/cacerts
    subPath: cacerts
    readOnly: true

Start the Appian site. You will find your customized cacerts trust store at /usr/local/appian/ae/java/lib/security/cacerts alongside other original files in the ~/security directory

Affected Versions

This article applies to all versions of self-managed Appian on Kubernetes.

Last Reviewed: July 2025

Tags: email, appianOnKubernetes, infrastructure

KB-2242 "PKIX path building failed" error seen when sending emails in a self-managed Kubernetes install

pauline.delacruz — Tue, 29 Jul 2025 21:25:02 GMT

Revision 11 posted to Appian Knowledge Base by pauline.delacruz on 7/29/2025 9:25:02 PM

Symptoms

Sending emails over HTTPS fails with the following error in the webapp pod log:

jakarta.mail.MessagingException: Could not convert socket to TLS;
...
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is because the certificate being presented by the SMTP server is not trusted by the webapp pod for one of the following reasons:

The certificate is self-signed.
The certificate is signed by a Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

The external certificate needs to be added to the default Java trust store. This can be done by following the instructions below:

Extract the default Java trust store from the Appian webapp deployment:
1. kubectl -n *namespace* cp <APPIAN_SITE_NAME>-webapp-0:/usr/local/appian/ae/java/jre/lib/security/cacerts ./cacerts
Import the target server’s certificate and CA root certificate into the cacerts trust store:
1. keytool -import -alias targetServerCert -file ./<TARGET_SERVER_CERT>.PEM -keystore ./cacerts -storepass changeit
2. keytool -import -alias myRootCA -file ./<ROOT_CA>.pem -keystore ./cacerts -storepass changeit
Confirm that the certificates were added to the cacerts trust store:
1. keytool -list -keystore ./cacerts -storepass changeit
Create a secret based on the above cacerts file:
1. kubectl create secret generic cacerts-secret --from-file=keystore.jks=./cacerts -n <APPIAN_SITE_NAMESPACE>

Configure the Appian Custom Resource to mount the customized trust store by adding the following in the Appian site yaml, under .spec.webapp

additionalVolumes:
  - name: keystore-secret
    secret:
      secretName: "cacerts-secret"
      items:
        - key: keystore.jks
          path: cacerts

additionalVolumeMounts:
  - name: keystore-secret
    mountPath: /usr/local/appian/ae/java/jre/lib/security/cacerts
    subPath: cacerts
    readOnly: true

Start the Appian site. You will find your customized cacerts trust store at /usr/local/appian/ae/java/jre/lib/security/cacerts alongside other original files in the ~/security directory

Affected Versions

This article applies to all versions of self-managed Appian on Kubernetes.

Last Reviewed: July 2025

Tags: email, appianOnKubernetes, infrastructure

KB-2242 "PKIX path building failed" error seen when sending emails in a self-managed Kubernetes install

Maggie Deppe-Walker — Wed, 24 May 2023 04:50:02 GMT

Revision 10 posted to Appian Knowledge Base by Maggie Deppe-Walker on 5/24/2023 4:50:02 AM

Symptoms

Sending emails over HTTPS fails with the following error in the webapp pod log:

jakarta.mail.MessagingException: Could not convert socket to TLS;
...
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is because the certificate being presented by the SMTP server is not trusted by the webapp pod for one of the following reasons:

The certificate is self-signed.
The certificate is signed by a Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

The external certificate needs to be added to the default Java trust store. This can be done by following the instructions below:

Extract the default Java trust store from the Appian webapp deployment:
1. kubectl -n *namespace* cp <APPIAN_SITE_NAME>-webapp-0:/usr/local/appian/ae/java/jre/lib/security/cacerts ./cacerts
Import the target server’s certificate and CA root certificate into the cacerts trust store:
1. keytool -import -alias targetServerCert -file ./<TARGET_SERVER_CERT>.PEM -keystore ./cacerts -storepass changeit
2. keytool -import -alias myRootCA -file ./<ROOT_CA>.pem -keystore ./cacerts -storepass changeit
Confirm that the certificates were added to the cacerts trust store:
1. keytool -list -keystore ./cacerts -storepass changeit
Convert the cacerts file to base64. We will refer to this file as <cacerts_base64>:
1. base64 -w0 ./cacerts > cacerts_base64
Create a secret based on the above cacerts file:
1. kubectl create secret generic cacerts-secret --from-file=keystore.jks=./cacerts_base64 -n <APPIAN_SITE_NAMESPACE>

Configure the Appian Custom Resource to mount the customized trust store by adding the following in the Appian site yaml, under .spec.webapp

additionalVolumes:
  - name: keystore-secret
    secret:
      secretName: "cacerts-secret"
      items:
        - key: keystore.jks
          path: cacerts

additionalVolumeMounts:
  - name: keystore-secret
    mountPath: /usr/local/appian/ae/java/jre/lib/security/cacerts
    subPath: cacerts
    readOnly: true

Start the Appian site. You will find your customized cacerts trust store at /usr/local/appian/ae/java/jre/lib/security/cacerts alongside other original files in the ~/security directory

Affected Versions

This article applies to all versions of self-managed Appian on Kubernetes.

Last Reviewed: March 2023

Tags: email, appianOnKubernetes, infrastructure

[DRAFT SP-8161] KB-XXXXX "PKIX path building failed" error seen when sending emails in a self-managed Kubernetes install

Maggie Deppe-Walker — Wed, 24 May 2023 04:48:17 GMT

Revision 8 posted to Appian Knowledge Base by Maggie Deppe-Walker on 5/24/2023 4:48:17 AM

Symptoms

Sending emails over HTTPS fails with the following error in the webapp pod log:

jakarta.mail.MessagingException: Could not convert socket to TLS;
...
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is because the certificate being presented by the SMTP server is not trusted by the webapp pod for one of the following reasons:

The certificate is self-signed.
The certificate is signed by a Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

The external certificate needs to be added to the default Java trust store. This can be done by following the instructions below:

Extract the default Java trust store from the Appian webapp deployment:
1. kubectl -n *namespace* cp <APPIAN_SITE_NAME>-webapp-0:/usr/local/appian/ae/java/jre/lib/security/cacerts ./cacerts
Import the target server’s certificate and CA root certificate into the cacerts trust store:
1. keytool -import -alias targetServerCert -file ./<TARGET_SERVER_CERT>.PEM -keystore ./cacerts -storepass changeit
2. keytool -import -alias myRootCA -file ./<ROOT_CA>.pem -keystore ./cacerts -storepass changeit
Confirm that the certificates were added to the cacerts trust store:
1. keytool -list -keystore ./cacerts -storepass changeit
Convert the cacerts file to base64. We will refer to this file as <cacerts_base64>:
1. base64 -w0 ./cacerts > cacerts_base64
Create a secret based on the above cacerts file:
1. kubectl create secret generic cacerts-secret --from-file=keystore.jks=./cacerts_base64 -n <APPIAN_SITE_NAMESPACE>

Configure the Appian Custom Resource to mount the customized trust store by adding the following in the Appian site yaml, under .spec.webapp

additionalVolumes:
  - name: keystore-secret
    secret:
      secretName: "cacerts-secret"
      items:
        - key: keystore.jks
          path: cacerts

additionalVolumeMounts:
  - name: keystore-secret
    mountPath: /usr/local/appian/ae/java/jre/lib/security/cacerts
    subPath: cacerts
    readOnly: true

Start the Appian site. You will find your customized cacerts trust store at /usr/local/appian/ae/java/jre/lib/security/cacerts alongside other original files in the ~/security directory

Affected Versions

This article applies to all versions of self-managed Appian on Kubernetes.

Last Reviewed: March 2023

Tags: email, appianOnKubernetes, infrastructure

[DRAFT SP-8161] KB-XXXXX "PKIX path building failed" error seen when sending emails in a self-managed Kubernetes install

Maggie Deppe-Walker — Wed, 08 Mar 2023 01:09:44 GMT

Revision 7 posted to Appian Knowledge Base by Maggie Deppe-Walker on 3/8/2023 1:09:44 AM

Symptoms

Sending emails over HTTPS fails because the webapp pod does not trust the CA which was used to sign the certificate presented by the SMTP server. The following error will be seen in the webapp pod log:

jakarta.mail.MessagingException: Could not convert socket to TLS;
...
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is because the certificate being presented by the SMTP server is not trusted by the webapp pod for one of the following reasons:

The certificate is self-signed.
The certificate is signed by a Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

The external certificate needs to be added to the default Java trust store. This can be done by following the instructions below:

Extract the default Java trust store from the Appian webapp deployment:
1. kubectl -n *namespace* cp <APPIAN_SITE_NAME>-webapp-0:/usr/local/appian/ae/java/jre/lib/security/cacerts ./cacerts
Import the target server’s certificate and CA root certificate into the cacerts trust store:
1. keytool -import -alias targetServerCert -file ./<TARGET_SERVER_CERT>.PEM -keystore ./cacerts -storepass changeit
2. keytool -import -alias myRootCA -file ./<ROOT_CA>.pem -keystore ./cacerts -storepass changeit
Confirm that the certificates were added to the cacerts trust store:
1. keytool -list -keystore ./cacerts -storepass changeit
Convert the cacerts file to base64. We will refer to this file as <cacerts_base64>:
1. base64 -w0 ./cacerts > cacerts_base64
Create a secret based on the above cacerts file:
1. kubectl create secret generic cacerts-secret --from-file=keystore.jks=./cacerts_base64 -n <APPIAN_SITE_NAMESPACE>

Configure the Appian Custom Resource to mount the customized trust store by adding the following in the Appian site yaml, under .spec.webapp

additionalVolumes:
  - name: keystore-secret
    secret:
      secretName: "cacerts-secret"
      items:
        - key: keystore.jks
          path: cacerts

additionalVolumeMounts:
  - name: keystore-secret
    mountPath: /usr/local/appian/ae/java/jre/lib/security/cacerts
    subPath: cacerts
    readOnly: true

Start the Appian site. You will find your customized cacerts trust store at /usr/local/appian/ae/java/jre/lib/security/cacerts alongside other original files in the ~/security directory

Affected Versions

This article applies to all versions of self-managed Appian on Kubernetes.

Last Reviewed: March 2023

Tags: email, appianOnKubernetes, infrastructure

[DRAFT SP-8161] KB-XXXXX "PKIX path building failed" error seen when sending emails in a self-managed Kubernetes install

Maggie Deppe-Walker — Wed, 08 Feb 2023 06:02:29 GMT

Revision 6 posted to Appian Knowledge Base by Maggie Deppe-Walker on 2/8/2023 6:02:29 AM

Symptoms

Sending emails over HTTPS fails because the webapp pod does not trust the CA which was used to sign the certificate the SMTP server presents. The following error will be seen in the webapp pod log:

jakarta.mail.MessagingException: Could not convert socket to TLS;
...
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is because the certificate being presented by the SMTP server is not trusted by the webapp pod for one of the following reasons:

The certificate is self-signed.
The certificate is signed by a Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

The external certificate needs to be added to the default Java trust store. This can be done by following the instructions below:

Extract the default Java trust store from the Appian webapp deployment:
1. kubectl -n *namespace* cp <APPIAN_SITE_NAME>-webapp-0:/usr/local/appian/ae/java/jre/lib/security/cacerts ./cacerts
Import the target server’s certificate and CA root certificate into the cacerts trust store:
1. keytool -import -alias targetServerCert -file ./<TARGET_SERVER_CERT>.PEM -keystore ./cacerts -storepass changeit
2. keytool -import -alias myRootCA -file ./<ROOT_CA>.pem -keystore ./cacerts -storepass changeit
Confirm that the certificates were added to the cacerts trust store:
1. keytool -list -keystore ./cacerts -storepass changeit
Convert the cacerts file to base64. We will refer to this file as <cacerts_base64>:
1. base64 -w0 ./cacerts > cacerts_base64
Create a secret based on the above cacerts file:
1. kubectl create secret generic cacerts-secret --from-file=keystore.jks=./cacerts_base64 -n <APPIAN_SITE_NAMESPACE>

Configure the Appian Custom Resource to mount the customized trust store by adding the following in the Appian site yaml, under .spec.webapp

additionalVolumes:
  - name: keystore-secret
    secret:
      secretName: "cacerts-secret"
      items:
        - key: keystore.jks
          path: cacerts

additionalVolumeMounts:
  - name: keystore-secret
    mountPath: /usr/local/appian/ae/java/jre/lib/security/cacerts
    subPath: cacerts
    readOnly: true

Start the Appian site. You will find your customized cacerts trust store at /usr/local/appian/ae/java/jre/lib/security/cacerts alongside other original files in the ~/security directory

Affected Versions

This article applies to all versions of self-managed Appian on Kubernetes.

Tags: email, appianOnKubernetes, infrastructure

"PKIX path building failed" error seen when sending emails in a self managed Kubernetes install

Tejas Kargutkar — Tue, 07 Feb 2023 14:54:01 GMT

Revision 5 posted to Appian Knowledge Base by Tejas Kargutkar on 2/7/2023 2:54:01 PM

Symptoms

Sending emails over HTTPS fails because the webapp pod does not trust the CA which was used to sign the certificate the SMTP server presents. The following error will be seen in the webapp pod log:

jakarta.mail.MessagingException: Could not convert socket to TLS;
...
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is because the certificate being presented by the SMTP server is not trusted by the webapp pod for one of the following reasons:

The certificate is self-signed.
The certificate is signed by a Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

The external certificate needs to be added to the default Java trust store. This can be done by following the instructions below:

Extract the default Java trust store from the Appian webapp deployment:
1. kubectl -n *namespace* cp <APPIAN_SITE_NAME>-webapp-0:/usr/local/appian/ae/java/jre/lib/security/cacerts ./cacerts
Import the target server’s certificate and CA root certificate into the cacerts trust store:
1. keytool -import -alias targetServerCert -file ./<TARGET_SERVER_CERT>.PEM -keystore ./cacerts -storepass changeit
2. keytool -import -alias myRootCA -file ./<ROOT_CA>.pem -keystore ./cacerts -storepass changeit
Confirm that the certificates were added to the cacerts trust store:
1. keytool -list -keystore ./cacerts -storepass changeit
Convert the cacerts file to base64. We will refer to this file as <cacerts_base64>:
1. base64 -w0 ./cacerts > cacerts_base64
Create a secret based on the above cacerts file:
1. kubectl create secret generic cacerts-secret --from-file=keystore.jks=./cacerts_base64 -n <APPIAN_SITE_NAMESPACE>

Configure the Appian Custom Resource to mount the customized trust store by adding the following in the Appian site yaml, under .spec.webapp

additionalVolumes:
  - name: keystore-secret
    secret:
      secretName: "cacerts-secret"
      items:
        - key: keystore.jks
          path: cacerts

additionalVolumeMounts:
  - name: keystore-secret
    mountPath: /usr/local/appian/ae/java/jre/lib/security/cacerts
    subPath: cacerts
    readOnly: true

Start the Appian site. You will find your customized cacerts trust store at /usr/local/appian/ae/java/jre/lib/security/cacerts alongside other original files in the ~/security directory

Affected Versions

This article applies to all versions of self-managed Appian on Kubernetes.

Tags: email, appianOnKubernetes, infrastructure

"PKIX path building failed" error seen when sending emails in a self managed Kubernetes install

Tejas Kargutkar — Tue, 07 Feb 2023 14:53:29 GMT

Revision 4 posted to Appian Knowledge Base by Tejas Kargutkar on 2/7/2023 2:53:29 PM

Symptoms

Sending emails over HTTPS fails because the webapp pod does not trust the CA which was used to sign the certificate the SMTP server presents. The following error will be seen in the webapp pod log:

jakarta.mail.MessagingException: Could not convert socket to TLS;
...
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is because the certificate being presented by the SMTP server is not trusted by the webapp pod for one of the following reasons:

The certificate is self-signed.
The certificate is signed by a Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

The external certificate needs to be added to the default Java trust store. This can be done by following the instructions below:

Extract the default Java trust store from the Appian webapp deployment:
1. kubectl -n *namespace* cp <APPIAN_SITE_NAME>-webapp-0:/usr/local/appian/ae/java/jre/lib/security/cacerts ./cacerts
Import the target server’s certificate and CA root certificate into the cacerts trust store:
1. keytool -import -alias targetServerCert -file ./<TARGET_SERVER_CERT>.PEM -keystore ./cacerts -storepass changeit
2. keytool -import -alias myRootCA -file ./<ROOT_CA>.pem -keystore ./cacerts -storepass changeit
Confirm that the certificates were added to the cacerts trust store:
1. keytool -list -keystore ./cacerts -storepass changeit
Convert the cacerts file to base64. We will refer to this file as <cacerts_base64>:
1. base64 -w0 ./cacerts > cacerts_base64
Create a secret based on the above cacerts file:
1. kubectl create secret generic cacerts-secret --from-file=keystore.jks=./cacerts_base64 -n <APPIAN_SITE_NAMESPACE>

Configure the Appian Custom Resource to mount the customized trust store by adding the following in the Appian site yaml, under .spec.webapp

additionalVolumes:
  - name: keystore-secret
    secret:
      secretName: "cacerts-secret"
      items:
        - key: keystore.jks
          path: cacerts

additionalVolumeMounts:
  - name: keystore-secret
    mountPath: /usr/local/appian/ae/java/jre/lib/security/cacerts
    subPath: cacerts
    readOnly: true

Start the Appian site. You will find your customized cacerts trust store at /usr/local/appian/ae/java/jre/lib/security/cacerts alongside other original files in the ~/security directory

Affected Versions

This article applies to all versions of self-managed Appian on Kubernetes.

Tags: email, appianOnKubernetes, infrastructure

"PKIX path building failed" error seen when sending emails in a self managed Kubernetes install

Tejas Kargutkar — Tue, 07 Feb 2023 14:51:58 GMT

Revision 3 posted to Appian Knowledge Base by Tejas Kargutkar on 2/7/2023 2:51:58 PM

Symptoms

Sending emails over HTTPS fails because the webapp pod does not trust the CA which was used to sign the certificate the SMTP server presents. The following error will be seen in the webapp pod log:

jakarta.mail.MessagingException: Could not convert socket to TLS;
...
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is because the certificate being presented by the SMTP server is not trusted by the webapp pod for one of the following reasons:

The certificate is self-signed.
The certificate is signed by a Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

The external certificate needs to be added to the default Java trust store. This can be done by following the instructions below:

Extract the default Java trust store from the Appian webapp deployment:
1. kubectl -n *namespace* cp <APPIAN_SITE_NAME>-webapp-0:/usr/local/appian/ae/java/jre/lib/security/cacerts ./cacerts
Import the target server’s certificate and CA root certificate into the cacerts trust store:
1. keytool -import -alias targetServerCert -file ./<TARGET_SERVER_CERT>.PEM -keystore ./cacerts -storepass changeit
2. keytool -import -alias myRootCA -file ./<ROOT_CA>.pem -keystore ./cacerts -storepass changeit
Confirm that the certificates were added to the cacerts trust store:
1. keytool -list -keystore ./cacerts -storepass changeit
Convert the cacerts file to base64. We will refer to this file as <cacerts_base64>:
1. base64 -w0 ./cacerts > cacerts_base64
Create a secret based on the above cacerts file:
1. kubectl create secret generic cacerts-secret --from-file=keystore.jks=./cacerts_base64 -n <APPIAN_SITE_NAMESPACE>

Configure the Appian Custom Resource to mount the customized trust store by adding the following in the Appian site yaml, under .spec.webapp

additionalVolumes:
  - name: keystore-secret
    secret:
      secretName: "cacerts-secret"
      items:
        - key: keystore.jks
          path: cacerts

additionalVolumeMounts:
  - name: keystore-secret
    mountPath: /usr/local/appian/ae/java/jre/lib/security/cacerts
    subPath: cacerts
    readOnly: true

Affected Versions

This article applies to all versions of self-managed Appian on Kubernetes.

Tags: email, appianOnKubernetes, infrastructure

"PKIX path building failed" error seen when sending emails in a self managed Kubernetes install

Tejas Kargutkar — Mon, 06 Feb 2023 20:23:42 GMT

Revision 2 posted to Appian Knowledge Base by Tejas Kargutkar on 2/6/2023 8:23:42 PM

Symptoms

Sending emails over HTTPS fails because the webapp pod does not trust the CA which was used to sign the certificate the SMTP server presents. The following error will be seen in the webapp pod log:

jakarta.mail.MessagingException: Could not convert socket to TLS;
...
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is because the certificate being presented by the SMTP server is not trusted by the webapp pod for one of the following reasons:

The certificate is self-signed.
The certificate is signed by a Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

The external certificate needs to be added to the default Java trust store. This can be done by following the instructions below:

Extract the default Java trust store from the Appian webapp deployment:
1. kubectl -n *namespace* cp <APPIAN_SITE_NAME>-webapp-0:/usr/local/appian/ae/java/jre/lib/security/cacerts ./cacerts
Import the target server’s certificate and CA root certificate into the cacerts trust store:
1. keytool -import -alias targetServerCert -file ./<TARGET_SERVER_CERT>.PEM -keystore ./cacerts -storepass changeit
2. keytool -import -alias myRootCA -file ./<ROOT_CA>.pem -keystore ./cacerts -storepass changeit
Confirm that the certificates were added to the cacerts trust store:
1. keytool -list -keystore ./cacerts -storepass changeit
Convert the cacerts file to base64. We will refer to this file as <cacerts_base64>:
1. base64 -w0 ./cacerts > cacerts_base64
Create a secret based on the above cacerts file:
1. kubectl create secret generic cacerts-secret --from-file=keystore.jks=./cacerts_base64 -n <APPIAN_SITE_NAMESPACE>

Affected Versions

This article applies to all versions of self-managed Appian on Kubernetes.

Tags: email, appianOnKubernetes, infrastructure

"PKIX path building failed" error seen when sending emails in a self managed Kubernetes install

Tejas Kargutkar — Mon, 06 Feb 2023 19:48:39 GMT

Revision 1 posted to Appian Knowledge Base by Tejas Kargutkar on 2/6/2023 7:48:39 PM

Symptoms

Sending emails over HTTPS fails because the webapp pod does not trust the CA which was used to sign the certificate the SMTP server presents. The following error will be seen in the webapp pod log:

jakarta.mail.MessagingException: Could not convert socket to TLS;
...
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

This is because the certificate being presented by the SMTP server is not trusted by the webapp pod for one of the following reasons:

The certificate is self-signed.
The certificate is signed by a Certificate Authority, but the server is not presenting the full certificate chain with all intermediate certs up to the CA root cert.

Action

The external certificate needs to be added to the default Java trust store. This can be done by following the instructions below:

Extract the default Java trust store from the Appian webapp deployment:
1. kubectl -n *namespace* cp <APPIAN_SITE_NAME>-webapp-0:/usr/local/appian/ae/java/jre/lib/security/cacerts ./cacerts
Import the target server’s certificate and CA root certificate into the cacerts trust store:
1. keytool -import -alias targetServerCert -file ./<TARGET_SERVER_CERT>.PEM -keystore ./cacerts -storepass changeit
2. keytool -import -alias myRootCA -file ./<ROOT_CA>.pem -keystore ./cacerts -storepass changeit
Confirm that the certificates were added to the cacerts trust store:
1. keytool -list -keystore ./cacerts -storepass changeit
Convert the cacerts file to base64. We will refer to this value as <CACERTS_BASE64>:
1. base64 -w0 ./cacerts
Create a secret based on the above cacerts file:
1. kubectl create secret generic cacerts-secret --from-file=keystore.jks=./cacerts

Affected Versions

This article applies to all versions of self-managed Appian on Kubernetes.

Tags: email, appianOnKubernetes, infrastructure