Graylog transport email error using gmail as smtp

I am using gmail smtp settings in graylog/server.conf file.

I get the error message below when I try to send a test mail:
"The Graylog server encountered an error while trying to send an email. This is the detailed error message: org.apache.commons.mail.EmailException: Sending the email to the following server failed : smtp.gmail.com:465 (javax.mail.MessagingException: Could not connect to SMTP host: smtp.gmail.com, port: 465; nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)"

I have even tried our company mail server's SMTP, keeping the SSL and TLS options set to true, but I get the same error as mentioned above.

How to solve this?

Any help will be appreciated.

Are you using a custom trust store for your JVM?
Are you using the latest “official” trust store (e. g. via the package ca-certificates-java if you’re using Ubuntu Linux) for your JVM?

I have followed the Graylog documentation to create the self-signed certificate.

How do I confirm whether it is a custom trust store for the JVM or the one from the package ca-certificates-java?

What have you been doing exactly?
What JVM command line parameters are you using?

I have placed the JAVA_OPTS below inside /etc/default/graylog-server:

GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=/etc/graylog/ssl/keystore.jks -Djavax.net.ssl.trustStorePassword=xxxxxxx"

After that I was able to start Graylog with TLS enabled.

You’re overwriting the default trust store, which contains all well-known certificate authorities (i. e. the one that issued the certificate for smtp.gmail.com) with the javax.net.ssl.trustStore system property.

I think the Gmail certificates are already there inside the truststore; below is the output:

keytool -keystore /etc/ssl/certs/java/cacerts.jks -storepass xxxxx -list | grep globalsign

debian:globalsign_root_ca_-_r3.pem, Nov 23, 2017, trustedCertEntry,
debian:globalsign_ecc_root_ca_-_r5.pem, Nov 23, 2017, trustedCertEntry,
debian:globalsign_root_ca_-_r2.pem, Nov 23, 2017, trustedCertEntry,
debian:globalsign_ecc_root_ca_-_r4.pem, Nov 23, 2017, trustedCertEntry,
debian:globalsign_root_ca.pem, Nov 23, 2017, trustedCertEntry,

Yes, but you’re using /etc/graylog/ssl/keystore.jks as your JVM trust store with Graylog


Thank you for pointing out the exact cause of the issue.

Is there a way to import all default certificate authorities into /etc/graylog/ssl/keystore.jks?

The only reason for creating this custom keystore was to enable TLS, which was not working with the default cacerts.jks.

Why not do it the other way round and import your self-signed certificates or your custom CA certificate into the existing trust store?

Other than that, you could use keytool -importkeystore to import the contents of the existing trust store into your own trust store:

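The check and the merge discussed in this thread, as an added example that is not part of any poster's reply: it reads the trust store override out of GRAYLOG_SERVER_JAVA_OPTS and, if one is set, copies the default CA entries into it with keytool -importkeystore. The two paths are the ones quoted in the thread; the function names and the SRC_PASS / DEST_PASS environment variables are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Paths are the ones quoted above;
# the function names and SRC_PASS / DEST_PASS are assumptions.

# Print the trust store that a JVM option string selects. Prints nothing when
# the property is absent, meaning the JVM uses its default cacerts.
truststore_from_opts() {
    for opt in $1; do
        case "$opt" in
            # "=" in the pattern keeps trustStorePassword from matching.
            -Djavax.net.ssl.trustStore=*) printf '%s\n' "${opt#*=}" ;;
        esac
    done | tail -n 1    # a repeated -D property: the last one wins
}

# Copy every entry of the default CA store ($1) into the custom store ($2),
# keeping a backup. Passwords come from the environment via keytool's ":env"
# modifier so they do not appear in the process list.
merge_default_cas() {
    cp -p "$2" "$2.bak" || return 1
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstorepass:env SRC_PASS \
        -destkeystore "$2" -deststorepass:env DEST_PASS
}

# Run as: SRC_PASS=... DEST_PASS=... sh <this file> merge
if [ "${1:-}" = "merge" ]; then
    . /etc/default/graylog-server
    custom=$(truststore_from_opts "$GRAYLOG_SERVER_JAVA_OPTS")
    if [ -z "$custom" ]; then
        echo "No trustStore override: the JVM already uses its default CAs."
        exit 0
    fi
    merge_default_cas /etc/ssl/certs/java/cacerts.jks "$custom" || exit 1
    # Confirm a public CA is now present next to the self-signed certificate.
    keytool -list -keystore "$custom" -storepass:env DEST_PASS | grep -i globalsign
fi
```

The JVM reads the trust store at startup, so graylog-server has to be restarted after the merge.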

Thank You so much.

I have imported the existing CA into /etc/graylog/ssl/keystore.jks and now mails are getting triggered based on the event condition.

:Nishit Shah
