sonatype / nexus-public

Sonatype Nexus Repository Open-source codebase mirror
https://www.sonatype.com/products/repository-oss-download
Eclipse Public License 1.0

Can't use STARTTLS in email configuration with Nexus Repository Truststore #267

Open chkpnt opened 1 year ago

chkpnt commented 1 year ago

When I configure the email configuration to use and require STARTTLS (of course, "Enable SSL/TLS encryption upon connection" is disabled), Nexus indeed tries to use STARTTLS, but fails, as expected, because the server's certificate or the issuer's certificate isn't trusted:

Stacktrace with STARTTLS enabled and required, but without using Nexus Repository Truststore

```
Caused by: javax.mail.MessagingException: Could not convert socket to TLS
    at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:2155)
    at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:752)
    at javax.mail.Service.connect(Service.java:366)
    at javax.mail.Service.connect(Service.java:246)
    at javax.mail.Service.connect(Service.java:195)
    at javax.mail.Transport.send0(Transport.java:254)
    at javax.mail.Transport.send(Transport.java:124)
    at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1459)
    ... 132 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:331)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:274)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:269)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152)
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1401)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1309)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
    at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:602)
    at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:529)
    at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:2150)
    ... 139 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
    at sun.security.validator.Validator.validate(Validator.java:271)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:223)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
    ... 152 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:127)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)
    ... 158 common frames omitted
```

I've now added the required certificates to the Nexus Truststore and enabled "Use certificate connected to the Nexus Repository Truststore". The test mail still can't be sent. What's weird: the stacktrace looks like Nexus is now trying to use SMTPS instead of SMTP + STARTTLS:

Stacktrace with STARTTLS enabled and required and with using Nexus Repository Truststore

```
Caused by: javax.mail.MessagingException: Could not connect to SMTP host: , port: 25
    at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:2211)
    at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:740)
    at javax.mail.Service.connect(Service.java:366)
    at javax.mail.Service.connect(Service.java:246)
    at javax.mail.Service.connect(Service.java:195)
    at javax.mail.Transport.send0(Transport.java:254)
    at javax.mail.Transport.send(Transport.java:124)
    at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1459)
    ... 132 common frames omitted
Caused by: javax.net.ssl.SSLException: Unsupported or unrecognized SSL message
    at sun.security.ssl.SSLSocketInputRecord.handleUnknownRecord(SSLSocketInputRecord.java:455)
    at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:184)
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109)
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1401)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1309)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
    at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:602)
    at com.sun.mail.util.SocketFetcher.createSocket(SocketFetcher.java:376)
    at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:214)
    at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:2175)
    ... 139 common frames omitted
```

Environment: Nexus Repository OSS 3.59.0-01 (Docker).
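Reading the two traces side by side: the first handshakes inside SocketFetcher.startTLS (plain SMTP upgraded after STARTTLS, failing on trust), the second inside SocketFetcher.createSocket (TLS attempted on the freshly opened port-25 socket, which a plaintext SMTP greeting breaks with "Unsupported or unrecognized SSL message"). The JavaMail wiring below is an added example, not Nexus's code, showing the property that keeps a custom truststore on the STARTTLS path next to the one that instead turns the initial connection into implicit TLS. How Nexus wires its truststore internally is not established by this thread; the truststore path, password and host are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Properties;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public final class StartTlsTruststoreExample {

    /** SSLSocketFactory that trusts only the CA certificates in the given truststore (placeholder path). */
    static SSLSocketFactory trustStoreSocketFactory(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    /** Plain SMTP on port 25 upgraded with STARTTLS; the handshake then runs in SocketFetcher.startTLS. */
    static Properties startTlsWithTruststore(String host, SSLSocketFactory ssf) {
        Properties p = new Properties();
        p.put("mail.smtp.host", host);
        p.put("mail.smtp.port", "25");
        p.put("mail.smtp.starttls.enable", "true");
        p.put("mail.smtp.starttls.required", "true");   // never fall back to plaintext
        // The *ssl* socket factory is consulted only when the connection is upgraded after STARTTLS
        // (or for implicit TLS when mail.smtp.ssl.enable is set); the initial connect stays plaintext.
        // It must be put() as an object, not setProperty() as a class name.
        p.put("mail.smtp.ssl.socketFactory", ssf);
        p.put("mail.smtp.ssl.checkserveridentity", "true"); // hostname check is off by default in javax.mail 1.x
        return p;
    }

    /** Same intent, wrong hook: an SSLSocketFactory installed as the *connection* socket factory makes
     *  JavaMail open an SSLSocket and handshake in SocketFetcher.createSocket, i.e. implicit TLS on
     *  port 25. A plaintext SMTP server answers "220 ..." and the client fails with
     *  "Unsupported or unrecognized SSL message", the shape of the second trace above. */
    static Properties implicitTlsByMistake(String host, SSLSocketFactory ssf) {
        Properties p = startTlsWithTruststore(host, ssf);
        p.remove("mail.smtp.ssl.socketFactory");
        p.put("mail.smtp.socketFactory", ssf);
        return p;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values; a real run needs a reachable SMTP host and the exported CA truststore.
        SSLSocketFactory ssf = trustStoreSocketFactory("/path/to/truststore.p12", "changeit".toCharArray());
        System.out.println(startTlsWithTruststore("smtp.example.invalid", ssf));
    }
}
```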

mrprescott commented 1 year ago

Thanks for filing this, this sounds like something we need to look into.

eitch commented 9 months ago

I too can confirm that I can't configure the email server on my newly created Docker instance.

chkpnt commented 3 weeks ago

Any updates on this? Being forced to send mails unencrypted doesn't feel right in 2024.