 

During post request on send email API of mailgun it shows error using java web application

I am using Mailgun to send email, but from last day it shows an error during the POST request on the email send API, as below. I am using Java/Spring/AWS for my web app. I tried to restart the app and to check if the certificate is already in the trust store, but we never generated trust store keys.

com.mashape.unirest.http.exceptions.UnirestException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.mashape.unirest.http.HttpClientHelper.request(HttpClientHelper.java:143)
    at com.mashape.unirest.request.BaseRequest.asJson(BaseRequest.java:68)

Santosh Silwal asked Jan 24 '18 07:01


2 Answers

On 1/22, we updated our SSL certificates due to Symantec's PKI infrastructure set to become untrusted. Some older versions of Java do not have the "DigiCert Global Root G2" CA.

There are several options:

  1. Import the "DigiCert Global Root G2" CA into your "cacerts" file.
  2. Upgrade your JRE to 8u91 (or higher), which includes this root.

To import the "DigiCert Global Root G2", you can download the root from https://www.digicert.com/digicert-root-certificates.htm. Ensure you are downloading the correct root certificate.

Once the certificate is downloaded, you'll need to import it with a command like the following:

keytool -import -trustcacerts -keystore /path/to/cacerts -storepass changeit -noprompt -alias digicert-global-root-g2 -file /path/to/digicert.crt

You will need to set the path to your Java Keystore and the location of the root certificate you downloaded.

Josh Odom answered Sep 24 '22 07:09
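The import step from the answer above, wrapped so the root is only added to the trust store after its SHA-256 fingerprint matches a value obtained from the CA out of band. This is an added example, not part of the original answer; the function names, the `EXPECTED_SHA256` and `STOREPASS` variables and the backup file naming are assumptions, and the expected fingerprint is a placeholder to fill in.

```shell
# Added example (not from the original answer): verify, back up, then import.
# EXPECTED_SHA256 is a placeholder; set it to the fingerprint the CA publishes,
# obtained over a channel you already trust. STOREPASS defaults to "changeit".
EXPECTED_SHA256="${EXPECTED_SHA256:-REPLACE_WITH_PUBLISHED_SHA256_FINGERPRINT}"

# Strip any "label=" or "SHA256:" prefix, colons and whitespace; upper-case.
normalize_fp() {
  printf '%s' "$1" | sed -e 's/^.*=//' -e 's/^.*SHA256://' \
    | tr -d ': \t\n' | tr '[:lower:]' '[:upper:]'
}

# True only when both values normalise to the same 64-character string.
fp_matches() {
  a=$(normalize_fp "$1"); b=$(normalize_fp "$2")
  [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Usage: import_verified_root /path/to/digicert.crt /path/to/cacerts [alias]
import_verified_root() {
  cert=$1; store=$2; alias_name=${3:-digicert-global-root-g2}
  pass=${STOREPASS:-changeit}

  # keytool -printcert reads PEM or DER and prints a "SHA256:" fingerprint line.
  actual=$(keytool -printcert -file "$cert" | grep 'SHA256:' | head -n 1) || return 1
  if ! fp_matches "$actual" "$EXPECTED_SHA256"; then
    echo "fingerprint mismatch, refusing to import: $actual" >&2
    return 1
  fi
  # Nothing to do if this alias already exists in the store.
  if keytool -list -keystore "$store" -storepass "$pass" \
       -alias "$alias_name" >/dev/null 2>&1; then
    echo "alias $alias_name already present in $store"
    return 0
  fi
  cp -p "$store" "$store.bak.$(date +%Y%m%d%H%M%S)" || return 1  # rollback copy
  keytool -import -trustcacerts -keystore "$store" -storepass "$pass" \
    -noprompt -alias "$alias_name" -file "$cert" || return 1
  # Print the stored entry's fingerprint so it can be re-checked after import.
  keytool -list -v -keystore "$store" -storepass "$pass" \
    -alias "$alias_name" | grep 'SHA256:'
}
```

Call it as `EXPECTED_SHA256=<published value> import_verified_root /path/to/digicert.crt /path/to/cacerts`, then restart the application so the JVM loads the updated trust store.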


Same issue for us (java). Here is what Mailgun support said:

Hello,

Thank you for reaching out to us in regards to our SSL certification renewal, which are now fully completed. This update was pushed out to correct numerous certificates that did not comply with the industry-developed CA/Browser Forum Baseline Requirements by Symantec’s PKI business. You can read more about this here.

Now that the updates have been completed, if you’re still having difficulties sending, we can provide some suggestions to get your application back up and running.

If you’re utilizing PHP:

  1. Download the latest CA certificates from (https://curl.haxx.se/docs/caextract.html). This is an extract of a list of certificates vetted by Mozilla.
  2. Set the path to the CA certificates in the .htaccess file with a directive like the following: php_value curl.cainfo "/path/to/cacert.pem"

If you have access to your php.ini file, you can modify this value globally by setting curl.cainfo = "/path/to/cacert.pem"

If you’re utilizing cURL:

  • Ubuntu users: https://askubuntu.com/questions/646594/how-to-fix-ca-cert-issues-with-curl-in-ubuntu-14-04
  • RedHat users: https://serverfault.com/questions/394815/how-to-update-curl-ca-bundle-on-redhat

Be sure to restart your sending application after updating.

If a restart of your application does not clear the issue, the certificate cache may need to be cleared. Here is some additional information as to how this might be accomplished for you:

  • http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/
  • http://stackoverflow.com/questions/7219989/java-and-ssl-certificates

Because every sending application is different, the exact method for updating the certifications/restarting your sending application may vary for you. If none of these options worked, some independent research might be needed for the update/restart method applicable to you.

While these suggestions are meant to help resolve the issues you are experiencing, making certain changes to your environment can always cause further issues with your application. We highly recommend making these changes in a non-production environment prior to releasing into production. These are only intended as suggested fixes and in no way guarantee that this will fix the issue; further steps may need to be taken depending on your specific environment. As always Mailgun will always do our best to answer any questions that you may have, but there are limitations in the support we can provide.

Thanks, Keith@MG

Restarting the application did not fix the issue. I'm trying to find which CA they are using to see if we can import it in the truststore.

user3673749 answered Sep 22 '22 07:09