javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException

We run our own Microsoft Exchange server, and recently we replaced the multi-domain SSL certificate (MDC) with a single wildcard certificate. The new certificate was issued for the same FQDN that the MDC had used, and things kept working until we had to restart our servers after a power cycle.

The Exchange server stopped sending and receiving email, and we had to set up the Exchange Back End server with the new wildcard certificate, something we had never needed to do whenever the MDC was renewed. More trouble was in the pipeline.

After a regular maintenance restart, we noticed that our Oracle Applications R12 instance had completely stopped sending Workflow Mailer notifications, the emails that let our users respond to work notifications from their mail client. The strangest thing was that we could still send email from the EBS host console using shell scripts, yet reconfiguring the notification mailer always failed, complaining about a wrong username or password. The SMTP log file showed us the error message:

%% Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]
%% Invalidated:  [Session-2, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
Thread-10, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
Thread-10, WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 03 00 02 02 2E                               .......
Thread-10, called closeSocket()
Thread-10, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

We “knew” there was nothing wrong with the certificate, since it worked everywhere else. On the fourth day we decided to check the Exchange environment.

We found both the expired and the new certificate in the store (we moved to SSL 10+ years back and had never removed expired certificates from the stores), and yet everything looked as it should: Exchange was working. After a quick discussion we decided to remove the expired certificate from Exchange and give it a try. That was it. Technically, it looks like both the expired and the new certificate matched the FQDN, and the Java mailer was being handed the expired one because it was first in the list. That also matches the log above: “validity check failed” is the PKIX validator rejecting a certificate that is outside its validity period, not a complaint about the trust chain or the host name.
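As an added example (not code from the original post), the following Java probe opens an SMTP session, issues STARTTLS and prints every certificate in the chain the server actually presents, each with the result of the JDK's own validity-period check. It records the chain in a wrapper around the default trust manager and then delegates the trust decision to it unchanged, so verification is not weakened; the host name, port and EHLO name are placeholders.

```java
import java.io.*;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;
/** SMTP STARTTLS probe: records the chain the server presents, then lets the JDK's default
 *  PKIX trust manager validate it, so a rejected chain is still printed for inspection. */
public class SmtpCertProbe {
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "mail.example.com";  // placeholder host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 25;
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                                     // JDK default truststore (cacerts)
        X509TrustManager dflt = (X509TrustManager) tmf.getTrustManagers()[0];
        X509Certificate[][] seen = new X509Certificate[1][];           // filled in by checkServerTrusted
        X509TrustManager recording = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { dflt.checkClientTrusted(c, a); }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { seen[0] = c; dflt.checkServerTrusted(c, a); }
            public X509Certificate[] getAcceptedIssuers() { return dflt.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS"); ctx.init(null, new TrustManager[] { recording }, null);
        try (Socket plain = new Socket(host, port)) {
            BufferedReader in = new BufferedReader(new InputStreamReader(plain.getInputStream(), "US-ASCII"));
            PrintWriter out = new PrintWriter(new OutputStreamWriter(plain.getOutputStream(), "US-ASCII"), true);
            expect(in, "220");                                         // server greeting
            out.printf("EHLO probe.invalid\r\n"); expect(in, "250");  // printf flushes (autoflush=true)
            out.printf("STARTTLS\r\n");           expect(in, "220");
            SSLSocket tls = (SSLSocket) ctx.getSocketFactory().createSocket(plain, host, port, true);
            try { tls.startHandshake(); System.out.println("Handshake OK: " + tls.getSession().getCipherSuite()); }
            catch (SSLHandshakeException e) { System.out.println("Handshake FAILED: " + e); }  // e.g. "... validity check failed"
            report(seen[0]);
        }
    }
    /** Reads one (possibly multi-line) SMTP reply and fails unless it carries the expected code. */
    static void expect(BufferedReader in, String code) throws IOException {
        String line;
        do { line = in.readLine(); if (line == null) throw new IOException("connection closed"); }
        while (line.length() > 3 && line.charAt(3) == '-');           // "250-..." lines continue the reply
        if (!line.startsWith(code)) throw new IOException("unexpected reply: " + line);
    }
    /** Prints each certificate with the result of its own validity-period check. */
    static void report(X509Certificate[] chain) {
        if (chain == null) { System.out.println("no chain received"); return; }
        for (X509Certificate c : chain) {
            String status = "valid";
            try { c.checkValidity(); } catch (CertificateException e) { status = e.getClass().getSimpleName(); }
            System.out.printf("%-30s subject=%s notAfter=%s%n", status, c.getSubjectX500Principal(), c.getNotAfter());
        }
    }
}
```

Run it against the Exchange host the mailer is configured for; a leaf certificate reported as CertificateExpiredException is exactly the condition that produces the “validity check failed” line in the mailer's SMTP log.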
