I’m trying to send an email on runtime Mule using an SMTPS connector running on a AWS EC2 Lynx machine to AWS SES but I keep getting a ‘Unable to connect to mail transport’ Mule exception.
I can Telnet from the EC2 machine to the AWS SES endpoint but cannot get EHLO to work, I may be doing something wrong there.
I can successfully send the email to AWS SES from my own PC running my app on Anypoint using the same SMTPS connector and the same AWS SES credentials so I know everything is good there.
I’m thinking there must be a difference between Anypoint and runtime Mule?
Here is my connector code, do I need to add a trust store for it to work on runtime?
<smtps:connector name="SMTPS" contentType="text/html" validateConnections="true" doc:name="SMTPS">
<smtps:tls-client />
<smtps:tls-trust-store />
</smtps:connector>
Here is the relevant part of the log
INFO org.mule.lifecycle.AbstractLifecycleManager - Initialising: 'SMTPS.dispatc her.1395684883'. Object is: SmtpMessageDispatcher
2016-11-08 16:30:25,149 [[feecalculator].HTTP_Listener_Configuration.worker.01] INFO org.mule.api.security.tls.TlsPropertiesMapper - Defaulting mule.email.smtp s trust store to client Key Store
2016-11-08 16:30:25,361 [[feecalculator].HTTP_Listener_Configuration.worker.01] INFO org.mule.api.security.tls.TlsProperties - Loading configuration file: tls- default.conf
2016-11-08 16:30:25,620 [[feecalculator].HTTP_Listener_Configuration.worker.01] ERROR org.mule.exception.CatchMessagingExceptionStrategy -
Message : Unable to connect to mail transport.
Element : /sendEmailFlow/processors/0/0/0 # feecalculator:sendEmai l.xml:22 (Prod SMTPS)
Exception stack is:
Unable to connect to mail transport. (org.mule.api.endpoint.EndpointException)
The difference on my local machine is 'tls-default.conf not found' :
INFO 2016-11-08 16:19:16,533 [[feecalculator].HTTP_Listener_Configuration.worker.08] org.mule.lifecycle.AbstractLifecycleManager: Initialising: 'SMTPS.dispatcher.1555978287'. Object is: SmtpMessageDispatcher
INFO 2016-11-08 16:19:16,539 [[feecalculator].HTTP_Listener_Configuration.worker.08] org.mule.api.security.tls.TlsPropertiesMapper: Defaulting mule.email.smtps trust store to client Key Store
WARN 2016-11-08 16:19:16,574 [[feecalculator].HTTP_Listener_Configuration.worker.08] org.mule.api.security.tls.TlsProperties: File tls-default.conf not found, using default configuration.
INFO 2016-11-08 16:19:20,100 [[feecalculator].HTTP_Listener_Configuration.worker.08] org.mule.lifecycle.AbstractLifecycleManager: Starting: 'SMTPS.dispatcher.1555978287'. Object is: SmtpMessageDispatcher
Solved:
On my development machine Anypoint defaults to the JRE 1.8 installed ‘cacerts’ trust store in the ‘security’ folder which contains a trust for AWS SES whereas the AWS EC2 Lynx openJDK 1.8 either does not have a trust installed or Mule CE does not default to the installed trust store, I’m not sure which. This explains why my development machine could send an mail via SES but the production system could not.
The solution is to use openssl to create a trust store file for the SES domain certificate and specify the trust file in the SMTPS connector (smtps:tls-trust-store). If a file path is not specified, the trust file needs to be added to the Mule project src/main/resources folder for the project domain or project application when no project domain exists.
This issue is further complicated by a difference between Anypoint and Mule CE, Anypoint requires SES endpoint declarations that contain ‘special characters’ to be double escaped where as Mule CE does not.
Related
I am using aws and have created an EC2 server. While merging it with a DNS taken from godaddy, now i am not able to upload my WAR file on DNSname:port/manager, not I am able to upload my WAR file on aws [Public DNS (IPv4)]:port/manager.
Getting error while uploading a file showing the following:
This site can’t be reached The connection was reset.
Try:
Checking the connection
Checking the proxy and the firewall
Running Windows Network Diagnostics
ERR_CONNECTION_RESET
Is the port open from your laptop/desktop or wherever you are uploading from? Can you telnet to the host/port?
Trying to configure portworx volume backups (ptxctl cloudsnap) to localhost minio server (emulating S3).
First step is to create cloud credentials using ptxctl cred c
e.g.
./pxctl credentials create --provider s3 --s3-access-key mybadaccesskey --s3-secret-key mybadsecretkey --s3-region local --s3-endpoint 10.0.0.1:9000
This results in:
Error configuring cloud provider.Make sure the credentials are correct: RequestError: send request failed caused by: Get https://10.0.0.1:9000/: EOF
disabling SSL (which is not configured as this is just a localhost test) gives me:
./pxctl credentials create --provider s3 --s3-access-key mybadaccesskey --s3-secret-key mybadsecretkey --s3-region local --s3-endpoint 10.0.0.1:9000 --s3-disable-ssl
Which returns:
Not authenticated with the secrets endpoint
I've tried this with both minio gateway (nas) and minio server - same result.
Portworx container is running within Rancher
Any thoughts appreciated
Resolved via instructions at https://docs.portworx.com/secrets/portworx-with-kvdb.html
i.e. set secret type to kvdb in /etc/pwx/config.json
"secret": {
"cluster_secret_key": "",
"secret_type": "kvdb"
},
Then login using ./pxctl secrets kvdb login
After this, credentials create was successful and subsequent cloudsnap backup. Test was using --s3-disable-ssl switch
Note - kvdb is plain text so not suitable for production obvs.
WAS 8.5 full profile isn't officially supported on OSX by IBM so the only option to perform development from OSX is to install stub runtime and connect to WAS installed remotely. I'm trying to install such scenario but something done wrong and can't connect to my WAS.
There's my installation:
On OSX El Capitan Installed:
RAD 9.5 with WAS 8.5 stub runtime (WebSphere Application Server traditional V8.5 stub)
Installed Virtual Box with Ubuntu Desktop edition 14.04
Ubuntu's hostname: anatoly-ubuntu-vm and it's accessible from host, i.e. ping anatoly-ubuntu-vm works fine
On Ubuntu installed:
WAS 8.5 full profile at /opt/IBM/WebSphere
Created AppSrv01 profile at /opt/IBM/WebSphere/AppServer/profiles
WAS installed with root user, IBM Installation Manager required root permission when was started
My connection settings in RAD:
server name: WebSphere Application Server traditional V8.5 stub at anatoly-ubuntu-vm
hostname: anatoly-ubuntu-vm
Runtime environment: WebSphere Application Server traditional V8.5 stub
Connection type:
I've tried RMI 2809 and SOAP 8880 both options didn't work
Enable the server to start remotely is checked and Select the operating system running the remote server: checked Linux option with my username and password. I've tried my regular Ubuntu account and root, both option didn't work.
Server profile path defined as /opt/IBM/WebSphere/AppServer/profiles/AppSrv01
When I try to start server I get the following exception:
The following problems has occurred when starting the server.
CTGRI0001E The application could not establish a connection to
anatoly-ubuntu-vm .
What am I doing wrong?
UPDATE 1:
After I've written this post I've figured out that SSH server isn't installed and configured at all as described here: Requirements for using Remote Execution and Access (RXA) Now, I've installed and it seems like connecting but stuck at 23% at stage Preparing launch delegate, after a while it throw the following error:
The following problems has occurred when starting the server. The
server may not be started in the correct mode. You can restart the
server to desired mode if it is started. CTGRI0075E A file transfer to
or from the system named [anatoly-ubuntu-vm] timed out before the
transfer could complete. The current timeout interval is set to 240000
milliseconds, and might need to be increased.
UPDATE 2:
As I can see despite error message server is started and I even can connect to web console anatoly-ubuntu-vm:9060/console/ibm but it looks that not SOAP connection, neither RMI connection don't work. When I run Test Connection from Settings overview page in RAD, I get the following error:
The connection failed after trying to use all the available connection
types.
Verify the port values are correct and the server has been started. If
the security of the server is enabled, verify the "Security is enabled
on this server" check box is selected, and the user ID and password
are provided. You can specify this in the server editor or when
creating a new server.
For a Technote with details on the most common server connection
problem, see http://www.ibm.com/support/docview.wss?uid=swg21266028.
The last connection attempt failed with the following exception:
ADMC0016E: The system cannot create a SOAP connector to connect to
host anatoly-ubuntu-vm at port 8880.
UPDATE 3
As #DanielBarbarian guessed I tried to run ./wsadmin.sh -port 8880 and it worked and returned
Connected to process "server1" on node anatoly-ubuntu-vmNode01 using SOAP connector; The type of process is: UnManagedProcess`
This is settings of my ports:
UPDATE 4
When I trying to run telnet anatoly-ubuntu-vm 8880 from OSX host I get the following response (ip address changed to non real due to privacy issue):
anatoly-mac:~ anatoly$ telnet anatoly-ubuntu-vm 8880
Trying 192.168.10.10...
Connected to anatoly-ubuntu-vm
Escape character is '^]'.
HTTP/1.1 408 Request Timeout
Content-Type: text/html
Content-Length: 117
Connection: close
<HTML><TITLE>408 - Request Timeout</TITLE><BODY>
<h1>408 Connection timed out while reading request</h1></BODY>
</HTML>Connection closed by foreign host
Firefox v39 will no longer connect to my web application over HTTPS. I'm using Spring Boot with embedded Tomcat and I've made sure I'm using the latest version of Boot (v1.2.5). Firefox shows the following error message:
Secure Connection Failed
An error occurred during a connection to [website]. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
I understand this is to protect against a known vulnerability called Logjam. A solution for Tomcat is provided at weakdh.org.
Spring Boot passes SSL configuration to Tomcat via application.properties and as such I have added server.ssl.ciphers to my application.properties as follows:
server.port=443
server.ssl.key-store=/home/ec2-user/boot.p12
server.ssl.key-store-password=...
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=...
server.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA
After restarting boot, I notice the following in my log file:
WARN 2674 [main] --- o.a.t.util.net.jsse.JSSESocketFactory : None of the ciphers specified are supported by the SSL engine : TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, ...
Additionally, connecting using Firefox fails with the following message:
Secure Connection Failed
The connection to [website] was interrupted while the page was loading.
And I see the following in my log file:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Unfortunately I'm no encryption expert. Can anyone suggest how to fix this? Do I need to recreate my HTTPS certificate?
The solution was to upgrade server Java on the server from 1.7 to 1.8.
sudo yum remove java-1.7.0-openjdk
sudo yum install java-1.8.0
After this was complete, no other configuration was necessary. Not even modyfing Tomcat as per the advice at weakdh.org.
The application log in the event viewer shows
Unable to load SiteMinder host configuration object or host configuration file
for Siteminder 12.51 on IIS 7.5 (64bit) OS Windows 2008 (64bit).
When do you get the error? Is it when you're configuring the Webagent?
Anyway, verify the following.
Verify your environment variables are set correctly, if must have references to the Webagent files, you may need to export the envvars in the webagent or policy server folder (nete_wa_env...) file.
if the host config object you're using exists? Verify this using the
Admin UI
If the hostname is configured in the policy server as a trusted host
Verify if the settings are correct in the corresponding SmHost.conf file in the webagent folder
Verify and eliminate any duplicate or conflicting lines in your IIS config files which refer to siteminder.
Verify the host config object and the agent config object settings.
make sure WebAgent.conf is pointing to the correct SmHost.conf and SmHost.conf has the correct HostConfigObject defined (with the exact case that is used in the Policy Store).
If the HCO in the Policy Store is named "DefaultHostSettings" and SmHost.conf contains HostConfigObject=defaulthostsettings you will get this type of error.
Try re-registering the web agent with the policy server using the smreghost command.