A note to self (and others) for when this problem happens again. My university today updated the certificate for their OWA webmail service, signed by a certificate authority that I did not have in my trust chain.
This triggers the following error in DavMail: “java.security.cert.CertificateException: User rejected certificate”.
To fix it, you need to install the certs into the Java keystore, which is separate from the central ca-certificates package on Debian.
So, use Firefox or similar to download the PEM files (authority + chain), then do the following in a bash script:
    for file in *.pem; do
        # Convert each PEM file to DER, then import it into the Java keystore
        openssl x509 -outform der -in "$file" -out /tmp/certificate.der
        keytool -import -alias "$file" -keystore ./java/cacerts -file /tmp/certificate.der -deststorepass changeit -noprompt
    done
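Because -noprompt skips keytool's confirmation, every PEM file in the directory becomes trusted without review. The script below is an added example, not part of the original note: it imports a certificate only if its SHA-256 fingerprint is in an allowlist you confirmed out of band, then reads the entry back. The function names and the allowlist file are assumptions.

```bash
#!/usr/bin/env bash
# Added example; function names and the allowlist file are hypothetical.
# Allowlist: one SHA-256 fingerprint per line, confirmed out of band.

# Strip "sha256 Fingerprint=", colons and spaces; upper-case the hex.
fp_normalize() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Normalised SHA-256 fingerprint of a PEM certificate file.
cert_fp() {
    local out
    out=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    fp_normalize "$out"
}

# Succeeds if fingerprint $1 appears in allowlist file $2 ('#' starts a comment).
fp_allowed() {
    local want line
    want=$(fp_normalize "$1")
    [ -n "$want" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        [ "$(fp_normalize "$line")" = "$want" ] && return 0
    done < "$2"
    return 1
}

# usage: import_verified KEYSTORE ALLOWLIST file.pem...
import_verified() {
    local ks="$1" allow="$2" f fp alias
    shift 2
    for f in "$@"; do
        fp=$(cert_fp "$f") || { echo "skip $f: not a readable certificate" >&2; continue; }
        if ! fp_allowed "$fp" "$allow"; then
            echo "skip $f: fingerprint $fp is not in $allow" >&2
            continue
        fi
        alias=$(basename "$f" .pem)
        openssl x509 -in "$f" -noout -subject -issuer -enddate
        # keytool reads PEM directly, so no DER conversion is needed here.
        keytool -importcert -alias "$alias" -keystore "$ks" -file "$f" \
                -storepass changeit -noprompt &&
            keytool -list -alias "$alias" -keystore "$ks" -storepass changeit
    done
}

if [ "$#" -ge 3 ]; then import_verified "$@"; fi
```

Saved as a script, it takes the keystore path, the allowlist file and the PEM files as arguments.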