Cert issued by the LetsEncrypt intermediate R10 is rejected: Path does not chain with any of the trust anchors

I have an account on the conversation.im server and tried to use it with the latest Spark 3.0.2 on Ubuntu 22.04. During connection I receive an error:

org.jivesoftware.smack.SmackException$SmackWrappedException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Certificate path validation failed
	at org.jivesoftware.smack.AbstractXMPPConnection.setCurrentConnectionExceptionAndNotify(AbstractXMPPConnection.java:687)
	at org.jivesoftware.smack.AbstractXMPPConnection.notifyConnectionError(AbstractXMPPConnection.java:987)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$4100(XMPPTCPConnection.java:131)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1167)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$700(XMPPTCPConnection.java:916)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:939)
	at java.base/java.lang.Thread.run(Thread.java:1583)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Certificate path validation failed
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1318)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1195)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1138)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:447)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1506)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection.proceedTLSReceived(XMPPTCPConnection.java:733)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$1400(XMPPTCPConnection.java:131)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:990)
	... 3 more
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Certificate path validation failed
	at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.checkServerTrusted(SparkTrustManager.java:97)
	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1430)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1302)
	... 17 more
Caused by: java.security.cert.CertPathValidatorException: Certificate path validation failed
	at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.doTheChecks(SparkTrustManager.java:127)
	at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.checkServerTrusted(SparkTrustManager.java:93)
	... 19 more
Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:157)
	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:83)
	at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
	at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.validatePath(SparkTrustManager.java:270)
	at org.jivesoftware.sparkimpl.certificates.SparkTrustManager.doTheChecks(SparkTrustManager.java:123)
	... 20 more

It looks like the problem is with the intermediate CA LetsEncrypt R10 which was added recently:

I tried adding the R10 cert to the list of trusted certificates in Spark itself and it worked. But then I cleared the ~/.Spark settings and the problem began again.

Actually, I believe that this is a problem in Spark itself. Could you please tell me if this is true? Many personal XMPP servers may have the same problem.

May be useful:

The profile keeps user-specific exceptions, which is why you lost the cert when you deleted the folder. If you add the R10 cert into the JRE trust store, this should solve the issue for you.

Yes, but R10 must work out of the box. Also, I remembered that adding the cert to the trusted list in Spark didn't help and I had to update the system's CA store (later I rolled back).
So we have two bugs here.

To your point: adding the intermediate cert to the client's system CA store is not the best solution. After looking at it more closely, it's likely the cert being presented by Openfire doesn't include the full chain. Try re-importing your cert using the full chain.

The conversation.im server is not Openfire but the latest ejabberd. Exactly the same issue occurs with the yax.im server, which also uses a LetsEncrypt certificate and runs the latest stable Prosody.
See, here I tried to use my existing accounts with Spark. But if an Openfire server uses a LetsEncrypt cert then it should have the same issue.

I reported the bug [SPARK-2336] - Ignite Realtime Jira