Email Hostname Certificate Mismatch Causing sidekiq Queue Overload, Severe Site Instability

RGJ · May 2, 2022, 6:49pm

Certainly. I can imagine that if a mail server requires starttls it will override the starttls setting but DISCOURSE_SMTP_OPENSSL_VERIFY_MODE should still be able to prevent an error.

Is anyone able to repro this?

mstm · May 6, 2022, 7:01pm

@Geoffrey_Challen how did you fix it?

Today I have update my forum to 2.9.0.beta4 (c99a6b10fb) and now I have the same error, discourse cannot send emails:
SSL_connect returned=1 errno=0 state=error: certificate verify failed (Hostname mismatch)

I have not changed the configuration of the VPS and email!

My app.yml:

  DISCOURSE_SMTP_ADDRESS: smtp.mydomain.info
  DISCOURSE_SMTP_PORT: 25
  DISCOURSE_SMTP_USER_NAME: info@mydomain.info
  DISCOURSE_SMTP_PASSWORD: "mypassword"
  DISCOURSE_SMTP_ENABLE_START_TLS: false           # (optional, default true)
  DISCOURSE_SMTP_DOMAIN: mydomain.info             # (required by some providers)
  #DISCOURSE_NOTIFICATION_EMAIL: noreply@discourse.example.com    # (address to send notifications from)

Tried and nothing changes …

Please now i can’t send emails and i can’t use TLS, what can i do?

RGJ · May 6, 2022, 7:48pm

Issue this command and see for what hostname the certificate is for

openssl s_client -connect  smtp.mydomain.info:25 -starttls smtp -showcerts 2>&1|grep "depth=0"

Replacing smtp.mydomain.info with the address of your SMTP server of course.

Then try to see if you can reach the SMTP server using that hostname.

mstm · May 6, 2022, 8:19pm

Thanks for your help @RGJ

hostname is CN = *.aruba.it so it’s different from mydomain.info and yes I can reach SMTP server using hostname and telnet.

Everything worked perfectly before ./launcher rebuild app

But… I have DISCOURSE_SMTP_ENABLE_START_TLS: false why does it keep looking for the certificate?

pfaffman · May 7, 2022, 12:21am

You can access the host using a name that matches the certificate. You can ask the server administrator to add the host name that your desire to the certificate.

That’s a good question, but you can make its answer moot by following the above advice, or so I think.

Another question, I think, is why did the mail admin break it for you?

Maybe that setting worked before and now it doesn’t. Whether it’s easier to track down that big or change the the hostname and see if that solves your problem is unclear.

mstm · May 7, 2022, 5:58am

No one made any changes, I’m sure, I just did ./launcher rebuild for install this plugin.

So should I change the hostname of the VPS to something that ends with .aruba.it?

pfaffman · May 7, 2022, 10:15am

That’s what it sounds like.

It’s possible that there is a regression that’s caused the issue, but I think that you can solve your immediate issue by changing the hostname

RGJ · May 7, 2022, 10:44am

This might help finding the correct one:

dig +short smtp.mydomain.info|xargs -n 1 nslookup|grep name=

mstm · May 7, 2022, 10:53am

Unfortunately it doesn’t work, the error is the same:
SSL_connect returned=1 errno=0 state=error: certificate verify failed (Hostname mismatch)

With version 2.9.0.beta4 (0acbd63320) was working, can I downgrade?

I created a new temporary email account with start tls support, I hope it will be fixed before the 2.9.0.beta5 release.

Geoffrey_Challen · May 7, 2022, 2:05pm

I followed the advice above and set the hostname to the name on the certificate.

It’s worth noting that, in this case, the problem only seems to have occurred after a laucher-initiated rebuild, rather than merely on an upgrade. Perhaps a problem with the launcher scripts?

mstm · May 11, 2022, 2:05pm

Can you please tell me how did you do it?
I’m going crazy, I can’t use SMTP server with port 25 or 587 without SSL and TLS

Thanks

Geoffrey_Challen · May 11, 2022, 3:02pm

I may not be able to help you then, since my configuration doesn’t require TLS. I think the only thing to do is either use a third-party email provider that provides valid certs, or wait for a fix that allows bypassing this issue.

pfaffman · May 11, 2022, 3:25pm

Did you try Richard’s dig command to find a hostname for your SMTP server for which it has a certificate?

mstm · May 12, 2022, 6:41am

Mine is also without TLS and SSL

RGJ · May 12, 2022, 1:23pm

Similar issue here Can't Send Emails - #14 by sukria.
Did something change in the base image or in an external library or gem?

mstm · May 12, 2022, 2:04pm

Yes that’s right, it’s the same problem … it started about two weeks ago.

Falco · May 12, 2022, 4:07pm

Can you try both

DISCOURSE_SMTP_ENABLE_START_TLS: false 
DISCOURSE_SMTP_OPENSSL_VERIFY_MODE: none

?

mstm · May 12, 2022, 4:54pm

Are the first things I tried but still the same error

SSL_connect returned=1 errno=0 state=error: certificate verify failed (Hostname mismatch)

pratyushmittal · May 14, 2022, 5:00am

Hey, I tried it with both the options. It still doesn’t work:

  DISCOURSE_SMTP_ADDRESS: REDACTED
  DISCOURSE_SMTP_PORT: 25
  DISCOURSE_SMTP_USER_NAME: REDACTED
  DISCOURSE_SMTP_PASSWORD: REDACTED
  DISCOURSE_SMTP_ENABLE_START_TLS: false           # (optional, default true)
  DISCOURSE_SMTP_OPENSSL_VERIFY_MODE: none
  DISCOURSE_SMTP_AUTHENTICATION: "login"

I still get certificate verify failed (self signed certificate).

mstm · May 14, 2022, 7:44am

For me it has been a blocking bug for a long time …
I recommend you to create a new temporary email address that has SMTP TLS support.