Email jobs failing after latest update, certificate verify failed (unable to get local issuer certificate)

Sorry for another redundant question, as I can see there are many similar support requests to this, e.g. Email Notifications Failing after Update, but our error message is slightly different:

“certificate verify failed (unable to get local issuer certificate)”

This is after the update on May 11th to 2.9.0
from_version: a76256756fc8442eab960cc1c7d37a737efb5a69,
repository: /var/www/discourse, /var/www/discourse/plugins/styleguide

which I can see on GitHub affects sidekiq - is it being more picky suddenly? I am also addressing this with our mail relay, but if I can give them more specific information on how to fix this, or if it’s on my forum’s side (https://forum.solarfarmer.dnv.com/), then that would help us troubleshoot faster.

Thanks for any help.

1 Like

This is the same problem as Email Hostname Certificate Mismatch Causing sidekiq Queue Overload, Severe Site Instability

3 Likes

@RGJ I tried running

openssl s_client -connect smtp.mydomain.info:25 -starttls smtp -showcerts 2>&1 | grep "depth=0"

but it doesn’t show any other domains, it just says the same error as sidekiq: “unable to get local issuer certificate” and a bunch of other stuff. I tried changing the app.yml mail settings to and back to our mail relay, and running ./launcher rebuild app each time, but so far nothing works.

1 Like

There are three possible causes for this:

  • expired certificate
  • hostname in the certificate is different than the hostname you’re connecting to
  • no certificate at all

It looks like you are experiencing the latter one. The only resolution is to make sure you have a correctly configured SMTP server, supporting STARTTLS and with a correct certificate.

3 Likes

Thanks @RGJ - but why did this issue only begin after upgrading to version 2.9.0? Is it because STARTTLS is being stricter about enforcing this requirement? Nothing has changed for our mail relay or in the app.yml mail configuration. The site’s IP is whitelisted with the mail relay, which is maintained by the IT department. I don’t have any control over it. The site CNAME is also controlled by our IT department. They do have different domains: the CNAME is “dnv.com” and the mail relay is “dnvgl.com”. Is that part of the issue? I am pursuing this in parallel with our IT department, but trying to give them as much info as I can. I apologize for my ignorance, a lot of this is way over my head, so I may be using incorrect terms. Sorry :frowning:

1 Like

Because there was a change where Discourse upgraded to Rails 7 between 2.9.0.beta3 and beta4, which triggered this.

See Email Hostname Certificate Mismatch Causing sidekiq Queue Overload, Severe Site Instability - #47 by RGJ

3 Likes

Our IT dept says, “there’s nothing wrong with certificates [for the mail relay] all are active and properly configured to be used with smtp service. Second - I haven’t heard of any problems from any other services/clients that are using this mail relay.” :cry:

1 Like

IT has created a new email account using office365 onmicrosoft, but I am still having issues. Now I get either ReadTimeout or SMTPAuthenticationError: Unrecognized authentication type.

My current config:

DISCOURSE_SMTP_ADDRESS: smtp.office365.com
DISCOURSE_SMTP_PORT: 587
DISCOURSE_SMTP_USER_NAME: myusername
DISCOURSE_SMTP_PASSWORD: "mypassword"  # are quotes needed?
DISCOURSE_SMTP_ENABLE_START_TLS: true  # is this right?
DISCOURSE_SMTP_DOMAIN: outlook.com
DISCOURSE_NOTIFICATION_EMAIL: myusername@mycompany.onmicrosoft.com

where the my* values are specific to the new email account.

1 Like

@RGJ I want to thank everyone for their help. I finally, finally have this resolved. The tweak for office365 is to use DISCOURSE_SMTP_AUTHENTICATION: login.

The office365 SMTP server and port config are smtp.office365.com:587 with STARTTLS enabled, which is the default anyway.

And the username is the full email address at the organization using office365, usually myaccount@mycompany.onmicrosoft.com. This may or may not be the same as your notification email.

Here is my final config:

  DISCOURSE_SMTP_ADDRESS: smtp.office365.com
  DISCOURSE_SMTP_PORT: 587
  DISCOURSE_SMTP_USER_NAME: myacct@mycompany.onmicrosoft.com
  DISCOURSE_SMTP_PASSWORD: mypassword
  DISCOURSE_SMTP_ENABLE_START_TLS: true
  DISCOURSE_SMTP_DOMAIN: outlook.com
  DISCOURSE_NOTIFICATION_EMAIL: myacct@mycompany.com
  DISCOURSE_SMTP_AUTHENTICATION: login

According to Mail Tester it is 10 for 10!

2 Likes

We are experiencing the very same issue here with a PROPERLY configured SMTP server used by dozens of other services. The SMTP server employs a wildcard certificate issued by Let’s Encrypt.

The error says: "(unable to get local issuer certificate)"

I think that it’s a bug as described at Disabling starttls or certificate verification does not work any more

Except you say that you have a valid cert. So I might be wrong.

Try to check the domain name using the commands recommended by @RGJ:

openssl s_client -connect smtp.mydomain.info:25 -starttls smtp -showcerts 2>&1 | grep "depth=0"

Make sure your domain matches the certificate returned from openssl, if any. Also check this thread, “Email Hostname Cert Mismatch Causing sidekiq…”, linked above.

Also, the email troubleshooting guide helped me a lot. I had to read it very closely several times to get what I needed. Maybe you will find something there?

1 Like
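Added example, not code from this thread, from Discourse or from its net-smtp stack: a small Ruby STARTTLS probe that does what the openssl s_client command recommended above does, and sorts any failure into the causes @RGJ listed earlier (expired certificate, hostname mismatch, no certificate). It uses the same Ruby OpenSSL layer a Rails mailer sits on, so its verdict matches what sidekiq sees rather than what a browser or another client sees. It keeps the three buckets from the thread and adds a fourth, untrusted_issuer, for the exact "unable to get local issuer certificate" string, because OpenSSL raises that when the issuer of the chain the server sent is not in the local CA store (an incomplete chain or an unknown CA), which needs a different fix from an expired or mismatched certificate. The host, port and EHLO name are constructed inputs and the category names are this example's own; only the usage line at the bottom touches the network.

```ruby
# Added example (not code from the thread or from Discourse): a STARTTLS probe
# that performs the same check as the openssl s_client command in the thread,
# using the OpenSSL stack a Rails app relies on, and maps any failure onto the
# causes listed there. Host, port and the EHLO name are constructed inputs; the
# category symbols are this example's own naming.
require 'socket'
require 'openssl'
require 'timeout'

# Read one (possibly multi-line) SMTP reply, e.g. "250-STARTTLS" ... "250 SIZE".
# Returns [numeric code, array of reply lines without CRLF].
def read_reply(io)
  lines = []
  loop do
    line = io.gets or raise 'connection closed by server'
    lines << line.chomp
    break unless line[3] == '-' # a '-' after the code means more lines follow
  end
  [lines.first[0, 3].to_i, lines]
end

# True when the EHLO response advertises STARTTLS.
def starttls_offered?(ehlo_lines)
  ehlo_lines.any? { |l| l.match?(/\A250[- ]STARTTLS\b/i) }
end

# Map an OpenSSL::SSL::SSLError message onto a cause. The strings matched are
# the ones OpenSSL and Ruby's openssl gem emit for these verify failures.
# :untrusted_issuer covers "unable to get local issuer certificate": the server
# sent a chain whose issuer is not in the local CA store (incomplete chain or
# unknown CA), which is a different fix from an expired or mismatched cert.
def classify_tls_failure(message)
  case message
  when /certificate has expired/i then :expired_certificate
  when /hostname mismatch|does not match the server certificate/i then :hostname_mismatch
  when /unable to get local issuer certificate|self.signed certificate/i then :untrusted_issuer
  else :unknown
  end
end

# Upgrade an open SMTP connection to TLS and verify the peer the way a mailer
# with peer verification enabled does: default CA store, SNI, hostname check.
def verify_tls(tcp, host)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_PEER) # also loads the default CA paths
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = host # SNI, so a relay serving several domains can pick the right cert
  ssl.connect
  ssl.post_connection_check(host) # explicit hostname-vs-SAN/CN check
  cert = ssl.peer_cert
  san = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  { cause: :ok, subject: cert.subject.to_s, san: san&.value, not_after: cert.not_after }
rescue OpenSSL::SSL::SSLError => e
  { cause: classify_tls_failure(e.message), error: e.message }
end

# Connect, EHLO, STARTTLS, verify. Returns a hash whose :cause is :ok,
# :no_certificate (STARTTLS never offered, so there is nothing to verify),
# :expired_certificate, :hostname_mismatch, :untrusted_issuer or :unknown.
def probe_starttls(host, port = 25, timeout: 10)
  result = { host: host, port: port }
  Timeout.timeout(timeout) do
    tcp = TCPSocket.new(host, port)
    begin
      code, = read_reply(tcp)
      raise "unexpected greeting #{code}" unless code == 220
      tcp.write("EHLO probe.example.invalid\r\n") # constructed EHLO name
      code, ehlo = read_reply(tcp)
      raise "EHLO rejected with #{code}" unless code == 250
      if starttls_offered?(ehlo)
        tcp.write("STARTTLS\r\n")
        code, = read_reply(tcp)
        raise "STARTTLS rejected with #{code}" unless code == 220
        result.merge!(verify_tls(tcp, host))
      else
        result[:cause] = :no_certificate
      end
    ensure
      tcp.close
    end
  end
  result
end

# Usage: ruby smtp_probe.rb smtp.mydomain.info 25
if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  host, port = ARGV
  p probe_starttls(host, (port || 25).to_i)
end
```

Run it against the relay's hostname exactly as it appears in DISCOURSE_SMTP_ADDRESS: a :hostname_mismatch result with a subject or SAN naming a different domain is the CNAME-versus-relay-domain situation discussed above, :no_certificate means the relay never offers STARTTLS on that port, and :untrusted_issuer means the relay's chain is incomplete or signed by a CA the container does not trust, which is why other clients with their own trust stores can still send through it.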