Let's Encrypt X3 nightmare

I’m getting the following error when using the mail-receiver app as of today. It was working fine before.

It’s trying to send the e-mail to Discourse via API. Is it possible it’s caused by DST Root CA X3 certificate expiration?

If yes, does anyone have any idea about how to solve it? I tried to rebuild both app and mail-receiver, recreating Let’s Encrypt certificates, etc…

```
<19>Sep 30 22:07:26 receive-mail[96]: Failed to POST the e-mail to https://forum.validadortiss.com.br/admin/email/handle_mail: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
```

2 Likes

Thanks for the report @wlandgraf - we’ll get a new mail-receiver image pushed up to Dockerhub ASAP

4 Likes

The release tag on Dockerhub has now been updated. Assuming you followed the official setup instructions, you can pull the new image by running

```
cd /var/discourse
./launcher rebuild mail-receiver
```

https://hub.docker.com/layers/discourse/mail-receiver/release/images/sha256-67222bded8651b2aefae113c57f183bba5d82b78e9ea60630a996d14833657dc

5 Likes

Hi @david, your prompt response is really appreciated. However, that didn’t solve my problem. It still persists.

1 Like

In /var/discourse/containers/mail-receiver.yml, what do you have on the base_image: line? It should be:

```
base_image: discourse/mail-receiver:release
```

(More info on that here)

1 Like

Yes, that’s what I have.

1 Like

This is the beginning of my file:

```
## this is the incoming mail receiver container template
##
## After making changes to this file, you MUST rebuild
## /var/discourse/launcher rebuild mail-receiver
##
## BE *VERY* CAREFUL WHEN EDITING!
## YAML FILES ARE SUPER SUPER SENSITIVE TO MISTAKES IN WHITESPACE OR ALIGNMENT!
## visit http://www.yamllint.com/ to validate this file as needed

base_image: discourse/mail-receiver:release
update_pups: false

expose:
  - "25:25"   # SMTP
```

And here is the (partial) output of the rebuild operation (omitted the parts that have API keys):

```
Ensuring launcher is up to date
Fetching origin
Launcher is up-to-date
Stopping old container
+ /usr/bin/docker stop -t 60 mail-receiver
mail-receiver
cd /pups && /pups/bin/pups --stdin
sha256:5f123a8eb11784828d5195ee0f328a0ea5a5d2ce36eeae1760e3d47b0dbeb15c
165ebaa91836a07696924f95d3746cbd1cc14412f478ba715ee40f502780ab7a
Removing old container
+ /usr/bin/docker rm mail-receiver
mail-receiver
```

2 Likes

Can you try

```
docker pull discourse/mail-receiver:release
cd /var/discourse
./launcher rebuild mail-receiver
```

6 Likes

That did it! Thank you very much! A few questions if you don’t mind:

1. Why was that necessary? Should I always manually pull the latest image before building?
2. Do I have to apply the same procedure (docker pull) when rebuilding the app?
3. I see e-mails sent after the rebuild arrived, but not the e-mails previously sent. Were those e-mails lost?

2 Likes

It looks like your docker installation had cached the :release tag. To avoid the need for a docker pull in future, we might be able to add some logic to our launcher script.

The app images are handled differently, so there won’t be any caching issue there.

Emails sent during the outage should have been returned to the sending server with a “temporary fail”. Those servers should retry the mail periodically, so hopefully you will see the missing emails arrive in the next few hours.

4 Likes

Excellent. Thank you again for the fast response. The world seems to be suffering from this Root CA X3 mess, you have now made your contribution to make the world a little bit better now. :smiley:

3 Likes

Any clues on how to detect whether a mail receiver needs to be updated and whether the docker pull will be necessary?

3 Likes

All mail-receivers installed before today will need to be updated. (technically, any install using a base image earlier than 67222bded865)

The docker pull will be necessary until we update launcher (which is unlikely to be today/tomorrow). I just pushed an announcement topic here, because I know this will be disruptive to many sites. It includes update instructions, including the docker pull:

8 Likes
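One way to script the "does this host still have a cached, pre-fix `:release` image?" check discussed above. This is an added example, not part of the thread and not Discourse's launcher code. It assumes the hash quoted in the thread is the registry digest Docker records in `RepoDigests`, and it uses the DST Root CA X3 expiry time (2021-09-30 14:01:15 UTC, not stated in the thread) as a cutoff; `classify` and `check_local` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: decide whether the locally cached mail-receiver image
# predates the fix, without pulling anything.

IMAGE="discourse/mail-receiver:release"
FIXED_DIGEST="sha256:67222bded865"   # digest prefix quoted in the thread
ROOT_EXPIRY="2021-09-30T14:01:15"    # DST Root CA X3 notAfter, UTC (assumption, see lead-in)

# classify CREATED REPO_DIGESTS -> prints: fixed | stale | check-registry
classify() {
    # Docker reports e.g. 2021-06-01T10:00:00.123456789Z; keep whole seconds
    # only so the fractional part cannot skew the byte-wise comparison.
    created=$(printf '%s' "$1" | cut -c1-19)
    case "$2" in
        *"@$FIXED_DIGEST"*) echo fixed; return ;;
    esac
    # ISO 8601 UTC timestamps sort chronologically as plain bytes.
    oldest=$(printf '%s\n%s\n' "$created" "$ROOT_EXPIRY" | LC_ALL=C sort | head -n 1)
    if [ "$created" != "$ROOT_EXPIRY" ] && [ "$oldest" = "$created" ]; then
        echo stale            # built before the root expired: cannot contain the fix
    else
        echo check-registry   # newer build: only a docker pull can confirm it is current
    fi
}

# check_local: feed the cached image's metadata to classify (needs the docker CLI).
check_local() {
    created=$(docker image inspect --format '{{.Created}}' "$IMAGE") || return 2
    digests=$(docker image inspect --format '{{join .RepoDigests " "}}' "$IMAGE")
    classify "$created" "$digests"
}

# Run the live check only when invoked as: sh check.sh run
if [ "${1:-}" = "run" ]; then check_local; fi
```

A `stale` result means the `docker pull` step from the thread is still required before `./launcher rebuild mail-receiver`; the same comparison against `docker inspect --format '{{.Image}}' mail-receiver` shows whether the running container was rebuilt from the refreshed image.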
