I’m getting the following error when using the mail-receiver app as of today. It was working fine before.
It’s trying to send the e-mail to Discourse via API. Is it possible it’s caused by DST Root CA X3 certificate expiration?
If yes, does anyone have any idea about how to solve it? I tried to rebuild both app and mail-receiver, recreating Let’s Encrypt certificates, etc…
```
<19>Sep 30 22:07:26 receive-mail[96]: Failed to POST the e-mail to https://forum.validadortiss.com.br/admin/email/handle_mail: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
```
```yaml
## this is the incoming mail receiver container template
##
## After making changes to this file, you MUST rebuild
## /var/discourse/launcher rebuild mail-receiver
##
## BE *VERY* CAREFUL WHEN EDITING!
## YAML FILES ARE SUPER SUPER SENSITIVE TO MISTAKES IN WHITESPACE OR ALIGNMENT!
## visit http://www.yamllint.com/ to validate this file as needed
base_image: discourse/mail-receiver:release
update_pups: false
expose:
- "25:25" # SMTP
```
And here is the (partial) output of the rebuild operation (omitted the parts that have API keys):
```
Ensuring launcher is up to date
Fetching origin
Launcher is up-to-date
Stopping old container
+ /usr/bin/docker stop -t 60 mail-receiver
mail-receiver
cd /pups && /pups/bin/pups --stdin
sha256:5f123a8eb11784828d5195ee0f328a0ea5a5d2ce36eeae1760e3d47b0dbeb15c
165ebaa91836a07696924f95d3746cbd1cc14412f478ba715ee40f502780ab7a
Removing old container
+ /usr/bin/docker rm mail-receiver
mail-receiver
```
It looks like your docker installation had cached the :release tag. To avoid the need for a docker pull in future, we might be able to add some logic to our launcher script.
The app images are handled differently, so there won’t be any caching issue there.
Emails sent during the outage should have been returned to the sending server with a “temporary fail”. Those servers should retry the mail periodically, so hopefully you will see the missing emails arrive in the next few hours.
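Added example, not from the thread or from Discourse's code: a Ruby illustration of the failure mode asked about in the question, where a chain ending in an expired root fails verification and the same leaf passes once the trust store holds a current root. All certificates and names (`Example Test Root`, `forum.example.test`, `make_cert`, `expired_in_bundle`, `verify_against`, `demo`) are constructed for the illustration; the thread does not say what the older base image's trust store contained.

```ruby
require "openssl"

# Build a certificate from constructed test data; without issuer/issuer_key it is self-signed.
def make_cert(cn, key, not_before, not_after, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Subjects of every certificate in a PEM bundle whose notAfter has passed.
def expired_in_bundle(pem, now = Time.now)
  pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
     .select { |c| c.not_after < now }
     .map { |c| c.subject.to_s }
end

# Verify a leaf against a trust store; returns [ok, OpenSSL verify error code].
def verify_against(trusted, leaf)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  [store.verify(leaf), store.error]
end

# Constructed scenario: the same leaf checked against a store holding only the
# expired root, then against a store holding a current root with the same key.
def demo
  now = Time.now
  day = 86_400
  root_key = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  old_root = make_cert("Example Test Root", root_key, now - 730 * day, now - day, ca: true)
  new_root = make_cert("Example Test Root", root_key, now - day, now + 365 * day, ca: true)
  leaf = make_cert("forum.example.test", leaf_key, now - day, now + 30 * day,
                   issuer: old_root, issuer_key: root_key)
  { expired: expired_in_bundle(old_root.to_pem + new_root.to_pem, now),
    stale_store: verify_against([old_root], leaf),
    fresh_store: verify_against([new_root], leaf) }
end
p demo if __FILE__ == $PROGRAM_NAME
```

`expired_in_bundle` can be pointed at the contents of any PEM CA bundle file to list entries whose validity has lapsed.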
Excellent. Thank you again for the fast response. The world seems to be suffering from this Root CA X3 mess, you have now made your contribution to make the world a little bit better now.
All mail-receivers installed before today will need to be updated. (technically, any install using a base image earlier than 67222bded865)
The docker pull will be necessary until we update launcher (which is unlikely to be today/tomorrow). I just pushed an announcement topic here, because I know this will be disruptive to many sites. It includes update instructions, including the docker pull: