After a clean installation using the bitnami image I followed the instructions to set up the mailers.

It looks like this:

[
  {
    "key": "stmp-mailer",
    "type": "smtp",
    "options": {
      "host": "server",
      "user": "user",
      "port": 587,
      "password": "passwd",
      "protocol": "tls"
    }
  }
]

After this if I try to send a mail from the test app, I get the following message:

EXCEPTION: (RuntimeException) stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed at [<arcanist>/src/error/PhutilErrorHandler.php:263]
arcanist(head=stable, ref.stable=ac54d61d7af2), phabricator(head=stable, ref.stable=86ad69863930)

After a little search I found that I can just tell Arcanist to bypass the certificate. However, I’m unable to run almost anything using arcanist. A sample:

$  arc set-config https.blindly-trust-domains '["example.com"]'
[2020-12-14 18:48:55] EXCEPTION: (TypeError) Argument 1 passed to ArcanistBlindlyTrustHTTPEngineExtension::setDomains() must be of the type array, string given, called in /opt/bitnami/arcanist/scripts/arcanist.php on line 304 at [<arcanist>/src/configuration/ArcanistBlindlyTrustHTTPEngineExtension.php:10]
arcanist(head=stable, ref.stable=ac54d61d7af2)
  #0 ArcanistBlindlyTrustHTTPEngineExtension::setDomains(string) called at [<arcanist>/scripts/arcanist.php:304]

But the same happens if I run get-config.

Is this crash normal, or is it some kind of misconfiguration?

Arcanist version: arcanist ac54d61d7af20f5d65ba889974f23a86bfb6cd57 (19 Oct 2020)

-- UPDATE --

Running the following command:

openssl s_client -starttls smtp -connect MAIL_SERVER:587

produces a couple of errors, followed by a certificate:

verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = XXX
verify error:num=21:unable to verify the first certificate

I then tried to pull the certificate to a .pem file and add it using update-ca-certificates, which seems to work. But I see no difference at all.

danijepg
  • Did you tag this with [tag:self-signed-certificate] because you know the SSL cert is self-signed? Because if it is, that's the problem. If you control that certificate, your best solution would be to get a valid one. LetsEncrypt can make you one for free. – Ladadadada Dec 22 '20 at 14:54
  • should it not be: "key": "***smtp***-mailer", – Sturban Dec 23 '20 at 20:02
  • @Sturban, sure, but I guess that's only an identifier – danijepg Dec 28 '20 at 08:21
  • @Ladadadada I have checked, it's not self-signed – danijepg Dec 28 '20 at 08:21

1 Answer

Try testing the individual components. You can rule out arcanist as the source of the problem by using openssl directly:

openssl s_client -starttls smtp -connect example.com:587 -servername example.com

Verify that the target TLS certificate is set up correctly and verifies from your local machine, then check that your server can verify it as well. Failures at each of these steps point to a different problem. The target SMTP server could have an expired or invalid certificate or your server could be missing root certificates that allow you to verify the one the SMTP server is using.

You're looking for this in the output if everything is working properly:

Verify return code: 0 (ok)

If both tests show OK, then you might have to start adding debugging code to arcanist to see if it is possibly causing the problem.

Ladadadada
  • Running openssl as you say prompts an error (unable to get local issuer certificate, unable to verify the first certificate), followed by a certificate. I could imagine this was the problem but I was trying to just bypass it so I don't need to add it to the server. – danijepg Dec 23 '20 at 07:46
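
The check described in the answer above, as an added example that is not part of the original question or answer: a POSIX shell function that reads openssl s_client output and reports why verification failed. The names diagnose_s_client and sample_failure, the sample output and the diagnosis labels are constructed for illustration; the numbers are OpenSSL's standard verify error codes.

```shell
#!/bin/sh
# Added example (not from the original post): classify the certificate
# verification result found in `openssl s_client` output read from stdin.
# Live use with the command from the answer (verify errors go to stderr):
#   openssl s_client -starttls smtp -connect example.com:587 \
#     -servername example.com </dev/null 2>&1 | diagnose_s_client

# The body runs in a subshell "( )" so its variables do not leak out.
diagnose_s_client() (
  code="" errs=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *"verify error:num="*)          # per-certificate error during handshake
        line=${line#*"verify error:num="}
        errs="$errs ${line%%:*}" ;;
      *"Verify return code: "*)       # final summary line; last one wins
        line=${line#*"Verify return code: "}
        code=${line%% *} ;;
    esac
  done
  # No summary line (truncated output): fall back to the last error seen.
  [ -n "$code" ] || code=${errs##* }
  case "$code" in
    0)     echo "ok: chain verifies against the local trust store" ;;
    10)    echo "expired: a certificate in the chain has expired" ;;
    18|19) echo "self-signed: chain ends in a certificate that is not trusted locally" ;;
    20|21) echo "missing-issuer: server sent no intermediate, or the issuing CA is not in the local trust store" ;;
    "")    echo "unknown: no verification result found in input" ;;
    *)     echo "other: verify code $code, see the openssl verify documentation" ;;
  esac
)

# Constructed sample, modelled on the errors quoted in the question.
sample_failure() {
  cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = XXX
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = XXX
verify error:num=21:unable to verify the first certificate
verify return:1
Verify return code: 21 (unable to verify the first certificate)
EOF
}

sample_failure | diagnose_s_client
```

Running it once on the local machine and once on the server separates the two cases the answer names: the same failure in both places points at the mail server's chain, a failure only on the server points at its trust store.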