Symfony is throwing error when I try to send email. Apparently there is ssl certificate verification failure. The project is running on linux nginx server.
The .env file has following configuration.
MAILER_URL=smtp://user:pass#mail.ourserver.de??encryption=ssl&auth_mode=login
Error log
app.ERROR: Could not send mail: Failed sending mail to following
recipients: {{ recipients }} with Error: Connection could not be
established with host "ssl://mail.ourserver.de :465":
stream_socket_client(): SSL operation failed with code 1. OpenSSL
Error messages: error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed
Error Code:0
Do I need to get ssl certificate for the domain in this case "mail.ourserver.de" and add cert and key in linux openssl configuration?
A hack to make it work! I have found it in stackoverflow answers, but not sure if it's a good practice and does that make the ssl connection vulnerable to attack?
verify_peer=false parameter
MAILER_URL=smtp://user:pass#mail.ourserver.de??encryption=ssl&auth_mode=login&verify_peer=false
If i disable verify_peer option, it does work, but Is ssl verification taking place when peer verification is set to false or it's being completely disabled?
It's failing to verify your server's certificate. There's a guide for checking and updating certificates here. (it's for PHPMailer but the parts regarding certificates are still relevant)
If you did not add a SSL certificate yourself, but use SSL, you probably have an autogenerated, self signed certificate in place.
Yes, you should assign a domain name to the server and get some valid, trusted SSL certificate for it. You can use the free LetsEncrypt service. The details depend on the mail server software.
Related
This question already has answers here:
Laravel certificate verification errors when sending TLS email
(2 answers)
Closed 1 year ago.
My config:
PHP version: 7.4.5
Laravel version: 7
Swiftmailer version: 6.2.3
Observed behaviour
Swift_TransportException
Connection could not be established with host ... :stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Expected behavior
Working -> I think there was a breaking change in underlying libs and used encryption methods, cause I have systems where it is working with the exactly same swiftmailer version.
Example to reproduce
Install the latest Laravel 7.
Create proper configs and mails.
Try to send email with port 587 and tls enabled. Error:
stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Try to send email with port 465 and ssl enabled. Error:
Connection could not be established with host ... :stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Please note that:
Configs are 100% validated and I can send emails from many different systems, but not using this library -> swiftmailer -> used_by -> laravel.
I've tried different smtp mailing vendors and the results are identical.
What am I doing wrong here?
The solution was really trivial.
What was needed to solve this problem, was to set up MAIL_ENCYRPTION to tcp in .env.
instead of tls or ssl on corresponding ports.
For some strange reasons, setting tls (no matter version) or ssl, with proper ports didn't work.
Therefore, if you are experiencing these types of problems, please set MAIL_ENCYRPTION=tcp - this should solve your errors.
Happy coding...
I am using PHP's imap_open function to connect to an IMAP email server. This has been working fine for several years, but the email server was recently changed and I have started getting the following error:
"Cannot connect to mail server: Certificate failure for
subdomain.mail.domain.com: Unable to locate common name in
certificate"
The email server's tech support responded:
"The common name for our cert is "*.mail.domain.com". As it is a wildcard certificate, there is no explicit hostname for it. It appears that your scripts are expecting the certificate to return explicitly for "subdomain.mail.domain.com" when our wildcard certificate will not. This is why the error above occurs."
If I disable SSL certificate checking using the /novalidate-cert flag in the imap_open function I'm able to connect, but I'd obviously prefer to keep certificate validation enabled. Is there a way to do this with wildcard certificates and the imap_open function?
Is there any way to create PHP SoapServer with local secure WSDL URL using self-signed SSL certificate? Following code:
$soapServer = new SoapServer("https://mysite.local/my-document?wsdl");
throws always exception:
SoapServer::SoapServer(): SSL operation failed with code 1. OpenSSL
Error messages: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
(/var/www/app/modules/generators/components/WsSoap.php:110)
I could not find anything on how to turn off SSL validation for SoapServer.
Most of issues are related to SoapClient, which is not the case.
I also want to avoid installing any ca.pem local files with valid certificates, because it would be difficult on many servers, just need to create SoapServer for one-time unit testing, don't care about valid/invalid local domain. Using PHP 7.0.19. Thank you.
I have problems when inserting data to firebase from a domain with certificate (ssl), from LOCALHOST and a Domain http:// works corractamete, but from one https:// does not work.
This comes out in the debug (I'm using CakePhpv2)
Error: [SocketException] stream_socket_client(): Peer certificate
CN=firebaseio.com' did not match expected CN=xxxxxx.firebaseio.com'
stream_socket_client(): Failed to enable crypto
stream_socket_client(): unable to connect to ssl://uxxxxxxxx.com:443
(Unknown error)
When making requests to SSL services HttpSocket will attempt to validate the SSL certifcate using peer validation. If the certificate fails peer validation or does not match the hostname being accessed the connection will fail, and an exception will be thrown. By default HttpSocket will use the mozilla certificate authority file to verify SSL certificates. You can use the following options to configure how SSL certificates are handled:
ssl_verify_peer Set to false to disable SSL verification. This is not
recommended.
ssl_verify_host Set to false if you wish to ignore
hostname match errors when validating certificates.
ssl_allow_self_signed Set to true to enable self-signed certificates
to be accepted. This requires ssl_verify_peer to be enabled.
ssl_cafile Set to the absolute path of the Certificate Authority file
that you wish to use for verifying SSL certificates.
$socket = new HttpSocket(array(
'ssl_verify_host' => false
));
See CakePHP HttpSocket Handling SSL certificates
i'm using mandrill and setting up webhooks is failing. i moved my domain to a new server and set up ssl again.
now when i look at the web hooks admin page i see this error:
- Error: POST to https://my.website.com/hooks/mandrill.php failed: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
when i try to change the url for this webhook, all i get is
- We can't verify that the URL exists. More info
when i contacted mandrill support they suggested that it may be missing intermediate CA for my SSL cert. That browsers wouldn't care but the server did care and would fail.
this url helped me figure out that indeed my intermediate CA was not installed
- https://www.sslshopper.com/ssl-checker.html
ends up i didn't have the intermediate CA enabled in /etc/httpd/conf.d/ssl.conf. the lines were commented out. i removed the comments and restarted apache and all is working well now.
i could save the changed webhook and when i clicked send test it sent them. however there still was a stale error on the webhook about the ssl issue. but it was no longer preventing me from editting or sending webhooks
hope this saves someone else some time