This question already has answers here:
Laravel certificate verification errors when sending TLS email
(2 answers)
Closed 1 year ago.
My config:
PHP version: 7.4.5
Laravel version: 7
Swiftmailer version: 6.2.3
Observed behaviour
Swift_TransportException
Connection could not be established with host ... :stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Expected behavior
Working -> I think there was a breaking change in the underlying libs and the encryption methods used, because I have systems where it is working with exactly the same swiftmailer version.
Example to reproduce
Install the latest Laravel 7.
Create proper configs and mails.
Try to send email with port 587 and tls enabled. Error:
stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Try to send email with port 465 and ssl enabled. Error:
Connection could not be established with host ... :stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Please note that:
Configs are 100% validated and I can send emails from many different systems, but not using this library -> swiftmailer -> used_by -> laravel.
I've tried different smtp mailing vendors and the results are identical.
What am I doing wrong here?
The solution was really trivial.
What was needed to solve this problem was to set MAIL_ENCRYPTION to tcp in .env, instead of tls or ssl on the corresponding ports.
For some strange reason, setting tls (no matter the version) or ssl, with the proper ports, didn't work.
Therefore, if you are experiencing these types of problems, please set MAIL_ENCRYPTION=tcp - this should solve your errors.
Happy coding...
Related
Symfony is throwing error when I try to send email. Apparently there is ssl certificate verification failure. The project is running on linux nginx server.
The .env file has following configuration.
MAILER_URL=smtp://user:pass@mail.ourserver.de?encryption=ssl&auth_mode=login
Error log
app.ERROR: Could not send mail: Failed sending mail to following
recipients: {{ recipients }} with Error: Connection could not be
established with host "ssl://mail.ourserver.de :465":
stream_socket_client(): SSL operation failed with code 1. OpenSSL
Error messages: error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed
Error Code:0
Do I need to get ssl certificate for the domain in this case "mail.ourserver.de" and add cert and key in linux openssl configuration?
A hack to make it work! I found it in Stack Overflow answers, but I am not sure whether it's good practice, and does it make the SSL connection vulnerable to attack?
verify_peer=false parameter
MAILER_URL=smtp://user:pass@mail.ourserver.de?encryption=ssl&auth_mode=login&verify_peer=false
If I disable the verify_peer option, it does work, but is SSL verification taking place when peer verification is set to false, or is it being completely disabled?
It's failing to verify your server's certificate. There's a guide for checking and updating certificates here. (it's for PHPMailer but the parts regarding certificates are still relevant)
If you did not add a SSL certificate yourself, but use SSL, you probably have an autogenerated, self signed certificate in place.
Yes, you should assign a domain name to the server and get some valid, trusted SSL certificate for it. You can use the free LetsEncrypt service. The details depend on the mail server software.
We have installed our own postfix/virtualmin server and we have a Laravel application. The problem is that when we use external SMTP servers, using the tls option is not a problem and the emails are sent OK, but with our new SMTP server, using tls gives this error:
stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
It has to be something regarding missing certificates in our postfix/virtualmin server, but I do not know where to start. We already have Let's Encrypt certificates for it, but I believe we may need to convert them to CA or something like that? I'm not sure, that's why I need your help.
Thank you,
Download the latest cacert.pem file from cURL website.
wget https://curl.haxx.se/ca/cacert.pem
Edit php.ini (you can do php --ini to find it), update (or create if they don't exist already) those two lines:
curl.cainfo="/path/to/downloaded/cacert.pem"
...
openssl.cafile="/path/to/downloaded/cacert.pem"
Those lines should already exist but commented out, so uncomment them and edit both values with the path to the downloaded cacert.pem
Restart PHP and Nginx/Apache.
I figured out the problem.
My virtualmin/postfix setup was missing the CA certificate, and since I used Let's Encrypt for SSL, I had to put the path of the generated CA in the config.
Here: Webmin --> Servers --> PostFix Mail Server --> SMTP authentication and encryption.
I am using PHPMailer on PHP 5.6, the increased security around certificates in PHP 5.6 is certainly fun.
I am trying to send a test message to a domain hosted on dreamhost, the error that comes back from PHPMailer is: Could not connect to SMTP host.
That error is not right though, I have logging enabled and here is what is actually going on.
Connection: opening to mx1.sub4.homie.mail.dreamhost.com:25, timeout=30, options=array ( )
Connection: opened
S: 220 homiemail-mx32.g.dreamhost.com ESMTP
C: EHLO s81a.ikbb.com
S: 250-homiemail-mx32.g.dreamhost.com
250-PIPELINING
250-SIZE 40960000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 8BITMIME
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
C: QUIT
S: SMTP ERROR: QUIT command failed: Connection: closed
I could not understand why PHPMailer just gives up, issuing a QUIT command when it should start sending the message. I got another clue from another log:
PHP Warning: stream_socket_enable_crypto(): Peer certificate CN=`*.mail.dreamhost.com' did not match expected CN=`mx1.sub4.homie.mail.dreamhost.com' in /home/ikbb/domains/dev.ikbb.com/public_html/includes/phpmailer/5.2.10/class.smtp.php
If I use some custom options to prevent validation of the cert they are using I can get it to continue. Here is what I have:
$mail->SMTPOptions = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true
    )
);
If I put the SMTPOptions in there and skip the peer verification, message goes OK - with no warning in PHP at all.
How can I trap that error, so I know there is an issue but still send the message?
I had the same problem and I found the answer in the PHPMailer documentation.
PHP 5.6 certificate verification failure
In a change from earlier versions, PHP 5.6 verifies certificates on SSL connections. If the SSL config of the server you are connecting to is not correct, you will get an error like this:
Warning: stream_socket_enable_crypto(): SSL operation failed with code 1.
OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
The correct fix for this is to replace the invalid, misconfigured or self-signed certificate with a good one. Failing that, you can allow insecure connections via the SMTPOptions property introduced in PHPMailer 5.2.10 (it's possible to do this by subclassing the SMTP class in earlier versions), though this is not recommended:
$mail->SMTPOptions = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true
    )
);
You can also change these settings globally in your php.ini, but that's a really bad idea; PHP 5.6 made this change for very good reasons.
Sometimes this behaviour is not quite so apparent; sometimes encryption failures may appear as the client issuing a QUIT immediately after trying to do a STARTTLS. If you see that happen, you should check the state of your certificates or verification settings.
Solution for WHM/cPanel(s) : Disable SMTP Restriction by following below process:
a) Open WHM and search for SMTP restriction, make sure it's disabled. (You can go through Home » Security Center » SMTP Restrictions directly as well)
b) Or the same thing can be done via Tweak Settings (go directly to Home » Server Configuration » Tweak Settings, or you can click on the Tweak Settings link shown in the upper image)
For those of you using cPanel, I tried the SMTP check code from the examples folder in PHPMailer and I got this same error:
PHP Warning: stream_socket_enable_crypto(): Peer certificate CN=`*.mail.dreamhost.com' did not match expected CN=`mx1.sub4.homie.mail.dreamhost.com' in /home/ikbb/domains/dev.ikbb.com/public_html/includes/phpmailer/5.2.10/class.smtp.php
I realized that it was not an error related to PHPMailer, so I searched for similar errors related to CentOS and I found this link that shed some light: Issue sending mails through 3rd party. You have to take a look at "SMTP Restrictions" in cPanel.
For PHP 5.6 use the following. Adding "tls://" is the key.
$mail->Host = gethostbyname('tls://smtp.gmail.com');
See: http://php.net/manual/en/context.ssl.php
Disable SMTP Restriction in WHM
As somebody mentioned here, the issue is an invalid SSL certificate.
Your website might have a valid SSL certificate, but it might not apply to the mail.website.net or smtp.website.net subdomains. If your hosting provider has an interface for generating SSL certificates for your website, try to search if there isn't a possibility to select subdomains for which the certificate will generate.
I had a similar problem after I upgraded to PHP 5.6 on my WordPress machine. The WP Mail SMTP by WPForms (wp-mail-smtp) plugin was configured to use localhost as SMTP Host. I changed it to the FQHN (Fully Qualified Host Name) as it is defined in the SSL cert.
After this change it is working fine.
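The certificate conditions behind the errors on this page, as an added example that is not code from any of the posts or from PHPMailer: it reports a self-issued certificate, an expired one, and a name mismatch such as the wildcard in the Dreamhost log or localhost against a certificate issued for the FQDN. It assumes PHP 7.4+ with the openssl extension and a usable openssl.cnf; nameMatches() and certProblems() are hypothetical helpers, only whole-label "*" wildcards are handled, and the certificate is a throwaway generated for the demonstration.

```php
<?php
// Added example (not PHPMailer or Swiftmailer code): list reasons PHP's
// verify_peer / verify_peer_name checks would reject a server certificate.

/** DNS name match where "*" stands for exactly one left-most label. */
function nameMatches(string $pattern, string $host): bool
{
    $p = explode('.', strtolower($pattern));
    $h = explode('.', strtolower($host));
    if (count($p) !== count($h)) {
        return false;                   // a wildcard never spans several labels
    }
    if ($p[0] === '*') {                // wildcard label: compare the rest only
        array_shift($p);
        array_shift($h);
    }
    return $p === $h;
}

/** @return string[] problems found; empty when all three checks pass */
function certProblems(string $pem, string $host, int $now): array
{
    $c = openssl_x509_parse($pem);
    if ($c === false) {
        return ['not a parseable X.509 certificate'];
    }
    $problems = [];
    if ($c['subject'] == $c['issuer']) {
        $problems[] = 'self-issued: fails unless this exact certificate is in the CA file';
    }
    if ($now < $c['validFrom_time_t'] || $now > $c['validTo_time_t']) {
        $problems[] = 'outside its validity period';
    }
    // Names come from subjectAltName DNS entries, falling back to the CN.
    preg_match_all('/DNS:([^,\s]+)/', $c['extensions']['subjectAltName'] ?? '', $m);
    $names = $m[1] ?: [(string) ($c['subject']['CN'] ?? '')];
    if (!array_filter($names, fn ($n) => nameMatches($n, $host))) {
        $problems[] = 'name mismatch: [' . implode(', ', $names) . "] vs $host";
    }
    return $problems;
}

// Constructed sample: throwaway self-signed certificate carrying the wildcard
// CN from the log, checked against the MX host name from the same log.
$key = openssl_pkey_new(['private_key_bits' => 2048]);
$csr = openssl_csr_new(['commonName' => '*.mail.dreamhost.com'], $key);
openssl_x509_export(openssl_csr_sign($csr, null, $key, 30), $pem);
print_r(certProblems($pem, 'mx1.sub4.homie.mail.dreamhost.com', time()));
print_r(certProblems($pem, 'mx1.mail.dreamhost.com', time()));
```

To inspect a real server, save its certificate as PEM and pass the file contents together with the host name configured in the mailer.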
If you just migrated to a different server, most likely you can fix this by disabling SMTP restriction from WHM.
I'm getting this error with PHPMailer on a PHP 5.6 server.
Warning: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in class.smtp.php on line 344
The interesting thing is I'm trying to send email through the local SMTP server @ localhost, and I'm not using SSL or TLS - it's plain SMTP on port 25.
$mail->SMTPSecure=''
$mail->SMTPPort //not set
The server has a valid SSL Certificate installed for the website domain.
I've read the documentation on GitHub about PHP 5.6 certificate verification failure and it doesn't seem to address this scenario.
I've added this code, but still receive the error:
$mail->SMTPOptions = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true
    )
);
I guess the main question is, what SSL certificate, or lack thereof is it complaining about?
PHPMailer's github page mentions this type of error:
This is covered in the troubleshooting docs. PHP 5.6 verifies SSL certificates by default, and if your cert doesn't match, it will fail with this error. The correct solution is to fix your SSL config - it's not PHP's fault!
I see that you've gone through the trouble of making the PHPMailer settings insecure as is not recommended in the troubleshooting docs. Did you notice that requires PHPMailer 5.2.10?
The correct fix for this is to replace the invalid, misconfigured or self-signed certificate with a good one. Failing that, you can allow insecure connections via the SMTPOptions property introduced in PHPMailer 5.2.10 (it's possible to do this by subclassing the SMTP class in earlier versions), though this is not recommended
There are also suggestions for enabling debug output:
$mail->SMTPDebug = 4;
If you look at the debug output, you may glean more helpful info.
EDIT: this also is not about your website's cert, it's about the cert (if any) being hosted by your SMTP mail server endpoint.