I am using PHP's imap_open function to connect to an IMAP email server. This has been working fine for several years, but the email server was recently changed and I have started getting the following error:
"Cannot connect to mail server: Certificate failure for
subdomain.mail.domain.com: Unable to locate common name in
certificate"
The email server's tech support responded:
"The common name for our cert is "*.mail.domain.com". As it is a wildcard certificate, there is no explicit hostname for it. It appears that your scripts are expecting the certificate to return explicitly for "subdomain.mail.domain.com" when our wildcard certificate will not. This is why the error above occurs."
If I disable SSL certificate checking using the /novalidate-cert flag in the imap_open function I'm able to connect, but I'd obviously prefer to keep certificate validation enabled. Is there a way to do this with wildcard certificates and the imap_open function?
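An added example, not part of the original posts: the RFC 6125-style name comparison a TLS client performs, run over names quoted on this page. `certNameMatches` and `checkHost` are hypothetical helpers, the certificate arrays are constructed samples in the shape `openssl_x509_parse()` returns, and IP-address and internationalized names are not handled.

```php
<?php
// Added example, not code from the posts: RFC 6125-style host name check.
/** True when one certificate name (possibly a wildcard) covers $host. */
function certNameMatches(string $pattern, string $host): bool
{
    $pattern = strtolower(rtrim($pattern, '.'));
    $host    = strtolower(rtrim($host, '.'));
    if ($pattern === $host) {
        return true;
    }
    // A wildcard counts only as the entire left-most label.
    if (strncmp($pattern, '*.', 2) !== 0) {
        return false;
    }
    $suffix = substr($pattern, 1);          // ".mail.domain.com"
    if (substr_count($suffix, '.') < 2) {   // refuse over-broad "*.com"
        return false;
    }
    $labels = explode('.', $host);
    $first  = array_shift($labels);         // "*" stands for exactly one label
    return $first !== '' && '.' . implode('.', $labels) === $suffix;
}

/** $cert is an array shaped like the result of openssl_x509_parse(). */
function checkHost(array $cert, string $host): string
{
    $names = [];
    // DNS entries in subjectAltName take precedence; CN is only a fallback.
    foreach (explode(',', $cert['extensions']['subjectAltName'] ?? '') as $entry) {
        if (stripos(trim($entry), 'DNS:') === 0) {
            $names[] = substr(trim($entry), 4);
        }
    }
    if ($names === []) {
        $names = (array) ($cert['subject']['CN'] ?? []);
    }
    foreach ($names as $name) {
        if (certNameMatches($name, $host)) {
            return "ok: $host is covered by $name";
        }
    }
    return $names === [] ? 'fail: certificate carries no DNS name or CN'
                         : "fail: $host is not covered by " . implode(', ', $names);
}

// Constructed certificates using names quoted on this page.
$san = ['extensions' => ['subjectAltName' => 'DNS:*.mail.domain.com, DNS:mail.domain.com']];
echo checkHost(['subject' => ['CN' => '*.mail.domain.com']], 'subdomain.mail.domain.com'), PHP_EOL;
echo checkHost($san, 'a.b.mail.domain.com'), PHP_EOL;
echo checkHost(['subject' => ['CN' => 'firebaseio.com']], 'xxxxxx.firebaseio.com'), PHP_EOL;
echo checkHost(['subject' => ['O' => 'No Name Ltd']], 'subdomain.mail.domain.com'), PHP_EOL;
```

To inspect a real server, feed `checkHost` the output of `openssl_x509_parse()` on the certificate the server presents instead of the constructed arrays.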
Related
Symfony is throwing an error when I try to send email. Apparently there is an SSL certificate verification failure. The project is running on a Linux nginx server.
The .env file has the following configuration.
MAILER_URL=smtp://user:pass@mail.ourserver.de?encryption=ssl&auth_mode=login
Error log
app.ERROR: Could not send mail: Failed sending mail to following
recipients: {{ recipients }} with Error: Connection could not be
established with host "ssl://mail.ourserver.de :465":
stream_socket_client(): SSL operation failed with code 1. OpenSSL
Error messages: error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed
Error Code:0
Do I need to get an SSL certificate for the domain, in this case "mail.ourserver.de", and add the cert and key to the Linux OpenSSL configuration?
A hack to make it work! I found it in Stack Overflow answers, but I'm not sure if it's good practice. Does it make the SSL connection vulnerable to attack?
verify_peer=false parameter
MAILER_URL=smtp://user:pass@mail.ourserver.de?encryption=ssl&auth_mode=login&verify_peer=false
If I disable the verify_peer option, it does work, but is SSL verification still taking place when peer verification is set to false, or is it being completely disabled?
It's failing to verify your server's certificate. There's a guide for checking and updating certificates here. (It's for PHPMailer, but the parts regarding certificates are still relevant.)
If you did not add an SSL certificate yourself, but use SSL, you probably have an autogenerated, self-signed certificate in place.
Yes, you should assign a domain name to the server and get a valid, trusted SSL certificate for it. You can use the free Let's Encrypt service. The details depend on the mail server software.
I have problems when inserting data into Firebase from a domain with a certificate (SSL). From localhost and from an http:// domain it works correctly, but from an https:// one it does not work.
This comes out in the debug output (I'm using CakePHP v2):
Error: [SocketException] stream_socket_client(): Peer certificate
CN=firebaseio.com' did not match expected CN=xxxxxx.firebaseio.com'
stream_socket_client(): Failed to enable crypto
stream_socket_client(): unable to connect to ssl://uxxxxxxxx.com:443
(Unknown error)
When making requests to SSL services HttpSocket will attempt to validate the SSL certificate using peer validation. If the certificate fails peer validation or does not match the hostname being accessed the connection will fail, and an exception will be thrown. By default HttpSocket will use the Mozilla certificate authority file to verify SSL certificates. You can use the following options to configure how SSL certificates are handled:
ssl_verify_peer: Set to false to disable SSL verification. This is not recommended.
ssl_verify_host: Set to false if you wish to ignore hostname match errors when validating certificates.
ssl_allow_self_signed: Set to true to enable self-signed certificates to be accepted. This requires ssl_verify_peer to be enabled.
ssl_cafile: Set to the absolute path of the Certificate Authority file that you wish to use for verifying SSL certificates.
$socket = new HttpSocket(array(
'ssl_verify_host' => false
));
See CakePHP HttpSocket Handling SSL certificates
I was pulling my inboxes using the php-imap/php-imap library, with the inboxes managed by cPanel. All of a sudden the script stopped with the following error.
Connection error: Certificate failure for imap.domain.com:
Server name does not match certificate:
/OU=Domain Control Validated/OU=PositiveSSL/CN=<amazon.domain.com>
in /.../vendor/php-imap/php-imap/src/PhpImap/Mailbox.php
Here is the IMAP path I am using:
{imap.domain.com:143/imap/tls}INBOX
I also tried {imap.domain.com:143/novalidate-cert/imap/tls}INBOX but all in vain.
What change could have stopped it?
How can I fix it and avoid such a failure in the future?
IMAP port is 993..143 for POP..Try it..
{imap.domain.com:993/imap/ssl/novalidate-cert}INBOX
I'm trying to open the non-secure (port 143) IMAP connection (I am using PHP):
imap_open('{localhost:143/imap}INBOX', USERNAME, PASS);
and I get the following error: Certificate failure for localhost: self signed certificate ...
OK. I've tried using the /novalidate-cert mailbox param. Then I get another error: Can not authenticate to IMAP server.
I've also tried combining all possible non-secure connection params like /notls, /norsh and /secure. But I always get errors.
This is the Dovecot configuration I'm using:
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=LOGIN] Dovecot ready.
The certificate is really self-signed and generated with openssl.
The questions are:
Why does the certificate error occur when I am using a non-secure connection?
What is wrong with the mail server configuration?
Use this code
imap_open('{localhost:143/imap/novalidate-cert/debug}INBOX', USERNAME, PASS);
Instead of this
imap_open('{localhost:143/imap}INBOX', USERNAME, PASS);
STARTTLS of course uses the certificate to start the TLS channel, hence why you saw a self-signed cert error. Can not authenticate, however, implies your username and password are wrong. Try logging in using telnet to verify your user and password are correct.
I need to connect to a mail server which has an SSL certificate. I am able to connect to the server using the following code:
imap_open ("{localhost:993/imap/ssl/novalidate-cert}", "user_id", "password");
But this would ignore or skip validation of the certificate. How can I enable validation of the certificate?
Using the following code as per the php manual gives me an invalid certificate error.
imap_open ("{localhost:993/imap/ssl}", "user_id", "password");
What am I doing wrong?
Are you using a self-signed certificate? If you are, then the validation would fail. If you are not using a self-signed certificate, make sure it is configured properly for your host/domain.