Smarthost validation: curl must not verify certificates #6516

Closed
stephdl opened this issue Jun 2, 2021 · 4 comments
Labels
bug A defect of the software verified All test cases were verified successfully

stephdl commented Jun 2, 2021

Steps to reproduce

  • go to the settings page of cockpit
  • set a smarthost with the credentials of a NethServer with a self-signed certificate
  • the validation fails even if the credentials are good

Expected behavior

I expect that we can pass the validation of the smarthost because we have the good credentials.

Actual behavior

The validation fails because curl, when sending an email, tries to verify the certificate and fails to do so, hence the error. We must use the -k option to accept any certificate, even self-signed.

We can find the trace log in the console as evidence:

[root@project ~]# echo '{"action":"test-smarthost","SmartHostName":"groupware.jonas.local","SmartHostPort":"587","SmartHostUsername":"mtraeumner@jonas.local","SmartHostPassword":"MyPassword","SmartHostTlsStatus":true}' | /usr/bin/sudo /usr/libexec/nethserver/api/system-settings/execute | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* About to connect() to groupware.jonas.local port 587 (#0)
*   Trying 192.168.46.5...
* Connected to groupware.jonas.local (192.168.46.5) port 587 (#0)
< 220 groupware.jonas.local ESMTP Postfix
> EHLO project
< 250-groupware.jonas.local
< 250-PIPELINING
< 250-SIZE 20000000
< 250-VRFY
< 250-ETRN
< 250-STARTTLS
< 250-ENHANCEDSTATUSCODES
< 250-8BITMIME
< 250 DSN
> STARTTLS
< 220 2.0.0 Ready to start TLS
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: L=MyCity,C=DE,OU=Main,OID.2.5.29.17=jonas.local,E=it@My-MailProvider.de,ST=SomeState,O=My Business,CN=groupware.jonas.local
*       start date: Jul 13 06:40:27 2020 GMT
*       expire date: Jul 11 06:40:27 2030 GMT
*       common name: groupware.jonas.local
*       issuer: L=MyCity,C=DE,OU=Main,OID.2.5.29.17=jonas.local,E=it@MyMailProvider.de,ST=SomeState,O=Jonas GmbH,CN=groupware.jonas.local
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Components

nethserver-cockpit

See also

https://community.nethserver.org/t/sending-system-mails-over-an-other-server/18353/40


Thanks, m.traeumner
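
Added example, not part of the original issue or of the NethServer code: one way a validation script could report curl's certificate failure (exit 60, as in the log above) separately from a credential failure, with the trust choice (default CA bundle, `--cacert`, or `-k`) made explicit. The function name, the result words and the `SMARTHOST_USERPASS` and `CURL` variables are assumptions.

```shell
#!/bin/sh
# Added example, not NethServer code. Host, user and file names are constructed.
# Message options (--mail-from, --mail-rcpt, --upload-file) are left out.

# validate_smarthost HOST PORT MODE [CAFILE]
#   MODE: system   = verify against the default CA bundle
#         cafile   = verify against CAFILE (e.g. the smarthost's own CA)
#         insecure = -k, no verification at all
# Reads "user:password" from $SMARTHOST_USERPASS and passes it to curl on
# stdin (--config -) so it does not appear in the process list.
# Prints one result word; CURL can be overridden for testing.
validate_smarthost() {
    host=$1 port=$2 mode=$3 cafile=${4:-}
    set -- --silent --show-error --ssl-reqd --url "smtp://${host}:${port}"
    case "$mode" in
        system)   ;;
        cafile)   [ -n "$cafile" ] || { echo usage-error; return 2; }
                  set -- "$@" --cacert "$cafile" ;;
        insecure) set -- "$@" --insecure ;;
        *)        echo usage-error; return 2 ;;
    esac

    rc=0
    printf 'user = "%s"\n' "${SMARTHOST_USERPASS:-}" |
        "${CURL:-curl}" --config - "$@" || rc=$?

    # Keep certificate problems apart from credential problems.
    case "$rc" in
        0)      echo ok ;;
        60)     echo certificate-untrusted ;;  # "curl: (60)" as in the log above
        67)     echo login-denied ;;           # server rejected the credentials
        6|7|28) echo unreachable ;;            # DNS failure, refused, timeout
        *)      echo "curl-error-$rc" ;;
    esac
    [ "$rc" -eq 0 ]
}
```
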

@stephdl stephdl added the bug A defect of the software label Jun 2, 2021
stephdl added a commit to NethServer/nethserver-cockpit that referenced this issue Jun 3, 2021
We do not need to verify the certificate for smarthost NethServer/dev#6516

stephdl commented Jun 3, 2021

QA

install nethserver-cockpit* from testing
go to the settings page to set a smarthost
with the credentials of a smarthost you must pass the validation (the certificate can be LE or self-signed)


nethbot commented Jun 3, 2021

in 7.9.2009/testing:

@stephdl stephdl added the testing Packages are available from testing repositories label Jun 3, 2021
@gsanchietti

Verified by Michael Träumner

@gsanchietti gsanchietti added verified All test cases were verified successfully and removed testing Packages are available from testing repositories labels Jun 7, 2021

nethbot commented Jun 7, 2021

in 7.9.2009/updates:
