
Email certificate error with Docker #1698

Closed
skuzzle opened this issue Sep 16, 2018 · 13 comments

@skuzzle (Contributor) commented Sep 16, 2018

I am running Firefly III version 4.7.6.2 on Ubuntu 18.04.1 LTS

Description
I'm in the middle of migrating my legacy Windows setup to a Linux server with Docker. So far everything works fine (the Docker setup and data import have been incredibly simple). There seems to be only one problem left: I can't get the mail notifications to work.


As far as I understand the docker container should install the required dependencies on its own, so I do not see what's the problem here. Or is this dependent on some configuration of the host system (I'm pretty new to docker)?

Debug info:

Debug information generated at 2018-09-16 09:28:36 UTC for Firefly III version 4.7.6.2.

| Variable | Content |
|---|---|
| FF version | 4.7.6.2 |
| FF API version | 0.7 |
| App environment | local |
| App debug mode | false |
| App cache driver | file |
| App logging | warning, stdout |
| PHP version | 7.1.21 |
| Display errors | Off |
| Session start | 2018-09-01 00:00:00 |
| Session end | 2018-09-30 23:59:59 |
| Session first | 2017-10-01 00:00:00 |
| Error reporting | ALL errors |
| Host | Linux |
| Interface | apache2handler |
| UserID | 1 |
| Attempt at "en" | false |
| Attempt at "English" | false |
| Attempt at "en_US.utf8" | 'en_US.utf8' |
| Attempt at "en_US.UTF-8" | 'en_US.UTF-8' |
| DB drivers | mysql, pgsql, sqlite |
| Current driver | mysql |
| Using Sandstorm? | no |
| Is Sandstorm (.env) | false |
| Is Docker (.env) | true |
| bunq uses sandbox | false |
| Trusted proxies (.env) | ** |
| User agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36 |
| Loaded extensions | Core, date, libxml, openssl, pcre, sqlite3, zlib, ctype, curl, dom, fileinfo, filter, ftp, hash, iconv, json, mbstring, SPL, PDO, bz2, posix, Reflection, session, SimpleXML, pdo_sqlite, standard, tokenizer, xml, xmlreader, xmlwriter, mysqlnd, apache2handler, bcmath, Phar, gd, intl, pdo_mysql, pdo_pgsql, tidy, zip |
| Installed packages | bacon/bacon-qr-code@1.0.3, bunq/sdk_php@dev-master, davejamesmiller/laravel-breadcrumbs@5.1.0, defuse/php-encryption@v2.2.1, doctrine/cache@v1.8.0, doctrine/dbal@v2.8.0, doctrine/event-manager@v1.0.0, doctrine/inflector@v1.3.0, doctrine/lexer@v1.0.1, dragonmantank/cron-expression@v2.2.0, egulias/email-validator@2.1.5, erusev/parsedown@1.7.1, fideloper/proxy@4.0.0, firebase/php-jwt@v5.0.0, guzzlehttp/guzzle@6.3.3, guzzlehttp/promises@v1.3.1, guzzlehttp/psr7@1.4.2, laravel/framework@v5.6.38, laravel/passport@v5.0.3, laravelcollective/html@v5.6.10, lcobucci/jwt@3.2.4, league/commonmark@0.17.5, league/csv@9.1.4, league/event@2.1.2, league/flysystem@1.0.46, league/fractal@0.17.0, league/oauth2-server@6.1.1, monolog/monolog@1.23.0, nesbot/carbon@1.25.0, paragonie/constant_time_encoding@v2.2.2, paragonie/random_compat@v2.0.17, phpseclib/phpseclib@2.0.11, pragmarx/google2fa@v3.0.3, pragmarx/google2fa-laravel@v0.2.0, psr/container@1.0.0, psr/http-message@1.0.1, psr/log@1.0.2, psr/simple-cache@1.0.1, ramsey/uuid@3.8.0, rcrowe/twigbridge@v0.9.6, swiftmailer/swiftmailer@v6.1.2, symfony/console@v4.1.4, symfony/css-selector@v4.1.4, symfony/debug@v4.1.4, symfony/event-dispatcher@v4.1.4, symfony/finder@v4.1.4, symfony/http-foundation@v4.1.4, symfony/http-kernel@v4.1.4, symfony/polyfill-ctype@v1.9.0, symfony/polyfill-mbstring@v1.9.0, symfony/polyfill-php56@v1.9.0, symfony/polyfill-php72@v1.9.0, symfony/polyfill-util@v1.9.0, symfony/process@v4.1.4, symfony/psr-http-message-bridge@v1.1.0, symfony/routing@v4.1.4, symfony/translation@v4.1.4, symfony/var-dumper@v4.1.4, tijsverkoyen/css-to-inline-styles@2.2.1, twig/twig@v1.35.4, vlucas/phpdotenv@v2.5.1, zendframework/zend-diactoros@1.8.5 |

@JC5 (Member) commented Sep 16, 2018

It should connect just fine. Are you using a public email service or something self-hosted?

@skuzzle (Contributor, Author) commented Sep 16, 2018

I'm currently using the mail server of my web host, using TLS on port 25. The identical configuration worked just fine on the Windows machine. An openssl test connection also works fine:

```
root@xxxx:~# docker exec firefly echo QUIT | openssl s_client -crlf -starttls smtp -connect alfa3020.alfahosting-server.de:25
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = Hosted by Alfahosting GmbH, OU = PositiveSSL Wildcard, CN = *.alfahosting-server.de
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Hosted by Alfahosting GmbH/OU=PositiveSSL Wildcard/CN=*.alfahosting-server.de
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
```
---
@JC5 (Member) commented Sep 17, 2018

mmmm. I'll do some digging. It depends on how the underlying library connects. I'll keep you posted.

@JC5 (Member) commented Sep 17, 2018

I see you're connecting on port 25, but traditionally, SMTP with SSL uses 465 or 587. Could you try those as well? Can't guarantee anything though.

I'm looking at the code and most stuff is pretty standard. What setting do you have for MAIL_ENCRYPTION in your .env file? Otherwise, I can't find much except a lot of idiots suggesting you should turn off certificate validation (which you should never do).

JC5 added the question label Sep 17, 2018

@skuzzle (Contributor, Author) commented Sep 17, 2018

I have now tried an alternative mail server, but I get the same result. These are my current settings:

```
docker inspect firefly
[...]
"MAIL_DRIVER=smtp",
"MAIL_HOST=smtp.strato.de",
"MAIL_PORT=587",
"MAIL_FROM=******",
"MAIL_USERNAME=******",
"MAIL_PASSWORD=******",
"MAIL_ENCRYPTION=tls"
```

I've also tried several permutations of the following: encryption = `<empty>`, `tls`, `ssl`; driver = `smtp`, `sendmail`; port = 25, 465, 587. But all configurations except the above one fail even earlier with a connection error or similar.

Where does Firefly store the logs when running from Docker? I tried to search the container using `docker exec -i -t firefly /bin/bash` and then cd'ing to `storage/logs`, but the folder is empty. Does this mean that Firefly has not produced any log message yet? I've set `APP_DEBUG=false` and `APP_LOG_LEVEL=warning`. I was hoping to find some more insight into the mail problem.

@JC5 (Member) commented Sep 17, 2018

Quick reply: Docker logs to stdout. Change the log channel to daily and the level to debug. It might not get you anywhere though, I'm afraid. It could be an issue with the image. I'll have to test it later this week.

@stale (bot) commented Oct 1, 2018

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale bot added the stale label Oct 1, 2018

@skuzzle (Contributor, Author) commented Oct 6, 2018

Here is some new information. Within the container, I executed the following command:

```
php -r 'print_r(openssl_get_cert_locations());' | grep '\[default_cert_file\]' | awk '{print $3}'
```

This yielded `/usr/local/ssl/cert.pem`, but the respective file does not exist. I then downloaded the CA file from http://curl.haxx.se/ca/cacert.pem to that location, and now everything seems fine.

I know that modifying the container is not a persistent solution. I suspect that there should be some configuration option so that either a proper CA file is delivered out of the box at the above path, or the `default_cert_file` path is changed to a location where such a file is found. I guess that either the openssl installation or the OS itself should bring such a CA file?

stale bot removed the stale label Oct 6, 2018
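The diagnosis above (the default CA path that PHP's OpenSSL reports does not exist in the image, so no chain can be verified) lends itself to a repeatable check. The script below is an added example and not Firefly III project code: it extracts the reported path from the `print_r(openssl_get_cert_locations())` output, falls back to the usual distro bundle locations, rejects bundles that contain no certificates at all, and probes the SMTP server with verification kept on, which is the alternative to switching `verify_peer` off. The candidate paths, the sample `print_r` output and the host `smtp.example.net` are assumptions made for the example.

```shell
#!/bin/sh
# Added example for this thread, not Firefly III project code.
# Goal: find a CA bundle that actually exists inside the container and test
# the SMTP server with TLS verification left ON.  Paths, host names and the
# sample PHP output below are assumptions / constructed for illustration.

# Output of `php -r 'print_r(openssl_get_cert_locations());'` as it looked in
# the thread (constructed sample, trimmed to the relevant keys).
SAMPLE_PRINTR='Array
(
    [default_cert_file] => /usr/local/ssl/cert.pem
    [default_cert_file_env] => SSL_CERT_FILE
    [default_cert_dir] => /usr/local/ssl/certs
    [default_cert_dir_env] => SSL_CERT_DIR
    [ini_cafile] =>
    [ini_capath] =>
)'

# reported_cert_file: read print_r output on stdin, print default_cert_file.
reported_cert_file() {
    awk '$1 == "[default_cert_file]" { print $3 }'
}

# count_certs FILE: number of PEM certificates in FILE (0 if missing/unreadable).
# grep -c prints 0 and exits 1 when nothing matches, hence the "|| :".
count_certs() {
    if [ -r "$1" ]; then
        grep -c '^-----BEGIN CERTIFICATE-----' "$1" || :
    else
        echo 0
    fi
}

# Where distro ca-certificates packages usually put the bundle (assumed list;
# override the variable to check other locations).
CA_CANDIDATES='/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/cert.pem'

# resolve_ca_bundle [REPORTED]: print the first readable bundle that holds at
# least one certificate, trying the path OpenSSL reported first, then
# CA_CANDIDATES.  Returns 1 when none qualifies: the image then has to ship a
# bundle (e.g. COPY cacert.pem in the Dockerfile) or point OpenSSL at one via
# the SSL_CERT_FILE environment variable or the openssl.cafile php.ini setting.
resolve_ca_bundle() {
    for f in ${1:+"$1"} $CA_CANDIDATES; do
        if [ "$(count_certs "$f")" -gt 0 ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    echo "no usable CA bundle found" >&2
    return 1
}

# smtp_starttls_probe HOST PORT BUNDLE: STARTTLS handshake with the chain and
# the host name checked.  -verify_return_error turns a bad chain into a
# non-zero exit instead of a "verify error" line that is easy to miss in the
# output (the plain s_client call in the thread still prints CONNECTED on a
# failed chain).  Needs network access, so it is only shown, not run, here.
smtp_starttls_probe() {
    echo QUIT | openssl s_client -crlf -starttls smtp -connect "$1:$2" \
        -servername "$1" -verify_hostname "$1" -CAfile "$3" \
        -verify_return_error >/dev/null 2>&1
}

# Typical use inside the container (commented out: real network):
#   reported=$(php -r 'print_r(openssl_get_cert_locations());' | reported_cert_file)
#   bundle=$(resolve_ca_bundle "$reported") || exit 1
#   smtp_starttls_probe smtp.example.net 587 "$bundle" && echo "chain verified"
```

Once `resolve_ca_bundle` has found a bundle, the persistent fix is to make that path the one OpenSSL looks at, either by copying the bundle to the reported `default_cert_file` location when the image is built or by exporting `SSL_CERT_FILE` (the variable named in the `default_cert_file_env` row) for the PHP process, so that no per-container patching and no `verify_peer => false` is needed.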

@JC5 (Member) commented Oct 6, 2018

It's not that difficult to provide an up to date file through the Dockerfile. I'll write it down.

@mukowman commented Oct 10, 2018

I can confirm the same issue using Docker with Gmail TLS on 587, and I can confirm that skuzzle's fix worked for me.

JC5 added a commit that referenced this issue Oct 10, 2018

@Drudoo commented Oct 17, 2018

I had the same error. Got it fixed by adding:

```php
'stream' => [
  'ssl' => [
    'allow_self_signed' => true,
    'verify_peer' => false,
    'verify_peer_name' => false,
  ],
],
```

to the end of `config/mail.php`.

@JC5 (Member) commented Oct 17, 2018

By adding those settings you turn off all security between your email provider and yourself. When dealing with financial information this does not seem to be a good idea. It would make me very nervous. I suggest you use the fix that skuzzle recommended.

@Drudoo commented Oct 17, 2018

I see, let me remove that ASAP and use skuzzle's idea!

JC5 added the fixed label Oct 28, 2018

JC5 closed this Oct 28, 2018
