Adding an smtp ca certs setting #1486
In order to get TLS peer verification working on my gandi.net SMTP settings, I need certificates from trusted Certificate Authorities to verify the server. This change aims at configuring Action Mailer to use a default CA certificates file. I use the provided docker-compose containers. The default certificate authority certificate seems to be dictated by Ruby's "OpenSSL::X509::DEFAULT_CERT_FILE":

```
root@masto:~# docker exec -ti mastodon_web_1 sh
/mastodon # ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE'
/etc/ssl/cert.pem
```

The main issue is that it doesn't exist:

```
mastodon@masto:~$ docker exec -it mastodon_web_1 sh
/mastodon # file /etc/ssl/cert.pem
/etc/ssl/cert.pem: cannot open `/etc/ssl/cert.pem' (No such file or directory)
```
This brings the ca cert choice up to the user in case /etc/ssl/certs/ca-certificates.crt is not suitable.
I've tested this and it works as expected. Thanks
@@ -102,6 +102,7 @@ | |||
:authentication => ENV['SMTP_AUTH_METHOD'] || :plain, | |||
:openssl_verify_mode => ENV['SMTP_OPENSSL_VERIFY_MODE'] || 'peer', | |||
:enable_starttls_auto => ENV['SMTP_ENABLE_STARTTLS_AUTO'] || true, | |||
:ca_file => ENV['SMTP_SSL_CERT_FILE'] || "/etc/ssl/certs/ca-certificates.crt", |
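Review bot: the fallback `"/etc/ssl/certs/ca-certificates.crt"` on the `:ca_file` line is the Debian/Ubuntu ca-certificates bundle path, not a location every base image provides; in the container shown in the description, Ruby's own default is `/etc/ssl/cert.pem` and that file is missing, so a second guessed path does not make the setting any more reliable. OpenSSL does not fail loudly when a configured verify location is unreadable, so a wrong default surfaces as the same "verify failed" symptom this PR is trying to fix. As the thread suggests, drop the `||` fallback, i.e. `:ca_file => ENV['SMTP_SSL_CERT_FILE'],`, so an unset variable leaves OpenSSL on its default store, and document `SMTP_SSL_CERT_FILE` next to the other `SMTP_*` variables in the .env facility.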
I'm not sure this latter value is a standard location we can rely on.
This might be a fix for some servers ... but I think a better improvement here would be to improve the documentation to show how ruby can be set up with correct CA certs, instead of having what is basically a work-around as the standard approach.
Agree. I would remove the `or` and, if not set, leave it empty.
There is more than one way to fix this issue.
We could add the env variable in the docker file and not provide a default value in the production.rb.
That way we only fix the one use case (docker containers) we have proper control over.
I can change the PR to reflect this if it is the consensus.
It works, thanks.
Happy to close as #1563 provides a solution to people not being able to send email.
The second commit makes the change configurable via the .env file facility.
I used the provided docker-compose containers and ran into problems sending emails out since 1.1.1.
I investigated and found the verification to be broken.
With this change, I was able to send emails again.
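The resolution the thread converges on (honour `SMTP_SSL_CERT_FILE` when set, otherwise leave `:ca_file` unset so OpenSSL uses its own default store) plus the `DEFAULT_CERT_FILE` check from the description, as an added example that is not Mastodon's code or the PR's diff. The helper names, the `env` parameter (a Hash so the logic can be exercised without touching `ENV`) and the boolean parsing of `SMTP_ENABLE_STARTTLS_AUTO` are assumptions of this example.

```ruby
require 'openssl'

# Resolve the CA bundle to hand to net/smtp, following the thread's consensus:
# honour SMTP_SSL_CERT_FILE when set, otherwise return nil so OpenSSL uses its
# compiled-in default store. `env` is any Hash-like (hypothetical helper).
def resolve_smtp_ca_file(env = ENV)
  path = env['SMTP_SSL_CERT_FILE']
  return nil if path.nil? || path.strip.empty?
  # OpenSSL only warns about an unreadable verify location; the real symptom
  # shows up later as "certificate verify failed". Fail loudly at boot instead.
  raise ArgumentError, "SMTP_SSL_CERT_FILE=#{path} is not a readable file" unless File.file?(path)
  path
end

# Where OpenSSL looks when no ca_file is configured, and whether those
# locations exist in this image (in the PR's container /etc/ssl/cert.pem did not).
def default_ca_store_status
  file = OpenSSL::X509::DEFAULT_CERT_FILE
  dir  = OpenSSL::X509::DEFAULT_CERT_DIR
  { file: file, file_present: File.file?(file),
    dir: dir, dir_present: File.directory?(dir) }
end

# Build the TLS-related part of Action Mailer's smtp_settings. Peer verification
# stays the default and :ca_file is only present when explicitly configured.
# enable_starttls_auto is parsed as a boolean instead of `ENV[...] || true`,
# which would treat the string "false" as truthy (assumption of this example).
def smtp_tls_settings(env = ENV)
  settings = {
    authentication:       (env['SMTP_AUTH_METHOD'] || 'plain').to_sym,
    openssl_verify_mode:  env['SMTP_OPENSSL_VERIFY_MODE'] || 'peer',
    enable_starttls_auto: env.fetch('SMTP_ENABLE_STARTTLS_AUTO', 'true') != 'false'
  }
  ca_file = resolve_smtp_ca_file(env)
  settings[:ca_file] = ca_file if ca_file
  settings
end

if $PROGRAM_NAME == __FILE__
  status = default_ca_store_status
  puts "default CA file: #{status[:file]} (present: #{status[:file_present]})"
  puts "default CA dir:  #{status[:dir]} (present: #{status[:dir_present]})"
  puts "smtp settings:   #{smtp_tls_settings.inspect}"
end
```

Run it inside the web container to see whether `OpenSSL::X509::DEFAULT_CERT_FILE` actually exists there, which is the check the description performed by hand.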