Adding an smtp ca certs setting #1486
Conversation
In order to get TLS peer verification working on my gandi.net SMTP settings, I need certificate from trusted Certificate Authorities to verify the server. This change aim at configuring action mailer to use a default ca certificates file. I use the provided docker-compose containers. The default certificate authority certificate seems to dictated by ruby "OpenSSL::X509::DEFAULT_CERT_FILE" ``` root@masto:~# docker exec -ti mastodon_web_1 sh /mastodon # ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE' /etc/ssl/cert.pem ``` The main issue is that it doesn't exists: ``` mastodon@masto:~$ docker exec -it mastodon_web_1 sh /mastodon # file /etc/ssl/cert.pem /etc/ssl/cert.pem: cannot open `/etc/ssl/cert.pem' (No such file or directory) ```
This brings the ca cert choice up to the user in case /etc/ssl/certs/ca-certificates.crt is not suitable.
| @@ -102,6 +102,7 @@ | |||
| :authentication => ENV['SMTP_AUTH_METHOD'] || :plain, | |||
| :openssl_verify_mode => ENV['SMTP_OPENSSL_VERIFY_MODE'] || 'peer', | |||
| :enable_starttls_auto => ENV['SMTP_ENABLE_STARTTLS_AUTO'] || true, | |||
| :ca_file => ENV['SMTP_SSL_CERT_FILE'] || "/etc/ssl/certs/ca-certificates.crt", | |||
There was a problem hiding this comment.
I'm not sure this latter value is a standard location we can rely on.
This might be a fix for some servers ... but I think a better improvement here would be to improve the documentation to show how ruby can be set up with correct CA certs, instead of having what is basically a work-around as the standard approach.
There was a problem hiding this comment.
Agree. I would remove the or and, if not set, leave it empty.
There was a problem hiding this comment.
There are more than one way to fix this issue.
We could add the env variable in the docker file and not provide a default value in the production.rb
That way we only fix the one use case (docker containers) we have proper control over.
I can change the PR to reflect this is it is the consensus.
|
It works, thanks. |
|
Happy to close as #1563 provides a solution to people not being able to send email. |
In order to get TLS peer verification working on my gandi.net SMTP settings, I need certificate from trusted Certificate Authorities to verify the server.
This change aim at configuring action mailer to use a default ca certificates file.
The second commit makes the change configurable via the .env file facility
I used the provided docker-compose containers and run into problem since 1.1.1 to send emails out.
I investigated and found the verification to be broken.
The default certificate authority certificate seems to dictated by ruby "OpenSSL::X509::DEFAULT_CERT_FILE"
The main issue is that it doesn't exists:
With this change, I was able to send emails again.