Error sending email notification: starttls failed: x509: certificate signed by unknown authority #193

Closed
gregbkr opened this issue Dec 11, 2015 · 10 comments

@gregbkr

commented Dec 11, 2015

Hello,

How can I get past the TLS error when sending email notifications to a remote server?

I configured the var:
SMTP_AUTH_USERNAME
SMTP_AUTH_PASSWORD
and command: "-config.file=/alertmanager.conf -notification.smtp.smarthost=mail.xxx.com:587 -notification.smtp.sender=support-testing@xxx.com"

I have this error:

time="2015-12-11T16:06:48Z" level=error msg="Error sending email notification: starttls failed: x509: certificate signed by unknown authority" file=notifier.go line=758

I tried to use the prometheus config: tls_config :

Disable validation of the server certificate. [ insecure_skip_verify: ] http://prometheus.io/docs/operating/configuration/

File prometheus.yml:

scrape_configs:  

  # Container via Cadvisor
  - job_name: 'container'

    target_groups:
      - targets: ['192.168.33.10:8888'] # cadvisor
        labels:
          group: 'dev'

    tls_config:
      insecure_skip_verify: true

I am not really sure where to put the tls_config parameters; it fails everywhere except here...

Any help welcome ;-)
Thank you! Good evening!
Greg

@fabxc

Member

commented Dec 14, 2015

You are setting the TLS options for scraping the cAdvisor metrics endpoint. The error is related to validating certificates when sending email notifications, for which you cannot configure skipping verification.
You have to set up your system in a way that your certificates can be verified.

@gregbkr

Author

commented Dec 14, 2015

Thanks a lot Fabxc! So I can't use that option.
Do you guys target a remote email server and validate your certificate,
OR do you use a Postfix null client with no certificate to relay the email?
Thank you for your help!

@opskumu

commented Dec 15, 2015

@gregbkr maybe you can modify the source code manager/notifier.go:

@@ -572,7 +586,7 @@ func (n *notifier) sendEmailNotification(to string, op notificationOp, a *Alert)
                return fmt.Errorf("invalid address: %s", err)
        }

-       tlsConfig := &tls.Config{ServerName: host}
+       tlsConfig := &tls.Config{ServerName: host, InsecureSkipVerify: true}
        if err := c.StartTLS(tlsConfig); err != nil {
                return fmt.Errorf("starttls failed: %s", err)
        }
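Review bot: the `+` line `tlsConfig := &tls.Config{ServerName: host, InsecureSkipVerify: true}` disables certificate validation for every notification send, so the SMTP session to the smarthost can be intercepted by anyone on the network path, and because it is hard-coded rather than read from configuration it also silently weakens deployments whose certificates do verify. Prefer making the certificate verifiable instead: add the signing CA to the system trust store, or set `RootCAs` on the `tls.Config` to a pool containing that CA, which keeps the `ServerName: host` check intact; if skipping verification is really needed, gate it behind an explicit configuration option rather than building it into the binary.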

then, go build it.

@lyda

commented Dec 28, 2015

Note that bb47752 removed the option of not using STARTTLS - you now must use SSL even when not authenticating.

Which is... broken.

@stapelberg

Contributor

commented Apr 4, 2016

Now that PR #266 is merged, STARTTLS can be disabled. I think this issue can be closed.

@akinnunen

commented Apr 14, 2016

I bumped into this problem also when using self-signed certificates but managed to solve it eventually. I created a blog post about it @ http://blog.amigapallo.org/2016/04/14/alertmanager-docker-container-self-signed-smtp-server-certificate/

Hope someone finds it helpful!

@cdwertmann

commented May 18, 2016

Could somebody elaborate how to turn off the use of STARTTLS? In alertmanager.conf I tried

global:
  require_tls: false

and

global:
  smtp_require_tls: false

but it still fails with

time="2016-05-18T06:57:16Z" level=warning msg="Notify attempt 10 failed: starttls failed: x509: certificate is valid for XXX, not YYY" source="notify.go:193"

@stapelberg

Contributor

commented May 20, 2016

@cdwertmann You’re adding require_tls to the global configuration section, but it’s a per-email-config option, i.e. it needs to go alongside where you specify to/from/…

@cdwertmann

commented May 20, 2016

@stapelberg Thank you. Interesting choice since every other parameter related to the SMTP connection is in the global section. Why would some email recipients require TLS and others not when talking to the same server?

@stapelberg

Contributor

commented May 20, 2016

The SMTP settings are available in both the local and the global section. The global section is used as fallback, but the local section is more specific. This wasn’t clear to me when I implemented RequireTLS, so that’s why it’s only available in the local section.

One might argue that it’s good to encourage users to enable TLS, and not having a global setting to use has some nagging effect :). Then again, this is not my project, so I can’t comment on whether a PR which introduced RequireTLS in the global section would be accepted.
