WeblateOrg / docker-compose

Docker compose for Weblate
https://docs.weblate.org/en/latest/admin/deployments.html#docker
GNU General Public License v3.0

Configuration in /etc/ssl/openssl.cnf ignored, can't send mail #131

Closed plambe closed 2 years ago

plambe commented 2 years ago

Describe the issue

Hi, I'm updating a weblate installation (from version 2.12). I've successfully reached version 4.10.1-1 by using the docker containers, however I can't get sending mails to work. The issue is that now weblate can't send mail, here's the relevant error message out of the docker container:

check stderr | ?: (weblate.E003) Cannot send e-mail ([SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:997)), please check EMAIL_* settings.

Here's the relevant part of the docker-compose.override.yml file:

      WEBLATE_EMAIL_PORT: 587
      WEBLATE_EMAIL_USE_TLS: 1
      WEBLATE_EMAIL_HOST_USER: 'translate@someotherdomain.tld'
      WEBLATE_EMAIL_HOST_PASSWORD: "yes_a_password_is_here"

Openssl (executed inside the container) also complains:

$ openssl s_client -connect mail.somewhere.tld:587 -starttls smtp | grep 'dh key'
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.somewhere.tld
verify return:1
140229475751232:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2156:
$

Our mail server seems to have a short DH key, which should have been worked around by changing a value in /etc/ssl/openssl.cnf:

docker exec --user root -it weblate-docker_weblate_1 bash -c "sed -i 's#^CipherString = DEFAULT@SECLEVEL=2#CipherString = DEFAULT@SECLEVEL=1#' /etc/ssl/openssl.cnf"

The above successfully changes the value and once done, openssl (executed inside the container) no longer complains:

$ openssl s_client -connect mail.somewhere.tld:587 -starttls smtp | grep 'dh key'
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.somewhere.tld
verify return:1
250 SIZE 0
^C
$

which to me means that the docker container is now OK with the short DH key, however weblate for some reason does not respect the new content of openssl.cnf, even after I restart its docker container. I tried restarting the whole VM that hosts this with no luck.

Could you please assist me with that, or give me some hints as to what I might have done wrong, etc?

In case you need more info, I'll provide that as soon as I can.

Regards, Plamen

I already tried

Steps to reproduce the behavior

  1. Get weblate 4.10 as a docker container
  2. Have an old mail server with a short DH key
  3. Try sending a letter or just wait for weblate's automatic check to see it's unable to send letters
  4. Change the openssl.cnf file
  5. Try step 3 again, no luck

Expected behavior

Once /etc/ssl/openssl.cnf is updated, I expect the weblate docker container to respect this file's contents.

Screenshots

No response

Exception traceback

No response

Additional context

No response

nijel commented 2 years ago

You have to overwrite the file before Weblate starts. Once Python is running I don't think it will read the configuration again.

github-actions[bot] commented 2 years ago

This issue looks more like a support question than an issue. We strive to answer these reasonably fast, but purchasing the support subscription is not only more responsible and faster for your business but also makes Weblate stronger.

In case your question is already answered, making a donation is the right way to say thank you!

plambe commented 2 years ago

Hi Nijel,

As I mentioned, after the openssl.cnf file is updated, I've tried both restarting the docker container, which will restart python/django/weblate, as well as restarting the VM that hosts this and the rest of the weblate docker containers (db, cache, https, etc). Until it's composed again, openssl.cnf stays patched.

That's why I thought that's an issue with the docker-compose repo, instead of a support question.

nijel commented 2 years ago

If you edit the file and restart the container, the edits are IMHO gone.

plambe commented 2 years ago

Well, you are correct and I didn't check it earlier...

Thanks a lot, it's appreciated.

I'll get a patch through by using a Dockerfile and building instead of using the images from dockerhub.

github-actions[bot] commented 2 years ago

The issue you have reported is now resolved. If you don’t feel it’s right, please follow its labels to get a clue for further steps.

nijel commented 2 years ago

You can also override the file using a Docker volume.
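Nijel's volume suggestion spelled out as an added example (not from the issue or the Weblate project): it assumes the compose service is named weblate, the image is weblate/weblate, and the patched openssl.cnf sits next to the compose file.

```yaml
# docker-compose.override.yml (added example, not from the issue)
#
# First create the patched copy on the host from the image's own file, so the
# only difference from the shipped config is the SECLEVEL line:
#   docker run --rm --entrypoint cat weblate/weblate /etc/ssl/openssl.cnf \
#     | sed 's#^CipherString = DEFAULT@SECLEVEL=2#CipherString = DEFAULT@SECLEVEL=1#' \
#     > openssl.cnf
# Then mount it over the container's copy. A bind mount is in place before the
# entrypoint runs, so Python/OpenSSL read the patched file at startup and the
# change survives container restarts and image updates, unlike a sed inside
# the running container.
version: '3'
services:
  weblate:
    environment:
      WEBLATE_EMAIL_PORT: 587
      WEBLATE_EMAIL_USE_TLS: 1
      WEBLATE_EMAIL_HOST_USER: 'translate@someotherdomain.tld'
      WEBLATE_EMAIL_HOST_PASSWORD: "yes_a_password_is_here"
    volumes:
      # read-only single-file bind mount over the system OpenSSL config
      - ./openssl.cnf:/etc/ssl/openssl.cnf:ro
```

SECLEVEL=1 lowers the minimum accepted key strength for every TLS connection the container makes, not only SMTP, so treat it as a stopgap until the mail server's DH parameters are regenerated at 2048 bits or larger; re-run the openssl s_client check from the issue after `docker-compose up -d` to confirm the mount took effect.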