hakwerk / labca

A private Certificate Authority for internal (lab) use, based on the open source ACME Automated Certificate Management Environment implementation from Let's Encrypt (tm).
https://lab-ca.net

mail-tester does not trust LabCA Root CA #139

Open prueckls opened 2 months ago

prueckls commented 2 months ago

My private mail server uses a certificate from LabCA. However, when I configure the email notification in the admin interface and test the settings, I receive the following error:

gui-1 | 2024/09/07 16:31:44 errorHandler: err=2024-09-07T16:31:44.225567+00:00Z mail-tester[855]: 6 mail-tester mr-umAU Debug server listening on :8008
gui-1 | 2024-09-07T16:31:44.225634+00:00Z mail-tester[855]: 6 mail-tester qOzN7w0 Versions: mail-tester=(Unspecified Unspecified) Golang=(go1.22.5) BuildHost=(Unspecified)
gui-1 | 2024-09-07T16:31:44.270759+00:00Z mail-tester[855]: 3 mail-tester x4jQqQQ [AUDIT] mail-tester failed to connect: tls: failed to verify certificate: x509: certificate signed by unknown authority

Is it possible to make the mail-tester trust my own CA?

hakwerk commented 2 months ago

I agree with you that this should be possible, however I had a quick look and it is not as trivial as I hoped to fix this.

Currently mail-tester uses the host's root CA set, so only the official public root CAs are trusted. I need to find some time to investigate further and come up with a solution that works in all scenarios.

In the meantime you could try adding the LabCA root CA certificate to the host's trust store, using something like this:

sudo cp /home/labca/boulder_labca/test-root.pem /usr/local/share/ca-certificates/labca_root.crt
sudo update-ca-certificates

prueckls commented 2 months ago

I've added the LabCA root CA to the host trust store as per your instructions and reinstalled LabCA. Unfortunately, I am still encountering the same error message. For context, I am running Debian 12 and Docker 27 on the host system.

Would it be possible to add an option in the email settings to bypass or ignore server certificate validation?

hakwerk commented 1 month ago

In the latest release (v24.09) it is now possible to either use the LabCA root certificate, or skip TLS server certificate validation completely for the email server.
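
The two options hakwerk describes map onto one field of a Go TLS client configuration: the host's root set is what crypto/tls uses when tls.Config.RootCAs is nil, "use the LabCA root" means populating RootCAs with that certificate, and "skip validation" means InsecureSkipVerify, which stops authenticating the mail server altogether. The following is an added Go example, not LabCA's or mail-tester's code; the root CA, the server certificate and the hostname mail.example.internal are constructed in memory and stand in for test-root.pem and a real mail server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl (carrying pub) with signer; parent == tmpl produces a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// NewLabChain constructs in memory a private root (standing in for LabCA's test-root.pem) and the mail server certificate it issued for host.
func NewLabChain(host string) (root, leaf *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Example Lab Root CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	leaf = issue(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host},
		Subject: pkix.Name{CommonName: host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}, root, &leafKey.PublicKey, rootKey)
	return root, leaf
}

// Verify is what crypto/tls does with tls.Config.RootCAs; a nil pool means the host's system store, hence "unknown authority" for a private CA.
func Verify(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// PrivateCAConfig is the fix: trust the private root explicitly rather than setting InsecureSkipVerify.
func PrivateCAConfig(root *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}
```

Handing PrivateCAConfig to tls.Dial or smtp.Client.StartTLS keeps hostname checking and expiry checking intact, which InsecureSkipVerify would throw away along with the chain check.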

prueckls commented 1 month ago

Thank you for this update. I've updated my installation but now I'm receiving this error:

gui-1 | 2024/09/29 19:39:05 ERROR: Message from server: '2024-09-29T19:39:03.540899+00:00Z mail-tester[1220]: 6 mail-tester mr-umAU Debug server listening on :8008
gui-1 | 2024-09-29T19:39:03.540923+00:00Z mail-tester[1220]: 6 mail-tester qOzN7w0 Versions: mail-tester=(Unspecified Unspecified) Golang=(go1.22.5) BuildHost=(Unspecified)
gui-1 | 2024-09-29T19:39:05.203641+00:00Z mail-tester[1220]: 3 mail-tester 85iN1wo [AUDIT] mail-tester failed to connect: 535 5.7.8 Error: authentication failed: (reason unavailable)
gui-1 | ERROR! On line 172 in commander script

I am pretty sure that the credentials are correct; my mail server logs: SASL PLAIN authentication failed: (reason unavailable)

Encryption needs to be STARTTLS for my server, what is the default used by Mail-Tester?

prueckls commented 1 month ago

Problem identified: My email account password contains the characters '&' and ',', which caused some scrambled content in the file '/home/labca/boulder_labca/secrets/smtp_password'. After manually editing the password into the file, everything is now working correctly. This is certainly a bug.