mjmlio / mjml

MJML: the only framework that makes responsive-email easy
https://mjml.io
MIT License

Invalid Certificate #2879

Closed nam-truong-le closed 2 months ago

nam-truong-le commented 2 months ago

Describe the bug
We're getting the error "x509: certificate signed by unknown authority" while accessing api.mjml.io/v1/render

To Reproduce
Use the API to render HTML

Expected behavior
Return HTML

MJML environment (please complete the following information): MJML API

Email sending environment (for rendering issues): Golang backend

Affected email clients (for rendering issues):

Screenshots

Additional context

iRyusa commented 2 months ago

I don't think Mailjet provides any support for the API anymore.

➜ curl https://api.mjml.io --verbose
*   Trying 146.148.121.109:443...
* Connected to api.mjml.io (146.148.121.109) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=mjml.io
*  start date: May 11 17:31:25 2024 GMT
*  expire date: Aug  9 17:31:24 2024 GMT
*  subjectAltName: host "api.mjml.io" matched cert's "api.mjml.io"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://api.mjml.io/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: api.mjml.io]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: api.mjml.io
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/2 401
< content-length: 125
< content-type: application/json; charset=UTF-8
< x-mj-request-guid: 08255b2a-d7e8-4fce-83cf-8486dee9c624
< date: Fri, 28 Jun 2024 08:13:27 GMT
<
* Connection #0 to host api.mjml.io left intact
{"message":"Authentication required","request_id":"08255b2a-d7e8-4fce-83cf-8486dee9c624","started_at":"2024-06-28T08:13:27Z"}%

Looks to be OK with curl on my end, though, so it might be something on your end?

dogawaf commented 2 months ago

Hi

I reproduced the issue from an up-to-date Ubuntu 22.04:

$ curl --version
curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.17
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd

$ curl -vvv https://api.mjml.io/
*   Trying 146.148.121.109:443...
* Connected to api.mjml.io (146.148.121.109) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

dogawaf commented 2 months ago

The certificate chain is incomplete, see https://www.ssllabs.com/ssltest/analyze.html?d=api.mjml.io&hideResults=on So depending on the system making the request, it can fail if the missing certificate is not installed. The issue should be fixed by mjml devops, by including the missing certificate in the api.mjml.io SSL certificate.

iRyusa commented 2 months ago

Can you try with a more up-to-date curl?

➜  curl --version
curl 8.4.0 (x86_64-apple-darwin23.0) libcurl/8.4.0 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.12 nghttp2/1.58.0

dogawaf commented 2 months ago

Sadly it is not about curl, but about that missing intermediate certificate used by Let's Encrypt, which is not installed on a lot of systems/browsers.

See this example, run on the Docker ubuntu:latest version.

# curl --version
curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.7 libpsl/0.21.2 (+libidn2/2.3.7) libssh/0.10.6/openssl/zlib nghttp2/1.59.0 librtmp/2.3 OpenLDAP/2.6.7
Release-Date: 2023-12-06, security patched: 8.5.0-2ubuntu10.1
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
# curl -vvv https://api.mjml.io/
* Host api.mjml.io:443 was resolved.
* IPv6: (none)
* IPv4: 146.148.121.109
*   Trying 146.148.121.109:443...
* Connected to api.mjml.io (146.148.121.109) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

The api.mjml.io webserver must be configured to include the whole certificate chain in order to be compatible with the widest possible range of systems. Also, old TLS versions could be deactivated, and the cipher list curated (see SSL Labs recommendations).

iRyusa commented 2 months ago

I don't really know if Mailjet provides any support for this API anymore. It's using a really old version of MJML and I highly advise not relying on it.

You can try to reach them if you want any support on this, but they don't have any SLA, so it would be better to host your own on any PaaS.

I'm closing because I don't have any contact to see if they can sort it out for you.

dogawaf commented 2 months ago

Alright, it's pretty clear, thanks for your time. I will try to contact Mailjet again (they initially sent me here), and I will write back here if there is anything new.

dogawaf commented 1 month ago

FYI, Mailjet team fixed the certificate issue.