sleede / fab-manager

Fab-Manager is the FabLab management solution. It provides a comprehensive, web-based, open-source tool to simplify your administrative tasks and your marker's projects.
http://www.fab-manager.com

mail delivery fails when TLS verify is enabled #354

Closed trombik closed 2 years ago

trombik commented 2 years ago

Describe the bug

mail delivery fails when TLS verify is enabled because smtp_settings does not set ca_file.

https://github.com/sleede/fab-manager/blob/d014e4da931bd6f24e47f3de7635ad492458c60d/config/environments/production.rb#L72-L81

see also: https://github.com/mikel/mail/pull/1374

To Reproduce

Steps to reproduce the behavior:

  1. Configure a TLS-enabled MTA and set SMTP_OPENSSL_VERIFY_MODE to peer
  2. Register as a new user
  3. See error
```
2022-05-14T14:00:31.445Z pid=45540 tid=3nus class=ActionMailer::DeliveryJob jid=ef7daf611244d7357b03e371 elapsed=1.111 INFO: fail
2022-05-14T14:00:31.446Z pid=45540 tid=3nus WARN: {"context":"Job raised exception","job":{"retry":true,"queue":"mailers","class":"ActiveJob::QueueAdapters::SidekiqAdapter::JobWrapper","wrapped":"ActionMailer::DeliveryJob","args":[{"job_class":"ActionMailer::DeliveryJob","job_id":"12e06060-a62f-4bc4-b2d8-df4dc4cb347d","provider_job_id":null,"queue_name":"mailers","priority":null,"arguments":["OverwrittenDeviseMailer","confirmation_instructions","deliver_now",{"_aj_globalid":"gid://fablab/User/2"},"C6Rbbyzxrzsf1coxbwuj",{"_aj_symbol_keys":[]}],"executions":0,"locale":"en"}],"jid":"ef7daf611244d7357b03e371","created_at":1652535669.9782887,"enqueued_at":1652536830.334425,"error_message":"SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)","error_class":"OpenSSL::SSL::SSLError","failed_at":1652535670.0697207,"retry_count":5,"retried_at":1652536179.4414},"jobstr":"{\"retry\":true,\"queue\":\"mailers\",\"class\":\"ActiveJob::QueueAdapters::SidekiqAdapter::JobWrapper\",\"wrapped\":\"ActionMailer::DeliveryJob\",\"args\":[{\"job_class\":\"ActionMailer::DeliveryJob\",\"job_id\":\"12e06060-a62f-4bc4-b2d8-df4dc4cb347d\",\"provider_job_id\":null,\"queue_name\":\"mailers\",\"priority\":null,\"arguments\":[\"OverwrittenDeviseMailer\",\"confirmation_instructions\",\"deliver_now\",{\"_aj_globalid\":\"gid://fablab/User/2\"},\"C6Rbbyzxrzsf1coxbwuj\",{\"_aj_symbol_keys\":[]}],\"executions\":0,\"locale\":\"en\"}],\"jid\":\"ef7daf611244d7357b03e371\",\"created_at\":1652535669.9782887,\"enqueued_at\":1652536830.334425,\"error_message\":\"SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)\",\"error_class\":\"OpenSSL::SSL::SSLError\",\"failed_at\":1652535670.0697207,\"retry_count\":5,\"retried_at\":1652536179.4414}"}
2022-05-14T14:00:31.446Z pid=45540 tid=3nus WARN: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)
2022-05-14T14:00:31.446Z pid=45540 tid=3nus WARN: /usr/local/lib/ruby/2.7/net/protocol.rb:44:in `connect_nonblock'
/usr/local/lib/ruby/2.7/net/protocol.rb:44:in `ssl_socket_connect'
/usr/local/lib/ruby/2.7/net/smtp.rb:584:in `tlsconnect'
/usr/local/lib/ruby/2.7/net/smtp.rb:561:in `do_start'
/usr/local/lib/ruby/2.7/net/smtp.rb:518:in `start'
/usr/local/fab/fab_manager/vendor/bundle/ruby/2.7/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:109:in `start_smtp_session'
/usr/local/fab/fab_manager/vendor/bundle/ruby/2.7/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:100:in `deliver!'
/usr/local/fab/fab_manager/vendor/bundle/ruby/2.7/gems/mail-2.7.1/lib/mail/message.rb:2159:in `do_delivery'
/usr/local/fab/fab_manager/vendor/bundle/ruby/2.7/gems/mail-2.7.1/lib/mail/message.rb:260:in `block in deliver'
/usr/local/fab/fab_manager/vendor/bundle/ruby/2.7/gems/actionmailer-5.2.7.1/lib/action_mailer/base.rb:560:in `block in deliver_mail'
```

Expected behavior

Mail delivery succeeds.

Screenshots

N/A

Server (please complete the following information):

Browser (please complete the following information):

Additional context

The MTA is smtp.gmail.com.

trombik commented 2 years ago

In https://github.com/mikel/mail/issues/1076#issuecomment-275809040, one claims "This is far out of scope for the Ruby Mail library".

First, I cannot remember an application with TLS support whose developer insists that implementing a path to a CA file is "out of scope".

Second, to use a private CA, you need to do something far more complex than simply specifying a file.

sylvainbx commented 2 years ago

Hi @trombik, would you like to open a PR for that issue?

trombik commented 2 years ago

@sylvainbx created #359