Server: Allow SelfSigned/Untrusted certificates for outgoing mail servers

Created on 25 Oct 2016 · 14 Comments · Source: nextcloud/server

Steps to reproduce

  1. Clean Install Nextcloud
  2. GoTo Admin page, Additional settings, Email Server
  3. Configure Mail Server, With SSL, Port 465, Test settings

Expected behaviour

Would expect that the server accepts Self Signed certificates, or display a warning about its certificate.

Actual behaviour

Nextcloud test error comes back with:
A problem occurred while sending the email. Please revise your settings. (Error: Connection could not be established with host mail.***.nl [ #0])

Server configuration

Operating system: Raspbian Jesse
Web server: Apache 2.4.10
Database: Mysql 5.5.52
PHP version: 5.6.26
Nextcloud version: 10.0.1
Updated from an older Nextcloud/ownCloud or fresh install: Fresh
Where did you install Nextcloud from: Zip File

Signing status:

No errors have been found.

List of activated apps:

Enabled:
  - activity: 2.3.2
  - comments: 1.0.0
  - dav: 1.0.1
  - federatedfilesharing: 1.0.1
  - federation: 1.0.1
  - files: 1.5.2
  - files_pdfviewer: 0.8.1
  - files_sharing: 1.0.0
  - files_texteditor: 2.1
  - files_trashbin: 1.0.0
  - files_versions: 1.3.0
  - files_videoplayer: 0.9.8
  - firstrunwizard: 1.1
  - gallery: 15.0.0
  - notifications: 0.3.0
  - password_policy: 1.0.0
  - provisioning_api: 1.0.0
  - serverinfo: 1.1.1
  - survey_client: 0.1.5
  - systemtags: 1.0.2
  - theming: 1.0.1
  - updatenotification: 1.0.1
  - workflowengine: 1.0.1
Disabled:
  - admin_audit
  - encryption
  - external
  - files_accesscontrol
  - files_automatedtagging
  - files_external
  - files_retention
  - templateeditor
  - user_external
  - user_ldap
  - user_saml

The content of config/config.php:

{
    "system": {
        "instanceid": "oc5b9w8gt082",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***.nl"
        ],
        "datadirectory": "\/var\/www\/nextcloud\/data",
        "overwrite.cli.url": "https:\/\/**.nl",
        "dbtype": "mysql",
        "version": "9.1.1.5",
        "dbname": "nextcloud",
        "dbhost": "localhost",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "mail_smtpmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_from_address": "**",
        "mail_domain": "***.nl",
        "mail_smtphost": "mail.**.nl",
        "mail_smtpport": "465",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "ssl"
    }
}

Basically the 'bug' is that the error message only shows error #0.
This message should maybe include something more than #0, like "certificate is invalid".

The feature request is to include a selection box (with big warnings) that allows the use of self signed (or untrusted) certificates.

Labels: 0. Needs triage, enhancement

All 14 comments

I guess the solution would be the same as https://github.com/nextcloud/server/issues/1413

Why not get a valid certificate? These days, with LetsEncrypt and other free certificate providers, there are no reasons to not have a valid certificate.

I also needed to be able to use an SMTP server that uses a self-signed cert (which I don't control), so I made the attached changes to allow me to configure support for self-signed certs.

ssl-patch.txt

I own a Zimbra Community server which comes with self signed certificates. Unfortunately, it is not easy to use letsencrypt certificates in that case so having an option to either pin TLS certificates or to disable certificate verification is still mandatory.

Why not get a valid certificate? These days, with LetsEncrypt and other free certificate providers, there are no reasons to not have a valid certificate.

Not everyone has the possibility to get a free cert.
There are setups behind other ports than 443 / 80 and in that case, in combination with dyndns, it becomes very difficult.

I also needed to be able to use an SMTP server that uses a self-signed cert (which I don't control), so I made the attached changes to allow me to configure support for self-signed certs.

ssl-patch.txt

Sadly, even after fixing the patch with the newest source code, it doesn't work anymore...
:/

I'm influenced by this as well

have this problem too :[[

This issue has been automatically marked as stale because it has not had recent activity and it seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

https://unix.stackexchange.com/a/132163 here is another workaround. If you add the self-signed certificate to your certificate manager connections are accepted.

in nextcloud/head, I'm setting up Email server (https://nextcloud.pgnd.lan/settings/admin)

my config includes

    config/local.config.php
      'mail_smtpmode'     => 'smtp',
      'mail_smtpsecure'   => 'tls',
      'mail_sendmailmode' => 'smtp',
      'mail_smtpauthtype' => 'PLAIN',
      'mail_from_address' => 'nextcloud',
      'mail_domain'       => 'example.com',
      'mail_smtphost'     => 'mail.example.com',
      'mail_smtpport'     => '587',
      'mail_smtpauth'     => 1,

I submit mail to a local mail server instance on the LAN, locked down with an internal self-signed SSL cert.

When I click "Test email settings : Send Email", it FAILs with:

    A problem occurred while sending the email. Please revise your settings. (Error: Connection could not be established with host mail.example.com [ #0])

This apparently is a known problem, from Sep '18:

https://help.nextcloud.com/t/additional-settings-email-configuration-solved/22070/8

As suggested there, editing

3rdparty/swiftmailer/swiftmailer/lib/classes/Swift/Transport/StreamBuffer.php

267 -   $this->stream = @stream_socket_client($host.':'.$this->params['port'], $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $streamContext);
    +   $this->stream = @stream_socket_client($host.':'.$this->params['port'], $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, stream_context_create(array('ssl'=>['verify_peer'=>false, 'verify_peer_name'=>false, 'allow_self_signed'=>true])));

fixes THAT problem -- email is sent/received:

  Well done, testuser!

  If you received this email, the email configuration seems to be correct.

  Nextcloud - a safe home for all your data
  This is an automatically sent email, please do not reply.

IMO, this is not an 'enhancement' as much as a 'bug'. Inability to submit to completely legit SMTP email servers, with perfectly valid internal-CA/enterprise certs, is brokenness, not a missing feature.

And no, "just use LetsEncrypt" is not a solution.

IMO, this is not an 'enhancement' as much as a 'bug'. Inability to submit to completely legit SMTP email servers, with perfectly valid internal-CA/enterprise certs, is brokenness, not a missing feature.

No. Nextcloud (php actually) checks your system certificate storage. System trusts the certificate => No patch required. ~Sure we could introduce some "skip certificate verification" flag but a proper setup is the better solution.~

My CA crt is available on the server.

It's just not insecurely in the SYSTEM-WIDE root store. For intra-LAN-based comms, I do not use the system instance of openssl; rather I use one at '/some/other/bin/path/openssl', with relevant certs @ /some/other/secure/credential/path/*.pem, specified on a per-app basis.

I add the certs if & as necessary ONLY for authorized apps.

For client apps such as browsers, e.g. Firefox, the app has a certificate store to which one can add CA & client certs. It's deployed using Firefox's enterprise policy options.

For server apps such as Nginx, Postfix, etc., CA & client certs for intra-LAN server comms are, again, specific for each server app in their respective configurations. Backend, intra-LAN comms use own-CA, self-signed certs with each app getting a config for the trusted_cert & ssl_cert locations; public-facing frontends use public-CA (e.g. LetsEncrypt)-signed certs, with app certs specified in per-app dirs.

How can NC be configured similarly, using different certs/stores for different tasks?

PHP's ssl context options

https://www.php.net/manual/en/context.ssl.php

include options for specifying 'cafile', 'local_cert', 'local_pk', etc.

wherein php checks the system certificate you _tell_ it to check.

also there's the NC option for

'openssl' => array(
    'config' => '/absolute/location/of/a/customized/openssl.cnf',
),

Sure we could introduce some "skip certificate verification" flag

'mail_smtpstreamoptions' => [
    'ssl' => [
        'allow_self_signed' => true,
        'verify_peer' => false,
        'verify_peer_name' => false
    ]
],

https://github.com/nextcloud/server/pull/12766 exposed the swift mailer streaming options. Add the above to your config.php: https://docs.nextcloud.com/server/16/admin_manual/configuration_server/email_configuration.html#troubleshooting
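The two config fragments above point in opposite directions: the 'mail_smtpstreamoptions' block with 'verify_peer' => false switches certificate checking off for every outgoing SMTP connection, while the PHP ssl context options ('cafile' etc.) let you keep verification on and simply tell PHP which CA to trust. The following is an added example, not Nextcloud's code and not code from any commenter in this thread: a small CLI probe that opens a TLS connection to the SMTP host using the same 'ssl' stream-context options Nextcloud passes through 'mail_smtpstreamoptions', so an admin can see whether PHP trusts the server certificate before touching config.php. The CA path '/etc/nextcloud/internal-ca.pem' and the EHLO name 'probe.local' are placeholders; mail.example.com is the host name already used in the thread.

```php
<?php
declare(strict_types=1);
// Added example (not Nextcloud code): check whether PHP, using the same
// 'ssl' stream-context options Nextcloud passes through
// 'mail_smtpstreamoptions', trusts the certificate an SMTP host presents.
// File paths and host names are placeholders / assumptions.

/**
 * Stream options exactly as they would appear under 'mail_smtpstreamoptions'
 * in config.php. Trust is pinned to an internal CA bundle (or the self-signed
 * leaf certificate itself); peer verification stays switched on.
 */
function smtpStreamOptions(string $caFile): array
{
    return [
        'ssl' => [
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'allow_self_signed' => false,
            'cafile'            => $caFile,   // assumed path to the internal CA PEM
            'capture_peer_cert' => true,      // lets us inspect the verified cert
        ],
    ];
}

/**
 * Connect like an SMTP client would: implicit TLS (port 465) by default, or
 * plain TCP followed by STARTTLS (port 587) when $startTls is true.
 * Returns [true, subjectCN] on success or [false, reason] on failure.
 */
function probeSmtpTls(string $host, int $port, array $options, bool $startTls = false, float $timeout = 10.0): array
{
    $ctx    = stream_context_create($options);
    $target = ($startTls ? 'tcp://' : 'ssl://') . $host . ':' . $port;

    $errno  = 0;
    $errstr = '';
    $fp = @stream_socket_client($target, $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        // A failed TLS handshake leaves $errno at 0; the actual reason is only
        // in the suppressed warning, which is why Swiftmailer reports "[ #0]".
        $last = error_get_last();
        return [false, sprintf('connect failed (errno %d): %s %s', $errno, $errstr, $last['message'] ?? '')];
    }
    stream_set_timeout($fp, (int) $timeout);

    if ($startTls) {
        // Minimal SMTP dialogue up to STARTTLS; multi-line replies use "250-".
        $expect = static function ($fp, string $code): void {
            do {
                $line = fgets($fp);
                if ($line === false) {
                    throw new RuntimeException('connection closed by server');
                }
            } while (isset($line[3]) && $line[3] === '-');
            if (strncmp($line, $code, 3) !== 0) {
                throw new RuntimeException('unexpected reply: ' . trim($line));
            }
        };
        try {
            $expect($fp, '220');
            fwrite($fp, "EHLO probe.local\r\n");   // assumed client name
            $expect($fp, '250');
            fwrite($fp, "STARTTLS\r\n");
            $expect($fp, '220');
        } catch (RuntimeException $e) {
            fclose($fp);
            return [false, $e->getMessage()];
        }
        // The ssl options from the context apply to this handshake as well.
        if (@stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) !== true) {
            $last = error_get_last();
            fclose($fp);
            return [false, 'STARTTLS handshake failed: ' . ($last['message'] ?? 'unknown reason')];
        }
    }

    // With capture_peer_cert set, the verified certificate is exposed here.
    $params  = stream_context_get_params($fp);
    $cert    = $params['options']['ssl']['peer_certificate'] ?? null;
    $parsed  = $cert ? openssl_x509_parse($cert) : false;
    $subject = is_array($parsed) ? ($parsed['subject']['CN'] ?? '?') : '?';
    fwrite($fp, "QUIT\r\n");
    fclose($fp);
    return [true, $subject];
}

// Usage (placeholder CA path): implicit TLS on 465 as in the original report.
[$ok, $info] = probeSmtpTls('mail.example.com', 465, smtpStreamOptions('/etc/nextcloud/internal-ca.pem'));
echo $ok ? "trusted, certificate CN=$info\n" : "NOT trusted: $info\n";
```

Run it with the same PHP binary the web server uses. If it reports "NOT trusted" with errno 0, that is the same symptom the thread reports as "[ #0]", and the suppressed warning text tells you whether the failure is an unknown CA, a name mismatch, or something else. Once the probe succeeds with 'cafile' set, the identical 'ssl' array can go under 'mail_smtpstreamoptions' in config.php, which gives the per-app trust store asked for above without disabling verification.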
