Server: SMTP: Lets Encrypt certificate cannot be verified

Created on 14 Mar 2019  路  13Comments  路  Source: bitwarden/server

Hello,
my mail server uses Let's Encrypt certificates. Bitwarden can not connect to this server because the certificate can not be validated, but the certificates are valid.
As a mail server, I use Mailu 1.5, the certificates are generated based on the "TLS_FLAVOR" setting "letsencrypt".

Docker version: 18.09.3
docker-compose version: 1.23.2
Bitwarden version: 1.30.0

Config:

[email protected]
globalSettings__mail__smtp__host=mx1.MYDOMAIN.TLD
globalSettings__mail__smtp__port=465
globalSettings__mail__smtp__ssl=true
globalSettings__mail__smtp__username=MYUSERNAME
globalSettings__mail__smtp__password=MYPASSWORD

Log: https://pastebin.com/ysQAkBsw

Most helpful comment

.Net Core 3 has been released, 3.1.0 a few days ago.
May be worth a try.
Edit : just saw you are testing this on the master repo @kspearrin, good news, many thx 馃憤

I confirm server 1.33.0 fixes this issue 馃憤
We then do not need globalSettings__mail__smtp__trustServer=true anymore.
Thank you !

All 13 comments

Bitwarden version: 1.30.1
Docker version: 18.09.3, build 774a1f4

Doesn't work for me either. Has been working in the past, but now suddenly, it says "The SSL certificate presented by the server is not trusted by the system for one or more of the following reasons..." (valid Let's Encrypt certificates).

Setting that used to work in the past but doesn't work anymore:

[email protected]
globalSettings__mail__smtp__host=postfach.hostname.com
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__ssl=true
[email protected]
globalSettings__mail__smtp__password=<secret>

Switching from SMTPS to STARTTLS as suggested in https://github.com/bitwarden/server/issues/451 still doesn't work, same "SSL certificate presented by the server is not trusted by the system" error:

[email protected]
globalSettings__mail__smtp__host=postfach.hostname.com
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__ssl=false
[email protected]
globalSettings__mail__smtp__password=<secret>
globalSettings__mail__smtp__startTls=true

Try globalSettings__mail__smtp__trustServer=true

Try globalSettings__mail__smtp__trustServer=true

Thanks. But I think this is a horrible workaround if it does what I assume it does. It would defeat the purpose of using TLS to prevent man in the middle attacks.

Yes, I understand. I am just trying to see if that makes the error go away or not.

I have the same issues, and I can confirm that the trustServer=true does get rid of the error, and resumes, normal email delivery, however as you agree, this should not be used in production. I tried updating to the dev channel (as suggested in #451 ) and adding the startTls=true setting, but it still doesn't work.

Seems like a duplicate of https://github.com/bitwarden/server/issues/451 , which seems related to a bug in .NET Core 2.x. We'll have to wait for the fix in .NET Core 3.

Seems to be related to this bug: https://github.com/dotnet/corefx/issues/35035 and https://github.com/dotnet/corefx/issues/3034 and perhaps https://github.com/dotnet/corefx/issues/29064

Question: Could we include a flag to disable certificate revocation checking in SSLStream until upgrading to a fixed version of .net core? Sure it's not perfect, but it'd be still better than trusting any SSL certificate.

Issue (for me) still existing. Are there any updates for this?

Workaround with
globalSettings__mail__smtp__trustServer=true
does work for me, but isn't really nice, as already mentioned above.

.Net Core 3 has been released, 3.1.0 a few days ago.
May be worth a try.
Edit : just saw you are testing this on the master repo @kspearrin, good news, many thx 馃憤

Just to throw this in, I'm running 1.32 and this is still an issue for me. Hope the updates to .net fix it. For now I'm just running with the trust server workaround.

@kspearrin .net core 3 has been out for a few months. Did it fix the issue?

.Net Core 3 has been released, 3.1.0 a few days ago.
May be worth a try.
Edit : just saw you are testing this on the master repo @kspearrin, good news, many thx 馃憤

I confirm server 1.33.0 fixes this issue 馃憤
We then do not need globalSettings__mail__smtp__trustServer=true anymore.
Thank you !

Was this page helpful?
0 / 5 - 0 ratings