Description
Rocket.Chat Server cannot be set to use a LAN SMTP server, even though the site has a correct certificate signed by our own CA certificate, which only exists in the LAN. I've even installed ca-certificates in the docker bundle system using `docker exec -it -u 0 bash` and then installed our CA.crt into /usr/share/ca-certificates, but it does not work, and gives these error outputs when I click "test sending email":
smtps:
```
Updating process.env.MAIL_URL
Exception in defer callback: Error: self signed certificate in certificate chain
at ...
code: 'ESOCKET'
command: 'CONN'
```
smtp (port 25):
```
Updating process.env.MAIL_URL
Exception in defer callback: [Error: ... ../deps/openssl/openssl/ssl/record/ssl3_record.c:332:]
{
library: 'SSL routines',
function: 'ssl3_get_record',
reason: 'wrong version number',
code:' ESOCKET',
command: 'CONN'
}
```
Server Setup Information
Version of Rocket.Chat Server: 3.18.1
Operating System: debian 10
Deployment Method: docker
Number of Running Instances: 1
DB Replicaset Oplog: true
NodeJS Version:
MongoDB Version: 4.0
Proxy: none yet
Firewalls involved: false
I'm just wondering why, after I have installed our own CA.crt to /usr/share/ca-certificates with the command `dpkg-reconfigure ca-certificates`, rocketchat still emits the error "self signed certificate in certificate chain". What does it mean? Which self signed certificate is it pointing to?
I've used the command `openssl s_client -connect my.smtp.server.addr.com:465` to verify, and checked that the SSL information is correct: it shows that the certificate is signed by our own CA certificate instead of being a self signed certificate.
Any additional Information
Currently the website runs over http; I have not set up a reverse proxy yet.
mongo and rocketchat are installed by docker and communicate with the `--link` argument on the rocketchat docker run command.
Hi!
Can you please check this answer?
Hi!
I was checking the source code for your question, and searching for MAIL_URL I found this:
I think the best you can get right now is a mix and match of the following options:
```yaml
rocketchat:
...
environment:
- MAIL_URL=smtps://user:password@smtp_server:25&secure=false&ignoreTLS=true
```
One could work around this requirement by setting up an SMTP relay that uses the provided certificate and provides an SMTP server that works with Rocket.Chat.
TL;DR
I think you can only get a mix and match of the following configurations in your docker setup:
```yaml
environment:
- MAIL_URL=smtp://user:password@smtp_server:smtp_port&secure=false&ignoreTLS=true
```
reetp
September 28, 2021, 6:43pm
3
Is this Issue related to the original OP?
opened 09:17AM - 28 Sep 21 UTC
### Description:
I deploy rocketchat in a LAN environment which has no internet access, so I cannot use a public-CA-signed certificate. Instead, I deploy other web services with SSL support by using a custom CA certificate to sign each site's SSL certificate, for example my SMTP server. Therefore I would like to set smtps on rocketchat, but I receive an error that says **self signed certificate in certificate chain**; I guess the smtps SSL verification did not pass.
### Steps to reproduce:
1. Deploy mongo and rocketchat by docker according to the official instructions at https://hub.docker.com/r/rocketchat/rocket.chat
2. Log in to rocketchat at http://localhost:80, do some admin configuration, then use rocketchat as normal.
3. Try to set email-smtp, filling in these params:
- protocol: smtps
- server: smtp.server.addr.com
- port: 465
- ignoreTLS: false
- pool: false
- username: <valid email account>
- password: <valid email password>
- from mail: same as username
Then click **save changes** and **send test email to myself**; no email is delivered and the logs say:
```
Updating process.env.MAIL_URL
Exception in defer callback: Error: self signed certificate in certificate chain
at ...
code: 'ESOCKET'
command: 'CONN'
```
4. Use the docker command `docker exec -it -u 0 <instance name> bash` and `apt-get install ca-certificates` to install the software necessary for adding a custom CA certificate to the system area under `/usr/share/ca-certificates`
5. `docker cp myCA.crt <instance name> /tmp/`
6. `docker exec -it -u 0 <instance name> bash` and `dpkg-reconfigure ca-certificates`
7. Reboot the docker instance and try sending email again; it fails with the same logs pasted above.
On Stack Overflow, somebody says I can add some ignore flag to `main.js`, but I have neither tried that method nor am I willing to disable TLS identity checks, because it would put my data in an insecure situation. I just want the rocketchat docker container to recognize the site SSL certificate signed by my custom CA certificate, which I have put under `/usr/share/ca-certificates`.
### Expected behavior:
SMTP configuration of my private SMTP server, with an SSL certificate signed by my personal CA, works, because I would like to use my own CA to ensure the security of data transfer.
### Actual behavior:
SMTP configuration fails and says something about **self signed certificate in certificate chain**.
### Server Setup Information:
- Version of Rocket.Chat Server: 3.18.1
- Operating System: debian 10
- Deployment Method: docker
- Number of Running Instances: 1
- DB Replicaset Oplog: true
- NodeJS Version: 12.22.1
- MongoDB Version: 4.0
### Client Setup Information
- Desktop App or Browser Version: 3.4.0
- Operating System: ubuntu 18.04
### Additional context
### Relevant logs:
```
Updating process.env.MAIL_URL
Exception in defer callback: Error: self signed certificate in certificate chain
at TLSSocket.onConnectSecure (_tls_wrap.js:1502:34)
at TLSSocket.emit (event.js:314:20)
at TLSSocket.EventEmitter.emit (domain.js:483:12)
at TLSSocket._finishInit (_tls_wrap.js:937:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:711:12)
at TLSWrap.callbackTrampoline (_internal/async_hooks.js:126.14) {
code: 'ESOCKET',
command: 'CONN'
}
```
I'm not sure the solutions here necessarily give the poster on the Issue, or the OP here, the security they really want.
A point to note with everything about mail is that you only have to go through one non-'S' (secure) server and your whole chain of security collapses.
And once it leaves your server you cannot control how it is routed... it could go through multiple non-'S' servers.
The only real way to give a reasonable guarantee of security/privacy with email is E2E (e.g. PGP, or say Signal or Rocket).
Everything else is really just chasing ghosts.
Yes, I submitted the issue as soon as I made a topic in the rocketchat forum.
My SMTP server only has port 465 open, and port 25 is closed. So I have to use the SMTP server with SSL on port 465. Do you have any idea what the problem is?
But SSL can make sure the data on the TCP connection is encrypted. At least the username and password are not exposed.
reetp
September 29, 2021, 2:39pm
6
Please don’t do that. It makes life confusing. Github is only for bugs, not support issues.
See this on how to ask for help properly. Only open an issue when we are pretty sure it is a bug in the code.
Readme.md
# Rocket.Chat - Asking for help
For users with issues with Rocket.Chat please do yourselves a few favours before asking for help.
Before you start.
First, you must ALWAYS test on the latest version of Rocket.Chat - you can also try [https://open.rocket.chat](https://open.rocket.chat) which always runs development versions. A large amount of issues are fixed with an update.
You are going to need to provide some basic information if you want a chance of resolving your issue.
reetp
September 29, 2021, 2:44pm
7
Yes, not describing the issue properly.
Your bug is not the same as this post.
So you missed out bits like this:
I deploy rocketchat on a LAN environment which has no internet access
So does Rocket have internet access or not? Where is the SMTP server? On the LAN or elsewhere? Does it have internet access too? What sort of certificates does the SMTP server use?
Please give some more detail of where all these servers are and how they are connected.
reetp
September 29, 2021, 2:50pm
8
True. But that is about it. If that is on your own LAN only then it probably isn’t your highest priority.
reetp
September 29, 2021, 2:54pm
9
Lastly, this is really a Meteor/Node issue.
There are lots of pages on Meteor and self signed certificates, and the general answer seems to be to set something like tlsAllowInvalidCertificates.
Create a fullchain cert as per this
Both the email server and the rocketchat server have no internet access and are in 192.168.1.1/24.
We create a CA certificate and sign many web services with it.
All users who need to visit these sites have to install the CA on their computer first, so in Chrome we can see a green lock icon. Is that similar to how an official CA works on the internet?
From: "John Crisp via Rocket.Chat" rocketchat@discoursemail.com
Date: Wed, 29 Sep 2021, 22:54
To: ceweithr@163.com
Subject: [Rocket.Chat] [Community Support] RocketChat SMTP Server configure failed under private CA certificate signed smtp ssl certificate
Well, it seems that we have a clue. So:
What exactly should I do on my Rocket.Chat docker container to use my own CA file?
Is it pointing to the Meteor framework? Can it be fixed through configuration or by recompiling?
Thanks.
From: "John Crisp via Rocket.Chat" rocketchat@discoursemail.com
Date: Wed, 29 Sep 2021, 23:05
To: ceweithr@163.com
Subject: [Rocket.Chat] [Community Support] RocketChat SMTP Server configure failed under private CA certificate signed smtp ssl certificate
Hey @MArtiniz1988 ! Welcome to our forum.
As this thread is not about API, can you open a new one?
You can check the api doc here: https://developer.rocket.chat/reference/api
thanks!