
RocketChat SMTP Server configure failed under private CA certificate signed smtp ssl certificate

Description

Rocket.Chat Server cannot be set up with our LAN SMTP server, even though the site has a correct certificate signed by our own CA certificate, which only exists on the LAN. I have even installed ca-certificates in the Docker bundle system using docker exec -it -u 0 bash and then installed our CA.crt into /usr/share/ca-certificates, but it does not work. These are the error outputs when I click "test sending email":

smtps

  • port: 465

    Updating process.env.MAIL_URL
    Exception in defer callback: Error: self signed certificate in certificate chain
        at ...
      code: 'ESOCKET',
      command: 'CONN'

smtp

  • port: 25

    Updating process.env.MAIL_URL
    Exception in defer callback: [Error: ... ../deps/openssl/openssl/ssl/record/ssl3_record.c:332:]
    {
      library: 'SSL routines',
      function: 'ssl3_get_record',
      reason: 'wrong version number',
      code: 'ESOCKET',
      command: 'CONN'
    }

Server Setup Information

  • Version of Rocket.Chat Server: 3.18.1
  • Operating System: debian 10
  • Deployment Method: docker
  • Number of Running Instances: 1
  • DB Replicaset Oplog: true
  • NodeJS Version:
  • MongoDB Version: 4.0
  • Proxy: none yet
  • Firewalls involved: false

Just wondering why, after I installed our own CA.crt into /usr/share/ca-certificates with the command dpkg-reconfigure ca-certificates, Rocket.Chat still emits the error "self signed certificate in certificate chain". What does it mean? Which self-signed certificate is it pointing to?

I have used the command openssl s_client -connect my.smtp.server.addr.com:465 to verify, and checked that the SSL information is correct: it shows that the certificate is signed by our own CA certificate rather than being a self-signed certificate.

Any additional Information

  • Currently the website runs over HTTP; I have not set up a reverse proxy yet.
  • mongo and rocketchat are installed via Docker and communicate through the --link argument on the rocketchat docker run command.

Hi!

Can you please check this answer?

TL;DR
I think you can only get a mix and match of the following configurations in your Docker setup:

environment:
  # MAIL_URL options are query parameters, so they start with "?" (the
  # original line had "&" here, which would be parsed as part of the port)
  - MAIL_URL=smtp://user:password@smtp_server:smtp_port?secure=false&ignoreTLS=true

Is this Issue related to the original OP?

I'm not sure the solutions here necessarily give the poster on the Issue, or the OP here, the security they really want.

A point to note with everything about mail is that you only have to go through one non-'S' (non-secure) server and your whole chain of security collapses.

And once it leaves your server you cannot control how it is routed… could go through multiple non ‘S’ servers.

The only real way to give a reasonable guarantee of security/privacy with email is E2E, e.g. PGP (or, say, Signal or Rocket).

Everything else is really just chasing ghosts.

Yes, I submitted the issue as soon as I made a topic in the Rocket.Chat forum.

My SMTP server only has port 465 open, and port 25 is closed. So I have to use the SSL-enabled SMTP service on port 465. Do you have any idea what the problem is?

But SSL can make sure the data on the TCP connection is encrypted. At least the username and password are not exposed.

Please don't do that. It makes life confusing. GitHub is only for bugs, not support issues.

See this on how to ask for help properly. Only open an issue when we are pretty sure it is a bug in the code.

Yes, not describing the issue properly.

Your bug is not the same as this post.

So you missed out bits like this:

I deploy rocketchat on a LAN environment which has no internet access

So does Rocket have internet access or not? Where is the SMTP server? On the LAN or elsewhere? Does it have internet access too? What sort of certificates does the SMTP server use?

Please give some more detail of where all these servers are and how they are connected.

True. But that is about it. If that is on your own LAN only then it probably isn’t your highest priority.

Last, this is really a Meteor/Node Issue.

There are lots of pages on Meteor and self-signed certificates, and the general answer seems to be to set something like tlsAllowInvalidCertificates.

create a fullchain cert as per this :slight_smile:

  • Both the email server and the rocketchat server have no internet access and are in 192.168.1.1/24.
  • We created a CA certificate and sign certificates for many web services with it.
  • All users who need to visit these sites have to install the CA on their computer first, so in Chrome we can see a green lock icon. Is that similar to how an official CA functions on the internet?

From: "John Crisp via Rocket.Chat" rocketchat@discoursemail.com
Date: Wednesday, 29 September 2021, 22:54
To: ceweithr@163.com
Subject: [Rocket.Chat] [Community Support] RocketChat SMTP Server configure
failed under private CA certificate signed smtp ssl certificate

Well, it seems that we have a clue. So:

  • What exactly should I do on my Rocket.Chat Docker container to use our own CA file?
  • Is it pointing to the Meteor framework? Can it be fixed through configuration, or by recompiling?

Thanks.

From: "John Crisp via Rocket.Chat" rocketchat@discoursemail.com
Date: Wednesday, 29 September 2021, 23:05
To: ceweithr@163.com
Subject: [Rocket.Chat] [Community Support] RocketChat SMTP Server configure
failed under private CA certificate signed smtp ssl certificate

Hey @MArtiniz1988! Welcome to our forum.

As this thread is not about the API, can you open a new one?

You can check the api doc here: https://developer.rocket.chat/reference/api

thanks!