SMTP TLS verification and custom CA
Summary
SMTP TLS verification fails when using a custom CA (currently using GitLab EE 11.9.4 with Docker).
Steps to reproduce
- Add a custom CA certificate to /etc/gitlab/trusted-certs
- Add an SMTP server (in the gitlab.rb config file) that uses a certificate issued by the custom CA.
- Send an email using the Notify.test_email command
Used config
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "<internal.smtp.fqdn>"
gitlab_rails['smtp_port'] = 587
gitlab_rails['smtp_user_name'] = "gitlab"
gitlab_rails['smtp_password'] = "<password>"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = false
gitlab_rails['smtp_openssl_verify_mode'] = 'peer'
gitlab_rails['gitlab_email_from'] = '<email>'
gitlab_rails['gitlab_email_reply_to'] = '<email>'
What is the current bug behavior?
The SMTP server certificate is rejected.
What is the expected correct behavior?
The TLS peer verification should pass if the certificate was issued by a custom CA added to /etc/gitlab/trusted-certs.
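The failure in the traceback below is OpenSSL's chain builder being unable to find the issuer of the SMTP server's certificate in the trust store it was given. The following is an added example (not GitLab or mail-gem code) that reproduces exactly that check in memory: it builds a throwaway private CA and a leaf certificate for a hypothetical host internal.smtp.example (a stand-in for <internal.smtp.fqdn>), verifies the leaf once against an empty store and once against a store containing the custom CA, checks that the certificate actually names the configured smtp_address, and shows the SSLContext a Net::SMTP client would pass to enable_starttls_auto so that 'peer' verification succeeds with a custom CA. The certificate names and the helper functions are assumptions made for the demonstration.

```ruby
require 'openssl'

# Constructed hostname, stands in for the <internal.smtp.fqdn> from gitlab.rb.
SMTP_HOSTNAME = 'internal.smtp.example'

# Builds an X.509v3 certificate. With issuer: nil the cert is self-signed (a root CA).
def build_cert(cn:, pubkey:, issuer:, issuer_key:, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = pubkey
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    # Server leaf: not a CA, usable for TLS server auth, and it must carry the
    # SMTP hostname as a SAN so post_connection_check(@address) passes.
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
    cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth', false))
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{SMTP_HOSTNAME}", false))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed PKI: a private CA and the server certificate it issued.
def make_test_pki
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = build_cert(cn: 'Example Internal CA', pubkey: ca_key.public_key,
                  issuer: nil, issuer_key: ca_key, ca: true, serial: 1)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = build_cert(cn: SMTP_HOSTNAME, pubkey: leaf_key.public_key,
                    issuer: ca, issuer_key: ca_key, ca: false, serial: 2)
  { ca: ca, leaf: leaf }
end

# Runs OpenSSL chain verification of leaf against ONLY the given CAs (no system
# roots), which is what happens when the custom CA is missing from the store.
# Returns [verified?, error_string]; the failing case yields
# "unable to get local issuer certificate", the string seen in the traceback.
def verify_chain(leaf, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |c| store.add_cert(c) }
  ok = store.verify(leaf)
  [ok, store.error_string]
end

# Hostname check performed after the chain check: does the cert name this host?
def hostname_matches?(leaf, hostname)
  OpenSSL::SSL.verify_certificate_identity(leaf, hostname)
end

# The SSLContext a Net::SMTP client would hand to enable_starttls_auto(ctx):
# VERIFY_PEER (smtp_openssl_verify_mode = 'peer') with the system default
# trust paths plus the custom CA(s).
def smtp_ssl_context(trusted_cas)
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  trusted_cas.each { |c| store.add_cert(c) }
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store = store
  ctx
end

if $PROGRAM_NAME == __FILE__
  pki = make_test_pki
  p verify_chain(pki[:leaf], [])                 # CA missing: verification fails
  p verify_chain(pki[:leaf], [pki[:ca]])         # CA trusted: verification passes
  p hostname_matches?(pki[:leaf], SMTP_HOSTNAME)
end
```

Two checks follow from this against a real instance. First, the custom CA has to be present in the store that the Rails process actually consults: in Omnibus the files in /etc/gitlab/trusted-certs are linked into the embedded OpenSSL certificate directory by gitlab-ctl reconfigure, so confirm the reconfigure ran after the file was added and that the file is a PEM CA certificate, not the server's leaf. Second, the server's certificate must chain to that CA and name the configured smtp_address; both can be checked from inside the container with openssl s_client -connect <internal.smtp.fqdn>:587 -starttls smtp -CAfile <path to the CA PEM>, whose "Verify return code" line should read 0 (ok).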
Relevant logs and/or screenshots
root@docker02:~# docker exec -it gitlab gitlab-rails console
-------------------------------------------------------------------------------------
GitLab: 11.9.4-ee (55be7f0)
GitLab Shell: 8.7.1
postgresql: 9.6.11
-------------------------------------------------------------------------------------
Loading production environment (Rails 5.0.7.1)
irb(main):001:0> Notify.test_email('<email-removed>', 'Test', 'test').deliver_now
Notify#test_email: processed outbound mail in 148.6ms
Sent mail to <email-removed> (51.6ms)
Date: Mon, 01 Apr 2019 23:09:11 +0000
From: GitLab <<email-removed>>
Reply-To: GitLab <<email-removed>>
To: <email-removed>
Message-ID: <5ca29a17500b3_21ff3fe3765ca5f054270@a85dddb56733.mail>
Subject: Test
Mime-Version: 1.0
Content-Type: text/html;
charset=UTF-8
Content-Transfer-Encoding: 7bit
Auto-Submitted: auto-generated
X-Auto-Response-Suppress: All
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>test</p></body></html>
Traceback (most recent call last):
16: from /opt/gitlab/embedded/lib/ruby/gems/2.5.0/gems/actionmailer-5.0.7.1/lib/action_mailer/message_delivery.rb:96:in `block in deliver_now'
15: from /opt/gitlab/embedded/lib/ruby/gems/2.5.0/gems/mail-2.7.1/lib/mail/message.rb:260:in `deliver'
14: from /opt/gitlab/embedded/lib/ruby/gems/2.5.0/gems/actionmailer-5.0.7.1/lib/action_mailer/base.rb:541:in `deliver_mail'
13: from /opt/gitlab/embedded/lib/ruby/gems/2.5.0/gems/activesupport-5.0.7.1/lib/active_support/notifications.rb:164:in `instrument'
12: from /opt/gitlab/embedded/lib/ruby/gems/2.5.0/gems/activesupport-5.0.7.1/lib/active_support/notifications/instrumenter.rb:21:in `instrument'
11: from /opt/gitlab/embedded/lib/ruby/gems/2.5.0/gems/activesupport-5.0.7.1/lib/active_support/notifications.rb:164:in `block in instrument'
10: from /opt/gitlab/embedded/lib/ruby/gems/2.5.0/gems/actionmailer-5.0.7.1/lib/action_mailer/base.rb:543:in `block in deliver_mail'
9: from /opt/gitlab/embedded/lib/ruby/gems/2.5.0/gems/mail-2.7.1/lib/mail/message.rb:260:in `block in deliver'
8: from /opt/gitlab/embedded/lib/ruby/gems/2.5.0/gems/mail-2.7.1/lib/mail/message.rb:2159:in `do_delivery'
7: from /opt/gitlab/embedded/lib/ruby/gems/2.5.0/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:100:in `deliver!'
6: from /opt/gitlab/embedded/lib/ruby/gems/2.5.0/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:109:in `start_smtp_session'
5: from /opt/gitlab/embedded/lib/ruby/2.5.0/net/smtp.rb:518:in `start'
4: from /opt/gitlab/embedded/lib/ruby/2.5.0/net/smtp.rb:561:in `do_start'
3: from /opt/gitlab/embedded/lib/ruby/2.5.0/net/smtp.rb:584:in `tlsconnect'
2: from /opt/gitlab/embedded/lib/ruby/2.5.0/net/protocol.rb:44:in `ssl_socket_connect'
1: from /opt/gitlab/embedded/lib/ruby/2.5.0/net/protocol.rb:44:in `connect_nonblock'
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate))