Incoming mail feature should use the trusted certificates
Description
After many tries to configure IMAP, I finally discovered my problem (thanks to @markglenfletcher for the Ruby code).
Our email server has a self-signed certificate and I put it in: /etc/gitlab/ssl/trusted-certs/receive_mail.pem.
But the server does not validate the certificate:
```ruby
# Run from the Rails console (see the stack trace below).
# Load the first mailbox from the mail_room configuration.
config_path = Rails.root.join('config', 'mail_room.yml')
config_file = YAML.load(ERB.new(File.read(config_path)).result)
config = config_file[:mailboxes].first
# Connect with the configured SSL setting; the certificate is verified against the default trust store.
imap = Net::IMAP.new(config[:host], port: config[:port], ssl: config[:ssl])
# Triggered error
# OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
# from /opt/gitlab/embedded/lib/ruby/2.3.0/net/imap.rb:1492:in `connect'
# from /opt/gitlab/embedded/lib/ruby/2.3.0/net/imap.rb:1492:in `start_tls_session'
# from /opt/gitlab/embedded/lib/ruby/2.3.0/net/imap.rb:1085:in `initialize'
# from (irb):10:in `new'
# from (irb):10
# from /opt/gitlab/embedded/service/gem/ruby/2.3.0/gems/railties-4.2.7.1/lib/rails/commands/console.rb:110:in `start'
# from /opt/gitlab/embedded/service/gem/ruby/2.3.0/gems/railties-4.2.7.1/lib/rails/commands/console.rb:9:in `start'
# from /opt/gitlab/embedded/service/gem/ruby/2.3.0/gems/railties-4.2.7.1/lib/rails/commands/commands_tasks.rb:68:in `console'
# from /opt/gitlab/embedded/service/gem/ruby/2.3.0/gems/railties-4.2.7.1/lib/rails/commands/commands_tasks.rb:39:in `run_command!'
# from /opt/gitlab/embedded/service/gem/ruby/2.3.0/gems/railties-4.2.7.1/lib/rails/commands.rb:17:in `<top (required)>'
# from bin/rails:9:in `require'
# from bin/rails:9:in `<main>'
```
But when I skip the certificate check, everything works fine:
```ruby
config_path = Rails.root.join('config', 'mail_room.yml')
config_file = YAML.load(ERB.new(File.read(config_path)).result)
config = config_file[:mailboxes].first
# Same connection, but with certificate verification disabled (VERIFY_NONE).
imap = Net::IMAP.new(config[:host], port: config[:port], :ssl => { :verify_mode => OpenSSL::SSL::VERIFY_NONE })
imap.starttls if config[:start_tls]
imap.login(config[:email], config[:password])
```
Environment
- CentOS Linux release 7.2.1511 (Core)
- GitLab 8.15.4
Proposal
Make Net::IMAP accept the certificates allowed in the trusted certificates folder
Links / references
gitlab-ce#23560
https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/tasks/gitlab/check.rake#L724
http://www.redmine.org/boards/1/topics/33669
http://ruby-doc.org/stdlib-1.9.3/libdoc/net/imap/rdoc/Net/IMAP.html
https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Secure_Ruby_Development_Guide/ch02s07s02.html