
I am facing a problem with an OpenSSL certificate error while sending email on the production server. Everything is working fine in development mode. Below is my configuration code in production mode.

```ruby
config.action_mailer.raise_delivery_errors = true
config.action_mailer.delivery_method = :smtp

config.action_mailer.smtp_settings = {
  :address => "smtp.gmail.com",
  :port => 587,                    # mail submission port, upgraded via STARTTLS
  :authentication => "plain",
  :enable_starttls_auto => true,
  :user_name => 'xxxxxxx',
  :password => 'xxxxx',
  :openssl_verify_mode => 'none'   # turns off certificate verification
}
```

I have already looked at the solution in a previous post, but that does not solve my problem.

Could anyone kindly help with this one?

Shyam Visamsetty

  • `openssl_verify_mode => 'none'` should work. Make sure it's not being overridden somewhere. Sadly, turning off hostname matching is the best that can be done in mail because the other choice is no encryption. Opportunistic encryption is better than no encryption. Security diversification strategies like Trust On First Use (TOFU) would help, but the systems are rarely implemented. – jww May 06 '14 at 16:19
  • Thanks for the comment. I have actually tried to disable encryption as well by putting `:enable_starttls_auto => false` and still get the same error. – Shyam Visamsetty May 06 '14 at 16:38
  • No, you want `enable_starttls_auto => true`. That gets you the opportunistic encryption. The problem appears to be in the hostname verification, which seems odd because Google certs are well formed (not like a hosting company that does not pay proper attention to details). Your problem lies elsewhere. – jww May 06 '14 at 16:43
  • What hostname(s) are present in the certificate? Is there an interception proxy in play? Does Ruby traverse the SANs, or does it just look at the CN? – jww May 06 '14 at 16:46
  • Try this to see the certificate: `$ openssl s_client -tls1 -starttls smtp -connect smtp.gmail.com:587 -servername smtp.gmail.com 2>/dev/null | openssl x509 -text -noout`. – jww May 06 '14 at 16:50
  • Thanks. It could be possible for that error. I took a snapshot of my production server and created a new image as 'staging', but it contained the same certificate as production. Would that cause a problem? I cannot push this to production until it is working fine in staging mode. – Shyam Visamsetty May 06 '14 at 16:58
  • This is the output of the certificate which I see: http://pastebin.com/aZ1ERJDr – Shyam Visamsetty May 06 '14 at 17:01
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/52122/discussion-between-shyam-visamsetty-and-jww) – Shyam Visamsetty May 06 '14 at 17:03
  • That cert looks good, and it should not be causing the error you are experiencing. Did you run `openssl s_client` from your staging server, or did you run it from your workstation? – jww May 06 '14 at 17:04
  • Next, I would look at OpenSSL and Ruby versions. OpenSSL 0.9.8 and 1.0.0 are *not* binary compatible. I'm not sure about Ruby compatibility. OpenSSL will experience odd errors and unexplained crashes when compiling for 0.9.8 and using 1.0.1 (and vice versa). – jww May 06 '14 at 17:12
  • I am using 'OpenSSL 1.0.1 14 Mar 2012 built on: Fri May 2 20:24:44 UTC 2014' – Shyam Visamsetty May 06 '14 at 17:22
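
Added example, not part of the original thread: the question raised in the comments, whether Ruby walks the SANs or only looks at the CN, can be checked offline with Ruby's standard `openssl` library. The certificates and `example.test` hostnames are constructed test data, and `build_cert` / `hostname_ok?` are hypothetical helper names.

```ruby
require "openssl"

# One throwaway key reused for all constructed test certificates.
TEST_KEY = OpenSSL::PKey::RSA.new(2048)

# Build a self-signed certificate with the given CN and optional dNSName SANs.
# Constructed test data only; nothing here is taken from a real server.
def build_cert(common_name, san_dns = [])
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = TEST_KEY.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  unless san_dns.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = ef.issuer_certificate = cert
    value = san_dns.map { |name| "DNS:#{name}" }.join(",")
    cert.add_extension(ef.create_extension("subjectAltName", value, false))
  end
  cert.sign(TEST_KEY, OpenSSL::Digest.new("SHA256"))
  cert
end

# Ruby's own hostname check for a certificate against the name the
# client intended to reach.
def hostname_ok?(cert, host)
  OpenSSL::SSL.verify_certificate_identity(cert, host)
end

if __FILE__ == $PROGRAM_NAME
  with_san = build_cert("smtp.example.test", ["mail.example.test"])
  cn_only  = build_cert("smtp.example.test")
  wildcard = build_cert("ignored.example.test", ["*.example.test"])

  # When a dNSName SAN is present, the CN is not consulted at all.
  puts "SAN match:            #{hostname_ok?(with_san, 'mail.example.test')}"
  puts "CN ignored with SAN:  #{hostname_ok?(with_san, 'smtp.example.test')}"
  # Without any SAN, the CN is used as a fallback.
  puts "CN fallback:          #{hostname_ok?(cn_only, 'smtp.example.test')}"
  # A wildcard covers exactly one left-most label.
  puts "wildcard one label:   #{hostname_ok?(wildcard, 'smtp.example.test')}"
  puts "wildcard two labels:  #{hostname_ok?(wildcard, 'a.b.example.test')}"
end
```

To compare against a live server, the PEM printed by the `openssl s_client` command quoted above can be loaded with `OpenSSL::X509::Certificate.new` and passed to the same check.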

1 Answer


Try adding the domain name in `smtp_settings`:

```ruby
:domain => 'www.your-domain-name.com'
```