0

I develop a webapp on my local machine and use the mailtrap.io email testing service to check outgoing emails. I haven't changed anything, but a few days ago the mailtrap service started giving back the error message below:

ErrorException stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Mailtrap advises the following:

Regarding SSL error while trying to send emails to Mailtrap You are not alone. Please update your OpenSSL version You might hear about the global issue with Letsencrypt certificates: its old root certificate expired on Sep 30. Mostly it impacted clients who use OpenSSL versions prior 1.1.0. The most common solution is to update your OpenSSL. If you can’t do that read the recipe for v.1.0.2 from OpenSSL.

Reading the linked article did not really help me to solve the problem.

In parallel I found this page explaining how to install some new certificates to avoid similar problems, but it did not help.

I also removed the expired certificate as described here, but still get the same error message.

I work on a Mac (Catalina 10.15.7) and now I'm thinking about somehow updating the openssl on my machine. openssl version tells me that I have LibreSSL 2.8.3 on my machine.

Am I on the right track? Should I update LibreSSL to the latest version to solve this problem? How do I do that? Are there any side-effects? Is there a better solution to solve this problem?

Thanks for any advice, W.

wanderlusted
  • LibreSSL is not the same as OpenSSL. In many cases the differences don't matter, but here they do; LibreSSL forked from OpenSSL 1.0.1, and does not have the changes made in OpenSSL 1.1.0 that fully fix this problem. I'd be surprised if adding the ISRG root(s) is needed; at least ISRG X1 has been widely accepted since 2017, although I don't know if/when MacOS added it. (corrected) AFAICT the OpenSSL 1.0.1 logic will not work for current LE, although I don't have LibreSSL to verify it is the same. – dave_thompson_085 Oct 06 '21 at 20:43
  • @dave_thompson_085 Thanks for the comment. It seems that the LibreSSL [release notes](https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.5-relnotes.txt) have a fix for this. I'm a little concerned about the side-effects of updating this on my Mac, and not even sure how to do this update, but I don't see any other solutions. Let me know if you have any further comments! Thanks! – wanderlusted Oct 07 '21 at 11:32
  • I'm a little surprised because trusted_first was not in real OpenSSL 1.0.1 only 1.0.2; I guess Libre backported it at some point. But if they say it's in the release I'd believe them and try it, or else [brew claims to have real OpenSSL 1.1.1l](https://formulae.brew.sh/formula/openssl@1.1) – dave_thompson_085 Oct 07 '21 at 21:01

2 Answers

0

Finally I could solve this issue without upgrading anything. The key point was to realize from PHPInfo that my PHP uses the OpenSSL that is installed under my MAMP installation. I had to remove the expired DST Root CA X3 root certificate from the .pem file under this installation and now everything works correctly.

wanderlusted
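The fix described in the answer above (dropping an expired root such as DST Root CA X3 from the .pem bundle that PHP's OpenSSL actually reads), as an added example that is not part of the original answer. The function name `prune_bundle` and its arguments are assumptions made for illustration; it relies only on `openssl x509 -checkend`, which both OpenSSL and LibreSSL provide.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original answer).
# To find the bundle PHP really uses, check phpinfo() or run:
#   php -r 'print_r(openssl_get_cert_locations());'
#
# prune_bundle BUNDLE OUT [SECONDS]
#   Copies every certificate in the PEM file BUNDLE to OUT, except those
#   that are already expired or expire within SECONDS (default 0).
#   Entries openssl cannot parse are dropped as well.
#   Details of dropped certificates go to stderr; the number dropped
#   is printed on stdout. BUNDLE itself is never modified.
prune_bundle() {
    bundle=$1 out=$2 within=${3:-0}
    tmp=$(mktemp -d) || return 1

    # Split the bundle into one file per certificate. Comment lines
    # between certificates are not carried over.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%05d.pem", dir, n); on = 1 }
        on { print > f }
        /-----END CERTIFICATE-----/ { on = 0; close(f) }
    ' "$bundle"

    : > "$out"
    dropped=0
    for cert in "$tmp"/cert*.pem; do
        [ -e "$cert" ] || continue
        # -checkend N exits 0 only if the certificate is still valid
        # N seconds from now.
        if openssl x509 -in "$cert" -noout -checkend "$within" >/dev/null 2>&1; then
            cat "$cert" >> "$out"
        else
            dropped=$((dropped + 1))
            openssl x509 -in "$cert" -noout -subject -enddate >&2
        fi
    done
    rm -rf "$tmp"
    echo "$dropped"
}
```

Write the result to a new file, review what was dropped, and keep a copy of the original bundle before swapping the pruned one into place.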
0

Let's try for Linux:

apt-get update
apt install ca-certificates openssl
Emir Mamashov