user1085907

Reputation: 1035

Could not connect to SMTP host - failed to verify certificate

I have following situation:

Server 1: Windows server with email server. Server address pattern: mail.myservers.com

Server 2: Ubuntu 20 (fresh install a month ago) with lsws web server, without email server. Server address pattern: s2.myservers.com

Server 2 is used for hosting PHP apps. A few days ago I installed a brand new WordPress site. Since server 2 does not have an email server, sendmail is simply not working. All sites have to use a workaround via an SMTP server, as WordPress does with PHPMailer.

The site is hosted on server 2 using the address pattern myproject.com. While I am trying to test SMTP from the WordPress administration, I get the following error.

Versions:
WordPress: 5.7.2
WordPress MS: No
PHP: 8.0.2
WP Mail SMTP: 2.8.0

Params:
Mailer: smtp
Constants: No
ErrorInfo: SMTP Error: Could not connect to SMTP host.
Host: mail.myservers.com
Port: 587
SMTPSecure: tls
SMTPAutoTLS: bool(true)
SMTPAuth: bool(true)

Server:
OpenSSL: OpenSSL 1.1.1f 31 Mar 2020
Apache.mod_security: No

Debug:
Mailer: Other SMTP
SMTP Error: Could not connect to SMTP host.

SMTP Debug:
2021-06-01 16:30:46 Connection: opening to mail.myservers.com:587, timeout=300, options=array()

2021-06-01 16:30:46 Connection: opened

2021-06-01 16:30:46 SERVER -> CLIENT: 220 mail.myservers.com ESMTP

2021-06-01 16:30:46 CLIENT -> SERVER: EHLO myproject.com

2021-06-01 16:30:46 SERVER -> CLIENT: 250-mail.myservers.com
250-SIZE 30720000
250-STARTTLS
250-AUTH LOGIN
250 HELP

2021-06-01 16:30:46 CLIENT -> SERVER: STARTTLS

2021-06-01 16:30:46 SERVER -> CLIENT: 220 Ready to start TLS

2021-06-01 16:30:46 Connection failed. Error #2: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed [/home/myproject.com/public_html/wp-includes/PHPMailer/SMTP.php line 467]

SMTP Error: Could not connect to SMTP host.

2021-06-01 16:30:46 CLIENT -> SERVER: QUIT

2021-06-01 16:30:46

2021-06-01 16:30:46

2021-06-01 16:30:46 Connection: closed

SMTP Error: Could not connect to SMTP host.

I have run the email server for 4 years on a Let's Encrypt cert and have had no problem ever since. My guess is that something is wrongly configured on the Ubuntu server.

I read a few topics, including the PHPMailer troubleshooting steps:

  1. My guess is that this is for the wrong PHP version (7.2). The site is using 8.0, so I edited the conf to the path below.

php -i | grep cafile
openssl.cafile => no value => no value

curl.cainfo=/etc/ssl/certs/ca-certificates.crt, openssl.cafile=/etc/ssl/certs/ca-certificates.crt

  2. echo QUIT | openssl s_client -crlf -starttls smtp -connect smtp.gmail.com:587 returns ok
  3. Checked the certificates for mail.myservers.com, s2.myservers.com and myproject.com via an external service. Returns ok.
  4. hosts:

127.0.0.1 s2.myservers.com s2
127.0.0.1 s2

.. ipv6 loopbacks

I ran out of ideas.

EDIT: miken reply

subject=C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
subject=C = US, O = IdenTrust, CN = IdenTrust Public Sector Root CA 1

Steffen reply

openssl s_client -connect mail.myservers.com:587 -starttls smtp
CONNECTED(00000003)
depth=0 CN = mail.myservers.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = mail.myservers.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = mail.myservers.com
   i:C = US, O = Let's Encrypt, CN = R3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = mail.myservers.com

Upvotes: 0

Views: 2012

Answers (1)

Steffen Ullrich

Reputation: 123270

TL;DR: The certificate chain returned by the server is missing an important intermediate certificate. Without it, the leaf certificate of the server cannot be checked against the trust store. That's why validation fails.

In detail: The full certificate chain returned by the mail server is this:

Certificate chain
 0 s:CN = mail.myservers.com
   i:C = US, O = Let's Encrypt, CN = R3

From this output it can be seen that the server only returns the leaf certificate with the subject of the server, which is issued by R3. It does not return the intermediate certificate for R3, which is issued by ISRG Root X1. But the root certificate is ISRG Root X1, and only this root certificate is in the trust store. See also Let's Encrypt Certificate Hierarchy 2021.

The fix needs to be done on the server side, i.e. the full chain with leaf certificate and intermediate certificate should be provided by the server. Since hMailServer is used, see also this documentation, which explicitly states: "This certificate should contain the trust chain (Root CA and any Intermediary Certificates), in addition to the Server Certificate". While some applications might work around missing certificates, or some simply ignore certificate errors, this is still a server-side problem.

Alternatively the problem can be worked around at the client side by importing the missing intermediate certificate into the client side trust store.

Upvotes: 2
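The chain problem described in the question and the answer, reproduced offline as an added example (this is not code from the question, the answer, PHPMailer or hMailServer). A throwaway root/intermediate/leaf PKI stands in for ISRG Root X1, R3 and mail.myservers.com; the names "Demo Root CA" and "Demo Intermediate R3" and every key are constructed for the demo. The script emulates a client whose trust store holds only the root, shows the same "unable to get local issuer certificate" (error 20) that the openssl s_client output in the question reports when only the leaf is presented, then shows the server-side fix (serving leaf plus intermediate) and the client-side workaround (adding the intermediate to the trust store). It needs only openssl and a POSIX sh.

```shell
#!/bin/sh
# Added example: reproduce the missing-intermediate failure with a throwaway PKI.
# All names and keys below are constructed for this demo only.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.myservers.com
EOF

for n in root int leaf; do
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$n.key" 2>/dev/null
done

# Root CA (self-signed): the only thing in the client's trust store, i.e. the
# role ISRG Root X1 plays in /etc/ssl/certs on the Ubuntu box.
openssl req -x509 -new -config demo.cnf -key root.key -subj "/CN=Demo Root CA" \
    -extensions ca_ext -days 2 -out root.pem 2>/dev/null

# Intermediate signed by the root (the role of Let's Encrypt R3).
openssl req -new -config demo.cnf -key int.key -subj "/CN=Demo Intermediate R3" \
    -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile demo.cnf -extensions ca_ext -days 2 -out int.pem 2>/dev/null

# Leaf signed by the intermediate (the mail server's own certificate).
openssl req -new -config demo.cnf -key leaf.key -subj "/CN=mail.myservers.com" \
    -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -extfile demo.cnf -extensions leaf_ext -days 2 -out leaf.pem 2>/dev/null

# verify_chain TRUSTSTORE PRESENTED: emulate a client whose trust store is
# TRUSTSTORE and which receives the certificate file PRESENTED from the server
# (the presented certs are untrusted input, exactly as in a TLS handshake).
# Prints "ok" on success, otherwise the OpenSSL verify error text.
verify_chain() {
    out=$(openssl verify -CAfile "$1" -untrusted "$2" leaf.pem 2>&1) && { echo ok; return 0; }
    echo "$out" | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: //p' | head -n 1
}

# 1. Misconfigured server: only the leaf is sent. The client cannot find the
#    issuer of the leaf anywhere and fails, like PHPMailer did in the question.
server_sends_leaf_only() { verify_chain root.pem leaf.pem; }

# 2. Server-side fix: serve leaf + intermediate (with certbot this is the
#    fullchain.pem file). The client can now walk leaf -> intermediate -> root.
cat leaf.pem int.pem > fullchain.pem
server_sends_fullchain() { verify_chain root.pem fullchain.pem; }

# 3. Client-side workaround from the answer: put the intermediate into the
#    trust store. Works, but must be repeated on every client and redone
#    whenever the CA rotates its intermediate.
cat root.pem int.pem > trust-with-int.pem
client_trusts_intermediate() { verify_chain trust-with-int.pem leaf.pem; }

# Quick sanity check for the file handed to the mail server: a full chain has
# more than one certificate in it, a bare leaf has exactly one.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

echo "server sends leaf only:     $(server_sends_leaf_only)"
echo "server sends full chain:    $(server_sends_fullchain)"
echo "client trusts intermediate: $(client_trusts_intermediate)"
echo "certs in leaf.pem:          $(cert_count leaf.pem)"
echo "certs in fullchain.pem:     $(cert_count fullchain.pem)"
```

Against the real server, `openssl s_client -connect mail.myservers.com:587 -starttls smtp -showcerts` prints every certificate the server sends; the server-side fix is in place when the R3 intermediate appears after the leaf in that output and the session ends with `Verify return code: 0 (ok)` instead of error 20/21. Pointing PHP's openssl.cafile at ca-certificates.crt, as tried in the question, cannot help on its own: that file holds roots, and the chain still has a gap between the leaf and the root until the server supplies the intermediate.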
