
mail-tester does not trust LabCA Root CA

Open prueckls opened this issue 1 year ago • 5 comments

My private mail server uses a certificate from LabCA. However, when I configure the email notification in the admin interface and test the settings, I receive the following error:

gui-1 | 2024/09/07 16:31:44 errorHandler: err=2024-09-07T16:31:44.225567+00:00Z mail-tester[855]: 6 mail-tester mr-umAU Debug server listening on :8008
gui-1 | 2024-09-07T16:31:44.225634+00:00Z mail-tester[855]: 6 mail-tester qOzN7w0 Versions: mail-tester=(Unspecified Unspecified) Golang=(go1.22.5) BuildHost=(Unspecified)
gui-1 | 2024-09-07T16:31:44.270759+00:00Z mail-tester[855]: 3 mail-tester x4jQqQQ [AUDIT] mail-tester failed to connect: tls: failed to verify certificate: x509: certificate signed by unknown authority

Is it possible to make the mail-tester trust my own CA?

prueckls avatar Sep 07 '24 16:09 prueckls

I agree with you that this should be possible, however I had a quick look and it is not as trivial as I hoped to fix this.

Currently mail-tester uses the host's root CA set, so only the official public root CAs are trusted. I need to find some time to investigate further and come up with a solution that works in all scenarios.

In the meantime you could try adding the LabCA root CA certificate to the host's trust store, using something like this:

sudo cp /home/labca/boulder_labca/test-root.pem /usr/local/share/ca-certificates/labca_root.crt
sudo update-ca-certificates

hakwerk avatar Sep 09 '24 18:09 hakwerk

I've added the LabCA root CA to the host trust store as per your instructions and reinstalled LabCA. Unfortunately, I am still encountering the same error message. For context, I am running Debian 12 and Docker 27 on the host system.

Would it be possible to add an option in the email settings to bypass or ignore server certificate validation?

prueckls avatar Sep 09 '24 19:09 prueckls

In the latest release (v24.09) it is now possible to either use the LabCA root certificate, or skip TLS server certificate validation completely for the email server.

hakwerk avatar Sep 29 '24 18:09 hakwerk
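The trust problem discussed above, as an added Go example (not LabCA's or mail-tester's own code): a client tls.Config built from the LabCA root PEM in a fresh pool instead of the host's root set, checked against a throwaway constructed CA and leaf so it runs offline. The function names and the host name mail.example.test are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// TLSConfigForPrivateCA builds the client tls.Config for a mail server whose
// certificate chains to a private root such as the LabCA root PEM. The pool is
// fresh, so the host's root set plays no part (the other v24.09 option would be
// tls.Config{InsecureSkipVerify: true}, which accepts any certificate at all).
func TLSConfigForPrivateCA(rootPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(rootPEM) { // an empty pool would only fail later, at connect time
		return nil, errors.New("no CA certificate found in PEM data")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// VerifyLeaf checks a DER server certificate as the handshake would; a chain ending
// outside cfg.RootCAs gives x509.UnknownAuthorityError, the error quoted in the issue.
func VerifyLeaf(cfg *tls.Config, leafDER []byte, host string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err == nil {
		_, err = leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host})
	}
	return err
}

// MakeTestCAAndLeaf builds a constructed, throwaway root CA and a leaf it signs (root as PEM, leaf as DER).
func MakeTestCAAndLeaf(host string) ([]byte, []byte, error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host},
		NotBefore: now, NotAfter: now.Add(time.Hour)}
	caDER, err1 := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	leafDER, err2 := x509.CreateCertificate(rand.Reader, leaf, ca, leafPub, caKey)
	rootPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return rootPEM, leafDER, errors.Join(err1, err2)
}
```

Verifying the same leaf against a pool that lacks the private root reproduces the "certificate signed by unknown authority" failure, which is what happens when the host's public root set is used.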

Thank you for this update. I've updated my installation but now I'm receiving this error:

gui-1 | 2024/09/29 19:39:05 ERROR: Message from server: '2024-09-29T19:39:03.540899+00:00Z mail-tester[1220]: 6 mail-tester mr-umAU Debug server listening on :8008
gui-1 | 2024-09-29T19:39:03.540923+00:00Z mail-tester[1220]: 6 mail-tester qOzN7w0 Versions: mail-tester=(Unspecified Unspecified) Golang=(go1.22.5) BuildHost=(Unspecified)
gui-1 | 2024-09-29T19:39:05.203641+00:00Z mail-tester[1220]: 3 mail-tester 85iN1wo [AUDIT] mail-tester failed to connect: 535 5.7.8 Error: authentication failed: (reason unavailable)
gui-1 | ERROR! On line 172 in commander script

I am pretty sure that the credentials are correct, my mailserver logs: SASL PLAIN authentication failed: (reason unavailable)

Encryption needs to be STARTTLS for my server, what is the default used by Mail-Tester?

prueckls avatar Sep 29 '24 19:09 prueckls

Problem identified: My email account password contains the characters '&' and ',', which caused some scrambled content in the file '/home/labca/boulder_labca/secrets/smtp_password'. After manually editing the password into the file, everything is now working correctly. This is certainly a bug.

prueckls avatar Sep 29 '24 19:09 prueckls