Can't get TLS working for SMTP - certificate verify failed

by Jarrad Gisk -
Number of replies: 5
Hi there,

I'm trying to configure TLS for the SMTP setup on our Moodle, but can't get past an error that it's failing to verify the certificate.

Basics about our server:

* Windows Server 2012 R2, running Moodle under IIS

* PHP 7.1.16

* Moodle 3.4.3

SMTP without TLS works fine, it's just when I go to enable TLS that I start running into problems.

Our Exchange server uses a self-signed cert, so I've saved it on the Moodle server and set openssl.cafile in php.ini to point to it. Running

php -r "print_r(openssl_get_cert_locations());"

from the command line shows it as one of the locations.

Openssl is shown as enabled in phpinfo().


I thought to try this with smtp.gmail.com, but was surprised to see the same error. So I'm beginning to think it's not our certificate but something more basic that's off.

I've been using the eMail Test plugin for the testing. Here's output up to the failure when I tried with the Gmail smtp server:

2018-07-24 15:35:12    Connection: opening to smtp.gmail.com:587, timeout=300, options=array()
2018-07-24 15:35:12    Connection: opened
2018-07-24 15:35:13    SERVER -> CLIENT: 220 smtp.gmail.com ESMTP u14-v6sm20691314wrs.57 - gsmtp
2018-07-24 15:35:13    CLIENT -> SERVER: EHLO *****.*****.org.uk
2018-07-24 15:35:13    SERVER -> CLIENT: 250-smtp.gmail.com at your service, [217.154.157.34]
                                         250-SIZE 35882577
                                         250-8BITMIME
                                         250-STARTTLS
                                         250-ENHANCEDSTATUSCODES
                                         250-PIPELINING
                                         250-CHUNKING
                                         250 SMTPUTF8
2018-07-24 15:35:13    CLIENT -> SERVER: STARTTLS
2018-07-24 15:35:13    SERVER -> CLIENT: 220 2.0.0 Ready to start TLS
2018-07-24 15:35:14    Connection failed. Error #2: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
                                         error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed [C:\inetpub\moodle\lib\phpmailer\src\SMTP.php line 403]
2018-07-24 15:35:14    SMTP Error: Could not connect to SMTP host.
2018-07-24 15:35:14    CLIENT -> SERVER: QUIT

Any ideas?

Thanks!
In reply to Jarrad Gisk

Re: Can't get TLS working for SMTP - certificate verify failed

by Ken Task -

Don't run Windows nor use SMTP to an Exchange box, etc. but recently have been shoring up SSL on Moodle servers. There are protocols and ciphers which now should be disabled and everything seems to be moving to TLS. In what you've shared I see ssl3 ... that's a protocol that probably should be disabled as well as weak ciphers.

Use https://www.ssllabs.com/ssltest/ to test certs on your Moodle and on the SMTP server you are attempting to use - Google's is probably an A+ on ssllabs - at least I would hope so as they have been pushing https everywhere/all the time now.

'spirit of sharing', Ken



In reply to Ken Task

Re: Can't get TLS working for SMTP - certificate verify failed

by Jarrad Gisk -

Well, after a couple of days investigation and testing, I've finally gotten it working. Quite a few variables at play that really confused things!

I imported the cert into the Windows certificate store of the Moodle server as a trusted CA, but this didn't work. I had previously had similar problems with LDAPS, and found documentation about saving the cert of the LDAPS server and adding a bit of extra config, so I assumed I'd need to do something similar with SMTP TLS.

I quickly found reference to the cafile option in php.ini and placed a pem of the self-signed cert in a readable area and pointed php.ini to it, but - fail.

That's when I thought to try connecting to Google's SMTP server to confirm things were otherwise working and was surprised to get the failed STARTTLS, which was unexpected.

After much head scratching, I eventually realised that enabling the cafile option stops openssl/php from using the OS's built-in certificate store. So with cafile enabled, openssl/php stopped trusting Google's CA. I added this cert into the same pem referenced by cafile and could then connect to Google's SMTP server.

But still the self signed cert wouldn't work, despite being in the same pem.

I found reference to openssl's SMTPOptions for verify_peer, verify_peer_name, and allow_self_signed. I added these in to PHPMailer.php and found I could connect to our SMTP server only if I set verify_peer to false. So basically ignoring validation altogether, and certainly not something I wanted to leave.

In one of my later tests, I disabled the cafile (so allowing PHP/openssl to again use the Windows certificate store) and found I could connect with verify_peer true, verify_peer_name false, and allow_self_signed false. So it was doing a bit of cert validation, but not requiring that the cert was issued to the server using it.

As a self-signed Windows cert, the 'Subject' of the cert was set to the servername, not its FQDN. So I changed the connection in Moodle to use just the servername and could connect with verify_peer true, verify_peer_name true, and allow_self_signed false! These are the default settings, so I could then completely remove the extra SMTPOptions I had added to PHPMailer.php.

This leaves me thinking a couple of things aren't quite working right, so I wanted to summarise here in case anyone else comes across this problem themselves in the future:

1) cafile doesn't appear to work with self-signed certificates (or at least not the self-signed cert our Windows Exchange server issued itself). I added this same cert to both the Windows certificate store and to the pem that I had added Google's CA to. The self-signed cert is only accepted when php/openssl is using the Windows certificate store, not when it's using cafile; while the Google cert works in both cases.

2) The 'SMTP Hosts' setting in Moodle must use the name that appears in the 'Subject' of the certificate, even if the name you'd like to use is also in the 'alternative subject names' section of the certificate.

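The handshake and the verification settings discussed in the post above, as an added diagnostic written for this thread (it is not Moodle's or PHPMailer's code). It repeats the EHLO/STARTTLS exchange seen in the log with an explicit stream context, so that verify_peer, verify_peer_name, allow_self_signed and cafile can be toggled one at a time without editing PHPMailer, and on success prints the Subject CN, subjectAltName and issuer of the certificate the server actually presented. The default host/port, the EHLO name and the script name are assumed placeholders.

```php
<?php
// smtp_tls_probe.php: added diagnostic, not part of Moodle or PHPMailer.
// Usage: php smtp_tls_probe.php <host> [port] [cafile] [verify_peer_name 0|1]
$host       = $argv[1] ?? 'smtp.gmail.com';    // assumed default
$port       = (int)($argv[2] ?? 587);
$cafile     = $argv[3] ?? null;                 // null: OpenSSL/OS default trust store
$verifyName = ($argv[4] ?? '1') === '1';

$sslOptions = [
    'verify_peer'       => true,        // validate the chain against the trust store
    'verify_peer_name'  => $verifyName, // match the host name against the cert
    'allow_self_signed' => false,
    'capture_peer_cert' => true,        // keep the cert so we can inspect it below
    'peer_name'         => $host,       // name that verify_peer_name compares against
];
if ($cafile !== null) {
    // Same effect as openssl.cafile in php.ini: this PEM bundle becomes the
    // whole trust store, so public CAs must be present in it too.
    $sslOptions['cafile'] = $cafile;
}
$ctx = stream_context_create(['ssl' => $sslOptions]);

$errno = 0;
$errstr = '';
$sock = stream_socket_client("tcp://$host:$port", $errno, $errstr, 30,
    STREAM_CLIENT_CONNECT, $ctx);
if ($sock === false) {
    fwrite(STDERR, "connect failed: $errstr ($errno)\n");
    exit(1);
}

// Read one SMTP reply; "250-..." lines continue, "250 ..." ends it.
function readReply($sock): string
{
    $out = '';
    while (($line = fgets($sock, 515)) !== false) {
        $out .= $line;
        if (strlen($line) < 4 || $line[3] !== '-') {
            break;
        }
    }
    return $out;
}

function sendCmd($sock, string $cmd): string
{
    fwrite($sock, $cmd . "\r\n");
    return readReply($sock);
}

echo readReply($sock);                               // 220 banner
echo sendCmd($sock, 'EHLO probe.example.invalid');   // assumed client name
$reply = sendCmd($sock, 'STARTTLS');
echo $reply;
if (strncmp($reply, '220', 3) !== 0) {
    fwrite(STDERR, "server refused STARTTLS\n");
    exit(1);
}

// Same call PHPMailer makes; the OpenSSL verify error, if any, is raised as a
// PHP warning, so capture it with error_get_last() instead of letting it print.
$ok = @stream_socket_enable_crypto($sock, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
if ($ok !== true) {
    $e = error_get_last();
    fwrite(STDERR, 'TLS handshake failed: ' . ($e['message'] ?? 'unknown') . "\n");
    exit(1);
}

// Show which names the presented certificate carries, so the SMTP host
// setting can be matched to them.
$params = stream_context_get_params($sock);
$cert   = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
echo 'Subject CN : ', $cert['subject']['CN'] ?? '(none)', "\n";
echo 'SAN        : ', $cert['extensions']['subjectAltName'] ?? '(none)', "\n";
echo 'Issuer CN  : ', $cert['issuer']['CN'] ?? '(none)', "\n";
echo 'Self-signed: ', ($cert['subject'] == $cert['issuer'] ? 'yes' : 'no'), "\n";

sendCmd($sock, 'QUIT');
fclose($sock);
```

Run it once with no cafile and once pointing at the PEM bundle, against both the Exchange server and smtp.gmail.com, and compare the failure messages; that isolates "wrong trust store" from "wrong name" before touching Moodle. The keys in $sslOptions are the same ones PHPMailer 6 accepts through $mail->SMTPOptions['ssl'], so whatever combination works here can be set there rather than by editing PHPMailer.php. Leaving verify_peer disabled accepts any certificate, including one presented by a man in the middle, so treat it as a test setting only.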
In reply to Jarrad Gisk

Re: Can't get TLS working for SMTP - certificate verify failed

by Matteo Scaramuccia -

Hi RJ,
did you update the Root Certificates in your Windows box?
Could https://moodle.org/mod/forum/discuss.php?d=366514#p1479026 be of any help?

HTH,
Matteo

In reply to Matteo Scaramuccia

Re: Can't get TLS working for SMTP - certificate verify failed

by Jarrad Gisk -

Hi Matteo,

I'm afraid I don't understand the relevance of the question. The issue wasn't related to an out-dated root certificate. The cert for the Google CA was up-to-date (as proven when I disabled cafile and could STARTTLS with smtp.gmail.com) and the self-signed cert was manually added to the Windows certificate store under 'Trusted Root Certification Authorities' (the former is entirely manual, as a self-signed cert is issued by the server itself, not a CA).

Both the Google and self-signed certs worked as long as I didn't enable cafile (once I worked out that openssl wouldn't verify against 'alternative subject names' and changed the SMTP host in Moodle to just the server name).

With cafile enabled, I had to include the Google CA in the pem cafile linked to, so that cert was clearly good. The self-signed cert wouldn't work via cafile when verify was on even though it was in the pem, but it did work when cafile was disabled, since it was in the Windows cert store.

So none of the issues were related to an out-dated root certificate, but instead because 1) I didn't realise at first that enabling cafile would disable php/openssl's use of the Windows cert store, 2) self-signed certs don't appear to be supported by cafile (at least on Windows), and 3) php/openssl apparently doesn't consider a cert's 'alternative subject names' when verifying the server name against the cert (which seems to be a bug).

Regards,

Jarrad

In reply to Jarrad Gisk

Re: Can't get TLS working for SMTP - certificate verify failed

by Matteo Scaramuccia -

Hi Jarrad,

"as a self-signed cert is issued by the server itself, not a CA"

AFAIK the CA is the server itself in that case.

BTW I apologize since I didn't read your last post when replying: I've a 1-week backlog of unread posts from moodle.org and got confused with your thread (need more attention for the others in the backlog).

TNX a ton for having taken the time to reply to my weird post. Yes,
Matteo