Rails 3: OpenSSL::SSL::SSLError: hostname was not match with the server certificate
Tags: Ruby on-Rails, Ruby on-Rails-3, Openssl, Ssl Certificate
Ruby on-Rails Problem Overview
When trying to deliver an email via console I receive this error:
OpenSSL::SSL::SSLError: hostname was not match with the server certificate
The thing is I really don't know much about certificates and such, or really how to get started troubleshooting this. I tried to do some investigation with openssl, and here is the certificate that is returned.
I don't know if it's a problem with Postfix, which is running on the server, or my Rails app. Any help or clues are really appreciated.
~% openssl s_client -connect mail.myhostname.com:25 -starttls smtp
CONNECTED(00000003)
depth=0 /CN=myhostname
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=myhostname
verify return:1
---
Certificate chain
0 s:/CN=myhostname
i:/CN=myhostname
---
Server certificate
-----BEGIN CERTIFICATE-----
[...redacted...]
-----END CERTIFICATE-----
subject=/CN=myhostname
issuer=/CN=myhostname
---
No client certificate CA names sent
---
SSL handshake has read 1203 bytes and written 360 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 1AA4B8BFAAA85DA9ED4755194C50311670E57C35B8C51F9C2749936DA11918E4
Session-ID-ctx:
Master-Key: 9B432F1DE9F3580DCC6208C76F96631DC5A4BC517BDBADD5F514414DCF34AC526C30687B96C5C4742E9583555A118232
Key-Arg : None
Start Time: 1292985376
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
250 DSN
Ruby on-Rails Solutions
Solution 1 - Ruby on-Rails
An infinitely better solution (in terms of security that is) than the accepted answer would be:
ActionMailer::Base.smtp_settings = {
:address => "mail.foo.com",
:port => 587,
:domain => "foo.com",
:user_name => "[email protected]",
:password => "foofoo",
:authentication => "plain",
:enable_starttls_auto => true,
:openssl_verify_mode => 'none'
}
This way you'll still be using encryption, but the validation of the certificate would be disabled (and you won't be getting any errors).
Solution 2 - Ruby on-Rails
EDIT: This answer is no longer the best solution, and may no longer work. See this answer which is more secure.
> The name on certificate should match with the url on which you are running your application
Not useful... I get this error with Dreamhost, where I have no option to change the SSL certificate. (Well, I do, but it costs.)
One option is to disable TLS. Hopefully you have something like this in your initializers:
ActionMailer::Base.smtp_settings = {
:address => "mail.foo.com",
:port => 587,
:domain => "foo.com",
:user_name => "[email protected]",
:password => "foofoo",
:authentication => "plain",
:enable_starttls_auto => true
}
Change the enable_starttls_auto option to false (or add it in if it isn't present).
Warning: this will disable encryption, meaning your username and password will traverse the internet in plain text.
I can't see a better way of doing this, so would be interested in any answers.
Solution 3 - Ruby on-Rails
If you are using the Ruby mail library as I do, here is the setting for POP:
require 'net/pop'
pop = Net::POP3.new(mail_server, mail_port)
# 0 is OpenSSL::SSL::VERIFY_NONE: SSL stays enabled, certificate verification
# (on by default) is turned off
pop.enable_ssl(0)
pop.start(mail_username, mail_pwd)
Solution 4 - Ruby on-Rails
As many people discussing this question have mentioned dreamhost, there is a better dreamhost-specific answer to this question.
Your email software, in recent years, has probably started getting more belligerent at you for using incorrect servernames on your certificates. As a response, Dreamhost now recommends using their domain name rather than your own when setting up your email account.
You need to find out which mail cluster your account is assigned to, then your config will be as follows:
ActionMailer::Base.smtp_settings = {
:address => "mail.foo.com",
:port => 587,
:domain => "subX.mail.dreamhost.com", # instead of "foo.com"
:user_name => "[email protected]",
:password => "foofoo",
:authentication => "plain",
:enable_starttls_auto => true,
# :openssl_verify_mode => 'none' # hopefully, no longer needed
}
where subX is the subdomain your email cluster is on. Currently this can be found on your Dreamhost panel at Panel > Support > Data Centers.
More details can be found on their email client configuration page: https://help.dreamhost.com/hc/en-us/articles/214918038-Email-client-configuration-overview
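Added example (not part of the question or of any answer above): the s_client output in the question shows two separate problems, an untrusted self-signed certificate (error 18) and a name (CN=myhostname) that differs from the host being connected to. The Ruby below runs both checks separately against a constructed certificate of the same shape; `build_self_signed` and `diagnose` are hypothetical helper names, and the certificate is generated locally rather than taken from any server.

```ruby
require "openssl"

# Constructed stand-in for the server certificate: self-signed, subject
# CN=<cn>, no subjectAltName (same shape as the s_client output above).
def build_self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Run the two checks a verifying client performs and report them separately:
# chain trust (against an X509 store) and hostname identity.
def diagnose(cert, host, trusted: [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  chain_ok = store.verify(cert)
  {
    chain_ok: chain_ok,
    chain_error: chain_ok ? nil : store.error,
    host_ok: OpenSSL::SSL.verify_certificate_identity(cert, host),
    names: cert.subject.to_a.select { |oid, _v, _t| oid == "CN" }.map { |_o, v, _t| v }
  }
end

if __FILE__ == $PROGRAM_NAME
  cert = build_self_signed("myhostname")
  # Nothing trusted, wrong name: both checks fail (the situation in the question).
  p diagnose(cert, "mail.myhostname.com")
  # Trusting this one certificate clears error 18; the name still mismatches.
  p diagnose(cert, "mail.myhostname.com", trusted: [cert])
  # Connecting by a name the certificate carries passes both checks.
  p diagnose(cert, "myhostname", trusted: [cert])
end
```

Setting the verify mode to none skips both checks at once; trusting the specific certificate and connecting by a name it contains keeps them both.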