Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    SSL/TLS Option Breaks My SMTP Notifications

    Scheduled Pinned Locked Moved Problems Installing or Upgrading pfSense Software
    27 Posts 4 Posters 11.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      NOYB
      last edited by

      It doesn't matter what any thing else thinks of the cert.  pfSense has to trust it.

      1 Reply Last reply Reply Quote 0
      • ghostshellG
        ghostshell
        last edited by

        @NOYB:

        It doesn't matter what any thing else thinks of the cert.  pfSense has to trust it.

        Ok, then how will I know as the cert and postfix settings have not changed since my last alert email, i see nothing in the logs showing cert issues with pfsense 192.168.1.1

        pfsense logs show this error over and over

        php-fpm /system_advanced_notifications.php: Could not send the message to gmail.com – Error: could not start TLS connection encryption protocol

        1 Reply Last reply Reply Quote 0
        • N
          NOYB
          last edited by

          The two places I know of for the CA to be located in pfSense are:

          1. System / Certificate Manager / CAs
          2. /usr/local/share/certs/ca-root-nss.crt

          This is not to say there couldn't be some other location.  These are just the two I'm aware of.
          I am also not sure in which of the locations it is required to be for notifications.  Mine is in both.  But I'm thinking it probably has to be in ca-root-nss.crt.

          1 Reply Last reply Reply Quote 0
          • dennypageD
            dennypage
            last edited by

            Did you have to hand edit ca-root-nss.crt to add the CA?

            @NOYB:

            The two places I know of for the CA to be located in pfSense are:

            1. System / Certificate Manager / CAs
            2. /usr/local/share/certs/ca-root-nss.crt

            This is not to say there couldn't be some other location.  These are just the two I'm aware of.
            I am also not sure in which of the locations it is required to be for notifications.  Mine is in both.  But I'm thinking it probably has to be in ca-root-nss.crt.

            1 Reply Last reply Reply Quote 0
            • N
              NOYB
              last edited by

              Yes, I just added it below all the other CA's and incremented the number of certificates.

              Mine is a self signed, so I have to added it.  I wish PHP curl could use it from the one that is in config (System / Certificate Manager / CAs) so it would survive upgrades and I wouldn't have to remember to add it to the file.

              Here are the results of notification test message with and without and with my CA added to the ca-root-nss.crt file.

              
              Aug 2 23:47:48  php-fpm  42511  /system_advanced_notifications.php: Message sent to xxx@yyy.com OK  
              Aug 2 23:47:06  php-fpm  11699  /system_advanced_notifications.php: Could not send the message to xxx@yyy.com -- Error: could not start TLS connection encryption protocol  
              
              
              1 Reply Last reply Reply Quote 0
              • N
                NOYB
                last edited by

                According to a kdiff comparison it appears this certificate was present in 2.3 but is absent in 2.3.2.  If that is the CA for your cert then that would likely be why it quit working.

                /usr/local/share/certs/ca-root-nss.crt

                
                Certificate:
                    Data:
                        Version: 3 (0x2)
                        Serial Number: 36 (0x24)
                    Signature Algorithm: sha1WithRSAEncryption
                        Issuer: C=FI, O=Sonera, CN=Sonera Class1 CA
                        Validity
                            Not Before: Apr  6 10:49:13 2001 GMT
                            Not After : Apr  6 10:49:13 2021 GMT
                        Subject: C=FI, O=Sonera, CN=Sonera Class1 CA
                        Subject Public Key Info:
                            Public Key Algorithm: rsaEncryption
                                Public-Key: (2048 bit)
                                Modulus:
                                    00:b5:89:1f:2b:4f:67:0a:79:ff:c5:1e:f8:7f:3c:
                                    ed:d1:7e:da:b0:cd:6d:2f:36:ac:34:c6:db:d9:64:
                                    17:08:63:30:33:22:8a:4c:ee:8e:bb:0f:0d:42:55:
                                    c9:9d:2e:a5:ef:f7:a7:8c:c3:ab:b9:97:cb:8e:ef:
                                    3f:15:67:a8:82:72:63:53:0f:41:8c:7d:10:95:24:
                                    a1:5a:a5:06:fa:92:57:9d:fa:a5:01:f2:75:e9:1f:
                                    bc:56:26:52:4e:78:19:65:58:55:03:58:c0:14:ae:
                                    8c:7c:55:5f:70:5b:77:23:06:36:97:f3:24:b5:9a:
                                    46:95:e4:df:0d:0b:05:45:e5:d1:f2:1d:82:bb:c6:
                                    13:e0:fe:aa:7a:fd:69:30:94:f3:d2:45:85:fc:f2:
                                    32:5b:32:de:e8:6c:5d:1f:cb:a4:22:74:b0:80:8e:
                                    5d:94:f7:06:00:4b:a9:d4:5e:2e:35:50:09:f3:80:
                                    97:f4:0c:17:ae:39:d8:5f:cd:33:c1:1c:ca:89:c2:
                                    22:f7:45:12:ed:5e:12:93:9d:63:ab:82:2e:b9:eb:
                                    42:41:44:cb:4a:1a:00:82:0d:9e:f9:8b:57:3e:4c:
                                    c7:17:ed:2c:8b:72:33:5f:72:7a:38:56:d5:e6:d9:
                                    ae:05:1a:1d:75:45:b1:cb:a5:25:1c:12:57:36:fd:
                                    22:37
                                Exponent: 65537 (0x10001)
                        X509v3 extensions:
                            X509v3 Basic Constraints: critical
                                CA:TRUE
                            X509v3 Subject Key Identifier: 
                                47:E2:0C:8B:F6:53:88:52
                            X509v3 Key Usage: 
                                Certificate Sign, CRL Sign
                    Signature Algorithm: sha1WithRSAEncryption
                         8b:1a:b2:c9:5d:61:b4:e1:b9:2b:b9:53:d1:b2:85:9d:77:8e:
                         16:ee:11:3d:db:c2:63:d9:5b:97:65:fb:12:67:d8:2a:5c:b6:
                         ab:e5:5e:c3:b7:16:2f:c8:e8:ab:1d:8a:fd:ab:1a:7c:d5:5f:
                         63:cf:dc:b0:dd:77:b9:a8:e6:d2:22:38:87:07:14:d9:ff:be:
                         56:b5:fd:07:0e:3c:55:ca:16:cc:a7:a6:77:37:fb:db:5c:1f:
                         4e:59:06:87:a3:03:43:f5:16:ab:b7:84:bd:4e:ef:9f:31:37:
                         f0:46:f1:40:b6:d1:0c:a5:64:f8:63:5e:21:db:55:4e:4f:31:
                         76:9c:10:61:8e:b6:53:3a:a3:11:be:af:6d:7c:1e:bd:ae:2d:
                         e2:0c:69:c7:85:53:68:a2:61:ba:c5:3e:b4:79:54:78:9e:0a:
                         c7:02:be:62:d1:11:82:4b:65:2f:91:5a:c2:a8:87:b1:56:68:
                         94:79:f9:25:f7:c1:d5:ae:1a:b8:bb:3d:8f:a9:8a:38:15:f7:
                         73:d0:5a:60:d1:80:b0:f0:dc:d5:50:cd:4e:ee:92:48:69:ed:
                         b2:23:1e:30:cc:c8:94:c8:b6:f5:3b:86:7f:3f:a6:2e:9f:f6:
                         3e:2c:b5:92:96:3e:df:2c:93:8a:ff:81:8c:0f:0f:59:21:19:
                         57:bd:55:9a
                SHA1 Fingerprint=07:47:22:01:99:CE:74:B9:7C:B0:3D:79:B2:64:A2:C8:55:E9:33:FF
                -----BEGIN CERTIFICATE-----
                MIIDIDCCAgigAwIBAgIBJDANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGSTEP
                MA0GA1UEChMGU29uZXJhMRkwFwYDVQQDExBTb25lcmEgQ2xhc3MxIENBMB4XDTAx
                MDQwNjEwNDkxM1oXDTIxMDQwNjEwNDkxM1owOTELMAkGA1UEBhMCRkkxDzANBgNV
                BAoTBlNvbmVyYTEZMBcGA1UEAxMQU29uZXJhIENsYXNzMSBDQTCCASIwDQYJKoZI
                hvcNAQEBBQADggEPADCCAQoCggEBALWJHytPZwp5/8Ue+H887dF+2rDNbS82rDTG
                29lkFwhjMDMiikzujrsPDUJVyZ0upe/3p4zDq7mXy47vPxVnqIJyY1MPQYx9EJUk
                oVqlBvqSV536pQHydekfvFYmUk54GWVYVQNYwBSujHxVX3BbdyMGNpfzJLWaRpXk
                3w0LBUXl0fIdgrvGE+D+qnr9aTCU89JFhfzyMlsy3uhsXR/LpCJ0sICOXZT3BgBL
                qdReLjVQCfOAl/QMF6452F/NM8EcyonCIvdFEu1eEpOdY6uCLrnrQkFEy0oaAIIN
                nvmLVz5MxxftLItyM19yejhW1ebZrgUaHXVFsculJRwSVzb9IjcCAwEAAaMzMDEw
                DwYDVR0TAQH/BAUwAwEB/zARBgNVHQ4ECgQIR+IMi/ZTiFIwCwYDVR0PBAQDAgEG
                MA0GCSqGSIb3DQEBBQUAA4IBAQCLGrLJXWG04bkruVPRsoWdd44W7hE928Jj2VuX
                ZfsSZ9gqXLar5V7DtxYvyOirHYr9qxp81V9jz9yw3Xe5qObSIjiHBxTZ/75Wtf0H
                DjxVyhbMp6Z3N/vbXB9OWQaHowND9Rart4S9Tu+fMTfwRvFAttEMpWT4Y14h21VO
                TzF2nBBhjrZTOqMRvq9tfB69ri3iDGnHhVNoomG6xT60eVR4ngrHAr5i0RGCS2Uv
                kVrCqIexVmiUefkl98HVrhq4uz2PqYo4Ffdz0Fpg0YCw8NzVUM1O7pJIae2yIx4w
                zMiUyLb1O4Z/P6Yun/Y+LLWSlj7fLJOK/4GMDw9ZIRlXvVWa
                -----END CERTIFICATE-----
                
                
                1 Reply Last reply Reply Quote 0
                • ghostshellG
                  ghostshell
                  last edited by

                  Great! Thank you all for your help! I will add the CA for the current cert from the mailserver and post if the issue is resolved.

                  @NOYB - another thing I noticed that the standard web interface cert is shown as OK in firefox while chrome throws the caution error, any way to correct this as I have not had any luck getting a cert for just the IP anymore, used to but have not be able to recently. Alt would be to use the domain name, but I find the IP more reliable.

                  1 Reply Last reply Reply Quote 0
                  • dennypageD
                    dennypage
                    last edited by

                    @NOYB:

                    Yes, I just added it below all the other CA's and incremented the number of certificates.

                    Mine is a self signed, so I have to added it.  I wish PHP curl could use it from the one that is in config (System / Certificate Manager / CAs) so it would survive upgrades and I wouldn't have to remember to add it to the file.

                    Here are the results of notification test message without and with my CA added to the ca-root-nss.crt file.

                    
                    Aug 2 23:47:48  php-fpm  42511  /system_advanced_notifications.php: Message sent to xxx@yyy.com OK  
                    Aug 2 23:47:06  php-fpm  11699  /system_advanced_notifications.php: Could not send the message to xxx@yyy.com -- Error: could not start TLS connection encryption protocol  
                    
                    

                    Thanks NOYB, this was very useful information for me.

                    1 Reply Last reply Reply Quote 0
                    • N
                      NOYB
                      last edited by

                      @ghostshell:

                      @NOYB - another thing I noticed that the standard web interface cert is shown as OK in firefox while chrome throws the caution error, any way to correct this as I have not had any luck getting a cert for just the IP anymore, used to but have not be able to recently. Alt would be to use the domain name, but I find the IP more reliable.

                      I imported my own self-signed cert and the CA for it  (System / Certificate Manager / …).  Then configured Admin Access to use that cert for SSL and installed the CA in my browsers trusted roots.

                      1 Reply Last reply Reply Quote 0
                      • dennypageD
                        dennypage
                        last edited by

                        I filed a ticket for this issue:

                        https://redmine.pfsense.org/issues/6687

                        1 Reply Last reply Reply Quote 0
                        • N
                          NOYB
                          last edited by

                          @dennypage:

                          I filed a ticket for this issue:

                          https://redmine.pfsense.org/issues/6687

                          Thank you.  Sure hope someone can fix that.  Sure would be a big help.

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.