SSL error when sending mail via SMTP

Hello everybody,

I have configured SMTP for my GitLab instance, however the e-mail delivery fails. Here is the output of troubleshooting via the Rails console:

➜  ~ gitlab-rails console
 Ruby:         ruby 3.0.6p216 (2023-03-30 revision 23a532679b) [x86_64-linux]
 GitLab:       16.0.1 (34d6370bacd) FOSS
 GitLab Shell: 14.20.0
 PostgreSQL:   13.8
------------------------------------------------------------[ booted in 45.67s ]
Loading production environment (Rails
irb(main):001:0> ActionMailer::Base.smtp_settings
=> {:user_name=>nil, :password=>nil, :address=>"[MASKED]", :port=>25, :ca_file=>"/opt/gitlab/embedded/ssl/certs/cacert.pem", :open_timeout=>30, :read_timeout=>60}
irb(main):002:0> Notify.test_email('[MASKED]', 'Hello World', 'This is a test message').deliver_now
Delivered mail 6475a8dc55a0a_177adb3174907fb@zhm-lm00.mail (85.7ms)
/opt/gitlab/embedded/lib/ruby/gems/3.0.0/gems/net-protocol-0.1.3/lib/net/protocol.rb:46:in `connect_nonblock': SSL_connect returned=1 errno=0 peeraddr= state=error: certificate verify failed (self signed certificate in certificate chain) (OpenSSL::SSL::SSLError)

As you can see, no TLS has been configured for SMTP, which is why I am confused about the error. Does anybody know how to troubleshoot this further?

The error shows that you are using self-signed certificates. I’m guessing you configured gitlab.rb similar to the example config below?

# gitlab_rails['smtp_enable'] = true
# gitlab_rails['smtp_address'] = "smtp.server"
# gitlab_rails['smtp_port'] = 465
# gitlab_rails['smtp_user_name'] = "smtp user"
# gitlab_rails['smtp_password'] = "smtp password"
# gitlab_rails['smtp_domain'] = ""
# gitlab_rails['smtp_authentication'] = "login"
# gitlab_rails['smtp_enable_starttls_auto'] = true
# gitlab_rails['smtp_tls'] = false
# gitlab_rails['smtp_pool'] = false

If so, then what you need to do is also disable certificate verification because self-signed certs are unable to be verified:

# gitlab_rails['smtp_openssl_verify_mode'] = 'none'

Uncomment that option and run reconfigure for GitLab after this. Then check it again and it should work. Alternatively, on your email server use trusted commercial certificates that you purchase.
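Added example, not part of the original posts and not GitLab code: it reproduces the "self signed certificate in certificate chain" failure from the log with Ruby's OpenSSL bindings and shows that verification passes once the issuing private root is in the client's CA file (the `:ca_file` seen in the `smtp_settings` output), so certificate verification can stay enabled instead of being set to 'none'. The PKI is constructed for the example and all names in it are hypothetical.

```ruby
require 'openssl'

# Build a certificate for a constructed sample PKI (all names are hypothetical).
def make_cert(cn, key, issuer_cert, issuer_key, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verify the server's leaf certificate the way a TLS client does:
# presented_chain is what the server sends, trusted_cas is the client's CA file.
# Returns [verified?, OpenSSL error code].
def verify_chain(leaf, presented_chain, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca| store.add_cert(ca) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, presented_chain)
  [ctx.verify, ctx.error]
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
ROOT = make_cert('Example Private Root CA', CA_KEY, nil, CA_KEY, ca: true)
LEAF = make_cert('smtp.example.internal', LEAF_KEY, ROOT, CA_KEY, ca: false)

# 1. Private root not in the client's CA file: the failure from the log above.
p verify_chain(LEAF, [ROOT], [])
# 2. Private root added to the CA file: verification passes with checks still on.
p verify_chain(LEAF, [ROOT], [ROOT])
```
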

Amazing! It works like a charm!

However, I still don’t understand: did the default behavior change? My configuration used to work for months.

Also, my assumption was that commented-out lines show the default configuration but it turned out not to be the case.

Yeah, it seems not all the options are treated like defaults. One or two other options I use (not related to email) needed to be uncommented before they worked as they should.