arcage/crystal-email

SSL routines:ssl3_get_server_certificate:certificate verify failed(OpenSSL::SSL::Error)

Closed this issue · 3 comments

I am trying to use it to send emails through smtp.gmail.com, but it does not work for me:

```crystal
require "email"
EMail.send("smtp.gmail.com", 587,
  use_tls: true,
  auth: {"username@gmail.com", "password"}) do
  subject "Subject of the mail"
  from "username@gmail.com"
  to "username@gmail.com"
  message <<-EOM
   test email from crystal
   EOM
end
```

And I got some SSL error:

```
2018/02/16 13:39:39 [crystal-email/20129] INFO [EMail_Client] Start TCP session to smtp.gmail.com:587
2018/02/16 13:39:40 [crystal-email/20129] FATAL [EMail_Client] SSL_connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed(OpenSSL::SSL::Error)
2018/02/16 13:39:40 [crystal-email/20129] INFO [EMail_Client] Close session to smtp.gmail.com:587
```

My testing platform is macOS 10 with Crystal 0.24.1 and openssl LibreSSL 2.2.7. I also tested it on CentOS 7 with Crystal 0.24.1 and OpenSSL 1.0.2k-fips and got the same error.
Could anyone help me solve this problem?

I tried on the following environment:

  • macOS 10.13.3
  • LibreSSL 2.2.7
  • Crystal 0.24.1 (2018-01-27) / LLVM: 5.0.1

I could connect to smtp.gmail.com normally.

```
2018/02/22 09:51:35 [crystal-email/1953] INFO [EMail_Client] Start TCP session to smtp.gmail.com:587
2018/02/22 09:51:36 [crystal-email/1953] INFO [EMail_Client] Start TLS session
2018/02/22 09:51:37 [crystal-email/1953] INFO [EMail_Client] Authentication success with _*_*_*_*_ / ********
2018/02/22 09:51:39 [crystal-email/1953] INFO [EMail_Client] Successfully sent a message from <_*_*_*_*_> to 2 recipient(s)
2018/02/22 09:51:39 [crystal-email/1953] INFO [EMail_Client] Close session to smtp.gmail.com:587
```

From the error message, it seems to have failed on server certificate validation for some reason.

Sorry, I don't know what that reason is.
I think the root of this error is not Crystal, but LibreSSL.

It might be:

  • your system doesn't have a valid CA certificate for Gmail.
  • your CA certificate is expired.
  • the server certificate was replaced by a firewall or IPS for SSL inspection.
  • or anything else.
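
A way to check the first two causes in the list above without touching the network, as an added example that is not part of the original thread or of crystal-email: it reports where the local OpenSSL build looks for CA certificates and flags roots outside their validity window. The function names and the `SAMPLE` entries are constructed for illustration, and the audit covers the OpenSSL that Python is linked against, which may differ from the library Crystal links.

```python
import ssl
import time


def name_of(cert):
    """Pick a readable label from a get_ca_certs() entry's subject RDNs."""
    subject = {key: value for rdn in cert.get("subject", ()) for key, value in rdn}
    return subject.get("commonName") or subject.get("organizationName") or "<unnamed>"


def outside_validity(certs, now=None):
    """Return (name, reason) for every CA whose validity window excludes `now`."""
    now = time.time() if now is None else now
    bad = []
    for cert in certs:
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            bad.append((name_of(cert), "expired " + cert["notAfter"]))
        elif ssl.cert_time_to_seconds(cert["notBefore"]) > now:
            bad.append((name_of(cert), "not valid until " + cert["notBefore"]))
    return bad


def audit_trust_store(now=None):
    """Summarise the default CA locations and the roots loaded from them."""
    paths = ssl.get_default_verify_paths()
    ctx = ssl.create_default_context()  # loads the platform default CA locations
    certs = ctx.get_ca_certs()          # capath entries load lazily and are not listed
    return {
        "cafile": paths.cafile,         # None means no bundle file was found
        "capath": paths.capath,         # None means no hashed CA directory was found
        "loaded_roots": len(certs),
        "outside_validity": outside_validity(certs, now),
    }


# Constructed entries in the shape get_ca_certs() returns (not real CAs).
SAMPLE = [
    {"subject": ((("commonName", "Example Root CA"),),),
     "notBefore": "Jan 15 00:00:00 2010 GMT", "notAfter": "Jan 15 00:00:00 2030 GMT"},
    {"subject": ((("commonName", "Example Expired Root"),),),
     "notBefore": "Jan 15 00:00:00 2005 GMT", "notAfter": "Jan 15 00:00:00 2015 GMT"},
]

if __name__ == "__main__":
    for key, value in audit_trust_store().items():
        print(f"{key}: {value}")
```

If `cafile` and `capath` are both `None`, no certificate can verify on that machine. The SSL-inspection cause cannot be checked this way, because it depends on the chain the network actually serves.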

I found a commit that seems related to this issue:
crystal-lang/crystal@558a32a

Not sure if it is released or not. Since my Crystal was Crystal 0.24.1 (2017-12-26) on macOS 10.13.1, I went ahead and upgraded my Crystal to 0.24.1 (2018-01-27) with Homebrew. But I still got the same error.

I think the issue should be either in Crystal or OpenSSL, instead of this email package, so I closed the issue here.

If anyone comes here for help, this is solved by #37