error enabling StartTLS: x509: certificate is valid for 127.0.0.1, not <ip/hostname>
camps7ee opened this issue · 4 comments
Whenever I'm trying to connect an external service through protonmail-bridge smtp, this seems to be what's generated.
If I change the starttls value of whatever service I'm connecting, the error message changes to "error authenticating: unencrypted connection".
I've tried setting the connection to ExplicitTLS and the same error message remains, and if I change it to ImplicitTLS I get
error getting SMTP client: error connecting to server: tls: first record does not look like a TLS handshake
I also tried confirming the smtp connectivity in combination with Plain Auth and this is what I got:
454 4.7.0 Invalid response
I'm suspecting that STARTTLS and Plain Auth don't play nicely together? If this is the case, is there any workaround?
Also been running into this issue and I am going to see if I can figure out how to pass a docker env variable through to the container so we can generate a cert with the correct common name / IP address. I am trying to use this as a LAN-only email notification service and I am finding that a lot of services do not support disabling certificate verification.
Has anyone been able to figure this out?
I was able to work around this part of my issue by generating a certificate, and then using import-tls-cert.
openssl req -x509 -newkey rsa:4096 -keyout /tmp/protoncerts/key.pem -out /tmp/protoncerts/cert.pem -sha256 -days 3650 -nodes -subj "/CN=protonmail-bridge"
docker run --rm -it -v /tmp/protoncerts:/root shenxn/protonmail-bridge init
import-tls-cert
# enter /root/cert.pem and /root/key.pem
Note the "/CN=protonmail-bridge" when generating the cert. You want that to be the hostname you're using.
Addendum: I got this working with linuxserver/swag generated certs (using ZeroSSL, but presumably works with LetsEncrypt).
Use -v ./my_swag_volume/etc/letsencrypt:/certs, then use /certs/live/<my_domain>/fullchain.pem and /certs/live/<my_domain>/key.pem. Note, use fullchain.pem not cert.pem or you will get the same untrusted cert authority error.
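Added example, not part of the thread or of the bridge project: the "x509: certificate is valid for 127.0.0.1, not ..." text in the title is the message Go's crypto/x509 hostname check produces, and that check matches only subjectAltName entries, never the CommonName. The program below issues throwaway self-signed certificates and runs the same check; the hostname `protonmail-bridge` as a LAN name, the address `192.0.2.10`, and the function names `hostnameErr` and `check` are assumptions made up for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // setup failure (key generation, encoding), not the point here
	}
}

// hostnameErr self-signs a certificate (CommonName cn, one SAN per entry in sans)
// and returns what a Go client's hostname check reports for host (nil = accepted).
func hostnameErr(host, cn string, sans ...string) error {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	for _, s := range sans {
		if ip := net.ParseIP(s); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip) // IP SAN
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, s) // DNS SAN
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert.VerifyHostname(host) // name check only; trust in the issuer is separate
}

func main() {
	host, ip := "protonmail-bridge", "192.0.2.10" // constructed LAN name and address
	fmt.Println(hostnameErr(ip, "127.0.0.1", "127.0.0.1")) // certificate for loopback only
	fmt.Println(hostnameErr(host, host))                   // CN only, no SAN
	fmt.Println(hostnameErr(host, host, host, ip), hostnameErr(ip, host, host, ip))
}
```

With OpenSSL 1.1.1 or later, SAN entries can be added to an `openssl req -x509` command with `-addext "subjectAltName=DNS:protonmail-bridge,IP:192.0.2.10"` (constructed values).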