GitLab and SSLError when sending mails

There was a GitLab (10.4) and everything was fine, but one day mails stopped coming. I opened the console (sudo gitlab-ctl tail) and found the sore spot: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed. Without thinking for long, I ran to the admins.

They changed the certificate on the server to GlobalSign. OK, I went into the Ruby console and checked the configuration (the commands were taken from here):

# sudo gitlab-rails console production
irb(main):002:0> ActionMailer::Base.smtp_settings
=> {:authentication => :login, :address => "X.X.ru", :port => 587, :user_name => "X@X.ru", :password => "XXX", :domain => "X.X.ru", :enable_starttls_auto => true, :openssl_verify_mode => "peer", :ca_file => "/opt/gitlab/embedded/ssl/certs/cacert.pem"}

It looks good. The admin gave me an updated cacert.pem file and I replaced the old one. Of course, I did not forget to run sudo gitlab-ctl reconfigure.
Then I tried a test send:

# sudo gitlab-rails console production
irb(main):002:0> Notify.test_email('youremail@email.com', 'Hello World', 'This is a test message').deliver_now
=> OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed ...

Unclear. Okay, I got here and decided to test the certificate:

# /opt/gitlab/embedded/bin/openssl x509 -in /opt/gitlab/embedded/ssl/certs/cacert.pem -text -noout

No, it's okay, it was read successfully.
To hell with it: I put gitlab_rails['smtp_openssl_verify_mode'] = 'none' in /etc/gitlab/gitlab.rb and reran sudo gitlab-ctl reconfigure. And the test mail was sent! As it turned out, I was happy too early. All other mails still hit the error. For some reason, this configuration worked only for the test send?
Then the admin suggested simply restarting the server, and I found that Ubuntu really wanted it:

Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-83-generic x86_64)

83 packages can be updated.
1 updates are security updates.

*** System restart required ***

I looked at who wanted the reboot:

# more /var/run/reboot-required.pkgs
ssl1.0.0

That looks like our guy! Legs in hand: sudo reboot, and the mails learned to fly again like before!
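
A note on the openssl x509 check used earlier in the post: it only shows that the first certificate in cacert.pem parses, not that the mail server's chain verifies against that file, which is what openssl_verify_mode "peer" requires. The following is an added example, not part of the original post; the CAs, the host name mail.example.test and all function names are constructed for illustration.

```ruby
require 'openssl'

# Constructed test material: a certificate for CN=cn, self-signed when no issuer is given.
def make_cert(cn, key, issuer = nil, issuer_key = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..1_000_000)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', issuer ? 'CA:FALSE' : 'CA:TRUE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# What `openssl x509 -in FILE -text -noout` effectively tests: the first PEM block parses.
def first_cert_parses?(bundle_pem)
  OpenSSL::X509::Certificate.new(bundle_pem)
  true
rescue OpenSSL::X509::CertificateError
  false
end

# The chain part of "peer" verification: does the server cert chain to a root in the bundle?
def chain_verifies(bundle_pem, server_cert)
  store = OpenSSL::X509::Store.new
  bundle_pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
            .each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  [store.verify(server_cert), store.error_string]
end

def demo
  old_key, new_key, srv_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  old_ca = make_cert('Constructed Old CA', old_key)
  new_ca = make_cert('Constructed New CA', new_key)
  server = make_cert('mail.example.test', srv_key, new_ca, new_key) # issued by the new CA
  stale = old_ca.to_pem                  # bundle that predates the CA change
  fresh = old_ca.to_pem + new_ca.to_pem  # bundle that includes the new root
  { stale_parses: first_cert_parses?(stale),
    stale: chain_verifies(stale, server),
    fresh: chain_verifies(fresh, server) }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The stale bundle passes the parse check and still fails chain verification, so a clean openssl x509 run does not rule out a trust-store problem.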
