#34524 closed Bug (duplicate)
Error while sending TLS smtp email on "self-signed certificate" server
| Reported by: | Buky | Owned by: | nobody |
|---|---|---|---|
| Component: | Core (Mail) | Version: | 4.2 |
| Severity: | Normal | Keywords: | ssl |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
The issue appears in Django 4.2 (tested with Python 3.11 and Python 3.9).
Correctly works with previous versions of Django: 3.2 and 4.1
Context: I use locally use the protonmail-bridge solution that locally bind an IMAP and SMTP ports with STARTTLS. Then, I use in my project config the EmailBackend to connect to the solution and send emails.
Here is the traceback, when I try to send emails with Django 4.2:
Traceback (most recent call last):
File "/home/user/my-project/manage.py", line 15, in <module>
execute_from_command_line(sys.argv)
File "/home/user/.virtualenvs/env/lib/python3.11/site-packages/django/core/management/__init__.py", line 442, in execute_from_command_line
utility.execute()
File "/home/user/.virtualenvs/env/lib/python3.11/site-packages/django/core/management/__init__.py", line 436, in execute
self.fetch_command(subcommand).run_from_argv(self.argv)
File "/home/user/.virtualenvs/env/lib/python3.11/site-packages/django/core/management/base.py", line 412, in run_from_argv
self.execute(*args, **cmd_options)
File "/home/user/.virtualenvs/env/lib/python3.11/site-packages/django/core/management/base.py", line 458, in execute
output = self.handle(*args, **options)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/user/my-project/my-app/management/commands/send-mail.py", line 62, in handle
send_mail(f"[My subject] {options['subject']}",
File "/home/user/.virtualenvs/env/lib/python3.11/site-packages/django/core/mail/__init__.py", line 87, in send_mail
return mail.send()
^^^^^^^^^^^
File "/home/user/.virtualenvs/env/lib/python3.11/site-packages/django/core/mail/message.py", line 298, in send
return self.get_connection(fail_silently).send_messages([self])
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/user/.virtualenvs/env/lib/python3.11/site-packages/django/core/mail/backends/smtp.py", line 127, in send_messages
new_conn_created = self.open()
^^^^^^^^^^^
File "/home/user/.virtualenvs/env/lib/python3.11/site-packages/django/core/mail/backends/smtp.py", line 92, in open
self.connection.starttls(context=self.ssl_context)
File "/usr/lib/python3.11/smtplib.py", line 790, in starttls
self.sock = context.wrap_socket(self.sock,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/ssl.py", line 517, in wrap_socket
return self.sslsocket_class._create(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/ssl.py", line 1075, in _create
self.do_handshake()
File "/usr/lib/python3.11/ssl.py", line 1346, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:992)
I found another ticket recently created ticket related to SSL issue, but the issue doesn't exactly the same and the issue doesn't precisely mention when the patch will be merged: [4.2.x] Fixed.
I have tried to export the TLS certificate and key of the solution and add them in my settings.py like:
EMAIL_SSL_CERTFILE="/tmp/cert.pem" EMAIL_SSL_KEYFILE="/tmp/key.pem"
And to put them in the trust store of the system:
cp /tmp/cert.pem /usr/local/share/ca-certificates/protonmail-bridge.crt cp /tmp/key.pem /etc/ssl/private/protonmail-bridge.key update-ca-certificates
But both tests didn't work.
I suppose ssl lib need an extra argument to allow SSL context with self-signed certificate.
Change History (6)
comment:1 by , 19 months ago
| Description: | modified (diff) |
|---|
comment:2 by , 19 months ago
| Description: | modified (diff) |
|---|
comment:3 by , 19 months ago
| Resolution: | → duplicate |
|---|---|
| Status: | new → closed |
comment:4 by , 19 months ago
Hello Mariusz and thank for the quick reply,
I looked at the patch note of the version 4.2.1 but I didn't see any mention of backward incompatibility for SSL.
So, it's a good idea to add it. Thank for the quick PR.
Could I recommend an example in the Django documentation for creating a proper subclass EmailBackend and dealing with ssl_context?
Because the documentation is quite poor on this topic.
follow-up: 6 comment:5 by , 18 months ago
I have the same error as yours. Have your figured out the solution instead of subclass EmailBackend?
comment:6 by , 18 months ago
Just figure it out without defining certfile and keyfile:
- Add the cert to trusted root CA
- Use the hostname as EMAIL_HOST instead of IP
Replying to aliceni81:
I have the same error as yours. Have your figured out the solution instead of subclass EmailBackend?
#34386 will be released in Django 4.2.1.
This is a duplicate of #34504. You can subclass
EmailBackendand overridessl_contextto avoid host verification (but I would advise against it.)