#34524 closed Bug (duplicate)
Error while sending TLS smtp email on "self-signed certificate" server
Reported by: | Buky | Owned by: | nobody |
---|---|---|---|
Component: | Core (Mail) | Version: | 4.2 |
Severity: | Normal | Keywords: | ssl |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
The issue appears in Django 4.2 (tested with Python 3.11 and Python 3.9).
Correctly works with previous versions of Django: 3.2 and 4.1
Context: I use locally use the protonmail-bridge solution that locally bind an IMAP
and SMTP
ports with STARTTLS
. Then, I use in my project config the EmailBackend to connect to the solution and send emails.
Here is the traceback, when I try to send emails with Django 4.2:
Traceback (most recent call last): File "/home/user/my-project/manage.py", line 15, in <module> execute_from_command_line(sys.argv) File "/home/user/.virtualenvs/env/lib/python3.11/site-packages/django/core/management/__init__.py", line 442, in execute_from_command_line utility.execute() File "/home/user/.virtualenvs/env/lib/python3.11/site-packages/django/core/management/__init__.py", line 436, in execute self.fetch_command(subcommand).run_from_argv(self.argv) File "/home/user/.virtualenvs/env/lib/python3.11/site-packages/django/core/management/base.py", line 412, in run_from_argv self.execute(*args, **cmd_options) File "/home/user/.virtualenvs/env/lib/python3.11/site-packages/django/core/management/base.py", line 458, in execute output = self.handle(*args, **options) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/user/my-project/my-app/management/commands/send-mail.py", line 62, in handle send_mail(f"[My subject] {options['subject']}", File "/home/user/.virtualenvs/env/lib/python3.11/site-packages/django/core/mail/__init__.py", line 87, in send_mail return mail.send() ^^^^^^^^^^^ File "/home/user/.virtualenvs/env/lib/python3.11/site-packages/django/core/mail/message.py", line 298, in send return self.get_connection(fail_silently).send_messages([self]) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/user/.virtualenvs/env/lib/python3.11/site-packages/django/core/mail/backends/smtp.py", line 127, in send_messages new_conn_created = self.open() ^^^^^^^^^^^ File "/home/user/.virtualenvs/env/lib/python3.11/site-packages/django/core/mail/backends/smtp.py", line 92, in open self.connection.starttls(context=self.ssl_context) File "/usr/lib/python3.11/smtplib.py", line 790, in starttls self.sock = context.wrap_socket(self.sock, ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3.11/ssl.py", line 517, in wrap_socket return self.sslsocket_class._create( ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3.11/ssl.py", line 1075, in _create self.do_handshake() File "/usr/lib/python3.11/ssl.py", line 1346, in do_handshake self._sslobj.do_handshake() ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:992)
I found another ticket recently created ticket related to SSL issue, but the issue doesn't exactly the same and the issue doesn't precisely mention when the patch will be merged: [4.2.x] Fixed
.
I have tried to export the TLS certificate and key of the solution and add them in my settings.py
like:
EMAIL_SSL_CERTFILE="/tmp/cert.pem" EMAIL_SSL_KEYFILE="/tmp/key.pem"
And to put them in the trust store of the system:
cp /tmp/cert.pem /usr/local/share/ca-certificates/protonmail-bridge.crt cp /tmp/key.pem /etc/ssl/private/protonmail-bridge.key update-ca-certificates
But both tests didn't work.
I suppose ssl lib need an extra argument to allow SSL context with self-signed certificate.
Change History (6)
comment:1 by , 20 months ago
Description: | modified (diff) |
---|
comment:2 by , 20 months ago
Description: | modified (diff) |
---|
comment:3 by , 20 months ago
Resolution: | → duplicate |
---|---|
Status: | new → closed |
comment:4 by , 20 months ago
Hello Mariusz and thank for the quick reply,
I looked at the patch note of the version 4.2.1 but I didn't see any mention of backward incompatibility for SSL.
So, it's a good idea to add it. Thank for the quick PR.
Could I recommend an example in the Django documentation for creating a proper subclass EmailBackend
and dealing with ssl_context
?
Because the documentation is quite poor on this topic.
follow-up: 6 comment:5 by , 19 months ago
I have the same error as yours. Have your figured out the solution instead of subclass EmailBackend?
comment:6 by , 19 months ago
Just figure it out without defining certfile and keyfile:
- Add the cert to trusted root CA
- Use the hostname as EMAIL_HOST instead of IP
Replying to aliceni81:
I have the same error as yours. Have your figured out the solution instead of subclass EmailBackend?
#34386 will be released in Django 4.2.1.
This is a duplicate of #34504. You can subclass
EmailBackend
and overridessl_context
to avoid host verification (but I would advise against it.)