
Could not send email: Could not convert socket to TLS


  • Could not send email: Could not convert socket to TLS

    I'm running on CentOS and everything is up to date according to the updater (ubersvn core = 12.03.9420-2)

    I get this error on the logs:
    ERROR (?) - Could not send email: Could not convert socket to TLS

    My settings are:

    SSL Off
    SMTP Auth On
    Username <set>
    Password <set>

    This configuration worked fine and was not updated or modified in any way for the past 3 months.

    I see this on my mailserver logs when I click on test on the mail server configuration page:

    Mar 28 13:04:52 server sendmail[20388]: STARTTLS=server, error: accept failed=0, SSL_error=1, timedout=0, errno=0
    Mar 28 13:04:52 server sendmail[20388]: STARTTLS=server: 20388:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1052:SSL alert number 46
    Mar 28 13:04:52 server sendmail[20388]: q2SJ4q4h020388: xx.xx.xx.xx [nn.nn.nn.nn] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

    Any ideas to help debug this problem?

    Is there a way to force it not to use TLS to see if that works?

    Thanks!

  • #2
    Before this update, uberSVN did not use encryption even if the mail server advertised itself as supporting TLS. (Your server is advertising TLS encryption by use of the STARTTLS keyword.)

    After the update, if the mail server advertises itself as supporting TLS, uberSVN tries to upgrade the socket from unencrypted to TLS encrypted, which is what is happening here.

    A Could not convert socket to TLS error may happen if the mail server's certificate is invalid; the most probable cause is that the certificate is self-signed or has expired.

    So you have a few options, in order of most to least preferred:

    1 Configure your mail server with a real certificate.
    2 If your certificate is self-signed, add that to a trust store and configure uberSVN to use the trust store. (I can show you how to do this.)
    3 Disable TLS advertisement on your mail server and go back to unencrypted communications.



    • #3
      Originally posted by mbooth:
      Before this update, uberSVN did not use encryption even if the mail server advertised itself as supporting TLS. (Your server is advertising TLS encryption by use of the STARTTLS keyword.)

      After the update, if the mail server advertises itself as supporting TLS, uberSVN tries to upgrade the socket from unencrypted to TLS encrypted, which is what is happening here.

      A Could not convert socket to TLS error may happen if the mail server's certificate is invalid; the most probable cause is that the certificate is self-signed or has expired.

      So you have a few options, in order of most to least preferred:

      1 Configure your mail server with a real certificate.
      2 If your certificate is self-signed, add that to a trust store and configure uberSVN to use the trust store. (I can show you how to do this.)
      3 Disable TLS advertisement on your mail server and go back to unencrypted communications.

      In the environment I'm currently working in, a real certificate is not an option for this mail server. I'll have to go with option #2, which is to trust that self-signed certificate.

      Can you please show me how to do that?

      Thanks!



      • #4
        Sure.

        You need to download the server's certificate or get the admin to send you a copy of it, whichever is easier, then create a keystore:

        Code:
        $ /opt/ubersvn/jre/bin/keytool -importcert -alias MailServer -file MailServer.crt -keystore /opt/ubersvn/conf/uber_keystore

        Then add -Djavax.net.ssl.trustStore=/opt/ubersvn/conf/uber_keystore to the JAVA_OPTS variable in the /opt/ubersvn/bin/ubersvncontrol file and restart.

        Sorry this isn't easier, in the future it will be possible to configure this from the web interface.

        Comment
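The procedure from post #4, with the checks worth running before a certificate goes into the trust store, as an added example that is not part of the original thread or of uberSVN's own tooling. It reports the file encoding and the two failure causes named in post #2, and prints a fingerprint to confirm with the mail admin; the host name `mail.example.test`, the `changeit` store password and the function names are assumptions, while the keytool and keystore paths are the ones given in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): vet a mail server certificate, then import it.
# Assumptions: openssl is installed; host, port and store password are placeholders.

KEYTOOL=/opt/ubersvn/jre/bin/keytool            # path from the thread
TRUSTSTORE=/opt/ubersvn/conf/uber_keystore      # path from the thread

# Save the leaf certificate the server presents after STARTTLS (needs network).
fetch_smtp_cert() {   # fetch_smtp_cert mail.example.test 25 > MailServer.crt
    openssl s_client -starttls smtp -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# PEM or DER? keytool -importcert reads both, so a .cer file imports like a .crt.
cert_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then echo PEM
    elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then echo DER
    else echo unknown; return 1
    fi
}

# Report the two causes named in the thread: self-signed and expired.
cert_status() {
    fmt=$(cert_format "$1") || { echo unreadable; return 1; }
    status=""
    # Equal subject and issuer hashes mean the certificate is self-issued.
    if [ "$(openssl x509 -in "$1" -inform "$fmt" -noout -subject_hash)" = \
         "$(openssl x509 -in "$1" -inform "$fmt" -noout -issuer_hash)" ]; then
        status="self-signed"
    fi
    # -checkend 0 exits non-zero when notAfter is already in the past.
    openssl x509 -in "$1" -inform "$fmt" -noout -checkend 0 >/dev/null ||
        status="${status:+$status,}expired"
    echo "${status:-ca-issued}"
}

# SHA-256 fingerprint to compare with the mail admin over a separate channel;
# a certificate fetched over the network is unauthenticated until this matches.
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$(cert_format "$1")" -noout -fingerprint -sha256 |
        cut -d= -f2
}

# Import only after the fingerprint has been confirmed, then list the entry.
import_cert() {   # import_cert MailServer.crt
    "$KEYTOOL" -importcert -alias MailServer -file "$1" \
        -keystore "$TRUSTSTORE" -storepass changeit -noprompt &&
    "$KEYTOOL" -list -alias MailServer -keystore "$TRUSTSTORE" -storepass changeit
}
```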


        • #5
          After getting the correct certificate and following your instructions everything worked correctly.

          Thanks!



          • #6
            Glad you got it working. Thanks for trying the beta



            • #7
              Hi,

              I have the same problem as emartinez. For approximately 2 weeks our UberSVN server has not been able to send mail ("Could not send email: Could not convert socket to TLS"). The setup was never changed and had always worked well.

              I tried to reproduce the steps from the post of 03-29-2012, 06:12 PM in this thread, but I have some trouble.
              -) I have only a *.cer file from the email server (from the admin) and not a *.crt like in the sample above => is that a problem?
              -) I cannot find the /opt/ubersvn/bin/ubersvncontrol file to add -Djavax.net.ssl.trustStore=/opt/ubersvn/conf/uber_keystore to the JAVA_OPTS variable

              My UberSVN-system:
              OS: Win 2008 R2 Server x64
              UberSVN-Version:12.4-9777 - SVN 1.7

              So can anybody help me?

              Thanks in advance
              Greetings
              Mike



              • #8
                Originally posted by mbooth:
                Sure.

                You need to download the server's certificate or get the admin to send you a copy of it, whichever is easier, then create a keystore:

                Code:
                $ /opt/ubersvn/jre/bin/keytool -importcert -alias MailServer -file MailServer.crt -keystore /opt/ubersvn/conf/uber_keystore

                Then add -Djavax.net.ssl.trustStore=/opt/ubersvn/conf/uber_keystore to the JAVA_OPTS variable in the /opt/ubersvn/bin/ubersvncontrol file and restart.

                Sorry this isn't easier, in the future it will be possible to configure this from the web interface.

                Hi,

                I have been waiting impatiently for this feature, thinking that the last two updates had corrected it.
                Not yet, it seems. Are you working on it?

                Thanks,
                Guillaume.



                • #9
                  Originally posted by gbarrelet:
                  Hi,

                  I have been waiting impatiently for this feature, thinking that the last two updates had corrected it.
                  Not yet, it seems. Are you working on it?

                  Thanks,
                  Guillaume.

                  It was added in the last update. As shown in this screenshot:



                  You still need to create the truststore.
                  Last edited by mbooth; 09-03-2012, 04:21 PM.



                  • #10
                    The -trustcacerts option appears to have solved the "Could not convert socket to TLS" error. I can now send email!! Thanks a lot for the help!



                    • #11
                      I'm so sorry to resurrect such an old post, but I'm still stuck here.

                      I'm on version 13.02.3008-1, currently running the server on a spare Win7 laptop we had. We are trying this out to see if we like it, then we'll put it on a VM.

                      I asked the email admin for a copy of the certificate, and sent him the link to this post. He said we don't have a self generated cert, and that it's a real one that's signed by a certificate authority.

                      However, I still get the "Could not convert socket to TLS" error.

                      Is there anything else I can check that might lead to helping solve this issue?

                      I appreciate any assistance,
                      Chris
