当前位置：文江博客话题详情

Rails 3：OpenSSL::SSL::SSLError：主机名与服务器证书不匹配

发布于 2024-10-08 10:10:17 字数 1356 浏览 7 评论 0 原文

当尝试通过控制台发送电子邮件时，我收到此错误：

OpenSSL::SSL::SSLError: hostname was not match with the server certificate

问题是我真的不太了解证书等，或者真的不太了解如何开始解决此问题，我尝试使用 openssl 这是返回的证书。

我不知道是否是服务器上运行的 Postfix 或我的 Rails 应用程序的问题，非常感谢任何帮助或线索。

~% openssl s_client -connect mail.myhostname.com:25 -starttls smtp
CONNECTED(00000003)
depth=0 /CN=myhostname
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=myhostname
verify return:1
---
Certificate chain
 0 s:/CN=myhostname
   i:/CN=myhostname
---
Server certificate
-----BEGIN CERTIFICATE-----
[...redacted...]
-----END CERTIFICATE-----
subject=/CN=myhostname
issuer=/CN=myhostname
---
No client certificate CA names sent
---
SSL handshake has read 1203 bytes and written 360 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 1AA4B8BFAAA85DA9ED4755194C50311670E57C35B8C51F9C2749936DA11918E4
    Session-ID-ctx: 
    Master-Key: 9B432F1DE9F3580DCC6208C76F96631DC5A4BC517BDBADD5F514414DCF34AC526C30687B96C5C4742E9583555A118232
    Key-Arg   : None
    Start Time: 1292985376
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
250 DSN

原文

When trying to deliver an email via console I receive this error:

OpenSSL::SSL::SSLError: hostname was not match with the server certificate

The thing is I really don't know much about certificates and such, or really how to get started troubleshooting this, I tried to do some investigation with openssl and here is the certificate that is returned.

I don't know if its a problem with Postfix which is running on the server, or my rails app, any help or clues is really appreciated.

~% openssl s_client -connect mail.myhostname.com:25 -starttls smtp
CONNECTED(00000003)
depth=0 /CN=myhostname
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=myhostname
verify return:1
---
Certificate chain
 0 s:/CN=myhostname
   i:/CN=myhostname
---
Server certificate
-----BEGIN CERTIFICATE-----
[...redacted...]
-----END CERTIFICATE-----
subject=/CN=myhostname
issuer=/CN=myhostname
---
No client certificate CA names sent
---
SSL handshake has read 1203 bytes and written 360 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 1AA4B8BFAAA85DA9ED4755194C50311670E57C35B8C51F9C2749936DA11918E4
    Session-ID-ctx: 
    Master-Key: 9B432F1DE9F3580DCC6208C76F96631DC5A4BC517BDBADD5F514414DCF34AC526C30687B96C5C4742E9583555A118232
    Key-Arg   : None
    Start Time: 1292985376
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
250 DSN

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

生寂 2024-10-15 10:10:17

比接受的答案更好的解决方案（就安全性而言）是：

ActionMailer::Base.smtp_settings = {
  :address              => "mail.foo.com",
  :port                 => 587,
  :domain               => "foo.com",
  :user_name            => "[email protected]",
  :password             => "foofoo",
  :authentication       => "plain",
  :enable_starttls_auto => true,
  :openssl_verify_mode  => 'none'
}

这样您仍然可以使用加密，但证书的验证将被禁用（并且您不会收到任何错误）。

An infinitely better solution (in terms of security that is) than the accepted answer would be:

ActionMailer::Base.smtp_settings = {
  :address              => "mail.foo.com",
  :port                 => 587,
  :domain               => "foo.com",
  :user_name            => "[email protected]",
  :password             => "foofoo",
  :authentication       => "plain",
  :enable_starttls_auto => true,
  :openssl_verify_mode  => 'none'
}

This way you'll still be using encryption, but the validation of the certificate would be disabled (and you won't be getting any errors).

回复收藏 0 原文

胡渣熟男 2024-10-15 10:10:17

编辑：此答案不再是最佳解决方案，并且可能不再有效。请参阅此答案，它更安全。

证书上的名称应与您运行应用程序的 URL 匹配

没有用...我在 dreamhost 上遇到此错误，我无法选择更改 ssl 证书。（嗯，我愿意，但需要付费。）

一种选择是禁用 tls。希望您的初始化程序中有类似的内容：

ActionMailer::Base.smtp_settings = {
  :address              => "mail.foo.com",
  :port                 => 587,
  :domain               => "foo.com",
  :user_name            => "[email protected]",
  :password             => "foofoo",
  :authentication       => "plain",
  :enable_starttls_auto => true
}

将启用 starttls auto 选项更改为 false（如果不存在则添加它）。

警告：这将禁用加密，这意味着您的用户名和密码将以纯文本形式遍历互联网

我看不到更好的方法来做到这一点，所以对任何答案都感兴趣。

EDIT: This answer is no longer the best solution, and may no longer work. See this answer which is more secure.

The name on certificate should match with the url on which you are running your application

Not useful... I get this error with dreamhost, where I have no option to change the ssl certificate. (well, I do, but it costs.)

One option is to disable tls. Hopefully you have something like this in your initializers:

ActionMailer::Base.smtp_settings = {
  :address              => "mail.foo.com",
  :port                 => 587,
  :domain               => "foo.com",
  :user_name            => "[email protected]",
  :password             => "foofoo",
  :authentication       => "plain",
  :enable_starttls_auto => true
}

Change the enable starttls auto option to false (or add it in if it isn't present).

Warning: this will disable encryption, meaning your username an password will traverse the internet in plain text

I can't see a better way of doing this, so would be interested in any answers.

回复收藏 0 原文

红颜悴 2024-10-15 10:10:17

如果你像我一样使用 ruby 邮件库，这里是 pop 的设置

pop = Net::POP3.new(mail_server, mail_port)
pop.enable_ssl(0) #(default is on, if you want turn it off set it to 0 )
pop.start(mail_username, mail_pwd)

If you are using the ruby mail library as I do,here is the setting for pop

pop = Net::POP3.new(mail_server, mail_port)
pop.enable_ssl(0) #(default is on, if you want turn it off set it to 0 )
pop.start(mail_username, mail_pwd)

回复收藏 0 原文

哎呦我呸! 2024-10-15 10:10:17

正如许多讨论这个问题的人都提到过dreamhost，对于这个问题有一个更好的特定于dreamhost的答案。

近年来，您的电子邮件软件可能开始对您在证书上使用不正确的服务器名称变得更加咄咄逼人。作为回应，Dreamhost 现在建议在设置电子邮件帐户时使用他们的域名，而不是您自己的域名。

您需要找出您的帐户分配到哪个邮件集群，然后您的配置将如下：

ActionMailer::Base.smtp_settings = {
  :address              => "mail.foo.com",
  :port                 => 587,
  :domain               => "subX.mail.dreamhost.com" # instead of "foo.com",
  :user_name            => "[email protected]",
  :password             => "foofoo",
  :authentication       => "plain",
  :enable_starttls_auto => true,
  # :openssl_verify_mode  => 'none' # hopefully, no longer needed
}

其中 subX 是您的电子邮件集群所在的子域。目前，您可以在 Dreamhost 面板的 Panel > 中找到此内容。支持>数据中心

更多详细信息可以在其电子邮件客户端配置页面上找到：https://help.dreamhost.com/hc/en-us/articles/214918038-Email-client-configuration-overview

As many people discussing this question have mentioned dreamhost, there is a better dreamhost-specific answer to this question.

Your email software, in recent years, has probably started getting more belligerent at you for using incorrect servernames on your certificates. As a response, Dreamhost now recommends using their domain name rather than your own when setting up your email account.

You need to find out which mail cluster your account is assigned to, then your config will be as follows:

ActionMailer::Base.smtp_settings = {
  :address              => "mail.foo.com",
  :port                 => 587,
  :domain               => "subX.mail.dreamhost.com" # instead of "foo.com",
  :user_name            => "[email protected]",
  :password             => "foofoo",
  :authentication       => "plain",
  :enable_starttls_auto => true,
  # :openssl_verify_mode  => 'none' # hopefully, no longer needed
}

where subX is the subdomain your email cluster is on. Currently this can be found on your Dreamhost panel at Panel > Support > Data Centers

More details can be found on their email client configuration page: https://help.dreamhost.com/hc/en-us/articles/214918038-Email-client-configuration-overview

回复收藏 0 原文

~没有更多了~