Log spam: "Authenticity is not established by certificate path validation" #344

New issue

Closed

opened 2022-12-05 22:49:52 +00:00 by SuperDicq · 8 comments

SuperDicq commented 2022-12-05 22:49:52 +00:00

Copy link

My logs are being spammed with this message. Does anyone have any idea what causes this?

My logs are being spammed with this message. Does anyone have any idea what causes this?

2022-12-05 23-32-47 1-web.png

140 KiB

floatingghost commented 2022-12-05 23:27:04 +00:00

Owner

Copy link

probably an old HTTP adapter

check that you haven't got any special options under :pleroma, :http or under Tesla

probably an old HTTP adapter check that you haven't got any special options under :pleroma, :http or under Tesla

paulyd commented 2022-12-06 00:55:40 +00:00

Contributor

Copy link

I also see this error about 3-4 times per hour using the OTP release deployment method (I migrated from Pleroma to Akkoma).

I have no special settings under pleroma/http/tesla, and am on Debian 5-10-149.2 with ca-certificates installed.

I wonder if the OTP release is getting build in an environment without that dependency, we had this issue with a project at work a while back and it was the elixir-socket library not playing nice, but I don't see that in the dependencies here.

Edit:

Even more confusingly, on the instance the pemfiles exist for both CA Cert libraries and they both have certs.

iex(pleroma@127.0.0.1)1> CAStore.file_path()
"/opt/pleroma/lib/castore-0.1.18/priv/cacerts.pem"
iex(pleroma@127.0.0.1)2> :certifi.cacertfile()
'/opt/pleroma/lib/certifi-2.9.0/priv/cacerts.pem'

So I think I'm leaning closer to agree that there's a config issue somewhere with an adapter.

I also see this error about 3-4 times per hour using the OTP release deployment method (I migrated from Pleroma to Akkoma). I have no special settings under pleroma/http/tesla, and am on Debian 5-10-149.2 with ca-certificates installed. ~~I wonder if the OTP release is getting build in an environment without that dependency, we had this issue with a project at work a while back and it was the `elixir-socket` library not playing nice, but I don't see that in the dependencies here.~~ Edit: Even more confusingly, on the instance the pemfiles exist for both CA Cert libraries and they both have certs. ``` iex(pleroma@127.0.0.1)1> CAStore.file_path() "/opt/pleroma/lib/castore-0.1.18/priv/cacerts.pem" iex(pleroma@127.0.0.1)2> :certifi.cacertfile() '/opt/pleroma/lib/certifi-2.9.0/priv/cacerts.pem' ``` So I think I'm leaning closer to agree that there's a config issue somewhere with an adapter.

SuperDicq commented 2022-12-06 12:41:29 +00:00

Author

Copy link

probably an old HTTP adapter

check that you haven't got any special options under :pleroma, :http or under Tesla

In my config I have the following:

config :pleroma, :http_security,
  sts: true

Could this be the cause?

> probably an old HTTP adapter > > check that you haven't got any special options under :pleroma, :http or under Tesla In my config I have the following: ``` config :pleroma, :http_security, sts: true ``` Could this be the cause?

Ghost commented 2022-12-06 13:42:55 +00:00

Copy link

No it wouldn't. HSTS doesn't mess with that.

No it wouldn't. HSTS doesn't mess with that.

SuperDicq commented 2022-12-06 13:44:30 +00:00

Author

Copy link

No it wouldn't. HSTS doesn't mess with that.

I also noticed this is enabled:

config :tesla, adapter: Tesla.Adapter.Gun

Could it be this? Just remove this line?

> No it wouldn't. HSTS doesn't mess with that. I also noticed this is enabled: ``` config :tesla, adapter: Tesla.Adapter.Gun ``` Could it be this? Just remove this line?

paulyd commented 2022-12-06 15:01:39 +00:00

Contributor

Copy link

I am not sure if this applies to @SuperDicq's case but:

I am able to reproduce this by using the pleroma_ctl email test --to=... utility using the SMTP email adapter and ssl: true option.

I tried passing [tls_options: [certfile: CAStore.file_path()]] (as defined here) manually into the Swoosh config, and verified it is passed to the :gen_smtp_client and eventually to :socket, but it didn't seem to help.

Setting ssl: false also didn't seem to help.

I think this is because the version of gen-smtp that is bundled with Swoosh is not recent and does not include this commit and thus is filtering any addtional options from getting passed to the underlying socket.
3cfd421be0

If I get some time later today I'll try forcing an update of that dependency.

I also noticed in the reverse proxy hackney client ssl_options is also getting manually set. Generally anywhere ssl_options or tls_options is configured is a place I would start looking as it can potentially clobber default socket configurations.

I am not sure if this applies to @SuperDicq's case but: I am able to reproduce this by using the `pleroma_ctl email test --to=...` utility using the SMTP email adapter and `ssl: true` option. I tried passing `[tls_options: [certfile: CAStore.file_path()]]` [(as defined here)](https://www.erlang.org/doc/man/ssl.html#type-common_option) manually into the Swoosh config, and verified it is passed to the `:gen_smtp_client` and eventually to `:socket`, but it didn't seem to help. Setting `ssl: false` also didn't seem to help. I think this is because the version of gen-smtp that is bundled with Swoosh is not recent and does not include this commit and thus is filtering any addtional options from getting passed to the underlying socket. https://github.com/gen-smtp/gen_smtp/commit/3cfd421be0b6d317efe286f80e9ea9ea636a88f4 If I get some time later today I'll try forcing an update of that dependency. I also noticed in the reverse proxy hackney client `ssl_options` is also getting manually set. Generally anywhere `ssl_options` or `tls_options` is configured is a place I would start looking as it can potentially clobber default socket configurations.

floatingghost commented 2022-12-07 11:55:50 +00:00

Owner

Copy link

@SuperDicq yes, it's that one!

config :tesla, adapter: Tesla.Adapter.Gun

just remove the line and this will go away

iirc anything that uses hackney or gun gets this error, Finch seems more stable

@SuperDicq yes, it's that one! `config :tesla, adapter: Tesla.Adapter.Gun` just remove the line and this will go away iirc anything that uses hackney or gun gets this error, Finch seems more stable

SuperDicq closed this issue 2022-12-07 12:02:57 +00:00

SuperDicq commented 2022-12-07 12:03:10 +00:00

Author

Copy link

@SuperDicq yes, it's that one!

config :tesla, adapter: Tesla.Adapter.Gun

just remove the line and this will go away

iirc anything that uses hackney or gun gets this error, Finch seems more stable

That fixed it, thanks.

> @SuperDicq yes, it's that one! > > `config :tesla, adapter: Tesla.Adapter.Gun` > > just remove the line and this will go away > > iirc anything that uses hackney or gun gets this error, Finch seems more stable That fixed it, thanks.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

translations

customizable-docker-db

stable

static-adminfe

bad-uploader-config-warning

docker

user-expiry-backfill

config-db-keys

ensure-scrubbers-loaded

otp26

code-shaking-does-not-go-brr

elixir1.15

circleci

backup-fixes

mod-task

policy

mrf-coolness

frontend-switcher-9000

contentMap

language-on-posts

rabbit

credo-on-pr

unify-http

normalise-markup-by-default

buildx

v3.13.2

v2.6.3

v3.13.1

v3.13.0

snac-3.12.1.2

v3.12.2

snac-3.12.1.1

v3.12.1

v3.12.0

v3.11.0

v2.6.2

v2.6.1

2.6.1

v2.6.0

v2.5.5

v3.10.4

v3.10.3

v3.10.2

v3.10.1

v3.10.0

v2.5.4

v2.5.3

v3.9.3

v3.9.2

v3.9.1

V3.9.0

2023.05

v3.8.0

v3.7.1

v3.7.0

v3.6.0

v3.5.0

v2.4.5

v3.4.0

v3.3.1

v2.4.4

v3.3.0

v3.2.3

v3.2.2

v3.2.1

stable-202209

v3.2.0

v3.1.0

stable-2022.07

v3.0.0

v0.0.1

v2.5.2-6

v2.5.2-5

v2.5.2-4

v2.5.2-3

v2.5.2-2

v2.5.2-1

v2.5.2

v2.5.1

v2.5.0-8

v2.5.0-7

v2.5.0-6

v2.5.0-5

v2.5.0-4

v2.5.0-3

v2.5.0-2

v2.5.0-1

v2.5.0

v2.4.3

pre-rebase

v2.4.2

v2.4.1

v2.4.0

soapbox-v1.1.1

soapbox-v1.1.0

soapbox-v1.0.0

v2.3.0

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v1.1.9

v1.1.8

v1.1.7

v1.1.6

v1.1.5

v1.1.4

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.91

v1.0.90

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3

v1.0.2

v1.0.1

v1.0.0

v0.9.0

Labels

Clear labels   

approved, awaiting change

  

bug

Something is not working

  

configuration

This requires config changes

  

documentation

This is about human-readable docs

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

extremely low priority

  

feature request

Something new?

  

Fix it yourself

Support has been attempted

  

help wanted

Need some help

  

invalid

Something is wrong

  

mastodon_api

  

needs docs

  

needs tests

  

not a bug

  

planned

  

pleroma_api

  

privacy

  

question

More information is needed

  

static_fe

  

triage

  

wontfix

This won't be fixed

No labels

approved, awaiting change

bug

configuration

documentation

duplicate

enhancement

extremely low priority

feature request

Fix it yourself

help wanted

invalid

mastodon_api

needs docs

needs tests

not a bug

planned

pleroma_api

privacy

question

static_fe

triage

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

4 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: AkkomaGang/akkoma#344

No description provided.