XF 1.5 Error log entrys (SSL / Email / php5.6 trouble?)

[otto]

Hello, since a short time ago (since I have switched from php 5.3.x to php 5.6.x) I have this errorlog entrys in my XenForo 1.5.6 ACP:

ErrorException: Email to ronny.cz@web.de failed (after retry): stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed - library/Zend/Mail/Protocol/Smtp.php:206
Generated By: Unknown Account, 3 minutes ago

#0 [internal function]: XenForo_Application::handlePhpError(2, 'stream_socket_e...', '/var/www/vhosts...', 206, Array)
#1 /var/www/vhosts/zetor-forum.de/httpdocs/forum/library/Zend/Mail/Protocol/Smtp.php(206): stream_socket_enable_crypto(Resource id #69, true, 9)
#2 /var/www/vhosts/zetor-forum.de/httpdocs/forum/library/Zend/Mail/Transport/Smtp.php(217): Zend_Mail_Protocol_Smtp->helo('localhost')
#3 /var/www/vhosts/zetor-forum.de/httpdocs/forum/library/Zend/Mail/Transport/Abstract.php(348): Zend_Mail_Transport_Smtp->_sendMail()
#4 /var/www/vhosts/zetor-forum.de/httpdocs/forum/library/Zend/Mail.php(1194): Zend_Mail_Transport_Abstract->send(Object(Zend_Mail))
#5 /var/www/vhosts/zetor-forum.de/httpdocs/forum/library/XenForo/Model/MailQueue.php(91): Zend_Mail->send(Object(Zend_Mail_Transport_Smtp))
#6 /var/www/vhosts/zetor-forum.de/httpdocs/forum/library/XenForo/Deferred/MailQueue.php(10): XenForo_Model_MailQueue->runMailQueue(7.9999990463257)
#7 /var/www/vhosts/zetor-forum.de/httpdocs/forum/library/XenForo/Model/Deferred.php(295): XenForo_Deferred_MailQueue->execute(Array, Array, 7.9999990463257, '')
#8 /var/www/vhosts/zetor-forum.de/httpdocs/forum/library/XenForo/Model/Deferred.php(429): XenForo_Model_Deferred->runDeferred(Array, 7.9999990463257, '', false)
#9 /var/www/vhosts/zetor-forum.de/httpdocs/forum/library/XenForo/Model/Deferred.php(374): XenForo_Model_Deferred->_runInternal(Array, NULL, '', false)
#10 /var/www/vhosts/zetor-forum.de/httpdocs/forum/deferred.php(23): XenForo_Model_Deferred->run(false)
#11 {main}

array(3) {
  ["url"] => string(45) "https://www.zetor-forum.de/forum/deferred.php"
  ["_GET"] => array(0) {
  }
  ["_POST"] => array(4) {
    ["_xfRequestUri"] => string(103) "/forum/threads/hallo-zusammen-ich-bin-auf-der-suche-nach-einem-motor-fuer-meinen-zetor-5211.3607/page-3"
    ["_xfNoRedirect"] => string(1) "1"
    ["_xfToken"] => string(8) "********"
    ["_xfResponseType"] => string(4) "json"
  }
}

And:

ErrorException: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed - library/Zend/Mail/Protocol/Pop3.php:125
Generated By: Unknown Account, 22 minutes ago

#0 [internal function]: XenForo_Application::handlePhpError(2, 'stream_socket_e...', '/var/www/vhosts...', 125, Array)
#1 /var/www/vhosts/zetor-forum.de/httpdocs/forum/library/Zend/Mail/Protocol/Pop3.php(125): stream_socket_enable_crypto(Resource id #59, true, 9)
#2 /var/www/vhosts/zetor-forum.de/httpdocs/forum/library/Zend/Mail/Storage/Pop3.php(190): Zend_Mail_Protocol_Pop3->connect('zetor-forum.de', 110, 'TLS')
#3 /var/www/vhosts/zetor-forum.de/httpdocs/forum/library/XenForo/Model/EmailBounce.php(288): Zend_Mail_Storage_Pop3->__construct(Array)
#4 /var/www/vhosts/zetor-forum.de/httpdocs/forum/library/XenForo/Deferred/EmailBounce.php(19): XenForo_Model_EmailBounce->openBounceHandlerConnection()
#5 /var/www/vhosts/zetor-forum.de/httpdocs/forum/library/XenForo/Model/Deferred.php(295): XenForo_Deferred_EmailBounce->execute(Array, Array, 7.9999978542328, '')
#6 /var/www/vhosts/zetor-forum.de/httpdocs/forum/library/XenForo/Model/Deferred.php(429): XenForo_Model_Deferred->runDeferred(Array, 7.9999978542328, '', false)
#7 /var/www/vhosts/zetor-forum.de/httpdocs/forum/library/XenForo/Model/Deferred.php(374): XenForo_Model_Deferred->_runInternal(Array, NULL, '', false)
#8 /var/www/vhosts/zetor-forum.de/httpdocs/forum/deferred.php(23): XenForo_Model_Deferred->run(false)
#9 {main}

array(3) {
  ["url"] => string(44) "http://www.zetor-forum.de/forum/deferred.php"
  ["_GET"] => array(0) {
  }
  ["_POST"] => array(4) {
    ["_xfRequestUri"] => string(70) "/forum/threads/land-und-forstwirtschaft-mit-und-ohne-zetor.948/page-14"
    ["_xfNoRedirect"] => string(1) "1"
    ["_xfToken"] => string(8) "********"
    ["_xfResponseType"] => string(4) "json"
  }
}

Can anybody tell me whats the problem and what I have to do to solve this?

Since today morning I have switched the forum also to SSL via Lets Encrypt certifikate, so the site/domain is using it and can browsed by https://www.zetor-forum.de But the error 2 was in the logs bevor SSL and certificate was active... So I think its a php (version?) problem. Help!

 

[Mike]

These indicate that your STMP and POP3 email servers don't have an SSL certificate that is signed by an authority (or the certificate trust store PHP is using is broken). You probably need to look at the SSL cert used by these servers to see what they're using and who it's signed by.

 

[otto]

Its the Lets Encrypt cert, genereted with the Plesk Lets Encrypt extension for Plesk 12.5 . Such I know, is Lets Encrypt at time not supporting mail-SSL..

No workaround to fix this without changing the certificate?

And again - the error logs come up with switch from php 5.3.x to 5.6.x and NOT with the installation of the certificate today.

 

[Snog]

Let's Encrypt doesn't handle the mail system in Plesk. You could give this a try...

https://github.com/Powie/plesk_mailcert

Also, read the comments from the user named Powie here..
https://ext.plesk.com/packages/f6847e61-33a7-4104-8dc9-d26a0183a8dd-letsencrypt

 

[Mike]

And again - the error logs come up with switch from php 5.3.x to 5.6.x and NOT with the installation of the certificate today.

Just to be clear, PHP 5.6 verifies SSL certificates by default. Below that, it didn't. So technically this happened before, but it wasn't a check that was run.

It's possible to disable verification of certs, though it would require direct code changes (in this case, within Zend Framework).

 

[otto]

@Snog
Oh, if that will work - that would be realy cool. I will give it a try. Mail SSL is now on the to do list.

@Mike
At this time I have made these changes into library/Zend/Mail/Protocol/Smtp.php:

Bevore: (around line 202 to 214)

        // If a TLS session is required, commence negotiation
        if ($this->_secure == 'tls') {
            $this->_send('STARTTLS');
            $this->_expect(220, 180);
            if (!stream_socket_enable_crypto($this->_socket, true, STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
                /**
                 * @see Zend_Mail_Protocol_Exception
                 */
                require_once 'Zend/Mail/Protocol/Exception.php';
                throw new Zend_Mail_Protocol_Exception('Unable to connect via TLS');
            }
            $this->_ehlo($host);
        }

And change this to :

        // If a TLS session is required, commence negotiation
        if ($this->_secure == 'tls') {
            $this->_send('STARTTLS');
            $this->_expect(220, 180);
            stream_context_set_option($this->_socket, 'ssl', 'verify_peer_name', 'verify_peer', false);
            if (!stream_socket_enable_crypto($this->_socket, true, STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
                /**
                 * @see Zend_Mail_Protocol_Exception
                 */
                require_once 'Zend/Mail/Protocol/Exception.php';
                throw new Zend_Mail_Protocol_Exception('Unable to connect via TLS');
            }
            $this->_ehlo($host);
        }

That should be a work around for a short time now (with these no new error logs are to see) and I'll take a look at your and Snogs hint to solve this the right way next days.

Thanks!