Error: Unable to connect with TLS encryption

Steps to reproduce

  1. Configure working owncloud server, https, LDAP, import Cert
  2. Configure Email Server to connect to Exchange 2016 on prem, SMTP, STARTTLS, Auth required
  3. Confirmed ports and TLS working on exchange.

Expected behaviour

Owncloud relay mail through exchange 2016

Actual behaviour

A problem occurred while sending the email. Please revise your settings. (Error: Unable to connect with TLS encryption)

Server configuration

Operating system: Ubuntu 20.04

Web server: Apache2

Database: MariaDB

PHP version: v7.4.16

ownCloud version: 10.8.04

Updated from an older ownCloud or fresh install: Fresh Install

Where did you install ownCloud from: Install ownCloud on Ubuntu 20.04 :: ownCloud Documentation

Signing status (ownCloud 9.0 and above):

No errors have been found.

The content of config/config.php:

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "10.111.2.8",
            "cloud.wweyecenters.com"
        ],
        "datadirectory": "\/mnt\/owncloud\/data",
        "files_external_allow_create_new_local": "true",
        "overwrite.cli.url": "http:\/\/localhost",
        "dbtype": "mysql",
        "version": "10.8.0.4",
        "dbname": "owncloud",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "apps_paths": [
            {
                "path": "\/var\/www\/owncloud\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/owncloud\/apps-external",
                "url": "\/apps-external",
                "writable": true
            }
        ],
        "installed": true,
        "instanceid": "ocqaiiqbmelv",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "127.0.0.1",
            "port": "6379"
        },
        "ldapIgnoreNamingRules": false,
        "maintenance": false,
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "mail_smtpsecure": "tls",
        "mail_smtpauthtype": "LOGIN",
        "loglevel": 0
    }
}

List of activated apps:

Enabled:
  - comments:
    - Version: 0.3.0
    - Path: /var/www/owncloud/apps/comments
  - configreport:
    - Version: 0.2.0
    - Path: /var/www/owncloud/apps/configreport
  - dav:
    - Version: 0.6.0
    - Path: /var/www/owncloud/apps/dav
  - federatedfilesharing:
    - Version: 0.5.0
    - Path: /var/www/owncloud/apps/federatedfilesharing
  - federation:
    - Version: 0.1.0
    - Path: /var/www/owncloud/apps/federation
  - files:
    - Version: 1.5.2
    - Path: /var/www/owncloud/apps/files
  - files_external:
    - Version: 0.8.0
    - Path: /var/www/owncloud/apps/files_external
  - files_mediaviewer:
    - Version: 1.0.4
    - Path: /var/www/owncloud/apps/files_mediaviewer
  - files_sharing:
    - Version: 0.14.0
    - Path: /var/www/owncloud/apps/files_sharing
  - files_trashbin:
    - Version: 0.9.1
    - Path: /var/www/owncloud/apps/files_trashbin
  - files_versions:
    - Version: 1.3.0
    - Path: /var/www/owncloud/apps/files_versions
  - firstrunwizard:
    - Version: 1.2.0
    - Path: /var/www/owncloud/apps/firstrunwizard
  - guests:
    - Version: 0.9.3
    - Path: /var/www/owncloud/apps-external/guests
  - impersonate:
    - Version: 0.5.0
    - Path: /var/www/owncloud/apps-external/impersonate
  - market:
    - Version: 0.6.1
    - Path: /var/www/owncloud/apps/market
  - notifications:
    - Version: 0.5.4
    - Path: /var/www/owncloud/apps/notifications
  - provisioning_api:
    - Version: 0.5.0
    - Path: /var/www/owncloud/apps/provisioning_api
  - systemtags:
    - Version: 0.3.0
    - Path: /var/www/owncloud/apps/systemtags
  - updatenotification:
    - Version: 0.2.1
    - Path: /var/www/owncloud/apps/updatenotification
  - user_ldap:
    - Version: 0.15.4
    - Path: /var/www/owncloud/apps-external/user_ldap
Disabled:
  - encryption:
    - Path: /var/www/owncloud/apps/encryption
  - external:
    - Path: /var/www/owncloud/apps/external
  - user_external:
    - Path: /var/www/owncloud/apps/user_external
  - wallpaper:
    - Path: /var/www/owncloud/apps-external/wallpaper

Are you using external storage, if yes which one: No

Are you using encryption: NO

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory

+-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------+
| Configuration                 |                                                                                                                                        |
+-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      | 1                                                                                                                                      |
| hasPagedResultSupport         |                                                                                                                                        |
| homeFolderNamingRule          |                                                                                                                                        |
| lastJpegPhotoLookup           | 0                                                                                                                                      |
| ldapAgentName                 | cn=owncloud,cn=users,dc=domain,dc=local                                                                                          |
| ldapAgentPassword             | ***                                                                                                                                    |
| ldapAttributesForGroupSearch  |                                                                                                                                        |
| ldapAttributesForUserSearch   |                                                                                                                                        |
| ldapBackupHost                |                                                                                                                                        |
| ldapBackupPort                |                                                                                                                                        |
| ldapBase                      | dc=domain,dc=local                                                                                                               |
| ldapBaseGroups                | dc=domain,dc=local                                                                                                               |
| ldapBaseUsers                 | dc=domain,dc=local                                                                                                               |
| ldapCacheTTL                  | 600                                                                                                                                    |
| ldapConfigurationActive       | 1                                                                                                                                      |
| ldapDynamicGroupMemberURL     |                                                                                                                                        |
| ldapEmailAttribute            | mail                                                                                                                                   |
| ldapExperiencedAdmin          | 0                                                                                                                                      |
| ldapExpertUUIDGroupAttr       |                                                                                                                                        |
| ldapExpertUUIDUserAttr        | objectguid                                                                                                                             |
| ldapExpertUsernameAttr        |                                                                                                                                        |
| ldapGroupDisplayName          | cn                                                                                                                                     |
| ldapGroupFilter               | (|(cn=WWECCloud))                                                                                                                      |
| ldapGroupFilterGroups         | WWECCloud                                                                                                                              |
| ldapGroupFilterMode           | 0                                                                                                                                      |
| ldapGroupFilterObjectclass    |                                                                                                                                        |
| ldapGroupMemberAssocAttr      | uniqueMember                                                                                                                           |
| ldapHost                      | 10.xxx.x.xx                                                                                                                            |
| ldapIgnoreNamingRules         |                                                                                                                                        |
| ldapLoginFilter               | (&(&(|(objectclass=person))(|(|(memberof=CN=WWECCloud,CN=Users,DC=domain,DC=local)(primaryGroupID=4623))))(samaccountname=%uid)) |
| ldapLoginFilterAttributes     |                                                                                                                                        |
| ldapLoginFilterEmail          | 0                                                                                                                                      |
| ldapLoginFilterMode           | 0                                                                                                                                      |
| ldapLoginFilterUsername       | 1                                                                                                                                      |
| ldapNestedGroups              | 0                                                                                                                                      |
| ldapNetworkTimeout            | 2                                                                                                                                      |
| ldapOverrideMainServer        |                                                                                                                                        |
| ldapPagingSize                | 500                                                                                                                                    |
| ldapPort                      | 389                                                                                                                                    |
| ldapQuotaAttribute            |                                                                                                                                        |
| ldapQuotaDefault              |                                                                                                                                        |
| ldapTLS                       | 0                                                                                                                                      |
| ldapUserDisplayName           | displayName                                                                                                                            |
| ldapUserDisplayName2          |                                                                                                                                        |
| ldapUserFilter                | (&(|(objectclass=person))(|(|(memberof=CN=WWECCloud,CN=Users,DC=wweyecenters,DC=local)(primaryGroupID=4623))))                         |
| ldapUserFilterGroups          | WWECCloud                                                                                                                              |
| ldapUserFilterMode            | 0                                                                                                                                      |
| ldapUserFilterObjectclass     | person                                                                                                                                 |
| ldapUserName                  | samaccountname                                                                                                                         |
| ldapUuidGroupAttribute        | auto                                                                                                                                   |
| ldapUuidUserAttribute         | auto                                                                                                                                   |
| turnOffCertCheck              | 0                                                                                                                                      |
| useMemberOfToDetectMembership | 1                                                                                                                                      |
+-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------+

ownCloud log (data/owncloud.log)

{"reqId":"4ftxHQZ9nu0fEfOGfp7D","level":3,"time":"2021-10-01T12:30:31+00:00","remoteAddr":"10.111.2.186","user":"85788CA4-5F14-4CC9-8B62-799B8DF1D387","app":"PHP","method":"POST","url":"\/index.php\/settings\/admin\/mailtest","message":"stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed at \/var\/www\/owncloud\/lib\/composer\/swiftmailer\/swiftmailer\/lib\/classes\/Swift\/Transport\/StreamBuffer.php#94"}

openssl s_client -connect 10.111.2.40:25 -starttls smtp

CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = VMExchSvr
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = VMExchSvr
verify return:1
---
Certificate chain
 0 s:CN = VMExchSvr
   i:CN = VMExchSvr
---
Server certificate
subject=CN = VMExchSvr

issuer=CN = VMExchSvr

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1670 bytes and written 442 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: C31900008F825B247AD6FE39E1676F4090ADF28201485ED8C482E610F16A703B
    Session-ID-ctx:
    Master-Key: 9930042F7075E3DFF3C1E5584BA249B089A9F04AD3FD0DC9C452B41A1050F140625F946332452128A9029B6BA308E689
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1633026634
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
250 XRDST
451 4.7.0 Timeout waiting for client input
read:errno=0

000-default.conf

<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/owncloud

        #Enables Strict Transport Security to force HTTPS://
        <IfModule mod_headers.c>
          Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
        </IfModule>

        #Enables SSLEngine and defines the paths for the certificate from DigiCert
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/cloud_wweyecenters_com.crt
        SSLCertificateKeyFile /etc/ssl/certs/cloud_wweyecenters_com.key
        SSLCertificateChainFile /etc/ssl/certs/DigiCertCA.crt

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

I think my issue has something to do with a certificate error, but the certificate for OwnCloud and my Exchange 2016 server are valid.

Hi rwest9,

in the openssl output it says your Exchange is using a self-signed certificate. I’d strongly recommend creating a “real” certificate for your Exchange, with e.g. letsencrypt.

If this is not an option for you, in the ownCloud docs at Email Configuration :: ownCloud Documentation it reads

When using self-signed certificates on the remote SMTP server the certificate must be imported into ownCloud.

This process is documented at Importing System-wide and Personal SSL Certificates :: ownCloud Documentation

I exported the self-signed exchange certificate as a pfx, but when I go to import it I get an error: Please upload an ASCII-encoded PEM certificate.

Do I need to convert the .pfx to a .pem file using openssl? I found these commands, but I’m not sure if this is the correct way.

Convert pfx file to pem file

Conversion to a combined PEM file

To convert a PFX file to a PEM file that contains both the certificate and private key, the following command needs to be used:
# openssl pkcs12 -in filename.pfx -out cert.pem -nodes

Conversion to separate PEM files

We can extract the private key from a PFX to a PEM file with this command:
# openssl pkcs12 -in filename.pfx -nocerts -out key.pem

Exporting the certificate only:
# openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

Removing the password from the extracted private key:
# openssl rsa -in key.pem -out server.key
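Because the certificate already sits in the Windows machine store on the Exchange host, its public part can be written straight out as an ASCII PEM file without a PFX round trip. This is an added example, not code from the thread or from ownCloud; it assumes it runs on the Exchange server, the thumbprint is a placeholder, and the output file name is an assumption.

```powershell
# Added example: export only the public certificate (no private key) from the
# Windows machine store as an ASCII PEM file, which is the form the ownCloud
# certificate import accepts. Assumes: runs on the Exchange host; the
# thumbprint below is a placeholder to replace.
param(
    [string]$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT',
    [string]$OutFile    = (Join-Path $PWD 'exchange-smtp.pem')
)

# Normalise the thumbprint: strip the spaces/colons GUI copy-paste often adds
$thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

$found = @(Get-ChildItem -Path Cert:\LocalMachine\My |
           Where-Object { $_.Thumbprint -eq $thumb })
if ($found.Count -ne 1) {
    throw "Expected exactly one certificate with thumbprint '$thumb', found $($found.Count)"
}
$cert = $found[0]

if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate '$($cert.Subject)' expired on $($cert.NotAfter)"
}

# RawData is the DER encoding of the certificate alone. PEM is that DER,
# base64-encoded in 64-character lines between BEGIN/END markers.
$b64   = [Convert]::ToBase64String($cert.RawData)
$lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
$pem   = @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')

Set-Content -Path $OutFile -Value $pem -Encoding Ascii

# Guard against uploading the wrong artifact: the import needs the public
# certificate only; a private key must never leave the mail server.
if ((Get-Content -Path $OutFile -Raw) -match 'PRIVATE KEY') {
    throw 'Output unexpectedly contains a private key block; do not upload this'
}

Write-Host "Wrote $OutFile"
Write-Host "  Subject : $($cert.Subject)"
Write-Host "  Issuer  : $($cert.Issuer)"
Write-Host "  Expires : $($cert.NotAfter)"
```

Importing the file only fixes the chain check; the host name in mail_smtphost must also match a name in the certificate (in the s_client output above that is CN = VMExchSvr), otherwise verification still fails with the certificate trusted.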

Again, if possible use letsencrypt instead of a self-signed certificate.
Then I’m sure you can export the certificate in pem format as well (sure there is something on google)

Those are the ways I’d perform.

Exchange has always used a self-signed certificate for the backend IIS communication. I do have a public front end cert installed on the server for external use (webmail, @domain.com). I’ll research buying a signed certificate and how to apply it to the backend.

If you already have got the “public front end cert” I don’t think you will have to buy another one. Your ownCloud is for sure not running on IIS, so we can neglect this part.

Is it possible you had set an internal address for the config value mail_smtphost in config.php? Try to enter the external domain name (and make sure your routing addresses this correctly). This could do the trick.

Solution for anyone in the future that needs it. I resolved the issue by removing the self-signed back end certificate that exchange uses, and assigning the public cert to the default receive/send connectors in exchange.

Exchange:

IIS Manager:

  1. Select server then Server Certificates

  2. Right-click the Exchange self-signed certificate and export it (I did this just in case I need to restore it).

  3. After export I removed the cert from the server.

  4. Expand Sites and select Exchange Back End

  5. Under Actions, select Bindings. Edit the https port:444, and assign the public cert under “SSL certificate:”

Exchange Management Shell:

Some commands to gather information.

  1. Get-ExchangeCertificate

This lists the certificates installed on the server; copy the Thumbprint for your public cert.

  2. Get-ReceiveConnector

This lists all the receive connectors for Exchange. Copy all the identities for the ports that you need to re-assign the certificate for, i.e. 25, 465, 587.

Some commands to create variables for assigning the cert.

  1. $cert = Get-ExchangeCertificate -Thumbprint %CertificateThumbprint you copied above%
  2. $tlscertificatename = "<I>$($cert.Issuer)<S>$($cert.Subject)"
  3. Set-ReceiveConnector "%ReceiveConnectorName%" -TlsCertificateName $tlscertificatename

Repeat step 3 for each receive connector you need to assign the cert.

You can check that the certificate was assigned to the receive connector with the command:

Get-ReceiveConnector | FL Identity,RemoteIPRanges,PermissionGroups,Auth*,TlsCertificateName

Finally restart IIS with:
IISRESET /NoForce
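The same reassignment as one script that picks the receive connectors by the port they bind instead of copying identities by hand, checks the certificate before touching anything, and shows the result afterwards. This is an added example, not code from the thread or from Microsoft; it assumes an Exchange Management Shell session, a placeholder thumbprint, and the port list 25/465/587 taken from the post above.

```powershell
# Added example: assign the public certificate to every receive connector that
# listens on the SMTP ports ownCloud may use, then display the result.
# Assumes: run inside the Exchange Management Shell; the thumbprint is a
# placeholder; the default port list is an assumption.
param(
    [string]$Thumbprint = 'REPLACE_WITH_PUBLIC_CERT_THUMBPRINT',
    [int[]] $Ports      = @(25, 465, 587),
    [switch]$WhatIf
)

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint -ErrorAction Stop

# Preflight checks on the certificate itself
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter); renew it before assigning"
}
if ($cert.Issuer -eq $cert.Subject) {
    Write-Warning 'This certificate is self-signed; remote clients will still fail chain verification'
}
if ("$($cert.Services)" -notmatch 'SMTP') {
    Write-Warning "Certificate is not enabled for SMTP; run: Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services SMTP"
}

# TlsCertificateName must be "<I>issuer<S>subject"; the angle-bracket markers
# are part of the format, not placeholders.
$tlsName = "<I>$($cert.Issuer)<S>$($cert.Subject)"

# Select connectors by bound port rather than by copied identity strings
$targets = Get-ReceiveConnector | Where-Object {
    $bound = $_.Bindings | ForEach-Object { $_.Port }
    @($bound | Where-Object { $Ports -contains $_ }).Count -gt 0
}
if (-not $targets) {
    throw "No receive connector binds any of ports $($Ports -join ', ')"
}

foreach ($rc in $targets) {
    $ports = ($rc.Bindings | ForEach-Object { $_.Port }) -join ', '
    Write-Host "Assigning certificate to $($rc.Identity) (ports: $ports)"
    Set-ReceiveConnector -Identity $rc.Identity -TlsCertificateName $tlsName -WhatIf:$WhatIf
}

# Verify: every targeted connector should now report the new certificate name
# (with -WhatIf the old value is still shown). Restart IIS afterwards as the
# post above describes so the back-end binding picks up the change.
$targets | ForEach-Object { Get-ReceiveConnector -Identity $_.Identity } |
    Format-List Identity, Bindings, TlsCertificateName
```

Run it once with -WhatIf to see which connectors would change, then re-run the openssl s_client check from above; "Verify return code: 0 (ok)" confirms the chain now validates.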


rwest9,

I’m glad you got it working. Big thanks for sharing your solution, this will be big help for fellow users.

NB: you might mark your previous post as the solution for this issue.

I appreciate the help on this issue.

Side question, why does my text above have a strike through?


This is this forum’s (Discourse) Markdown feature. When a string is enclosed in two tilde characters it is displayed with strikethrough.
Those characters are in the lines you had posted. You may escape this effect with a leading backslash before the first tilde so your post would ~~show up as expected~~

