OpenSSL::SSL::SSLError (hostname was not match with the server certificate)
I got this error in one of my Rails apps that I migrated to 2.2. It occurs when you try to send mail with ActionMailer, which makes it especially annoying because the exception notifications I normally receive when there is a problem weren't being sent!
I wasn't able to track down the root cause of the problem - apparently something about an SSL certificate not being there or not being right (the error says the hostname doesn't match the server's certificate), but here's the change that causes ActionMailer to fool around with SSL mail:
http://github.com/rails/rails/commit/732c724df61bc8b780dc42817625b25a321908e4
I was able to "correct" the problem (or at least get things working again) by commenting out this line of code:
smtp.enable_starttls_auto if smtp.respond_to?(:enable_starttls_auto)
Perhaps it should be a configuration option, or there should be better error detection with regards to the certificate. If anyone comes up with a nicer answer, leave a comment, but in the meantime, I thought I'd post my quick and dirty fix.
Update
I fixed the problem by running this as root:
make-ssl-cert generate-default-snakeoil --force-overwrite
which regenerates the default ("snakeoil") SSL certificate and key.
about 1 hour later:
I don't know Ruby, but it seems like the line you commented out was trying to switch from a plain text connection to TLS, and couldn't because the certificate the server returned did not match the hostname you tried to connect to. The way to debug this would be to fetch the certificate from the server and compare the commonName or subjectAltName fields to the address your application tried to connect to. To fix things, you may need to get a new certificate, change the server address, or change the address your application tries to connect to. Just remember that that check is important, as it is one of the pieces that protects your connection from a man-in-the-middle attack.
In general, you really want to protect that connection with TLS. Cases where you might not care include situations where this all happens inside your company firewall, or where you use some authentication method which protects your password even without TLS.
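As an added illustration of the check the post's error message and the comment above both refer to (not code from the post or from Rails), here is a small Ruby script that does the comparison locally. It builds a self-signed certificate in memory instead of fetching one from a real server (the hostnames `localhost` and `mail.example.com` are constructed for the example), then asks Ruby's own `OpenSSL::SSL.verify_certificate_identity` whether the certificate is valid for the name the client dialed, which is the same test Net::SMTP applies after STARTTLS. It also lists the commonName and subjectAltName entries so you can see what the server actually presented.

```ruby
require 'openssl'

# Build a self-signed certificate in memory. This stands in for the certificate
# a mail server would return; the names are constructed for this example.
def build_cert(common_name, san_hosts = [])
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  unless san_hosts.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    san = san_hosts.map { |h| "DNS:#{h}" }.join(",")
    cert.add_extension(ef.create_extension("subjectAltName", san))
  end
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# The names a client is allowed to match against: the subject commonName plus
# any DNS entries in subjectAltName. Useful for printing what the server sent.
def certificate_names(cert)
  names = cert.subject.to_a.select { |oid, _, _| oid == "CN" }.map { |_, value, _| value }
  san = cert.extensions.find { |e| e.oid == "subjectAltName" }
  names += san.value.split(",").map { |s| s.strip.sub(/\ADNS:/, "") } if san
  names
end

# True when the certificate is valid for the hostname the client connected to.
# This is the hostname check whose failure raises
# "hostname was not match with the server certificate".
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

if $PROGRAM_NAME == __FILE__
  cert = build_cert("localhost", ["localhost", "mail.example.com"])
  puts "certificate names: #{certificate_names(cert).join(', ')}"
  %w[localhost mail.example.com smtp.example.org].each do |host|
    puts "#{host}: #{hostname_matches?(cert, host) ? 'match' : 'MISMATCH'}"
  end
end
```

To run the same comparison against a real server, replace the constructed certificate with the one you fetch (for example the PEM that `openssl s_client -starttls smtp -connect host:25` prints) and pass the hostname from your ActionMailer `smtp_settings`. Note that when a certificate carries DNS entries in subjectAltName, the identity check uses only those entries and ignores commonName, so a certificate whose CN is correct can still fail if its SAN list is wrong.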
some hours later:
Heikki - sure, that makes sense. However, it's just on localhost, so it's not really that big a deal in terms of security. I'm curious what would be wrong with the cert though, as it's a stock Ubuntu 8.10 install. Maybe they bungled something themselves?