Smtp failed to set up because of certificate failure

Logger: homeassistant.components.notify
Source: components/smtp/notify.py:144
Integration: Notifications (documentation, issues)
First occurred: 17:57:03 (1 occurrences)
Last logged: 17:57:03

Error setting up platform smtp
Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/components/notify/legacy.py", line 67, in async_setup_platform
    notify_service = await hass.async_add_executor_job(
  File "/usr/local/lib/python3.9/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/src/homeassistant/homeassistant/components/smtp/notify.py", line 92, in get_service
    if mail_service.connection_is_valid():
  File "/usr/src/homeassistant/homeassistant/components/smtp/notify.py", line 154, in connection_is_valid
    server = self.connect()
  File "/usr/src/homeassistant/homeassistant/components/smtp/notify.py", line 144, in connect
    mail.starttls(context=ssl_context)
  File "/usr/local/lib/python3.9/smtplib.py", line 790, in starttls
    self.sock = context.wrap_socket(self.sock,
  File "/usr/local/lib/python3.9/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/local/lib/python3.9/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/local/lib/python3.9/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)

Any ideas how to fix this issue? It has worked for 1+ year. My SSD died and I used a backup on a new disk; after this swap, this issue started occurring.

For some reason I had to add
verify_ssl: False

Not sure why after so much time of working perfectly, but hey at least it works now.

That would be down to a change in the source 9 days ago, which was marked as a breaking change, but not included in the release notes unless you click on the full changelog: Full Changelog for Home Assistant Core 2022.6 - Home Assistant (see #72568)

Ah OK so it’s a coincidence in this case. Too bad it wasn’t mentioned in the Breaking Changes though, I do tend to read those. Thanks for clearing it up @nickrout

Thanks, I also had the same issue and the same fix resolved it for me.
Indeed it’s an odd thing to not mention that in the breaking changes, which I also read each month prior to upgrading.

I have the same issue, with the same lines in my logbook, except for the last one. The fix (adding “verify_ssl : False”) did not work for me.

I am not sure at what line I have to include the line “verify_ssl: False/True”. Is there an order in these statements?
A strange thing is, my SMTP stopped working since 2022.7. So I am not sure if I have to set verify_ssl to “False”. It has been working during 2022.6.
Could there be a second issue?

The message now in my logging is:
“ConnectionResetError: [Errno 104] Connection reset by peer” instead of “certificate verify failed”.
So I am afraid now that my provider has blacklisted my HA as a user.

I had added verify_ssl: false for 2022.6.x and it was working.

When upgrading to 2022.7.7 I’m still getting the Error setting up platform smtp even though I already have set verify_ssl to false.

Error setting up platform smtp

Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/components/notify/legacy.py", line 67, in async_setup_platform
    notify_service = await hass.async_add_executor_job(
  File "/usr/local/lib/python3.10/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/src/homeassistant/homeassistant/components/smtp/notify.py", line 92, in get_service
    if mail_service.connection_is_valid():
  File "/usr/src/homeassistant/homeassistant/components/smtp/notify.py", line 154, in connection_is_valid
    server = self.connect()
  File "/usr/src/homeassistant/homeassistant/components/smtp/notify.py", line 144, in connect
    mail.starttls(context=ssl_context)
  File "/usr/local/lib/python3.10/smtplib.py", line 790, in starttls
    self.sock = context.wrap_socket(self.sock,
  File "/usr/local/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/local/lib/python3.10/ssl.py", line 1071, in _create
    self.do_handshake()
  File "/usr/local/lib/python3.10/ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLEOFError: EOF occurred in violation of protocol (_ssl.c:997)

It stopped working here with 2022.7. (Exact same time as the update) So there must have been a change with that version as well. Maybe a minor bugfix with side effects? The strange thing is that this afternoon I got some tips from a Dutch HA Facebook group. It raised the idea to change:
“encryption: starttls” into “encryption: none”.
And now my SMTP is working again.

@RuudvanMunster - Thanks for sharing that. Disabling encryption as a workaround is OK for me since my SMTP server is on the local network. It does have a self-signed certificate, but something does appear to have changed with telling it not to try to verify the cert chain.

Still, I think a bug has been introduced into 2022.7. In my HA configuration, the statement ‘verify_ssl: false|true’ makes no difference at all. The strange thing is that my system worked well after 2022.6 without that statement, but stopped working with 2022.7. In 2022.7 no changes in SMTP were announced. However, I think I have seen a change in the code at the GitHub site. But I can’t find that anymore.

Both of our experiences indicate something broke between 2022.6 and 2022.7.

We shouldn’t have to disable encryption because of a self signed certificate.

My guess is that most likely a change was introduced in whatever python module is used for sending messages via SMTP. I suppose given that 2022.7 switched to Python 3.10 it could also be a change in the standard library.

We should open an issue on github.

I did: https://github.com/home-assistant/core/issues/74785

But there was no code owner assigned and the issue has not been taken into process. Then I mentioned the problem using “Notify” as the keyword. To that issue the bot assigned a code owner. But that issue was marked as an identical issue and removed together with the code owner assignment.

I tried to contact Frenck about this, but until now without success.

I contacted Frenck because he initiated the removal.

Maybe we should report a new issue: issue not taken into account…

I updated the GitHub issue. With my local SMTP server, which has a self-signed certificate, I get the same SSL EOF error using Python 3.10’s smtplib. With Python 3.9, smtplib connects just fine:

# Python 3.9.10 (main, Jan 20 2022, 21:37:52)
>>> import smtplib
>>> e = smtplib.SMTP_SSL('local.example.com')
>>> e.noop()
(250, b'2.0.0 Ok')
# Python 3.10.4 (main, Apr 30 2022, 16:49:16) [GCC 11.2.1 20220219] on linux
>>> import smtplib
>>> e = smtplib.SMTP_SSL('local.example.com')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.10/smtplib.py", line 1050, in __init__
    SMTP.__init__(self, host, port, local_hostname, timeout,
  File "/usr/lib/python3.10/smtplib.py", line 255, in __init__
    (code, msg) = self.connect(host, port)
  File "/usr/lib/python3.10/smtplib.py", line 341, in connect
    self.sock = self._get_socket(host, port, self.timeout)
  File "/usr/lib/python3.10/smtplib.py", line 1057, in _get_socket
    new_socket = self.context.wrap_socket(new_socket,
  File "/usr/lib/python3.10/ssl.py", line 512, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1070, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1341, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLEOFError: EOF occurred in violation of protocol (_ssl.c:997)

I’m not sure who is a code owner for the SMTP notification integration. Balloob was the last one to make a change.

After doing some Googling, I think I might have the wrong conclusion about self-signed certificates being the problem.

See SSLEOFError regression with certain servers in Python 3.10 · Issue #89650 · python/cpython · GitHub

From the Python 3.10 release notes:

The ssl module now has more secure default settings. Ciphers without forward secrecy or SHA-1 MAC are disabled by default. Security level 2 prohibits weak RSA, DH, and ECC keys with less than 112 bits of security. SSLContext defaults to minimum protocol version TLS 1.2. Settings are based on Hynek Schlawack’s research. (Contributed by Christian Heimes in bpo-43998.)

The deprecated protocols SSL 3.0, TLS 1.0, and TLS 1.1 are no longer officially supported. Python does not block them actively. However OpenSSL build options, distro configurations, vendor patches, and cipher suites may prevent a successful handshake.

I’ve found mentions of this error starting with Python 3.10 in other open source projects like Django and MongoDB.

So I guess I need to dig into my SMTP server’s SSL/TLS/Cert configuration.
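The distinction the post above arrives at, certificate trust versus the protocol and cipher policy that Python 3.10 tightened, can be checked directly against your own server by repeating the STARTTLS handshake with progressively relaxed client settings. This is an added example, not code from the thread or from Home Assistant; the profile names and the functions `build_contexts`, `classify`, `probe` and `interpret` are this example's own, and the `no_verify` and `legacy` profiles are for diagnosis only, not for production configuration.

```python
import smtplib
import ssl
import sys

def build_contexts():
    """Client profiles, strictest first; 'no_verify' and 'legacy' only diagnose."""
    default = ssl.create_default_context()    # stock policy of the running Python
    no_verify = ssl.create_default_context()  # same protocols/ciphers, no cert checks
    no_verify.check_hostname = False
    no_verify.verify_mode = ssl.CERT_NONE
    legacy = ssl.create_default_context()     # also re-admits older protocols/ciphers
    legacy.check_hostname = False
    legacy.verify_mode = ssl.CERT_NONE
    legacy.minimum_version = ssl.TLSVersion.TLSv1
    legacy.set_ciphers("DEFAULT:@SECLEVEL=1")
    return {"default": default, "no_verify": no_verify, "legacy": legacy}

def classify(exc):
    """Reduce a handshake exception to one of the failure modes seen in the thread."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert_verify"        # e.g. "self signed certificate"
    if isinstance(exc, ssl.SSLError):
        return "tls_negotiation"    # e.g. SSLEOFError during the handshake
    if isinstance(exc, (ConnectionResetError, smtplib.SMTPServerDisconnected)):
        return "reset"
    return "other"

def probe(host, port, ctx, timeout=10):
    """Try one STARTTLS handshake with ctx; return 'ok' or a failure label."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
        return "ok"
    except Exception as exc:
        return classify(exc)

def interpret(results):
    """Turn the per-profile outcomes into the most likely cause."""
    if results["default"] == "ok":
        return "no client-side TLS problem"
    if results["default"] == "cert_verify" and results["no_verify"] == "ok":
        return "untrusted certificate: trust the server's cert or CA on the client"
    if results["no_verify"] != "ok" and results["legacy"] == "ok":
        return "server needs protocol/ciphers below Python 3.10 defaults: update server TLS"
    return "not explained by client TLS policy: check port, encryption mode, server logs"

if __name__ == "__main__":  # usage: script.py HOST PORT (your own SMTP server)
    host, port = sys.argv[1], int(sys.argv[2])
    results = {name: probe(host, port, ctx) for name, ctx in build_contexts().items()}
    print(results, interpret(results), sep="\n")
```

If only the `legacy` profile succeeds, the durable fix is on the server side (newer protocol versions and forward-secret ciphers), which keeps both encryption and certificate verification enabled on the client.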

I am not sure about that. I still think that at least the creator of the add-on should have a close look at it.

I think RuudvanMunster is right, there looks to be a bug here and the fella who manages the SMTP stuff should be in control of this…
My personal workaround here in Australia using an internode account was to set encryption to ‘none’, verify_ssl to ‘false’ and then to use port 25.
This has got automatic email notifications running once more but is apparently not very secure. I looked into the possible threat of using these settings and the worst case scenario appears to be that someone may be able to intercept mail server logins and then use those settings to send spam which would appear to come from our address. The data we send is not sensitive and if the account is compromised we’ll be able to delete it so we should hopefully be able to live with this until it’s resolved (the issue with python3.10/ssl certificates).
Anyone out there reckon the world will come crashing down as a result of my reckless port25/unencrypted approach to SMTP here? Am no expert so it would be good to hear from those who are…
(would be even better for the experts to fix SMTP in HA!!!).
All in all HA is a really amazing piece of software, the price is certainly right! I’ve been using it for a good few years now.
Thanks a lot to all involved.

Did you try encryption set to ‘none’ and use port 587? That worked for me.

Does anybody know how we can get attention for this issue? I have posted an issue at the GitHub site: SMTP Integration, encryption no longer works since 2022.7 · Issue #74785 · home-assistant/core · GitHub.
When posting another issue, the bot assigned a code owner to it and asked for attention. Due to one reason or another, for this issue no code owner was assigned. So it did not get attention, as far as I understood.

There is no codeowner.