error enabling StartTLS: x509: certificate is valid for 127.0.0.1, not <ip/hostname> #43

Open
camps7ee opened this issue Dec 11, 2021 · 5 comments

camps7ee commented Dec 11, 2021

Whenever I'm trying to connect an external service through protonmail-bridge smtp, this seems to be what's generated.

If I change the starttls value of whatever service I'm connecting the error message changes to "error authenticating: unencrypted connection".

I've tried setting connection to ExplicitTLS; the same error message remains, and if I change it to ImplicitTLS I get:

error getting SMTP client: error connecting to server: tls: first record does not look like a TLS handshake

I also tried confirming the smtp connectivity in combination with Plain Auth and this is what I got:

454 4.7.0 Invalid response

I'm suspecting that STARTTLS and Plain Auth don't play nicely together? If this is the case, is there any workaround?

@lbrunkho

Also been running into this issue and I am going to see if I can figure out how to pass a docker env variable through to the container so we can generate a cert with the correct common name / ip address. I am trying to use this as a LAN only email notification service and I am finding that a lot of services do not support disabling certificate verification.

@RafaelSchridi

Has anyone been able to figure this out?

caseyWebb commented Jul 26, 2023

I was able to work around this part of my issue by generating a certificate, and then using import-tls-cert.

```
openssl req -x509 -newkey rsa:4096 -keyout /tmp/protoncerts/key.pem -out /tmp/protoncerts/cert.pem -sha256 -days 3650 -nodes -subj "/CN=protonmail-bridge"

docker run --rm -it -v /tmp/protoncerts:/root shenxn/protonmail-bridge init

import-tls-cert

# enter /root/cert.pem and /root/key.pem
```

Note the "/CN=protonmail-bridge" when generating the cert. You want that to be the hostname you're using.


Addendum: I got this working with linuxserver/swag generated certs (using ZeroSSL, but presumably works with LetsEncrypt).

Use -v ./my_swag_volume/etc/letsencrypt:/certs, then use /certs/live/<my_domain>/fullchain.pem and /certs/live/<my_domain>/key.pem. Note, use fullchain.pem not cert.pem or you will get the same untrusted cert authority error.
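
Why the client rejects a certificate that only lists 127.0.0.1, as an added example that is not part of the thread or the project's code: Go's x509 name check compares the address the client dials against the certificate's subjectAltName entries. The LAN address 192.168.1.50 and the throwaway certificates are constructed samples; the second case shows that a certificate with only a CN and no SAN is also rejected by Go clients.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate with the given
// subjectAltName entries. All names and addresses are constructed samples.
func selfSigned(dnsNames []string, ips ...string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "protonmail-bridge"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
	}
	for _, ip := range ips {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(ip))
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	const lan = "192.168.1.50" // hypothetical LAN address of the bridge host
	// Loopback-only SAN (the issue title), a CN-only cert, then a cert with matching SANs.
	fmt.Println(selfSigned(nil, "127.0.0.1").VerifyHostname(lan))
	fmt.Println(selfSigned(nil).VerifyHostname("protonmail-bridge"))
	fmt.Println(selfSigned([]string{"protonmail-bridge"}, "127.0.0.1", lan).VerifyHostname(lan))
}
```
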

ads103 commented Nov 25, 2024

> I was able to work around this part of my issue by generating a certificate, and then using import-tls-cert.

I'm having difficulty following your instructions - could I ask you to clarify, please?
From where should import-tls-cert be run? In my copy of the container, after generating my certificate and placing it and the key in /root, I see:

```
root@3400c8f21cf0:~# import-tls-cert
bash: import-tls-cert: command not found
```

I'm on unraid, and import-tls-cert isn't a valid command inside or outside of the container.

Do we know the location of the self-signed cert? If I can just overwrite it, that'd be nice, too.

DanteMS commented Feb 10, 2025

@ads103 I had to use cert import instead.
You can also use help to see all available commands.
