PHPJunkyard support forum

Hi everyone, I did tried to link my email that will be used for Hesk

Nothing work...imap always return me an error
Certificate failure for imap.gmail.com: self signed certificate: /OU=No SNI provided; please fix your client./CN=invalid2.invalid

I also tried in POP3
POP 3 error, servr greeting was not found
Connecting to pop.gmail.com ...
Closing connection.

My email account is also enabled for less secured app and no changes...someone have an idea why ?

Thanks

Like the error says, the problem is on your server - the server probably has outdated root certificates installed, ask your host to update root server certificates.

If you have access to php.ini, you can manually download the new cacert.pem file, set it in openssl.cafile then restart apache. Here's an example (your paths will likely be different)
https://wpquark.com/kb/misc/server-mana ... e-php-ini/

You can also try IMAP with the "Do not validate server certificates" checked, but this is not good practice.

Did it with no changes
I am using XAMPP

Downloaded cacert.pem to (example /support/htdocs/ssl/cacert.pem)
Edited php.ini to add these lines
curl.cainfo="/support/htdocs/ssl/cacert.pem"
openssl.cafile="/support/htdocs/ssl/cacert.pem"

Restarted xampp and still the same error

Perhaps /support/htdocs/ssl/cacert.pem isn't the correct path on your computer?

I presume it's a Windows box, so probably something like 'C:\path-to-folder\cacert.pem' ?

It is ubuntu 18.04 on a vps

I made the install of XAMPP wich is by default installed to /opt/lampp

I downloaded new certificate "cacert.pem" in one new directory within the xampp /opt/lampp/htdocs/support/ssl/cacert.pem

/opt/lampp/htdocs/support is the absolute path to my "hesk"

I also tried to do a restart of the vps still the same.

With "Do not valide certificate, it is working"

Also validated with phpinfo
(Directive) (Local value) (Master value)
curl.cainfo /opt/lampp/htdocs/support/ssl/cacert.pem /opt/lampp/htdocs/support/ssl/cacert.pem

So it indicates me that the config seem okay

If it works with no certificate validation, then it can't be anything else but PHP or OpenSSL misconfiguration. This is not something that can be solved from within Hesk.

You can try running this from your ssh command line and see if it gives you any clues:

Here is a copy paste of what it returned

I guess maybe it would be "No client certificate CA names sent"


CONNECTED(00000005)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = imap.gm ail.com
verify return:1
---
Certificate chain
0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = imap.gmail .com
i:C = US, O = Google Trust Services, CN = GTS CA 1O1
1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEyjCCA7KgAwIBAgIRAMFtS71FGKiZAwAAAADLxnwwDQYJKoZIhvcNAQELBQAw
QjELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczET
MBEGA1UEAxMKR1RTIENBIDFPMTAeFw0yMTAzMTExNDU4NDVaFw0yMTA2MDMxNDU4
NDRaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
Ew1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgTExDMRcwFQYDVQQDEw5p
bWFwLmdtYWlsLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFfdIcdI4rHY
htJLSjudFhnX7A6VrrGvZw7T1h8pGEfwyOGy2EhUw5RZwJhAyUvjOkMO2XT0lEB9
NPb0tk/3i76jggJeMIICWjAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB
BQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUgQTHhWd2z733WNv24i+0GYRw
CpMwHwYDVR0jBBgwFoAUmNH4bhDrz5vsYJ8YkBug630J/SswaAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzABhh9odHRwOi8vb2NzcC5wa2kuZ29vZy9ndHMxbzFjb3Jl
MCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2cvZ3NyMi9HVFMxTzEuY3J0MBkG
A1UdEQQSMBCCDmltYXAuZ21haWwuY29tMCEGA1UdIAQaMBgwCAYGZ4EMAQICMAwG
CisGAQQB1nkCBQMwMwYDVR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5wa2kuZ29v
Zy9HVFMxTzFjb3JlLmNybDCCAQYGCisGAQQB1nkCBAIEgfcEgfQA8gB3APZclC/R
dzAiFFQYCDCUVo7jTRMZM7/fDC8gC8xO8WTjAAABeCIDAX8AAAQDAEgwRgIhANoF
P+hjY/NW31UMUHKyHaljTbgTDVejnXSZIurXcEnpAiEA3LxR//p+EYfc1YH8ERP1
cszHQpf/ss9ipYQ5sU15Je0AdwDuwJXujXJkD5Ljw7kbxxKjaWoJe0tqGhQ45key
y+3F+QAAAXgiAwGVAAAEAwBIMEYCIQDJXJFAJfDE4M0mu3teC+YvD2EJBPHXwxzU
0IG08MpVcQIhAMIeGA+uxLBkaf0LVyK7D48tdEuA/pt1Isd43W3s+mtnMA0GCSqG
SIb3DQEBCwUAA4IBAQCInc5rb28u9zMQyYEcVn7c6BByaCrib9dQ4f+cwMQ1uoso
HUKdr6DkVoxIS5N7vthTsK0ReEZeih92EnrZNf7ubL5oahrc9MN4M1tvXTG9t6ve
HUPO2JhKHdBJkmBhyobZp6Wb1eztqQ1WZDKm9QVn7GGJ92Wo5a3855tERsSjr6l9
5J8lliSyKoyohISRumarOt1YISo5aXKWiEKvCUBYDPPmYLG1fPhnwFQnGnVWxP95
pslzAPBWAGjIVFNcly5cYO4/XGlp3fGlo6p95uNdkvnAz1lWAPyhfr3hwBn9Iqjs
/Lfiya7W4uKu40BV8G8y05Gq/HbMsT4xpm7nLCpH
-----END CERTIFICATE-----
subject=C = US, ST = California, L = Mountain View, O = Google LLC, CN = imap.gm ail.com

issuer=C = US, O = Google Trust Services, CN = GTS CA 1O1

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2642 bytes and written 396 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 5214D6DD9AAF5B1FCA8906FA66223865BE1226ABE4570082C16AEDB3DF073C50
Session-ID-ctx:
Resumption PSK: C874C0DC5D03EAAD255A7F2EF44DA39C9BB83BC18C811124F8F7827FDC1F BA4F14BF21E9DA55E79E2D59DF89967BDBE0
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 172800 (seconds)
TLS session ticket:
0000 - 01 8f cc 58 59 2c 8d a6-e2 59 c0 1a ea ad e9 69 ...XY,...Y.....i
0010 - bd d2 1d ca a4 95 b1 22-b8 47 97 6c 47 6e 29 27 .......".G.lGn)'
0020 - 81 4e da 04 89 06 f6 a6-bd 83 43 62 fc 5f c7 0e .N........Cb._..
0030 - ec a5 f3 f0 7d be 41 21-17 4c 31 d1 b3 68 92 cf ....}.A!.L1..h..
0040 - 5d 36 f6 60 5a 8a a2 1f-fd 45 2d 02 47 ce 63 72 ]6.`Z....E-.G.cr
0050 - 88 22 57 71 bb 11 df 49-92 03 25 b7 01 c3 28 43 ."Wq...I..%...(C
0060 - ea e4 37 03 4c eb 2b f7-1f cc e2 1b 29 bb fd 72 ..7.L.+.....)..r
0070 - ea 85 b9 d1 2e b9 13 ff-ee 38 e3 18 e8 af 77 9c .........8....w.
0080 - 46 20 68 b3 29 3e 80 3c-35 0f 95 09 2d 65 a6 ec F h.)>.<5...-e..
0090 - 62 62 c5 79 bb 8f d0 8f-1b cc 21 51 63 03 22 03 bb.y......!Qc.".
00a0 - e4 57 87 7b 28 9c 6a 0f-9c 07 ed df f5 97 f1 2a .W.{(.j........*
00b0 - 27 87 74 95 0d 13 fd 78-88 64 eb 7d 51 08 8e 83 '.t....x.d.}Q...
00c0 - c5 fa 94 d4 34 ba 81 a9-e0 6a ce 2f 79 0c f6 19 ....4....j./y...
00d0 - bc 96 47 e4 3c 5e 5a 0a-e9 b9 b9 4d 58 e6 de ad ..G.<^Z....MX...
00e0 - 30 a2 b8 f4 97 33 a9 31-a9 ad 7a b2 0....3.1..z.

Start Time: 1616711951
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 35F8045F4165B420A240E94838EAB6575E1BCE36282F5FAC9A5B72BBAC8B157A
Session-ID-ctx:
Resumption PSK: 25045CF0D28453908F242264D03C2DEF7B46A981193CD1F5916418554BB8 0B09B7C16D383EB78A776AB2B53B92B0BF30
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 172800 (seconds)
TLS session ticket:
0000 - 01 8f cc 58 59 2c 8d a6-e2 59 c0 1a ea ad e9 69 ...XY,...Y.....i
0010 - 35 d6 82 bd 1f 83 c6 1f-e0 24 52 fa 20 29 71 53 5........$R. )qS
0020 - 5f 4b 29 62 a6 a7 02 cf-a7 11 c1 20 f0 40 e7 6f _K)b....... .@.o
0030 - 0c 5d 5d 7c 6a e8 a6 62-27 69 58 9b f8 5d ce e9 .]]|j..b'iX..]..
0040 - 21 91 ea 5e 33 b4 b6 0a-d9 17 4e bc fd 82 f6 15 !..^3.....N.....
0050 - 91 21 0b 93 c2 5f 2f 3c-4a c7 67 42 4f f3 21 92 .!..._/<J.gBO.!.
0060 - 57 fb fb c4 ec 16 40 36-64 a0 9a d2 19 af 21 34 W.....@6d.....!4
0070 - 67 b1 c3 27 48 2e 23 c1-8a 95 2e c6 96 64 78 2c g..'H.#......dx,
0080 - 3d 53 0d 19 14 46 1c 37-0d 45 74 42 2b 9d bf b3 =S...F.7.EtB+...
0090 - aa 8a b4 52 14 22 37 b8-d4 62 15 ac 5b ac 66 ea ...R."7..b..[.f.
00a0 - 01 34 e6 30 07 dc 52 50-89 81 60 fe b5 68 61 2e .4.0..RP..`..ha.
00b0 - 82 76 1d 84 ad cf c7 9d-d2 a6 aa 7d bf ca e3 8c .v.........}....
00c0 - 1f d3 40 31 ca 86 90 20-4f ec 95 f7 a8 de ab 45 ..@1... O......E
00d0 - a5 c8 f0 07 a6 33 90 ac-38 7e e5 07 1f 15 ae d8 .....3..8~......
00e0 - 76 07 85 eb 16 e6 84 96-ec 2e 05 7e v..........~

Start Time: 1616711951
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
* OK Gimap ready for requests from 51.222.158.139 dh1mb292238289qvb

Not sure what to tell you, but it seems to be an underlying libraries issue in combination with TLS 1.3 where Gmail requires SNI.
https://bugs.php.net/bug.php?id=77108

Try updating your server software (the above link mentions bionic update and a fixed libc-client2007e package, but I never used Ubuntu so cannot help there) then see if you can run this code:

Hi klemen, just to keep you informed that I did resolved my issue. Now it connect to IMAP with success.

But strangely, there is no incoming answers in hesk.

I tried to create a new ticket and reply to it I never get the reply in HESK.
I tried to create a new ticket using email@techsupport and nothing too.

Any ideas why?

Thanks!

Glad to hear that. Do you have any specific solution/recommendation for anyone else having this problem?

As for IMAP, my guess is you didn't do steps 5 and beyond from the article?
https://www.hesk.com/knowledgebase/?article=91

Hi Klemen, I did the step #5

Here is what I get
http://<ipaddressofmysite>/hesk/inc/mail/hesk_imap.php?KEY=eVcPv.3kc1RehxVCvH3vMJK.xZuT

#!/usr/bin/php -q Error: to run this file via HTTP you must include your URL Access Key in the request. Example: /hesk/inc/mail/hesk_imap.php?key=XXXXXXXXXX

For IMAP (And pop3 I guess) you have to create a password application trough gmail account management

KEY and key are not the same as URL query strings are CaSe SeNSiTiVe.

Run the app with ?key= not ?KEY=

Working

My mistake haha, thanks again!