SMTP SSL Certificate Verification Failed When Sending Emails from Docker Sentry Instance

[houzp]

Self-Hosted Version

24.10

CPU Architecture

x86_64

Docker Version

Docker version 27.1.1, build 6312585

Docker Compose Version

Docker Compose version v2.29.1-desktop.1

Steps to Reproduce

Description:
I am running Sentry in Docker (v24.10.0) on Windows 11 through WSL2(ubuntu22.04 within root), and I configured an SMTP server that supports SSL on port 465. However, when attempting to send emails, Sentry throws an SSL certificate verification error related to a self-signed certificate in the certificate chain. I’ve tried various configurations to bypass or trust the certificate without success.

Problem:
Sentry fails to verify the SMTP server’s SSL certificate, displaying the following error:
SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)

Steps to Reproduce:

1. Configure sentry/config.yml and sentry.conf.py for an SMTP server with SSL on port 465.
2. Run Sentry in Docker using the provided configurations.
3. Attempt to send an email (e.g., email verification or notification).

Error Logs:
worker-1 | ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)

SMTP Configuration in sentry/config.yml:
mail.backend: 'smtp' mail.host: 'mail.<my_email_domain>' mail.port: 465 mail.username: '<my_email_account_name@my_email_domain>' mail.password: '*****' mail.use-ssl: true mail.from: '<my_email_account_name@my_email_domain>' mail.list-namespace: '<my_email_domain>'

Expected Result

new user could recive email from sentry via my_email_account

Actual Result

worker-1 | ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)

worker-1 | 07:20:43 [ERROR] celery.app.trace: Task sentry.tasks.email.send_email[ea75f781-5f85-43d1-be3c-b392894b9498] raised unexpected: SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)') (data={'hostname': 'celery@095deb9c2f53', 'id': 'ea75f781-5f85-43d1-be3c-b392894b9498', 'name': 'sentry.tasks.email.send_email', 'exc': "SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)')", 'traceback': 'Traceback (most recent call last):\n File "/.venv/lib/python3.12/site-packages/celery/app/trace.py", line 477, in trace_task\n R = retval = fun(*args, **kwargs)\n ^^^^^^^^^^^^^^^^^^^^\n File "/.venv/lib/python3.12/site-packages/sentry_sdk/utils.py", line 1786, in runner\n return sentry_patched_function(*args, **kwargs)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File "/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/celery/__init__.py", line 416, in _inner\n reraise(*exc_info)\n File "/.venv/lib/python3.12/site-packages/sentry_sdk/utils.py", line 1715, in reraise\n raise value\n File "/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/celery/__init__.py", line 411, in _inner\n return f(*args, **kwargs)\n ^^^^^^^^^^^^^^^^^^\n File "/.venv/lib/python3.12/site-packages/celery/app/trace.py", line 760, in __protected_call__\n return self.run(*args, **kwargs)\n ^^^^^^^^^^^^^^^^^^^^^^^^^\n File "/usr/src/sentry/src/sentry/silo/base.py", line 158, in override\n return original_method(*args, **kwargs)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File "/usr/src/sentry/src/sentry/tasks/base.py", line 128, in _wrapped\n result = func(*args, **kwargs)\n ^^^^^^^^^^^^^^^^^^^^^\n File "/usr/src/sentry/src/sentry/tasks/email.py", line 54, in send_email\n send_messages([message])\n File "/usr/src/sentry/src/sentry/utils/email/send.py", line 18, in send_messages\n sent = connection.send_messages(messages)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File "/.venv/lib/python3.12/site-packages/django/core/mail/backends/smtp.py", line 128, in send_messages\n new_conn_created = self.open()\n ^^^^^^^^^^^\n File "/.venv/lib/python3.12/site-packages/django/core/mail/backends/smtp.py", line 86, in open\n self.connection = self.connection_class(\n ^^^^^^^^^^^^^^^^^^^^^^\n File "/usr/local/lib/python3.12/smtplib.py", line 1022, in __init__\n SMTP.__init__(self, host, port, local_hostname, timeout,\n File "/usr/local/lib/python3.12/smtplib.py", line 255, in __init__\n (code, msg) = self.connect(host, port)\n ^^^^^^^^^^^^^^^^^^^^^^^^\n File "/usr/local/lib/python3.12/smtplib.py", line 341, in connect\n self.sock = self._get_socket(host, port, self.timeout)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File "/usr/local/lib/python3.12/smtplib.py", line 1029, in _get_socket\n new_socket = self.context.wrap_socket(new_socket,\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File "/usr/local/lib/python3.12/ssl.py", line 455, in wrap_socket\n return self.sslsocket_class._create(\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File "/usr/local/lib/python3.12/ssl.py", line 1041, in _create\n self.do_handshake()\n File "/usr/local/lib/python3.12/ssl.py", line 1319, in do_handshake\n self._sslobj.do_handshake()\nssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)\n', 'args': '()', 'kwargs': "{'message': <django.core.mail.message.EmailMultiAlternatives object at 0x7fe213dcf980>, '__start_time': 1730100043.217964}", 'description': 'raised unexpected', 'internal': False})

Event ID

No response

[bc-sentry]

Unable to reproduce locally. Can you please verify that your certificate is valid outside of Sentry?

[Tihomir01]

Hi, I encountered a similar issue, and I believe it’s caused by using a custom or untrusted Root CA. This happens when the system or application attempts to verify the authenticity of an SSL/TLS certificate, but the root CA is not included in the default trusted CA store.

To resolve this issue, you need to add the custom Root CA or self-signed certificate to the trusted CA store on your system or application. Doing so ensures the system can verify certificates issued by the root CA and avoids errors like CERTIFICATE_VERIFY_FAILED during SSL/TLS handshakes.

---

Steps to Resolve:

Step 1: Fetch the Certificate

Use openssl to extract the certificate from the SMTP server:

openssl s_client -starttls smtp -connect <your.smtp.domain>:<your-smtp-port> -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > server-cert.crt

---

Step 2: Upload the Certificate

Copy the server-cert.crt file to your Sentry server. Place it in a directory, such as /path/to/self-hosted-sentry/certificates/.

---

Step 3: Check is Certificated located at trusted CA directory

docker exec -it  sentry-self-hosted-web-1 bash
cd  /usr/local/share/ca-certificates
ls -la   # check  for server-cert.crt

---

Step 4: Update the CA Certificates

Update the system’s trusted certificates to include the new CA:

update-ca-certificates

You should see output like:

Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.

---

Step 5: Repeat for Worker (sentry-self-hosted-worker-1) or Restart Services. Repeat Step 3 and Step 4 on worker instance as well or just restart the containers:

 cd /path/to/your/self-hosted/sentry/
 docker-compose down && docker-compose up -d

This ensures all components of Sentry use the updated CA bundle.

---

Self-Hosted Custrom CA Roots - Sentry

[getsantry]

This issue has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you remove the label Waiting for: Community, I will leave it alone ... forever!

---

"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀