SMIME Decryption does not work

Infos:

• Used Zammad version: latest
• Used Zammad installation type: (source, package, docker-compose, …) package
• Operating system: Ubuntu
• Browser + version: FF latest

Expected behavior:

• Incoming encrypted mails will be decrypted

Actual behavior:

• Decryption does not work: “Private key cant be found” error is displayed if we click “Re-Run security process” inside the ticket.
• We upgraded to latest Zammad last week. Worked for a few days after that. Stopped working over night…
• All of the certificates are valid.
• Time is in sync.
• Readded key chain and cert two times.

Are there any logfiles we can provide for further investigation?

Best regards,
Jan

maybe regression of Improve S/MIME integration by adding meta information · Issue #4503 · zammad/zammad · GitHub ?

/cc @fliebe92

@Turbobommel maybe is there something interesting in the production log?

cd /opt/zammad
cat log/production.log | grep ERROR -A20

There are a lot of changes to the S/MIME integration, hm, hard to say without any information…

Hey,

I took a look and re-send some encrypted mails.

Some errors are shown:
"ERROR -- : No route matches [GET] /Attachment/Y2lkOjE1MzI2LjQ4YWJiYWVkLTU5MTEtNGUzMy1hOTUwLTA5YmxxxXXXXxxx5MGVmZkB6YW1tYWQuZGF0YW5ldGl4LmRl (ActionController::RoutingError)"

and Errors while connecting to ElasticSearch (on the same server)

ERROR -- : Unable to process GET request to elasticsearch URL 'http://localhost:9200/zammad_production_user/_search'. Check the response and payload for detailed information:

Is this important to SMIME integration?

@fliebe92
I am not that deep into Linux and SMIME to post the needed information. If you could post more details where to search for what, that would be nice.

Is only the decryption not working or also some other stuff?
E.g. the encryption, signing or the verify signing?

We did sign our outgoing mails and decrypt incoming mails if encrypted.
Both does not work at the moment.

Some additional information: If I disable signing in the smime settings, zammad ignores the „no“. It only stops signing if I remove the cert at all.

This is normally only the default behavior for the relevant group. It should not sign by default, but you can click on sign in the UI.
When this is different, it looks like a bug.

About the problem, it’s very difficult why the private certificate will not be found.

@tschaefer Do you have some idea of debugging?

Hi there,

@Turbobommel I’m wondering about the following statement of yours.

• We upgraded to latest Zammad last week. Worked for a few days after that. Stopped working over night…

By reading this I expect S/MIME security to work BEFORE the upgrade and also AFTER the upgrade. This makes it a little bit suspicious that the issue is triggered by the code changes mentioned by @rolfschmidt.

@Turbobommel Did you compare the email addresses (sender, receiver) and the related addresses in the certificate?

Cheers,

Tobias

We did not change SMIME settings or certs at all since Oktober 2022 where we implemented the signing and encryption. It worked perfectly since recently.

Can you please check if said certificates are still valid?

Jep. Valid until next year.
What we changed after upgrading Zammad to the latest version: We enabled 2FA and had to change the ntp server on the zammad host.

I have no idea to be frank.

This topic was automatically closed 360 days after the last reply. New replies are no longer allowed.