On December 20, 2017 6:46:24 PM EST, Joseph Ward <jbwli...@hilltopgroup.com> 
wrote:
>Hi,
>
>I have two servers (HA configuration) on which I'm attempting to get
>replication working over SSL.  They're at two different sites, but
>connected via a site-site VPN.
>
>Everything seems to be fine, except that the certificates are not
>validating as I'm using IP addresses for the sync, as opposed to the
>public hostnames for which the certificates are valid, and so I get the
>following error: 
>
>doveadm(user@domain): Error: doveadm server disconnected before
>handshake: SSL certificate doesn't match expected host name 10.x.x.x
>
>I'm on Dovecot 2.2.33.
>
>Is there any way to disable the certificate checking/validation for the
>sync engine? 
>
>(
>I'm aware of at least a couple of fallback options:
>    - have a self-signed cert for replication and use the Let's Encrypt
>one for IMAP/POP
>    - create firewall rules allowing them to connect to each other over
>the public internet so that it can validate the proper cert
> 
>These are both much less palatable than simply disabling the cert
>validation if it's possible.
>)

You could add an entry in /etc/hosts (or in your internal DNS system if you 
have one) that gives the internal IP in response to the public hostname.

--Sean
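The error in the thread comes from the client comparing the peer name it was configured with (here the bare IP 10.x.x.x) against the certificate's subjectAltName entries, which only carry the public DNS names; pointing the hostname at the internal IP via /etc/hosts keeps the DNS name as the verified name, so validation stays on. The following is an added example (not from the thread or from Dovecot) that models that check with the standard library only; the SAN list, hostnames and addresses are constructed.

```python
import ipaddress

# Constructed SAN list of a Let's Encrypt style certificate: DNS names only,
# which is the situation described in the thread.
SAN = [("DNS", "mail.example.com"), ("DNS", "*.example.com")]

def _dns_match(pattern: str, name: str) -> bool:
    """RFC 6125 style match: a wildcard is allowed only as the whole leftmost label."""
    p, n = pattern.lower().split("."), name.lower().split(".")
    if len(p) != len(n):
        return False
    if p[0] == "*":
        return n[0] != "" and p[1:] == n[1:]
    return p == n

def cert_matches(expected_host: str, san=SAN) -> bool:
    """True if the configured peer name is covered by the certificate's SANs."""
    try:
        ip = ipaddress.ip_address(expected_host)
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None:
            # An IP peer name only matches an iPAddress SAN, never a DNS SAN,
            # so a cert issued for hostnames fails against "10.x.x.x".
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, expected_host):
            return True
    return False

def plan_replica(peer: str, hosts: dict) -> tuple:
    """Return (address connected to, name verified, verification result).
    `hosts` stands in for /etc/hosts or internal DNS (hypothetical mapping
    name -> internal IP); the verified name is always the configured peer."""
    connect_to = hosts.get(peer, peer)
    return connect_to, peer, cert_matches(peer)

if __name__ == "__main__":
    # Replica configured by internal IP: the IP is the name checked -> mismatch.
    print(plan_replica("10.0.0.2", {}))
    # Replica configured by public hostname, resolved locally to the internal
    # IP: traffic stays on the VPN and the DNS SAN still matches.
    print(plan_replica("mail.example.com", {"mail.example.com": "10.0.0.2"}))
```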

