[rt-users] rt-mailgate problem - certificate verify failure ?
Hello,

The rt-mailgate program acts differently between v 3.8.8 and v 4.0.6. The v 3.8.8 version works fine using https, and even when I have v 4.0.6 running with the /etc/aliases pointing to the v 3.8.8 version of rt-mailgate, email gets sent to the queue. But the v 4.0.6 version fails with certificate verify failed, output from mailq:

(temporary failure. Command output: An Error Occurred = 500 Can't connect to testrt.rc.fas.harvard.edu:443 (certificate verify failed)) r...@testrt.rc.fas.harvard.edu

Any ideas as to the verification of my RT/ssl setup, on how to fix this? Apparently the RT 4.0.6 is less forgiving about the ssl setup and config. I ran RT configure with the --enable-ssl-mailgate option and installed all perl modules required with make fixdeps in RT 4.0.6.

Thanks,
Mike

This is in /etc/aliases:

# rt3
rt: |/opt/rt-3.8.8/bin/rt-mailgate --queue 'General' --action correspond --url https://testrt.rc.fas.harvard.edu/;
rt-comment: |/opt/rt-3.8.8/bin/rt-mailgate --queue 'General' --action comment --url https://testrt.rc.fas.harvard.edu/;
# rt4
#rt: |/opt/rt4/bin/rt-mailgate --queue 'General' --ca-file /etc/pki/tls/certs/ca-bundle.crt --action correspond --url https://testrt.rc.fas.harvard.edu/;
#rt-comment: |/opt/rt4/bin/rt-mailgate --queue 'General' --ca-file /etc/pki/tls/certs/ca-bundle.crt --action comment --url https://testrt.rc.fas.harvard.edu/;
Re: [rt-users] rt-mailgate problem - certificate verify failure ?
On 21.8.2012 15:59, Ethier, Michael wrote:
> Hello,
>
> The rt-mailgate program acts differently between v 3.8.8 and v 4.0.6. The v 3.8.8 version works fine using https, and even when I have v 4.0.6 running with the /etc/aliases pointing to the v 3.8.8 version of rt-mailgate, email gets sent to the queue. But the v 4.0.6 version fails with certificate verify failed, output from mailq:
>
> (temporary failure. Command output: An Error Occurred = 500 Can't connect to testrt.rc.fas.harvard.edu:443 (certificate verify failed)) r...@testrt.rc.fas.harvard.edu
>
> Any ideas as to the verification of my RT/ssl setup, on how to fix this? Apparently the RT 4.0.6 is less forgiving about the ssl setup and config. I ran RT configure with the --enable-ssl-mailgate option and installed all perl modules required with “make fixdeps” in RT 4.0.6.
>
> Thanks,
> Mike
>
> This is in /etc/aliases:
>
> # rt3
> rt: |/opt/rt-3.8.8/bin/rt-mailgate --queue 'General' --action correspond --url https://testrt.rc.fas.harvard.edu/;
> rt-comment: |/opt/rt-3.8.8/bin/rt-mailgate --queue 'General' --action comment --url https://testrt.rc.fas.harvard.edu/;
> # rt4
> #rt: |/opt/rt4/bin/rt-mailgate --queue 'General' --ca-file /etc/pki/tls/certs/ca-bundle.crt --action correspond --url https://testrt.rc.fas.harvard.edu/;
> #rt-comment: |/opt/rt4/bin/rt-mailgate --queue 'General' --ca-file /etc/pki/tls/certs/ca-bundle.crt --action comment --url https://testrt.rc.fas.harvard.edu/;

Hi Mike,

add this option to your aliases if you want to bypass certificate validation: --no-verify-ssl

So your rt entry in /etc/aliases would look like this:

#rt: |/opt/rt4/bin/rt-mailgate --queue 'General' --ca-file /etc/pki/tls/certs/ca-bundle.crt --action correspond --url https://testrt.rc.fas.harvard.edu/ --no-verify-ssl

Martin
Re: [rt-users] rt-mailgate problem - certificate verify failure ?
Hi Martin,

Thanks for the suggestion, but if I enable --no-ssl I will be creating a security vulnerability, no?

Thanks,
Mike

-----Original Message-----
From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Martin Drasar
Sent: Tuesday, August 21, 2012 10:11 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] rt-mailgate problem - certificate verify failure ?

On 21.8.2012 15:59, Ethier, Michael wrote:
> Hello,
>
> The rt-mailgate program acts differently between v 3.8.8 and v 4.0.6. The v 3.8.8 version works fine using https, and even when I have v 4.0.6 running with the /etc/aliases pointing to the v 3.8.8 version of rt-mailgate, email gets sent to the queue. But the v 4.0.6 version fails with certificate verify failed, output from mailq:
>
> (temporary failure. Command output: An Error Occurred = 500 Can't connect to testrt.rc.fas.harvard.edu:443 (certificate verify failed)) r...@testrt.rc.fas.harvard.edu
>
> Any ideas as to the verification of my RT/ssl setup, on how to fix this? Apparently the RT 4.0.6 is less forgiving about the ssl setup and config. I ran RT configure with the --enable-ssl-mailgate option and installed all perl modules required with make fixdeps in RT 4.0.6.
>
> Thanks,
> Mike
>
> This is in /etc/aliases:
>
> # rt3
> rt: |/opt/rt-3.8.8/bin/rt-mailgate --queue 'General' --action correspond --url https://testrt.rc.fas.harvard.edu/;
> rt-comment: |/opt/rt-3.8.8/bin/rt-mailgate --queue 'General' --action comment --url https://testrt.rc.fas.harvard.edu/;
> # rt4
> #rt: |/opt/rt4/bin/rt-mailgate --queue 'General' --ca-file /etc/pki/tls/certs/ca-bundle.crt --action correspond --url https://testrt.rc.fas.harvard.edu/;
> #rt-comment: |/opt/rt4/bin/rt-mailgate --queue 'General' --ca-file /etc/pki/tls/certs/ca-bundle.crt --action comment --url https://testrt.rc.fas.harvard.edu/;

Hi Mike,

add this option to your aliases if you want to bypass certificate validation: --no-verify-ssl

So your rt entry in /etc/aliases would look like this:

#rt: |/opt/rt4/bin/rt-mailgate --queue 'General' --ca-file /etc/pki/tls/certs/ca-bundle.crt --action correspond --url https://testrt.rc.fas.harvard.edu/ --no-verify-ssl

Martin
Re: [rt-users] rt-mailgate problem - certificate verify failure ?
On 21.8.2012 16:16, Ethier, Michael wrote:
> Hi Martin,
>
> Thanks for the suggestion, but if I enable --no-ssl I will be creating a security vulnerability, no?
>
> Thanks,
> Mike

Hi,

that's for sure. This was a suggestion for a development machine (the name testrt.rc.fas.harvard.edu suggests that it is).

If you want to avoid this step then you have to have a valid certificate for testrt.rc.fas.harvard.edu signed by a certificate authority that is in the ca bundle you are passing to rt-mailgate.

Martin
Re: [rt-users] rt-mailgate problem - certificate verify failure ?
On 08/21/2012 08:03 AM, Martin Drasar wrote:
> If you want to avoid this step then you have to have a valid certificate for testrt.rc.fas.harvard.edu signed by a certificate authority that is in the ca bundle you are passing to rt-mailgate.

Martin's referring to the --ca-file argument you can pass. You can also simply make sure to put your CA root cert used for signing into /etc/ssl/certs/ or your system's equivalent.

See `perldoc bin/rt-mailgate` for more info.
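
Added example (not part of the original thread, and not code from RT): the failure and the fix the replies describe, reproduced offline with a throwaway CA so the check can be run before touching /etc/aliases. The host name rt.example.test, the file names and both CAs are constructed for illustration; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the thread. All names and certificates are constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=rt.example.test   # constructed name standing in for the RT web server

make_test_pki() {
  # Throwaway root CA: plays the CA that signed the RT server certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Constructed Signing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Unrelated CA: plays a --ca-file bundle that lacks the signing CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Constructed Unrelated CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
  # Server key and CSR, then a leaf certificate for $HOST signed by the first CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/srv.csr" -days 1 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -out "$WORK/srv.crt" 2>/dev/null
}

# check_chain BUNDLE CERT NAME
# Succeeds only if CERT chains to a CA in BUNDLE and is valid for NAME.
check_chain() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

make_test_pki
for bundle in other.crt ca.crt; do
  if check_chain "$WORK/$bundle" "$WORK/srv.crt" "$HOST"; then
    echo "bundle $bundle: verify OK"
  else
    echo "bundle $bundle: certificate verify failed"
  fi
done

# Against a live server the equivalent check is:
#   openssl s_client -connect HOST:443 -servername HOST \
#     -CAfile /etc/pki/tls/certs/ca-bundle.crt -verify_return_error </dev/null
```

The same leaf certificate fails against the bundle that lacks its signing CA and passes once that CA is present, which is the condition --ca-file has to satisfy; --no-verify-ssl skips this check entirely.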