[rt-users] rt-mailgate problem - certificate verify failure ?

Ethier, Michael methier at CGR.Harvard.edu
Tue Aug 21 10:16:39 EDT 2012


Hi Martin,

Thanks for the suggestion, but if I enable --no-ssl I will be creating a security
vulnerability, no?

Thanks,
Mike

-----Original Message-----
From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Martin Drasar
Sent: Tuesday, August 21, 2012 10:11 AM
To: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] rt-mailgate problem - certificate verify failure ?

On 21.8.2012 15:59, Ethier, Michael wrote:
> Hello,
>
> The rt-mailgate program acts differently between v 3.8.8 and v 4.0.6.
> The v 3.8.8 version works fine using https, and even when I have
> v 4.0.6 running with the /etc/aliases pointing to the v 3.8.8 version of
> rt-mailgate, email gets sent to the queue. But the v 4.0.6 version fails
> with certificate verify failed, output from mailq:
>
> (temporary failure. Command output: An Error Occurred
> =================
> 500 Can't connect to testrt.rc.fas.harvard.edu:443 (certificate verify
> failed))
>
>                                          rt at testrt.rc.fas.harvard.edu
>
> Any ideas as to the verification of my RT/ssl setup, on how to fix
> this? Apparently the RT 4.0.6 is less forgiving about the ssl setup and config.
>
> I ran RT configure with the --enable-ssl-mailgate option and installed
> all perl modules required with "make fixdeps" in RT 4.0.6.
>
> Thanks,
>
> Mike
>
> This is in /etc/aliases:
>
> # rt3
> rt: "|/opt/rt-3.8.8/bin/rt-mailgate --queue 'General' --action correspond --url https://testrt.rc.fas.harvard.edu/"
> rt-comment: "|/opt/rt-3.8.8/bin/rt-mailgate --queue 'General' --action comment --url https://testrt.rc.fas.harvard.edu/"
>
> # rt4
> #rt: "|/opt/rt4/bin/rt-mailgate --queue 'General' --ca-file /etc/pki/tls/certs/ca-bundle.crt --action correspond --url https://testrt.rc.fas.harvard.edu/"
> #rt-comment: "|/opt/rt4/bin/rt-mailgate --queue 'General' --ca-file /etc/pki/tls/certs/ca-bundle.crt --action comment --url https://testrt.rc.fas.harvard.edu/"

Hi Mike,

Add this option to your aliases if you want to bypass certificate
validation: --no-verify-ssl

So your rt entry in /etc/aliases would look like this:

#rt: "|/opt/rt4/bin/rt-mailgate --queue 'General' --ca-file /etc/pki/tls/certs/ca-bundle.crt --action correspond --url https://testrt.rc.fas.harvard.edu/ --no-verify-ssl"

Martin
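
An offline way to check whether a CA file like the one passed to --ca-file above can validate a server certificate, as an added example that is not part of the original thread or of RT. It builds a throwaway CA and certificate with the openssl CLI (all subjects, file names and the host rt.example.test are constructed) and shows verification failing when the issuing CA is absent from the bundle and passing once it is appended; a missing issuer is only one possible cause of "certificate verify failed".

```shell
#!/bin/sh
# Added example. Every name, subject and file here is constructed for the demo.

# Build a throwaway PKI in directory $1:
#   ca.crt    - CA that issued the server certificate (stand-in for a site CA)
#   other.crt - unrelated CA (stand-in for a bundle that lacks the site CA)
#   srv.crt   - server certificate for the hypothetical host rt.example.test
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Site CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Other CA" \
        -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=rt.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/srv.crt" 2>/dev/null
}

# Exit 0 if certificate $2 verifies with $1 given as the CA file.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print subject and issuer of certificate $1: the issuer is the CA
# that the bundle has to contain for verification to succeed.
show_issuer() {
    openssl x509 -in "$1" -noout -subject -issuer
}

run_demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    show_issuer "$d/srv.crt"
    verify_against "$d/other.crt" "$d/srv.crt" ||
        echo "bundle without issuer: verify failed"
    # Repair the trust store instead of turning verification off.
    cat "$d/other.crt" "$d/ca.crt" > "$d/fixed.crt"
    verify_against "$d/fixed.crt" "$d/srv.crt" &&
        echo "bundle with issuer: verify ok"
    rm -rf "$d"
}

run_demo
```

Against a live server, the certificate to feed into `show_issuer` and `verify_against` is the one the server actually presents, checked with the same CA file the client is configured to use.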


