[rt-users] rt-mailgate problem - certificate verify failure ?
Ethier, Michael
methier at CGR.Harvard.edu
Tue Aug 21 10:16:39 EDT 2012
Hi Martin,
Thanks for the suggestion, but if I enable --no-ssl I will be creating a security
vulnerability, no?
Thanks,
Mike
-----Original Message-----
From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Martin Drasar
Sent: Tuesday, August 21, 2012 10:11 AM
To: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] rt-mailgate problem - certificate verify failure ?
On 21.8.2012 15:59, Ethier, Michael wrote:
> Hello,
>
> The rt-mailgate program acts differently between v 3.8.8 and v 4.0.6.
> The v 3.8.8 version works fine using https, and even when I have
> v 4.0.6 running with the /etc/aliases pointing to the v 3.8.8 version
> of rt-mailgate, email gets sent to the queue. But the v 4.0.6 version
> fails with certificate verify failed, output from mailq:
>
> (temporary failure. Command output: An Error Occurred
> =================
> 500 Can't connect to testrt.rc.fas.harvard.edu:443 (certificate verify
> failed))
>
> rt at testrt.rc.fas.harvard.edu
>
>
>
> Any ideas as to the verification of my RT/ssl setup, on how to fix
> this ? Apparently the RT 4.0.6 is less forgiving about the ssl setup and config.
>
> I ran RT configure with the --enable-ssl-mailgate option and installed
> all perl modules required with "make fixdeps" in RT 4.0.6.
>
>
>
> Thanks,
>
> Mike
>
>
>
> This is in /etc/aliases:
>
> # rt3
>
> rt: "|/opt/rt-3.8.8/bin/rt-mailgate --queue 'General' --action
> correspond --url https://testrt.rc.fas.harvard.edu/"
>
> rt-comment: "|/opt/rt-3.8.8/bin/rt-mailgate --queue 'General' --action
> comment --url https://testrt.rc.fas.harvard.edu/"
>
>
>
> # rt4
>
> #rt: "|/opt/rt4/bin/rt-mailgate --queue 'General' --ca-file
> /etc/pki/tls/certs/ca-bundle.crt --action correspond --url
> https://testrt.rc.fas.harvard.edu/"
>
> #rt-comment: "|/opt/rt4/bin/rt-mailgate --queue 'General' --ca-file
> /etc/pki/tls/certs/ca-bundle.crt --action comment --url
> https://testrt.rc.fas.harvard.edu/"
>
Hi Mike,
add this option to your aliases if you want to bypass certificate
validation: --no-verify-ssl
So your rt entry in /etc/aliases would look like this:
#rt: "|/opt/rt4/bin/rt-mailgate --queue 'General' --ca-file /etc/pki/tls/certs/ca-bundle.crt --action correspond --url https://testrt.rc.fas.harvard.edu/ --no-verify-ssl"
Martin
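
An added example, not part of the thread and not RT's own code: one way to find out why the certificate check fails, as an alternative to turning verification off, is to view the server's chain through the same CA bundle that is passed to --ca-file. It assumes the openssl command-line tool is installed; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI is installed.

# Print the handshake report for HOST as seen through one CA bundle.
fetch_verify_output() {   # usage: fetch_verify_output HOST CA_BUNDLE
    openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" \
        </dev/null 2>/dev/null
}

# Extract the numeric code from "Verify return code: N (text)" on stdin.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Map the most common verification codes to the fix they point at.
explain_code() {
    case "$1" in
        0)  echo "ok: chain verifies against this bundle" ;;
        10) echo "expired: renew the server certificate" ;;
        18) echo "self-signed: add this certificate to the --ca-file bundle" ;;
        19|20) echo "untrusted-issuer: add the issuing CA to the --ca-file bundle" ;;
        21) echo "incomplete-chain: have the server send its intermediates, or add the issuer to the bundle" ;;
        "") echo "no-result: the TLS handshake did not complete" ;;
        *)  echo "other: look up verify code $1 in the openssl documentation" ;;
    esac
}

# Constructed sample of s_client output, not captured from a real server.
sample_output() {
    cat <<'EOF'
SSL handshake has read 1789 bytes and written 421 bytes
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

# With HOST and CA_BUNDLE arguments, check the live server;
# without arguments, run on the constructed sample.
if [ "$#" -eq 2 ]; then
    explain_code "$(fetch_verify_output "$1" "$2" | verify_code)"
else
    explain_code "$(sample_output | verify_code)"
fi
```

Saved under a name of your choice, it would be run with the host and bundle path from the aliases entries above as its two arguments.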