[rt-users] rt-mailgate

Allen allen+rtlist at crystalfontz.com
Mon Jan 23 15:06:37 EST 2012


I tried several things to get the cert path into the environment for LWP,
none worked:

1. Adding this to /etc/fetchmailrc

   mda "env PERL_LWP_SSL_CA_PATH=/etc/ssl/certs /usr/bin/rt-mailgate-4 ...

does NOT work to get the right cert to LWP through the environment:

root at web0:/etc# service fetchmail start
* Starting mail retriever agent: fetchmail: starting fetchmail 6.3.19 daemon [ OK ]
root at web0:/etc# fetchmail: 1 message for [email address] at [imapmailserver] (folder Support).
An Error Occurred
=================

500 Can't connect to [RT webserver]:443
(certificate verify failed)


2. Adding this to fetchmailrc does not work either:

    mda "export PERL_LWP_SSL_CA_PATH=/etc/ssl/certs; /usr/bin/rt-mailgate-4 ...


3. Adding this to /etc/default/fetchmail on Ubuntu, where fetchmail runs
from an init script as a daemon, does not work either:

    export PERL_LWP_SSL_CA_PATH=/etc/ssl/certs


I am stuck with having to edit the rt-mailgate-4 file on line 151 like this:

#    my $ua   = LWP::UserAgent->new();
    my $ua   = LWP::UserAgent->new(ssl_opts => {SSL_ca_file => '/etc/ssl/certs/7d3cd826.0'});

which I don't like because I will forget about it during upgrade.

A



On Mon, Jan 23, 2012 at 11:06 AM, Thomas Sibley <trs at bestpractical.com>
wrote:
> On 01/20/2012 02:38 PM, Robert Nesius wrote:
>> I figured out a work around for this issue.  I was suspicious that
>> LWP::UserAgent could not reach the cert for the CA that signed the cert
>> being presented by the web server.  I learned there are some environment
>> variables that I can leverage to influence where LWP::UserAgent looks
>> even though it's being invoked down inside a program I don't want to
>> touch.   Adding my /etc/ssl/certs directory to the list of directories
>> examined for certs solved the problem.
>
> For what it's worth, the next release of RT will include a --ca-file
> option you can use to specify the specific cert.  It's equivalent to
> setting PERL_LWP_SSL_CA_FILE.
>
> >> root at linux:/opt/rt4/bin# export PERL_LWP_SSL_CA_PATH=/etc/ssl/certs
>
> If you'd like to submit a simple patch to rt-mailgate that also adds
> support for --ca-path, I'm sure we'd apply it.
>
> I do wonder why the OpenSSL library underlying the Perl library isn't
> finding your cert in /etc/ssl/certs like I'd expect it to.
>
> Thomas
> --------
> RT Training Sessions (http://bestpractical.com/services/training.html)
> * Boston  March 5 & 6, 2012
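
The reply above names PERL_LWP_SSL_CA_FILE as the equivalent of the planned --ca-file option. The wrapper below is an added example, not code from the thread or from RT: it sets that variable from outside rt-mailgate and refuses to run if the CA file is unusable. The CA file and rt-mailgate paths are the ones in the post; the wrapper location, the function names and the RT_CA_FILE / RT_MAILGATE variables are hypothetical.

```shell
#!/bin/sh
# Hypothetical wrapper (e.g. /usr/local/bin/rt-mailgate-ca) for fetchmail's mda line.
# It hands LWP the CA file through PERL_LWP_SSL_CA_FILE instead of a patched
# rt-mailgate, so certificate verification stays on and upgrades don't undo it.

# Paths taken from the post; override through the environment on other hosts.
RT_CA_FILE="${RT_CA_FILE:-/etc/ssl/certs/7d3cd826.0}"
RT_MAILGATE="${RT_MAILGATE:-/usr/bin/rt-mailgate-4}"

# Return 0 only if $1 is a readable regular file containing a PEM certificate.
ca_file_usable() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Validate the CA file, export it for LWP, then replace this shell with rt-mailgate.
run_mailgate() {
    if ! ca_file_usable "$RT_CA_FILE"; then
        echo "rt-mailgate wrapper: unusable CA file: $RT_CA_FILE" >&2
        return 75   # EX_TEMPFAIL (sysexits.h): report a temporary failure
    fi
    PERL_LWP_SSL_CA_FILE="$RT_CA_FILE"
    export PERL_LWP_SSL_CA_FILE
    exec "$RT_MAILGATE" "$@"
}

# fetchmail passes arguments (--queue, --action, --url ...); with none, do nothing.
if [ "$#" -gt 0 ]; then
    run_mailgate "$@"
    exit $?
fi
```

In /etc/fetchmailrc the mda line would then name the wrapper in place of /usr/bin/rt-mailgate-4, with the same arguments.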