fts_solr and connection via https://
Hi,
I am trying to get fts_solr working and my index server is available via HTTPS only. Dovecot is running on a Debian Jessie system and the Solr server has a Let's Encrypt certificate.
My dovecot version is: 2.2.devel (a9ed8ae)
The current setup is:
10-mail.conf:
mail_plugins = fts fts_solr

90-fts.conf:
plugin {
  fts = solr
  fts_autoindex = yes
  fts_solr = url=https://foo.example.com/solr/dovecot/
}

When I try to index the mailboxes I am getting error messages like this:

doveadm(user@host): Error: fts_solr: Lookup failed: 9002 Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
doveadm(user@host): Error: Mailbox INBOX: Status lookup failed: Internal error occurred. Refer to server log for more information.
[2017-01-22 09:52:38] Segmentation fault
Contacting the index server via curl on the command line on the same host works, it returns HTTP 200:
user@host ~ $ curl -s -o /dev/null -w "%{http_code}" https://foo.example.com/solr/
200
user@host ~ $
Currently I have the following SSL-related settings:

user@host ~ $ doveconf -n -P | grep -i ssl
ssl_cert = </etc/ssl/certs/mail.example.org.crt
ssl_cipher_list = ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM
ssl_key = </etc/ssl/private/mail.example.org.key
ssl_protocols = !SSLv2 !SSLv3

I tried adding the following settings but that didn't help:

ssl_ca = < /etc/ssl/certs/ca-certificates.crt
ssl_client_ca_dir = /etc/ssl/certs
Can you give me a hint how I can get the ssl certificate accepted?
Thanks in advance and have a nice day,
Jan :-)
On 1/22/2017 at 10:01 AM, Jan Vonde wrote:
I tried adding the following settings but that didn't help:

ssl_ca = < /etc/ssl/certs/ca-certificates.crt
ssl_client_ca_dir = /etc/ssl/certs
Can you give me a hint how I can get the ssl certificate accepted?
That should normally have done the trick. However, the sources tell me that no ssl_client settings are propagated to the http_client used by fts-solr, so SSL is not currently supported it seems.
I'll check how easy it is to add that.
Regards,
Stephan.
On 1/22/2017 at 12:01 PM, Stephan Bosch wrote:
Just to keep you informed: I created a patch, but it is still being tested.
Regards,
Stephan.
On 31.01.2017 at 00:04, Stephan Bosch wrote:
Thanks for the update Stephan! Awesome! Looking forward to test it myself :-)
\Jan
-- Jan Vonde Hermann-Rein-Str. 6 37075 Göttingen
Tel: 0551 - 200 47 58 2 Mobil: 0176 - 83 110 775
On 31-1-2017 at 6:33, Jan Vonde wrote:
https://github.com/dovecot/core/commit/526631052ca3175357302af8fa7dcbf763b40...
Regards,
Stephan.
On 07.02.2017 at 12:29, Stephan Bosch wrote:
Thank you. I am now using the following version: 2.3.0.alpha0 (2eeea57) [XI:2:2.3.0~alpha0-1~auto+650]

The error messages I am getting now are like this:

doveadm(user@host): Info: Received invalid SSL certificate: unable to get local issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
doveadm(user@host): Error: fts_solr: Lookup failed: 9002 SSL handshaking with 5.45.106.248:443 failed: read(SSL 5.45.106.248:443) failed: Received invalid SSL certificate: unable to get local issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
You can connect to 5.45.106.248:443 and IMHO everything is correct with the chain.
I am no SSL expert, but I am reading it as "doveadm and its ssl part cannot verify the Let's Encrypt certificate". It would need the DST Root CA X3 and this is in the local trust store (ssl_client_ca_dir...)
Do you have another hint maybe?
Thanks in advance and good night,
Jan :-)
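The "unable to get local issuer certificate" error in the message above is what OpenSSL reports when it can find neither the certificate that signed the leaf nor a trust anchor for it. The script below is an added example, not code from this thread or from Dovecot: it builds a throwaway root -> intermediate -> leaf hierarchy with the openssl CLI (the CA names and the hostname solr.example.test are invented for the demo), reproduces the failure when the intermediate is missing, shows the passing case, and includes the s_client check to run against a real Solr host with the same CA directory that ssl_client_ca_dir points at. It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from this thread or from Dovecot. Builds a demo PKI
# (invented names: "Demo Root CA", "Demo Intermediate CA", solr.example.test)
# and reproduces the "unable to get local issuer certificate" error.
# Requires: the openssl CLI in PATH.

WORK="${TMPDIR:-/tmp}/chaindemo.$$"

# Create root -> intermediate -> leaf under $WORK. The intermediate plays the
# role of the CA that signed the leaf ("Let's Encrypt Authority X3" in the
# log above); the root plays the role of a CA present in the trust store.
make_pki() {
    mkdir -p "$WORK" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1 || return 1

    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1 || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/int.ext"
    openssl x509 -req -days 2 -in "$WORK/int.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/int.ext" -out "$WORK/int.pem" >/dev/null 2>&1 || return 1

    openssl req -newkey rsa:2048 -nodes -subj "/CN=solr.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1 || return 1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:solr.example.test\n' \
        > "$WORK/leaf.ext"
    openssl x509 -req -days 2 -in "$WORK/leaf.csr" \
        -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Failure case: only the root is trusted and nothing supplies the
# intermediate. openssl prints "unable to get local issuer certificate" and
# exits non-zero. A TLS client sees exactly this when the server sends a
# bare leaf, or when the CA directory it was pointed at is not consulted.
verify_leaf_alone() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Passing case: the intermediate is supplied as untrusted chain material
# (what a correctly configured server sends in the handshake) and the
# hostname is checked against the SAN, as a TLS client would do.
verify_leaf_with_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
        -verify_hostname solr.example.test "$WORK/leaf.pem" >/dev/null 2>&1
}

# Against a live endpoint: prints the chain the server actually sends and
# the verify result, using the given (hashed) CA directory. A chain that
# lists only " 0 s:" means the server omits the intermediate.
check_remote_chain() {
    host="$1"; port="${2:-443}"; cadir="${3:-/etc/ssl/certs}"
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CApath "$cadir" -showcerts </dev/null 2>/dev/null \
        | grep -E '^(Certificate chain|Verify return code)|^ *[0-9]+ s:'
}

cleanup_pki() { rm -rf "$WORK"; }

demo() {
    make_pki || { echo "could not build demo PKI (is openssl installed?)"; return 1; }
    if verify_leaf_alone; then
        echo "unexpected: bare leaf verified against the root alone"
    else
        echo "bare leaf against root alone: FAILS (unable to get local issuer certificate)"
    fi
    if verify_leaf_with_intermediate; then
        echo "leaf + intermediate against root: OK"
    fi
    cleanup_pki
}

demo
```

Run `check_remote_chain foo.example.com 443 /etc/ssl/certs` from the Dovecot host to see what the Solr server really sends; "Verify return code: 0 (ok)" with two or more chain entries is the expected picture. One caveat when pointing ssl_client_ca_dir at a directory: OpenSSL finds CA certificates there only through hash-named symlinks (what update-ca-certificates or c_rehash produce), so a directory of plainly named PEM files is silently ignored, and the bundle file is then the simpler choice. In this thread the remaining failure turned out to be on the Dovecot side and was fixed in a later commit, so this check rules out the server and trust-store causes before chasing the client.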
On 8-2-2017 at 21:07, Jan Vonde wrote:
We seem to have found another issue there. More on this will follow.
Regards,
Stephan.
On 17.02.2017 at 11:45, Stephan Bosch wrote:
Thanks for the update and have a nice weekend,
Jan :-)
On 17.02.2017 at 17:27, Jan Vonde wrote:
I don't want to push, am just interested: any news on this?
Thanks, Jan :-)
On 3/4/2017 at 2:39 PM, Jan Vonde wrote:
Oh, good point. We added a few fixes, but unfortunately the last of those was too late for 2.2.28:

https://git.dovecot.net/dovecot/core/commit/8f251da1b6dfe6dc3d86ae71b377d99a...

So, currently, it may not yet work for you. It will be in 2.2.29. You can try the master branch of course if you want to test it early.
Regards,
Stephan.
On 04.03.2017 at 15:32, Stephan Bosch wrote:
It's working. Awesome! Thanks a lot!
\Jan :-)