Re: Disable ssl validation for replication?
Joseph Ward writes:
I'm aware of at least a couple of fallback options: ??? -have a self-signed cert for replication and use the Let's Encrypt one for IMAP/POP ??? - create firewall rules allowing them to connect to each other over the public internet so that it can validate the proper cert ? These are both much less palatable than simply disabling the cert validation if it's possible.
Maybe instead of disabling the check, appease it by supplying (in /etc/hosts) an alternate mapping of the FQDN subject of your certificate to your internal IP:
10.x.x.x your.sync.target
Joseph Tam jtam.home@gmail.com
I'd considered doing it at the internal DNS server level which I wasn't a fan of because it's a separate server's config that I'd have to rely on to make sure this server was working. The thought of the local hosts file slipped my mind. That is a good idea; it meets my needs, and keeps everything in the same "create mail server" ansible file.
Thank you!
-Joseph
On 12/20/2017 20:27, Joseph Tam wrote:
Joseph Ward writes:
I'm aware of at least a couple of fallback options: ??? -have a self-signed cert for replication and use the Let's Encrypt one for IMAP/POP ??? - create firewall rules allowing them to connect to each other over the public internet so that it can validate the proper cert ? These are both much less palatable than simply disabling the cert validation if it's possible.
Maybe instead of disabling the check, appease it by supplying (in /etc/hosts) an alternate mapping of the FQDN subject of your certificate to your internal IP:
10.x.x.x your.sync.target
Joseph Tam jtam.home@gmail.com
Thanks for letting us know, we'll check this.
But, would it make sense to sign those certs with your own CA cert and distribute the CA cert to your systems?
Aki
On December 21, 2017 at 4:56 PM Joseph Ward jbwlists@hilltopgroup.com wrote:
I'd considered doing it at the internal DNS server level which I wasn't a fan of because it's a separate server's config that I'd have to rely on to make sure this server was working. The thought of the local hosts file slipped my mind. That is a good idea; it meets my needs, and keeps everything in the same "create mail server" ansible file.
Thank you!
-Joseph
On 12/20/2017 20:27, Joseph Tam wrote:
Joseph Ward writes:
I'm aware of at least a couple of fallback options: ??? -have a self-signed cert for replication and use the Let's Encrypt one for IMAP/POP ??? - create firewall rules allowing them to connect to each other over the public internet so that it can validate the proper cert ? These are both much less palatable than simply disabling the cert validation if it's possible.
Maybe instead of disabling the check, appease it by supplying (in /etc/hosts) an alternate mapping of the FQDN subject of your certificate to your internal IP:
10.x.x.x your.sync.target
Joseph Tam jtam.home@gmail.com
participants (3)
-
Aki Tuomi
-
Joseph Tam
-
Joseph Ward