Disable ssl validation for replication?

Sean Greenslade sean at seangreenslade.com
Sun Dec 24 15:32:12 EET 2017


On December 20, 2017 6:46:24 PM EST, Joseph Ward <jbwlists at hilltopgroup.com> wrote:
>Hi,
>
>I have two servers (HA configuration) on which I'm attempting to get
>replication working over SSL.  They're at two different sites, but
>connected via a site-site VPN.
>
>Everything seems to be fine, except that the certificates are not
>validating as I'm using IP addresses for the sync, as opposed to the
>public hostnames for which the certificates are valid, and so I get the
>following error: 
>
>doveadm(user at domain): Error: doveadm server disconnected before
>handshake: SSL certificate doesn't match expected host name 10.x.x.x
>
>I'm on Dovecot 2.2.33.
>
>Is there any way to disable the certificate checking/validation for the
>sync engine? 
>
>(
>I'm aware of at least a couple of fallback options:
>    - have a self-signed cert for replication and use the Let's Encrypt
>one for IMAP/POP
>    - create firewall rules allowing them to connect to each other over
>the public internet so that it can validate the proper cert
> 
>These are both much less palatable than simply disabling the cert
>validation if it's possible.

You could add an entry in /etc/hosts (or in your internal DNS system if you have one) that gives the internal IP in response to the public hostname.

--Sean
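An added example, not from the thread, that models the hostname check behind the "SSL certificate doesn't match expected host name" error: an IP literal is only ever compared against iPAddress SAN entries, so a certificate issued for the public DNS names can never validate a replica addressed as 10.x.x.x, whereas the same connection made by name (with the name resolving to the internal IP via /etc/hosts or internal DNS) passes. The SAN list and addresses are constructed.

```python
"""Model of TLS hostname verification as applied to a Dovecot replica (constructed example)."""
import ipaddress
from typing import List, Tuple


def _dns_label_match(pattern: str, name: str) -> bool:
    """Match one dNSName SAN entry against a hostname. Only a single
    leftmost wildcard label is honoured (RFC 6125 section 6.4.3)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    plabels, nlabels = pattern.split("."), name.split(".")
    if plabels[0] != "*" or len(plabels) != len(nlabels) or len(plabels) < 3:
        return False
    return plabels[1:] == nlabels[1:]


def cert_matches_host(san: List[Tuple[str, str]], target: str) -> bool:
    """Return True if a certificate carrying these subjectAltName entries is
    valid for `target`. As in OpenSSL's X509_check_host/X509_check_ip, an IP
    literal is compared only against "IP Address" entries and a hostname only
    against "DNS" entries; the two kinds never cross-match."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and kind == "DNS" and _dns_label_match(value, target):
            return True
    return False


# Constructed SAN of a publicly issued certificate covering both mail hosts.
PUBLIC_CERT_SAN = [("DNS", "mail1.example.com"), ("DNS", "mail2.example.com")]

if __name__ == "__main__":
    # Replica addressed by internal IP: the check fails, as in the thread.
    print(cert_matches_host(PUBLIC_CERT_SAN, "10.0.0.5"))
    # Replica addressed by its public name, resolved internally via /etc/hosts: passes.
    print(cert_matches_host(PUBLIC_CERT_SAN, "mail2.example.com"))
```

With the hosts override in place, `mail_replica` can keep pointing at the public hostname and certificate validation stays enabled.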
