fts_solr and connection via https://
Jan Vonde
mail at jan-von.de
Fri Feb 17 16:27:43 UTC 2017
Am 17.02.2017 um 11:45 schrieb Stephan Bosch:
> Op 8-2-2017 om 21:07 schreef Jan Vonde:
>> Am 07.02.2017 um 12:29 schrieb Stephan Bosch:
>>> Op 31-1-2017 om 6:33 schreef Jan Vonde:
>>>> Am 31.01.2017 um 00:04 schrieb Stephan Bosch:
>>>>> Op 1/22/2017 om 12:01 PM schreef Stephan Bosch:
>>>>>> Op 1/22/2017 om 10:01 AM schreef Jan Vonde:
>>>>>>> I tried adding the following settings but that didn't help:
>>>>>>> ssl_ca = < /etc/ssl/certs/ca-certificates.crt
>>>>>>> ssl_client_ca_dir = /etc/ssl/certs
>>>>>>>
>>>>>>> Can you give me a hint how I can get the ssl certificate accepted?
>>>>>> That should normally have done the trick. However, the sources
>>>>>> tell me
>>>>>> that no ssl_client settings are propagated to the http_client used by
>>>>>> fts-solr, so SSL is not currently supported it seems.
>>>>>>
>>>>>> I'll check how easy it is to add that.
>>>>> Just to keep you informed: I created a patch, but it is still being
>>>>> tested.
>>>>>
>>>> Thanks for the update Stephan! Awesome! Looking forward to test it
>>>> myself :-)
>>> https://github.com/dovecot/core/commit/526631052ca3175357302af8fa7dcbf763b40c53
>>>
>>>
>> Thank you. I am using now the following version:
>> 2.3.0.alpha0 (2eeea57) [XI:2:2.3.0~alpha0-1~auto+650]
>>
>> The error messages I am getting now are like this:
>>
>> doveadm(user at host): Info: Received invalid SSL certificate: unable to
>> get local issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt
>> Authority X3
>> doveadm(user at host): Error: fts_solr: Lookup failed: 9002 SSL handshaking
>> with 5.45.106.248:443 failed: read(SSL 5.45.106.248:443) failed:
>> Received invalid SSL certificate: unable to get local issuer
>> certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>>
>>
>> You can connect to 5.45.106.248:443 and IMHO everything is correct with
>> the chain.
>>
>>
>> I am no SSL expert, but I am reading it as "doveadm and its ssl part
>> cannot verify the Let's Encrypt certificate". It would need the DST Root
>> CA X3 and this is in the local trust store (ssl_client_ca_dir...)
>>
>>
>> Do you have another hint maybe?
>
> We seem to have found another issue there. More on this will follow.
>
Thanks for the update and have a nice weekend,
Jan :-)
More information about the dovecot
mailing list