Fts solr and https

Aki Tuomi aki.tuomi at dovecot.fi
Mon Mar 19 20:51:30 EET 2018


It's possible, yes.

You can use stunnel or haproxy as a workaround, maybe?

Aki

> On 19 March 2018 at 20:39 Alex <alex at jili.ga> wrote:
> 
> 
> Hello,
> 
> Excuse me,
> Is dovecot really unable to work with solr through https?
> 
> I tried to change ssl_client_ca_dir and ssl_client_ca_file, but nothing.
> 
> 
> 
> 
> Alex 2018-03-05 21:56:
> > Hi,
> > 
> > Dovecot 2.2.32-34
> > FreeBSD 10.4
> > 
> > Solr 7.2.1(Centos 6)
> > 
> > 
> > When I try to use https to connect to solr, I get an error when using a
> > self-signed certificate:
> > 
> > Mar  3 05:15:47 server dovecot: indexer-worker(email at domain.com):
> > Received invalid SSL certificate: self signed certificate: /C=Country/
> > ST=State/L=Location/O=Organization/OU=Organizational 
> > Unit/CN=solr.domain.com
> > Mar  3 05:15:47 server dovecot: indexer-worker(email at domain.com):
> > Received invalid SSL certificate: self signed certificate: /C=Country/
> > ST=State/L=Location/O=Organization/OU=Organizational 
> > Unit/CN=solr.domain.com
> > Mar  3 05:15:47 server dovecot: indexer-worker(email at domain.com):
> > Error: fts_solr: Indexing failed: SSL handshaking with 1.1.1.1:
> > 8983 failed: read(SSL 1.1.1.1:8983) failed: Received invalid SSL
> > certificate: self signed certificate: /C=Country/ST=State/L=L
> > ocation/O=Organization/OU=Organizational Unit/CN=solr.domain.com (2
> > attempts in 0.043 secs)
> > Mar  3 05:15:47 server dovecot: indexer-worker(email at domain.com):
> > Received invalid SSL certificate: self signed certificate: /C=Country/
> > ST=State/L=Location/O=Organization/OU=Organizational 
> > Unit/CN=solr.domain.com
> > Mar  3 05:15:47 server dovecot: indexer-worker(email at domain.com):
> > Received invalid SSL certificate: self signed certificate: /C=Country/
> > ST=State/L=Location/O=Organization/OU=Organizational 
> > Unit/CN=solr.domain.com
> > Mar  3 05:15:47 server dovecot: indexer-worker(email at domain.com):
> > Error: fts_solr: Indexing failed: SSL handshaking with 1.1.1.1:
> > 8983 failed: read(SSL 1.1.1.1:8983) failed: Received invalid SSL
> > certificate: self signed certificate: /C=Country/ST=State/L=L
> > ocation/O=Organization/OU=Organizational Unit/CN=solr.domain.com (2
> > attempts in 0.430 secs)
> > Mar  3 05:15:47 server dovecot: indexer-worker(email at domain.com):
> > Error: Mailbox INBOX: Transaction commit failed: FTS transaction commi
> > t failed: backend deinit (attempted to index 1 messages (UIDs 
> > 799975..799975))
> > 
> > 
> > or an error when using letsencrypt:
> > 
> > 
> > Mar  3 01:26:31 server dovecot: indexer-worker(email at domain.com):
> > Received invalid SSL certificate: unable to get local issuer certifi
> > cate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> > Mar  3 01:26:31 server dovecot: indexer-worker(email at domain.com):
> > Received invalid SSL certificate: unable to get local issuer certifi
> > cate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> > Mar  3 01:26:31 server dovecot: indexer-worker(email at domain.com):
> > Error: fts_solr: Indexing failed: SSL handshaking with 1.1.1.1
> > 3:8983 failed: read(SSL 1.1.1.1:8983) failed: Received invalid SSL
> > certificate: unable to get local issuer certificate: /C=US/
> > O=Let's Encrypt/CN=Let's Encrypt Authority X3 (2 attempts 
> > in 0.085 secs)
> > Mar  3 01:26:31 server dovecot: indexer-worker(email at domain.com):
> > Received invalid SSL certificate: unable to get local issuer certifi
> > cate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> > Mar  3 01:26:31 server dovecot: indexer-worker(email at domain.com):
> > Received invalid SSL certificate: unable to get local issuer certifi
> > cate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> > Mar  3 01:26:31 server dovecot: indexer-worker(email at domain.com):
> > Error: fts_solr: Indexing failed: SSL handshaking with 1.1.1.1
> > 3:8983 failed: read(SSL 1.1.1.1:8983) failed: Received invalid SSL
> > certificate: unable to get local issuer certificate: /C=US/
> > O=Let's Encrypt/CN=Let's Encrypt Authority X3 (2 attempts 
> > in 0.112 secs)
> > Mar  3 01:26:31 server dovecot: indexer-worker(email at domain.com):
> > Error: Mailbox INBOX: Transaction commit failed: FTS transaction com
> > mit failed: backend deinit (attempted to index 1 messages (UIDs 
> > 104770..104770))
> > 
> > 
> > 90-plugins.conf:
> > fts_autoindex=yes
> > fts = solr
> > fts_solr = url=https://login:pass@solr.domain.com:8983/solr/dovecot/
> > break-imap-search debug
> > 
> > 
> > curl and other software connect to solr without errors in both cases.
> > 
> > Does dovecot have an option to disable certificate validation (maybe
> > ssl_verify = false etc.)?
> > 
> > 
> > Thanks.
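
The stunnel workaround suggested in the reply, sketched as an added example that is not part of the original thread or of Dovecot's documentation: stunnel runs in client mode on the Dovecot host, verifies Solr's certificate itself, and Dovecot talks plain HTTP to the loopback listener. The file paths, the local port 8984 and the CA bundle location are assumptions; the host name and Solr URL are the ones from the quoted 90-plugins.conf.

```ini
; stunnel client-mode service for Dovecot -> Solr (added example).
; Assumed location: /usr/local/etc/stunnel/conf.d/solr.conf

[solr]
; Act as a TLS client: accept cleartext locally, speak TLS to Solr.
client = yes

; Bind to loopback only, so the cleartext leg (which carries the
; login:pass from the Solr URL) never leaves the Dovecot host.
accept = 127.0.0.1:8984
connect = solr.domain.com:8983

; Trust anchor used to verify Solr's certificate (assumed path).
;  - Self-signed case: a PEM copy of the self-signed certificate itself.
;  - Let's Encrypt case: a bundle containing the issuing root CA;
;    "unable to get local issuer certificate" means the verifier could
;    not find that issuer in its trust store.
CAfile = /usr/local/etc/ssl/solr-ca.pem

; Require a valid chain up to CAfile and a certificate that matches
; the Solr host name. Leaving these out makes stunnel accept any
; certificate, which removes the protection https was meant to add.
verifyChain = yes
checkHost = solr.domain.com

; Matching change in Dovecot's 90-plugins.conf: point fts_solr at the
; local listener over plain http instead of https, for example
;   fts_solr = url=http://login:pass@127.0.0.1:8984/solr/dovecot/ break-imap-search debug
```

With this in place the certificate check moves from Dovecot's HTTP client to stunnel, so a verification failure shows up in stunnel's log rather than in the indexer-worker lines quoted above.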

