On 31-1-2017 at 6:33, Jan Vonde wrote:
> On 31.01.2017 at 00:04, Stephan Bosch wrote:
>> On 1/22/2017 at 12:01 PM, Stephan Bosch wrote:
>>> On 1/22/2017 at 10:01 AM, Jan Vonde wrote:
>>>> I tried adding the following settings but that didn't help:
>>>> ssl_ca = < /etc/ssl/certs/ca-certificates.crt
>>>> ssl_client_ca_dir = /etc/ssl/certs
>>>>
>>>> Can you give me a hint how I can get the ssl certificate accepted?
>>> That should normally have done the trick. However, the sources tell me
>>> that no ssl_client settings are propagated to the http_client used by
>>> fts-solr, so SSL is not currently supported it seems.
>>>
>>> I'll check how easy it is to add that.
>>
>> Just to keep you informed: I created a patch, but it is still being
>> tested.
>>
>
> Thanks for the update Stephan! Awesome! Looking forward to test it
> myself :-)

https://github.com/dovecot/core/commit/526631052ca3175357302af8fa7dcbf763b40c53

Regards,

Stephan.

On 07.02.2017 at 12:29, Stephan Bosch wrote:
>
>
> On 31-1-2017 at 6:33, Jan Vonde wrote:
>> On 31.01.2017 at 00:04, Stephan Bosch wrote:
>>> On 1/22/2017 at 12:01 PM, Stephan Bosch wrote:
>>>> On 1/22/2017 at 10:01 AM, Jan Vonde wrote:
>>>>> I tried adding the following settings but that didn't help:
>>>>> ssl_ca = < /etc/ssl/certs/ca-certificates.crt
>>>>> ssl_client_ca_dir = /etc/ssl/certs
>>>>>
>>>>> Can you give me a hint how I can get the ssl certificate accepted?
>>>> That should normally have done the trick. However, the sources tell me
>>>> that no ssl_client settings are propagated to the http_client used by
>>>> fts-solr, so SSL is not currently supported it seems.
>>>>
>>>> I'll check how easy it is to add that.
>>>
>>> Just to keep you informed: I created a patch, but it is still being
>>> tested.
>>>
>>
>> Thanks for the update Stephan! Awesome! Looking forward to test it
>> myself :-)
>
> https://github.com/dovecot/core/commit/526631052ca3175357302af8fa7dcbf763b40c53
>

Thank you. I am using now the following version:
2.3.0.alpha0 (2eeea57) [XI:2:2.3.0~alpha0-1~auto+650]

The error messages I am getting now are like this:

doveadm(user at host): Info: Received invalid SSL certificate: unable to
get local issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt
Authority X3
doveadm(user at host): Error: fts_solr: Lookup failed: 9002 SSL handshaking
with 5.45.106.248:443 failed: read(SSL 5.45.106.248:443) failed:
Received invalid SSL certificate: unable to get local issuer
certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

You can connect to 5.45.106.248:443 and IMHO everything is correct with
the chain.

I am no SSL expert, but I am reading it as "doveadm and its ssl part
cannot verify the Let's Encrypt certificate". It would need the DST Root
CA X3 and this is in the local trust store (ssl_client_ca_dir...)

Do you have another hint maybe?

Thanks in advance and good night,
Jan :-)

-- 
Jan Vonde
Hermann-Rein-Str. 6
37075 Göttingen
Tel: 0551 - 200 47 58 2
Mobile: 0176 - 83 110 775
http://www.vonde.eu

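The OpenSSL verification error quoted in the message above can be reproduced offline; the following is an added example, not part of the thread or of Dovecot, and it does not claim to identify the cause of the reported failure. It builds a constructed root, intermediate and leaf (all names made up) and shows that "unable to get local issuer certificate" names the intermediate when its root is not found, including when the root file sits in the CA directory without its subject-hash link. It assumes the directory is consumed as an OpenSSL CApath-style directory.

```shell
#!/bin/sh
# Added example: constructed root -> intermediate -> leaf chain (all names are made up).
make_chain() {  # $1 = work directory
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' > "$d/ca.cnf"
    # Self-signed root CA
    openssl req -x509 -config "$d/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=Constructed Root" -days 2 2>/dev/null
    # Intermediate CA, issued by the root
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Constructed Intermediate" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.cnf" -extensions v3_ca -out "$d/int.pem" -days 2 2>/dev/null
    # Leaf (server) certificate, issued by the intermediate
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=solr.example.test" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -out "$d/leaf.pem" -days 2 2>/dev/null
}

# Verify the leaf as a TLS client would: the server presents leaf + intermediate
# (-untrusted) and the CA directory ($2) is the trust source under test.
# Prints openssl's verdict; never fails the script.
verify_with_cadir() {  # $1 = work directory, $2 = CA directory
    openssl verify -CApath "$2" -untrusted "$1/int.pem" "$1/leaf.pem" 2>&1 || true
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
mkdir "$work/ca" && make_chain "$work"

# 1. Empty trust directory: the intermediate's issuer cannot be found.
empty=$(verify_with_cadir "$work" "$work/ca")
# 2. Root present, but not under its subject-hash name: the directory lookup misses it.
cp "$work/root.pem" "$work/ca/root.pem"
unhashed=$(verify_with_cadir "$work" "$work/ca")
# 3. Add the <subject_hash>.0 link that OpenSSL's directory lookup expects.
ln -s root.pem "$work/ca/$(openssl x509 -in "$work/root.pem" -noout -subject_hash).0"
hashed=$(verify_with_cadir "$work" "$work/ca")

printf '%s\n' "--- empty dir ---" "$empty" "--- unhashed root ---" "$unhashed" \
    "--- hashed root ---" "$hashed"
```

On a real system the hash links in a CA directory are normally maintained with `openssl rehash` or `c_rehash` rather than by hand.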

On 8-2-2017 at 21:07, Jan Vonde wrote:
> On 07.02.2017 at 12:29, Stephan Bosch wrote:
>>
>> On 31-1-2017 at 6:33, Jan Vonde wrote:
>>> On 31.01.2017 at 00:04, Stephan Bosch wrote:
>>>> On 1/22/2017 at 12:01 PM, Stephan Bosch wrote:
>>>>> On 1/22/2017 at 10:01 AM, Jan Vonde wrote:
>>>>>> I tried adding the following settings but that didn't help:
>>>>>> ssl_ca = < /etc/ssl/certs/ca-certificates.crt
>>>>>> ssl_client_ca_dir = /etc/ssl/certs
>>>>>>
>>>>>> Can you give me a hint how I can get the ssl certificate accepted?
>>>>> That should normally have done the trick. However, the sources tell me
>>>>> that no ssl_client settings are propagated to the http_client used by
>>>>> fts-solr, so SSL is not currently supported it seems.
>>>>>
>>>>> I'll check how easy it is to add that.
>>>> Just to keep you informed: I created a patch, but it is still being
>>>> tested.
>>>>
>>> Thanks for the update Stephan! Awesome! Looking forward to test it
>>> myself :-)
>> https://github.com/dovecot/core/commit/526631052ca3175357302af8fa7dcbf763b40c53
>>
> Thank you. I am using now the following version:
> 2.3.0.alpha0 (2eeea57) [XI:2:2.3.0~alpha0-1~auto+650]
>
> The error messages I am getting now are like this:
>
> doveadm(user at host): Info: Received invalid SSL certificate: unable to
> get local issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt
> Authority X3
> doveadm(user at host): Error: fts_solr: Lookup failed: 9002 SSL handshaking
> with 5.45.106.248:443 failed: read(SSL 5.45.106.248:443) failed:
> Received invalid SSL certificate: unable to get local issuer
> certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>
>
> You can connect to 5.45.106.248:443 and IMHO everything is correct with
> the chain.
>
>
> I am no SSL expert, but I am reading it as "doveadm and its ssl part
> cannot verify the Let's Encrypt certificate". It would need the DST Root
> CA X3 and this is in the local trust store (ssl_client_ca_dir...)
>
>
> Do you have another hint maybe?

We seem to have found another issue there. More on this will follow.

Regards,

Stephan.