On 8-2-2017 at 21:07, Jan Vonde wrote:
> On 07.02.2017 at 12:29, Stephan Bosch wrote:
>>
>> On 31-1-2017 at 6:33, Jan Vonde wrote:
>>> On 31.01.2017 at 00:04, Stephan Bosch wrote:
>>>> On 1/22/2017 at 12:01 PM, Stephan Bosch wrote:
>>>>> On 1/22/2017 at 10:01 AM, Jan Vonde wrote:
>>>>>> I tried adding the following settings but that didn't help:
>>>>>> ssl_ca = < /etc/ssl/certs/ca-certificates.crt
>>>>>> ssl_client_ca_dir = /etc/ssl/certs
>>>>>>
>>>>>> Can you give me a hint how I can get the ssl certificate accepted?
>>>>> That should normally have done the trick. However, the sources tell me
>>>>> that no ssl_client settings are propagated to the http_client used by
>>>>> fts-solr, so SSL is not currently supported it seems.
>>>>>
>>>>> I'll check how easy it is to add that.
>>>> Just to keep you informed: I created a patch, but it is still being
>>>> tested.
>>>>
>>> Thanks for the update Stephan! Awesome! Looking forward to test it
>>> myself :-)
>> https://github.com/dovecot/core/commit/526631052ca3175357302af8fa7dcbf763b40c53
>>
> Thank you. I am using now the following version:
> 2.3.0.alpha0 (2eeea57) [XI:2:2.3.0~alpha0-1~auto+650]
>
> The error messages I am getting now are like this:
>
> doveadm(user at host): Info: Received invalid SSL certificate: unable to
> get local issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt
> Authority X3
> doveadm(user at host): Error: fts_solr: Lookup failed: 9002 SSL handshaking
> with 5.45.106.248:443 failed: read(SSL 5.45.106.248:443) failed:
> Received invalid SSL certificate: unable to get local issuer
> certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>
>
> You can connect to 5.45.106.248:443 and IMHO everything is correct with
> the chain.
>
>
> I am no SSL expert, but I am reading it as "doveadm and its ssl part
> cannot verify the Let's Encrypt certificate". It would need the DST Root
> CA X3 and this is in the local trust store (ssl_client_ca_dir...)
>
>
> Do you have another hint maybe?

We seem to have found another issue there. More on this will follow.

Regards,

Stephan.

On 17.02.2017 at 11:45, Stephan Bosch wrote:
> On 8-2-2017 at 21:07, Jan Vonde wrote:
>> On 07.02.2017 at 12:29, Stephan Bosch wrote:
>>> On 31-1-2017 at 6:33, Jan Vonde wrote:
>>>> On 31.01.2017 at 00:04, Stephan Bosch wrote:
>>>>> On 1/22/2017 at 12:01 PM, Stephan Bosch wrote:
>>>>>> On 1/22/2017 at 10:01 AM, Jan Vonde wrote:
>>>>>>> I tried adding the following settings but that didn't help:
>>>>>>> ssl_ca = < /etc/ssl/certs/ca-certificates.crt
>>>>>>> ssl_client_ca_dir = /etc/ssl/certs
>>>>>>>
>>>>>>> Can you give me a hint how I can get the ssl certificate accepted?
>>>>>> That should normally have done the trick. However, the sources tell me
>>>>>> that no ssl_client settings are propagated to the http_client used by
>>>>>> fts-solr, so SSL is not currently supported it seems.
>>>>>>
>>>>>> I'll check how easy it is to add that.
>>>>> Just to keep you informed: I created a patch, but it is still being
>>>>> tested.
>>>>>
>>>> Thanks for the update Stephan! Awesome! Looking forward to test it
>>>> myself :-)
>>> https://github.com/dovecot/core/commit/526631052ca3175357302af8fa7dcbf763b40c53
>>>
>>>
>> Thank you. I am using now the following version:
>> 2.3.0.alpha0 (2eeea57) [XI:2:2.3.0~alpha0-1~auto+650]
>>
>> The error messages I am getting now are like this:
>>
>> doveadm(user at host): Info: Received invalid SSL certificate: unable to
>> get local issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt
>> Authority X3
>> doveadm(user at host): Error: fts_solr: Lookup failed: 9002 SSL handshaking
>> with 5.45.106.248:443 failed: read(SSL 5.45.106.248:443) failed:
>> Received invalid SSL certificate: unable to get local issuer
>> certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>>
>>
>> You can connect to 5.45.106.248:443 and IMHO everything is correct with
>> the chain.
>>
>>
>> I am no SSL expert, but I am reading it as "doveadm and its ssl part
>> cannot verify the Let's Encrypt certificate". It would need the DST Root
>> CA X3 and this is in the local trust store (ssl_client_ca_dir...)
>>
>>
>> Do you have another hint maybe?
>
> We seem to have found another issue there. More on this will follow.
>

Thanks for the update and have a nice weekend,

Jan :-)

On 17.02.2017 at 17:27, Jan Vonde wrote:
> On 17.02.2017 at 11:45, Stephan Bosch wrote:
>> On 8-2-2017 at 21:07, Jan Vonde wrote:
>>> On 07.02.2017 at 12:29, Stephan Bosch wrote:
>>>> On 31-1-2017 at 6:33, Jan Vonde wrote:
>>>>> On 31.01.2017 at 00:04, Stephan Bosch wrote:
>>>>>> On 1/22/2017 at 12:01 PM, Stephan Bosch wrote:
>>>>>>> On 1/22/2017 at 10:01 AM, Jan Vonde wrote:
>>>>>>>> I tried adding the following settings but that didn't help:
>>>>>>>> ssl_ca = < /etc/ssl/certs/ca-certificates.crt
>>>>>>>> ssl_client_ca_dir = /etc/ssl/certs
>>>>>>>>
>>>>>>>> Can you give me a hint how I can get the ssl certificate accepted?
>>>>>>> That should normally have done the trick. However, the sources tell me
>>>>>>> that no ssl_client settings are propagated to the http_client used by
>>>>>>> fts-solr, so SSL is not currently supported it seems.
>>>>>>>
>>>>>>> I'll check how easy it is to add that.
>>>>>> Just to keep you informed: I created a patch, but it is still being
>>>>>> tested.
>>>>>>
>>>>> Thanks for the update Stephan! Awesome! Looking forward to test it
>>>>> myself :-)
>>>> https://github.com/dovecot/core/commit/526631052ca3175357302af8fa7dcbf763b40c53
>>>>
>>>>
>>>>
>>> Thank you. I am using now the following version:
>>> 2.3.0.alpha0 (2eeea57) [XI:2:2.3.0~alpha0-1~auto+650]
>>>
>>> The error messages I am getting now are like this:
>>>
>>> doveadm(user at host): Info: Received invalid SSL certificate: unable to
>>> get local issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt
>>> Authority X3
>>> doveadm(user at host): Error: fts_solr: Lookup failed: 9002 SSL handshaking
>>> with 5.45.106.248:443 failed: read(SSL 5.45.106.248:443) failed:
>>> Received invalid SSL certificate: unable to get local issuer
>>> certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>>>
>>>
>>> You can connect to 5.45.106.248:443 and IMHO everything is correct with
>>> the chain.
>>>
>>>
>>> I am no SSL expert, but I am reading it as "doveadm and its ssl part
>>> cannot verify the Let's Encrypt certificate". It would need the DST Root
>>> CA X3 and this is in the local trust store (ssl_client_ca_dir...)
>>>
>>>
>>> Do you have another hint maybe?
>>
>> We seem to have found another issue there. More on this will follow.
>>
> Thanks for the update and have a nice weekend,
>

I don't want to push, am just interested: any news on this?

Thanks,

Jan :-)