Hi,

I have two servers (HA configuration) on which I'm attempting to get replication working over SSL. They're at two different sites, but connected via a site-site VPN.

Everything seems to be fine, except that the certificates are not validating as I'm using IP addresses for the sync, as opposed to the public hostnames for which the certificates are valid, and so I get the following error:

doveadm(user at domain): Error: doveadm server disconnected before handshake: SSL certificate doesn't match expected host name 10.x.x.x

I'm on Dovecot 2.2.33.

Is there any way to disable the certificate checking/validation for the sync engine?

(
I'm aware of at least a couple of fallback options:
    - have a self-signed cert for replication and use the Let's Encrypt one for IMAP/POP
    - create firewall rules allowing them to connect to each other over the public internet so that it can validate the proper cert

These are both much less palatable than simply disabling the cert validation if it's possible.
)

Thank you in advance for any assistance,
Joseph
I guess what I don't understand is why the IP address approach is more attractive to you, and why you think the "public Internet" path is less good.

Best regards,

A

--
Please excuse my clumbsy thums

----------

On December 21, 2017 12:47:47 AM Joseph Ward <jbwlists at hilltopgroup.com> wrote:
> Hi,
>
> I have two servers (HA configuration) on which I'm attempting to get
> replication working over SSL. They're at two different sites, but
> connected via a site-site VPN.
>
> Everything seems to be fine, except that the certificates are not
> validating as I'm using IP addresses for the sync, as opposed to the
> public hostnames for which the certificates are valid, and so I get the
> following error:
>
> doveadm(user at domain): Error: doveadm server disconnected before
> handshake: SSL certificate doesn't match expected host name 10.x.x.x
>
> I'm on Dovecot 2.2.33.
>
> Is there any way to disable the certificate checking/validation for the
> sync engine?
>
> (
> I'm aware of at least a couple of fallback options:
>     - have a self-signed cert for replication and use the Let's Encrypt
>       one for IMAP/POP
>     - create firewall rules allowing them to connect to each other over
>       the public internet so that it can validate the proper cert
>
> These are both much less palatable than simply disabling the cert
> validation if it's possible.
> )
>
>
> Thank you in advance for any assistance,
> Joseph
I only have one public IP at each site, so having all internal services (and I have a lot of them) communicating over the internet to that single IP (on each side) would get pretty complex with a lot of rules and a lot of interesting port remapping and additional firewall rule complexity. That additional complexity also involves more chances to make mistakes that introduce security problems. So in general, I'm eager to keep things going directly to the proper service internally. Obviously I can work around that when it's necessary, but going outside the VPN is the last option I'm entertaining.

Regards,
Joseph Ward

On 12/20/2017 20:24, Andrew Sullivan wrote:
> I guess what I don't understand is why the IP address approach is more
> attractive to you, and why you think the "public Internet" path is
> less good.
>
> Best regards,
>
> A
>
On December 20, 2017 6:46:24 PM EST, Joseph Ward <jbwlists at hilltopgroup.com> wrote:
> Hi,
>
> I have two servers (HA configuration) on which I'm attempting to get
> replication working over SSL. They're at two different sites, but
> connected via a site-site VPN.
>
> Everything seems to be fine, except that the certificates are not
> validating as I'm using IP addresses for the sync, as opposed to the
> public hostnames for which the certificates are valid, and so I get the
> following error:
>
> doveadm(user at domain): Error: doveadm server disconnected before
> handshake: SSL certificate doesn't match expected host name 10.x.x.x
>
> I'm on Dovecot 2.2.33.
>
> Is there any way to disable the certificate checking/validation for the
> sync engine?
>
> (
> I'm aware of at least a couple of fallback options:
>     - have a self-signed cert for replication and use the Let's Encrypt
>       one for IMAP/POP
>     - create firewall rules allowing them to connect to each other over
>       the public internet so that it can validate the proper cert
>
> These are both much less palatable than simply disabling the cert
> validation if it's possible.

You could add an entry in /etc/hosts (or in your internal DNS system if you have one) that gives the internal IP in response to the public hostname.

--Sean
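As an added illustration of why the IP-based replica address fails validation and why Sean's hosts-file override fixes it without disabling any check (example code written for this thread, not Dovecot code and not any poster's own): a TLS client compares the name it was asked to connect to against the certificate's subjectAltName entries, so an IP literal such as 10.x.x.x can only ever match an iPAddress SAN, which a public-hostname certificate does not carry. The certificate dictionary, the /etc/hosts text, the addresses 10.0.0.5 and 203.0.113.10 and the name mail.example.com are all constructed sample data, and the function names are this example's own. The matching rules follow the usual RFC 6125 / RFC 2818 conventions rather than Dovecot's exact implementation.

```python
"""Why doveadm rejects '10.x.x.x' and why a hosts-file override fixes it.

Constructed example: the certificate and hosts-file text are sample data,
and the matching rules are the general ones TLS clients apply.
"""
import ipaddress

# Constructed sample shaped like ssl.SSLSocket.getpeercert() output for a
# publicly trusted certificate: DNS names only, plus one public IP SAN.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (
        ("DNS", "mail.example.com"),
        ("DNS", "*.example.com"),
        ("IP Address", "203.0.113.10"),
    ),
}

# Constructed /etc/hosts content: the public hostname mapped to the VPN-side
# address, which is the override suggested in the thread.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# replication peer reached over the site-to-site VPN
10.0.0.5    mail.example.com
"""


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """dNSName match: exact, or a single '*' as the whole leftmost label
    covering exactly one label of the hostname (RFC 6125 style)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label and not the only label.
    if p_labels[0] != "*" or len(p_labels) < 2 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches(cert: dict, expected: str) -> bool:
    """True if `expected` (a DNS name or an IP literal) is covered by the
    certificate's subjectAltName, the way a TLS client checks it."""
    try:
        wanted_ip = ipaddress.ip_address(expected)
    except ValueError:
        wanted_ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if wanted_ip is not None:
            # An IP literal matches only an iPAddress SAN, never a dNSName.
            if kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip:
                return True
        elif kind == "DNS" and _dns_name_matches(value, expected):
            return True
    return False


def parse_hosts(text: str) -> dict:
    """Minimal /etc/hosts parser: hostname (lower-cased) -> address."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def plan_connection(peer_name: str, hosts_text: str) -> tuple:
    """Return (address to connect to, name to validate the certificate against).

    With the hosts override the TCP target is the VPN address while the
    certificate is still validated against the public hostname, so the
    check stays enabled and a peer presenting another cert is still rejected.
    """
    hosts = parse_hosts(hosts_text)
    return hosts.get(peer_name.lower(), peer_name), peer_name


if __name__ == "__main__":
    # Replica configured by IP: the expected name is "10.0.0.5" and no SAN covers it.
    print("connect by IP  :", cert_matches(SAMPLE_CERT, "10.0.0.5"))
    # Replica configured by hostname plus hosts override: same VPN peer, cert validates.
    addr, name = plan_connection("mail.example.com", SAMPLE_HOSTS)
    print("connect by name:", addr, name, cert_matches(SAMPLE_CERT, name))
```

The point of `plan_connection` is the separation the hosts-file override buys you: the address the socket connects to and the name the certificate is checked against are two different things, and only the second one has to appear in the certificate. Turning validation off instead would make the replication link accept any certificate, so the override is the better fix even inside a VPN.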