Joseph Ward writes:

> I'm aware of at least a couple of fallback options:
>    - have a self-signed cert for replication and use the Let's Encrypt
>      one for IMAP/POP
>    - create firewall rules allowing them to connect to each other over
>      the public internet so that it can validate the proper cert
>
> These are both much less palatable than simply disabling the cert
> validation if it's possible.

Maybe instead of disabling the check, appease it by supplying (in
/etc/hosts) an alternate mapping of the FQDN subject of your certificate
to your internal IP:

    10.x.x.x        your.sync.target

Joseph Tam <jtam.home at gmail.com>
I'd considered doing it at the internal DNS server level, which I wasn't
a fan of because it's a separate server's config that I'd have to rely
on to make sure this server was working. The thought of the local hosts
file slipped my mind. That is a good idea; it meets my needs, and keeps
everything in the same "create mail server" ansible file.

Thank you!

-Joseph

On 12/20/2017 20:27, Joseph Tam wrote:
> Joseph Ward writes:
>
>> I'm aware of at least a couple of fallback options:
>>    - have a self-signed cert for replication and use the Let's Encrypt
>>      one for IMAP/POP
>>    - create firewall rules allowing them to connect to each other over
>>      the public internet so that it can validate the proper cert
>>
>> These are both much less palatable than simply disabling the cert
>> validation if it's possible.
>
> Maybe instead of disabling the check, appease it by supplying (in
> /etc/hosts) an alternate mapping of the FQDN subject of your certificate
> to your internal IP:
>
>     10.x.x.x        your.sync.target
>
> Joseph Tam <jtam.home at gmail.com>
Thanks for letting us know, we'll check this. But would it make sense to
sign those certs with your own CA cert and distribute the CA cert to your
systems?

Aki

> On December 21, 2017 at 4:56 PM Joseph Ward <jbwlists at hilltopgroup.com> wrote:
>
>
> I'd considered doing it at the internal DNS server level, which I wasn't
> a fan of because it's a separate server's config that I'd have to rely
> on to make sure this server was working. The thought of the local hosts
> file slipped my mind. That is a good idea; it meets my needs, and keeps
> everything in the same "create mail server" ansible file.
>
> Thank you!
>
> -Joseph
>
>
> On 12/20/2017 20:27, Joseph Tam wrote:
> > Joseph Ward writes:
> >
> >> I'm aware of at least a couple of fallback options:
> >>    - have a self-signed cert for replication and use the Let's Encrypt
> >>      one for IMAP/POP
> >>    - create firewall rules allowing them to connect to each other over
> >>      the public internet so that it can validate the proper cert
> >>
> >> These are both much less palatable than simply disabling the cert
> >> validation if it's possible.
> >
> > Maybe instead of disabling the check, appease it by supplying (in
> > /etc/hosts) an alternate mapping of the FQDN subject of your certificate
> > to your internal IP:
> >
> >     10.x.x.x        your.sync.target
> >
> > Joseph Tam <jtam.home at gmail.com>
>
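The two ideas in this thread, a private CA that every peer trusts (Aki's suggestion) and the fact that validation is keyed on the name the client connects with (which is why the /etc/hosts mapping works and a bare internal IP does not), as an added example that is not from the thread or any of its posters; it needs only the openssl command-line tool, and your.sync.target and 10.0.0.5 are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): issue a replication cert from a private
# CA, then show that hostname verification passes for the FQDN in the cert's
# SAN and fails for the bare internal IP. All names here are placeholders.
set -eu

FQDN="your.sync.target"        # placeholder from the thread, not a real host
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Private CA: ca.pem is the one file you distribute to every peer.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Internal Mail CA (example)" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# 2. Server cert whose subjectAltName carries the replication FQDN.
#    The SAN goes in via -extfile so this works on OpenSSL 1.1.1 and 3.x.
issue_cert() {
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/san.cnf"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 825 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.cnf" -out "$WORK/server.pem" 2>/dev/null
}

# 3. What a peer does: chain check against the private CA plus a hostname
#    check against the name it used to connect. Exit 0 only if both pass.
verify_peer() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
    "$WORK/server.pem" >/dev/null 2>&1
}

make_ca
issue_cert "$FQDN"

# Connecting by the FQDN (e.g. after an /etc/hosts entry pointing it at the
# internal IP) satisfies the check; connecting by the raw IP does not, which
# is the failure the original poster was trying to disable.
if verify_peer "$FQDN"; then echo "$FQDN: verified"; fi
if verify_peer "10.0.0.5"; then echo "10.0.0.5: verified"
else echo "10.0.0.5: hostname mismatch (expected)"; fi
```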