Re: fts_solr and connection via https://
Am 04.03.2017 um 15:32 schrieb Stephan Bosch: > Op 3/4/2017 om 2:39 PM schreef Jan Vonde: >> Am 17.02.2017 um 17:27 schrieb Jan Vonde: >>> Am 17.02.2017 um 11:45 schrieb Stephan Bosch: >>>> Op 8-2-2017 om 21:07 schreef Jan Vonde: >>>> We seem to have found another issue there. More on this will follow. >>>> >>> Thanks for the update and have a nice weekend, >>> >> I don't want to push, am just interested: any news on this? >> >> >> Thanks, Jan :-) > > Oh, good point. We added a few fixes, but unfortunately the last of > those was too late for 2.2.28: > > https://git.dovecot.net/dovecot/core/commit/8f251da1b6dfe6dc3d86ae71b377d99afe2d4bd2 > > So, currently, may not yet work for you. I will be in 2.2.29. You can > try the master branch of course if you want to test it early. > > > Regards, > > Stephan. > It's working. Awesome! Thanks a lot! \Jan :-)
Re: fts_solr and connection via https://
Am 17.02.2017 um 17:27 schrieb Jan Vonde: > Am 17.02.2017 um 11:45 schrieb Stephan Bosch: >> Op 8-2-2017 om 21:07 schreef Jan Vonde: >>> Am 07.02.2017 um 12:29 schrieb Stephan Bosch: >>>> Op 31-1-2017 om 6:33 schreef Jan Vonde: >>>>> Am 31.01.2017 um 00:04 schrieb Stephan Bosch: >>>>>> Op 1/22/2017 om 12:01 PM schreef Stephan Bosch: >>>>>>> Op 1/22/2017 om 10:01 AM schreef Jan Vonde: >>>>>>>> I tried adding the following settings but that didn't help: >>>>>>>>ssl_ca = < /etc/ssl/certs/ca-certificates.crt >>>>>>>>ssl_client_ca_dir = /etc/ssl/certs >>>>>>>> >>>>>>>> Can you give me a hint how I can get the ssl certificate accepted? >>>>>>> That should normally have done the trick. However, the sources >>>>>>> tell me >>>>>>> that no ssl_client settings are propagated to the http_client >>>>>>> used by >>>>>>> fts-solr, so SSL is not currently supported it seems. >>>>>>> >>>>>>> I'll check how easy it is to add that. >>>>>> Just to keep you informed: I created a patch, but it is still being >>>>>> tested. >>>>>> >>>>> Thanks for the update Stephan! Awesome! Looking forward to test it >>>>> myself :-) >>>> https://github.com/dovecot/core/commit/526631052ca3175357302af8fa7dcbf763b40c53 >>>> >>>> >>>> >>> Thank you. I am using now the following version: >>>2.3.0.alpha0 (2eeea57) [XI:2:2.3.0~alpha0-1~auto+650] >>> >>> The error messages I am getting now are like this: >>> >>> doveadm(user@host): Info: Received invalid SSL certificate: unable to >>> get local issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt >>> Authority X3 >>> doveadm(user@host): Error: fts_solr: Lookup failed: 9002 SSL handshaking >>> with 5.45.106.248:443 failed: read(SSL 5.45.106.248:443) failed: >>> Received invalid SSL certificate: unable to get local issuer >>> certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 >>> >>> >>> You can connect to 5.45.106.248:443 and IMHO everything is correct with >>> the chain. >>> >>> >>> I am no SSL expert, but I am reading it as "doveadm and its ssl part >>> cannot verify the Let's Encrypt certificate". It would need the DST Root >>> CA X3 and this is in the local trust store (ssl_client_ca_dir...) >>> >>> >>> Do you have another hint maybe? >> >> We seem to have found another issue there. More on this will follow. >> > Thanks for the update and have a nice weekend, > I don't want to push, am just interested: any news on this? Thanks, Jan :-)
Re: fts_solr and connection via https://
Am 17.02.2017 um 11:45 schrieb Stephan Bosch: Op 8-2-2017 om 21:07 schreef Jan Vonde: Am 07.02.2017 um 12:29 schrieb Stephan Bosch: Op 31-1-2017 om 6:33 schreef Jan Vonde: Am 31.01.2017 um 00:04 schrieb Stephan Bosch: Op 1/22/2017 om 12:01 PM schreef Stephan Bosch: Op 1/22/2017 om 10:01 AM schreef Jan Vonde: I tried adding the following settings but that didn't help: ssl_ca = < /etc/ssl/certs/ca-certificates.crt ssl_client_ca_dir = /etc/ssl/certs Can you give me a hint how I can get the ssl certificate accepted? That should normally have done the trick. However, the sources tell me that no ssl_client settings are propagated to the http_client used by fts-solr, so SSL is not currently supported it seems. I'll check how easy it is to add that. Just to keep you informed: I created a patch, but it is still being tested. Thanks for the update Stephan! Awesome! Looking forward to test it myself :-) https://github.com/dovecot/core/commit/526631052ca3175357302af8fa7dcbf763b40c53 Thank you. I am using now the following version: 2.3.0.alpha0 (2eeea57) [XI:2:2.3.0~alpha0-1~auto+650] The error messages I am getting now are like this: doveadm(user@host): Info: Received invalid SSL certificate: unable to get local issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 doveadm(user@host): Error: fts_solr: Lookup failed: 9002 SSL handshaking with 5.45.106.248:443 failed: read(SSL 5.45.106.248:443) failed: Received invalid SSL certificate: unable to get local issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 You can connect to 5.45.106.248:443 and IMHO everything is correct with the chain. I am no SSL expert, but I am reading it as "doveadm and its ssl part cannot verify the Let's Encrypt certificate". It would need the DST Root CA X3 and this is in the local trust store (ssl_client_ca_dir...) Do you have another hint maybe? We seem to have found another issue there. More on this will follow. Thanks for the update and have a nice weekend, Jan :-)
Re: fts_solr and connection via https://
Am 07.02.2017 um 12:29 schrieb Stephan Bosch: > > > Op 31-1-2017 om 6:33 schreef Jan Vonde: >> Am 31.01.2017 um 00:04 schrieb Stephan Bosch: >>> Op 1/22/2017 om 12:01 PM schreef Stephan Bosch: >>>> Op 1/22/2017 om 10:01 AM schreef Jan Vonde: >>>>> I tried adding the following settings but that didn't help: >>>>> ssl_ca = < /etc/ssl/certs/ca-certificates.crt >>>>> ssl_client_ca_dir = /etc/ssl/certs >>>>> >>>>> Can you give me a hint how I can get the ssl certificate accepted? >>>> That should normally have done the trick. However, the sources tell me >>>> that no ssl_client settings are propagated to the http_client used by >>>> fts-solr, so SSL is not currently supported it seems. >>>> >>>> I'll check how easy it is to add that. >>> >>> Just to keep you informed: I created a patch, but it is still being >>> tested. >>> >> >> Thanks for the update Stephan! Awesome! Looking forward to test it >> myself :-) > > https://github.com/dovecot/core/commit/526631052ca3175357302af8fa7dcbf763b40c53 > Thank you. I am using now the following version: 2.3.0.alpha0 (2eeea57) [XI:2:2.3.0~alpha0-1~auto+650] The error messages I am getting now are like this: doveadm(user@host): Info: Received invalid SSL certificate: unable to get local issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 doveadm(user@host): Error: fts_solr: Lookup failed: 9002 SSL handshaking with 5.45.106.248:443 failed: read(SSL 5.45.106.248:443) failed: Received invalid SSL certificate: unable to get local issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 You can connect to 5.45.106.248:443 and IMHO everything is correct with the chain. I am no SSL expert, but I am reading it as "doveadm and its ssl part cannot verify the Let's Encrypt certificate". It would need the DST Root CA X3 and this is in the local trust store (ssl_client_ca_dir...) Do you have another hint maybe? Thanks in advance and good night, Jan :-) -- Jan Vonde Hermann-Rein-Str. 6 37075 Göttingen Tel: 0551 - 200 47 58 2 Mobil: 0176 - 83 110 775 http://www.vonde.eu
Re: fts_solr and connection via https://
Am 31.01.2017 um 00:04 schrieb Stephan Bosch: Op 1/22/2017 om 12:01 PM schreef Stephan Bosch: Op 1/22/2017 om 10:01 AM schreef Jan Vonde: I tried adding the following settings but that didn't help: ssl_ca = < /etc/ssl/certs/ca-certificates.crt ssl_client_ca_dir = /etc/ssl/certs Can you give me a hint how I can get the ssl certificate accepted? That should normally have done the trick. However, the sources tell me that no ssl_client settings are propagated to the http_client used by fts-solr, so SSL is not currently supported it seems. I'll check how easy it is to add that. Just to keep you informed: I created a patch, but it is still being tested. Thanks for the update Stephan! Awesome! Looking forward to test it myself :-) \Jan -- Jan Vonde Hermann-Rein-Str. 6 37075 Göttingen Tel: 0551 - 200 47 58 2 Mobil: 0176 - 83 110 775 http://www.vonde.eu
fts_solr and connection via https://
Hi,
I am trying to get fts_solr working and my index server is available via
HTTPS only. Dovecot is running on a Debian Jessie system and the Solr
server has a letsencrypt certificate.
My dovecot version is:
2.2.devel (a9ed8ae)
The current setup is:
10-mail.conf:
mail_plugins = fts fts_solr
90-fts.conf:
plugin {
fts = solr
fts_autoindex = yes
fts_solr = url=https://foo.example.com/solr/dovecot/
}
When I try to index the mailboxes I am getting error messages like this:
doveadm(user@host): Error: fts_solr: Lookup failed: 9002 Couldn't
initialize SSL context: Can't verify remote server certs without trusted
CAs (ssl_client_ca_* settings)
doveadm(user@host): Error: Mailbox INBOX: Status lookup failed:
Internal error occurred. Refer to server log for more information.
[2017-01-22 09:52:38]
Segmentation fault
Contacting the index server via curl on the command line on the same
host works, it returns HTTP 200:
user@host ~ $ curl -s -o /dev/null -w "%{http_code}"
https://foo.example.com/solr/
200
user@host ~ $
Currently I have the following ssl related settings:
user@host ~ $ doveconf -n -P | grep -i ssl
ssl_cert =
