Error with rt-mailgate on new server

Old server (helpdesk, CentOS 7.5) was rt 4.4.4, created new server (rt-app-vp1, AlmaLinux 8.6) and installed rt 5.0.2. Copied DB to new DB server, ran upgrade-database, everything was looking great. Set up DNS to point helpdesk to rt-app-vp1, MX record for helpdesk resolves to rt-app-vp1. Wildcard SSL cert added, and the web UI came up fine. RT sends out emails successfully as well. Problem is with rt-mailgate. Emails are getting to the new server, and they’re in mailq, but rt-mailgate is erroring.

[root@rt-app-vp1 etc]# mailq
/var/spool/mqueue (2 requests)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
26E6MiTl004581 248 Thu Jul 14 01:22
7BIT (Deferred: prog mailer (/usr/sbin/smrsh) exited with EX_TEMPF)
"| /etc/smrsh/rt-mailgate --queue Faci
26E4bOCN733341 248 Wed Jul 13 23:37
7BIT (Deferred: prog mailer (/usr/sbin/smrsh) exited with EX_TEMPF)
"| /etc/smrsh/rt-mailgate --queue Faci
Total requests: 2

I used this command to test rt-mailgate directly:
(echo Subject: test; echo; echo test) | /etc/smrsh/rt-mailgate –queue ‘Change Management’ --action correspond --url –debug

It gave a certificate error:
HTTP request failed: 500 Can’t connect to (certificate verify failed). Your webserver logs may have more information or there may be a network problem.

So I added the ‘–no-verify-ssl’ flag from the rt-mailgate documentation, but it gave the same error.

Here’s the entry from /var/log/maillog:
Jul 14 09:05:10 rt-app-vp1 sendmail[13199]: 26E4bOCN733341: to="| /etc/smrsh/rt-mailgate --queue Facilities --action correspond --url", (8/0), delay=09:27:46, xdelay=00:00:00, mailer=prog, pri=1111974, dsn=4.0.0, stat=Deferred: prog mailer (/usr/sbin/smrsh) exited with EX_TEMPFAIL

/var/log/httpd/access_log is a little more interesting, but it seems the same as it was on the old helpdesk server: - - [14/Jul/2022:10:05:10 -0500] “POST //REST/1.0/NoAuth/mail-gateway HTTP/1.1” 301 266 “-” “rt-mailgate/5.0.2 libwww-perl/6.34”

I’ve had to revert to the old server for folks to be productive (ugh), so I can’t test until our next maintenance window, but suggestions would be most appreciated.

One option is to use http://localhost instead of the URL and then you don’t need to worry about SSL

Good thought. I did try changing the URL in the command (helpdesk, rt-app-vp1, & localhost) – all gave the same error.

I’m assuming they all gave the same error because of the httpd Redirect config:
<VirtualHost *:80>
RedirectPermanent /

Solved it.
When I was setting up the wildcard cert on the new server, I failed to create the certificate-chain file, although the cert itself was okay (web UI gave no error/warning). Once I created the chain file and added it to /etc/httpd/conf.d/ssl.conf file, rt-mailgate testing went without a hitch.