New cert breaks mailgate

Hi,

We just updated the cert from the default self signed cert to one from our
local CA. We have the web server side working via https but now incoming
email will not generate a new ticket or comment on an old one. Looking at
the mail log it shows a 500 error, Can’t connect to rt.x.x:443 (certificate
verify failed). We are using the --no-verify-ssl flag in the aliases file
for all the queues. Any suggestions on where to go from here?

Thanks
Mitch Kyser
Network Administrator
Albion.College
mkyser@albion.edu

Well we finally figured out that the mailgate did not like our local CA.
Went and bought a Thawte cert for RT and now everything is working as it
should. The lesson here is spend the money and get a real cert!

> Well we finally figured out that the mailgate did not like our local CA.
> Went and bought a Thawte cert for RT and now everything is working as it
> should. The lesson here is spend the money and get a real cert!

I wish I had gotten to this earlier. There’s a better option in
rt-mailgate. What we’ve done is add --ca-file to the rt-mailgate
command in our postfix aliases.

my-queue-address: "|/path/to/rt/bin/rt-mailgate --queue 'My Queue' --action correspond --ca-file /path/to/your/root.crt --url https://rt.example.com"

This of course means that you have to ship your root CA certificate with
the application, but that shouldn’t be a big deal.
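Before putting a root certificate into --ca-file, it is worth confirming that the file actually validates the RT server's certificate, since rt-mailgate's HTTPS client will reject the connection for exactly the same reasons `openssl verify` does. The script below is an added example, not code from this thread or from RT: it builds a throwaway local CA and an unrelated second CA (both constructed, with made-up names), signs a leaf certificate for the hypothetical host rt.example.com, and checks which trust anchor validates it. Against a real deployment you would run the same `openssl verify -CAfile root.crt` against the certificate the RT web server presents.

```shell
#!/bin/sh
# Added example (not from the thread): create a throwaway local CA, sign a
# leaf certificate for a hypothetical RT host with it, and check which trust
# anchor file validates that leaf. If this check fails for your real root.crt,
# rt-mailgate --ca-file will fail the same way. All names are constructed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root CA: $1 is the CN, $2 the file basename.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Issue a leaf certificate for the hypothetical RT host, signed by CA $1.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=rt.example.com" \
    -keyout "$WORK/rt.key" -out "$WORK/rt.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 30 -in "$WORK/rt.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/rt.crt" >/dev/null 2>&1
}

# Validate the leaf against one trust-anchor file; prints "ok" or "fail".
# This is the check to run against the real root.crt before shipping it
# in --ca-file, rather than falling back to --no-verify-ssl.
verify_leaf() {
  if openssl verify -CAfile "$1" "$WORK/rt.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

setup() {
  make_root_ca "Example Local CA" local_root   # the CA that signs rt.crt
  make_root_ca "Unrelated CA" other_root       # a wrong anchor for comparison
  issue_leaf local_root
}

setup
echo "with the issuing root:  $(verify_leaf "$WORK/local_root.crt")"   # ok
echo "with an unrelated root: $(verify_leaf "$WORK/other_root.crt")"   # fail
```

A "fail" against the file you intended to ship means that file is not the root that signed the server certificate (for example an intermediate on its own, or an export that did not include the full chain), and no amount of --ca-file wiring will help until the right root is in place.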

Hi Tim

Thanks for the response. We tried that and could not get it to work
either. Turns out our CA is pretty old and still running on a 2003 box.

We were going to roll out RT to our staff first who all use domain machines
that include our root CA cert already. The web portion worked fine. We
were going to let our students eventually start sending requests and
planned to get a commercial cert. This just pushed the time up a few
months. So now we have a new project, upgrade our CA.

On Tue, Feb 3, 2015 at 3:26 PM, Tim Wiley tim@marchex.com wrote:

> On 02/03/2015 12:09 PM, mkyser wrote:
>
> > Well we finally figured out that the mailgate did not like our local CA.
> > Went and bought a Thawte cert for RT and now everything is working as it
> > should. The lesson here is spend the money and get a real cert!
>
> I wish I had gotten to this earlier. There’s a better option in
> rt-mailgate. What we’ve done is add --ca-file to the rt-mailgate command
> in our postfix aliases.
>
> my-queue-address: "|/path/to/rt/bin/rt-mailgate --queue 'My Queue' --action correspond --ca-file /path/to/your/root.crt --url https://rt.example.com"
>
> This of course means that you have to ship your root CA certificate with
> the application, but that shouldn’t be a big deal.

Mitch Kyser
Network Administrator
Albion.College
mkyser@albion.edu

> Thanks for the response. We tried that and could not get it to work
> either. Turns out our CA is pretty old and still running on a 2003
> box.
>
> We were going to roll out RT to our staff first who all use domain
> machines that include our root CA cert already. The web portion
> worked fine. We were going to let our students eventually start
> sending requests and planned to get a commercial cert. This just
> pushed the time up a few months. So now we have a new project,
> upgrade our CA.

Try upgrading the LWP::Protocol::https and the Net::SSLeay modules.

- alex

Microsoft had issues exporting all the parts of a root cert that was
needed for working on computers not in the AD domain in Server 2003.
I think they resolved this issue in Server 2008 and forward but we
ended up having multiple CAs (one for MS and one for everything else)
to resolve this back in the day.

james

On Tue, Feb 3, 2015 at 2:05 PM, Alex Vandiver alexmv@bestpractical.com wrote:

> On Tue, 3 Feb 2015 16:27:02 -0500 Mitch Kyser mkyser@albion.edu wrote:
>
> > Thanks for the response. We tried that and could not get it to work
> > either. Turns out our CA is pretty old and still running on a 2003
> > box.
> >
> > We were going to roll out RT to our staff first who all use domain
> > machines that include our root CA cert already. The web portion
> > worked fine. We were going to let our students eventually start
> > sending requests and planned to get a commercial cert. This just
> > pushed the time up a few months. So now we have a new project,
> > upgrade our CA.
>
> Try upgrading the LWP::Protocol::https and the Net::SSLeay modules.
>
> - alex