Rt-mailgate problem - certificate verify failure?

RT Users
1

Hello,

The rt-mailgate program acts differently between v 3.8.8 and v 4.0.6. The v 3.8.8 version works
fine using https, and even when I have v 4.0.6 running with the /etc/aliases point to the v 3.8.8 version of rtmailgate, email
get sent to the queue. But the v 4.0.6 version fails with certificate verify failed, output from mailq:

(temporary failure. Command output: An Error Occurred ================= 500 Can’t connect to testrt.rc.fas.harvard.edu:443 (certificate verify failed))
rt@testrt.rc.fas.harvard.edu

Any ideas as to the verification of my RT/ssl setup, on how to fix this ? Apparently the RT 4.0.6 is less forgiving about the ssl setup and config.
I ran RT configure with the --enable-ssl-mailgate option and installed all perl modules required with “make fixdeps” in RT 4.0.6.

Thanks,
Mike

This is in /etc/aliases:

rt3

rt: “|/opt/rt-3.8.8/bin/rt-mailgate --queue ‘General’ --action correspond --url https://testrt.rc.fas.harvard.edu/
rt-comment: “|/opt/rt-3.8.8/bin/rt-mailgate --queue ‘General’ --action comment --url https://testrt.rc.fas.harvard.edu/

rt4

#rt: “|/opt/rt4/bin/rt-mailgate --queue ‘General’ --ca-file /etc/pki/tls/certs/ca-bundle.crt --action correspond --url https://testrt.rc.fas.harvard.edu/
#rt-comment: “|/opt/rt4/bin/rt-mailgate --queue ‘General’ --ca-file /etc/pki/tls/certs/ca-bundle.crt --action comment --url https://testrt.rc.fas.harvard.edu/

2

Hello,

The rt-mailgate program acts differently between v 3.8.8 and v 4.0.6.
The v 3.8.8 version works

fine using https, and even when I have v 4.0.6 running with the
/etc/aliases point to the v 3.8.8 version of rtmailgate, email

get sent to the queue. But the v 4.0.6 version fails with certificate
verify failed, output from mailq:

(temporary failure. Command output: An Error Occurred =================
500 Can’t connect to testrt.rc.fas.harvard.edu:443 (certificate verify
failed))

                                     rt@testrt.rc.fas.harvard.edu

Any ideas as to the verification of my RT/ssl setup, on how to fix this
? Apparently the RT 4.0.6 is less forgiving about the ssl setup and config.

I ran RT configure with the --enable-ssl-mailgate option and installed
all perl modules required with �make fixdeps� in RT 4.0.6.

Thanks,

Mike

This is in /etc/aliases:

rt3

rt: “|/opt/rt-3.8.8/bin/rt-mailgate --queue ‘General’ --action
correspond --url https://testrt.rc.fas.harvard.edu/

rt-comment: “|/opt/rt-3.8.8/bin/rt-mailgate --queue ‘General’ --action
comment --url https://testrt.rc.fas.harvard.edu/

rt4

#rt: “|/opt/rt4/bin/rt-mailgate --queue ‘General’ --ca-file
/etc/pki/tls/certs/ca-bundle.crt --action correspond --url
https://testrt.rc.fas.harvard.edu/

#rt-comment: “|/opt/rt4/bin/rt-mailgate --queue ‘General’ --ca-file
/etc/pki/tls/certs/ca-bundle.crt --action comment --url
https://testrt.rc.fas.harvard.edu/

Hi Mike,

add this option to your aliases if you want to bypass certificate
validation: --no-verify-ssl

So your rt entry in /etc/aliases would look like this:

#rt: “|/opt/rt4/bin/rt-mailgate --queue ‘General’ --ca-file
/etc/pki/tls/certs/ca-bundle.crt --action correspond --url
https://testrt.rc.fas.harvard.edu/ --no-verify-ssl”

Martin

3

Hi Martin,

Thanks for the suggestion but if I enable --no-ssl I will be creating a security
vulnerability no ?

Thanks,
Mike-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Martin Drasar
Sent: Tuesday, August 21, 2012 10:11 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] rt-mailgate problem - certificate verify failure ?

On 21.8.2012 15:59, Ethier, Michael wrote:

Hello,

The rt-mailgate program acts differently between v 3.8.8 and v 4.0.6.
The v 3.8.8 version works

fine using https, and even when I have v 4.0.6 running with the
/etc/aliases point to the v 3.8.8 version of rtmailgate, email

get sent to the queue. But the v 4.0.6 version fails with certificate
verify failed, output from mailq:

(temporary failure. Command output: An Error Occurred

500 Can’t connect to testrt.rc.fas.harvard.edu:443 (certificate verify
failed))

                                     rt@testrt.rc.fas.harvard.edu

Any ideas as to the verification of my RT/ssl setup, on how to fix
this ? Apparently the RT 4.0.6 is less forgiving about the ssl setup and config.

I ran RT configure with the --enable-ssl-mailgate option and installed
all perl modules required with “make fixdeps” in RT 4.0.6.

Thanks,

Mike

This is in /etc/aliases:

rt3

rt: “|/opt/rt-3.8.8/bin/rt-mailgate --queue ‘General’ --action
correspond --url https://testrt.rc.fas.harvard.edu/

rt-comment: “|/opt/rt-3.8.8/bin/rt-mailgate --queue ‘General’ --action
comment --url https://testrt.rc.fas.harvard.edu/

rt4

#rt: “|/opt/rt4/bin/rt-mailgate --queue ‘General’ --ca-file
/etc/pki/tls/certs/ca-bundle.crt --action correspond --url
https://testrt.rc.fas.harvard.edu/

#rt-comment: “|/opt/rt4/bin/rt-mailgate --queue ‘General’ --ca-file
/etc/pki/tls/certs/ca-bundle.crt --action comment --url
https://testrt.rc.fas.harvard.edu/

Hi Mike,

add this option to your aliases if you want to bypass certificate
validation: --no-verify-ssl

So your rt entry in /etc/aliases would look like this:

#rt: “|/opt/rt4/bin/rt-mailgate --queue ‘General’ --ca-file /etc/pki/tls/certs/ca-bundle.crt --action correspond --url https://testrt.rc.fas.harvard.edu/ --no-verify-ssl”

Martin

4

Hi Martin,

Thanks for the suggestion but if I enable --no-ssl I will be creating a security
vulnerability no ?

Thanks,
Mike

Hi,

that’s for sure. This was a suggestion for a development machine (the
name testrt.rc.fas.harvard.edu suggest that it is).

If you want to avoid this step then you have to have a valid certificate
for testrt.rc.fas.harvard.edu signed by a certificate authority that is
in the ca bundle you are passing to rt-mailgate.

Martin

5

If you want to avoid this step then you have to have a valid certificate
for testrt.rc.fas.harvard.edu signed by a certificate authority that is
in the ca bundle you are passing to rt-mailgate.

Martin’s referring to the --ca-file argument you can pass.

You can also simply make sure to put your CA root cert used for signing
into /etc/ssl/certs/ or your system’s equivalent.

See perldoc bin/rt-mailgate for more info.