rt-mailgate SSL error

Hi folks, I am trying to install a brand new instance of RT 4.4.4 on a fresh Debian 10 machine with a fresh configuration of everything. And unfortunately I cannot pass mails through rt-mailgate. It produces the following error:

/opt/rt4/bin/rt-mailgate --queue support --action correspond --url http://localhost --debug < ./mail-test.txt
/opt/rt4/bin/rt-mailgate: temp file is '/tmp/yxST9F197x/fxjPiqZvg4'
/opt/rt4/bin/rt-mailgate: connecting to http://localhost/REST/1.0/NoAuth/mail-gateway
HTTP request failed: 500 Can't connect to localhost:443 (SSL connect attempt failed error:1408F10B:SSL routines:ssl3_get_record:wrong version number). Your webserver logs may have more information or there may be a network problem.
/opt/rt4/bin/rt-mailgate: undefined server error

Everything targeting port 80 is redirected in Apache to the HTTPS port, so that’s why the SSL complaint. The certificates of the server and authorities are maintained by certbot (Let’s Encrypt authority) and normal RT GUI browsing through a web browser goes well. When I try to access https://rt.mydomain.cz/REST/1.0/NoAuth/mail-gateway it produces the output:

not ok - Couldn't parse or find sender's address

So I can see no problem with SSL when accessing the site from the web, but only from localhost. The Apache and RT logs show only one line:

myRTserver.cz:80 ::1 - - [17/Feb/2020:19:38:36 +0100] "\x16\x03\x01\x02" 400 0 "-" "-"

It’s a shared IP address with other webservers, so I suspect SNI to be the trouble because of this thread. My system behaves the same as described. Although I don’t know why it complains for a localhost call.

Has anybody solved a similar problem? How do I disable SNI for IO::Socket::SSL globally?
Thank you, Petr
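The odd request field in the quoted Apache log line, `"\x16\x03\x01\x02"`, is not garbage: 0x16 is the TLS record content type for a handshake and 0x03 0x01 is the record-layer version 3.1 (TLS 1.0, which ClientHellos normally carry there for compatibility), so a client started a TLS handshake against the port-80 vhost and Apache answered 400 because it could not parse that as HTTP. The following script is an added example, not part of this thread or of RT; it decodes Apache's `\xHH` escaping and flags such lines so the same symptom can be spotted in a larger log. The log text is constructed for the example (the first line mirrors the one above, the second is a made-up ordinary request).

```python
import re

# Constructed sample of a vhost-prefixed combined access log (not a real server's log).
SAMPLE_LOG = r'''myRTserver.cz:80 ::1 - - [17/Feb/2020:19:38:36 +0100] "\x16\x03\x01\x02" 400 0 "-" "-"
myRTserver.cz:80 127.0.0.1 - - [17/Feb/2020:19:40:01 +0100] "GET /REST/1.0/NoAuth/mail-gateway HTTP/1.1" 302 - "-" "curl/7.64.0"
'''

# vhost client ident user [time] "request" status size ... (rest of the line is ignored)
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<request>(?:\\.|[^"\\])*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# TLS record-layer minor version byte (the byte after the 0x03 major byte) -> name.
TLS_RECORD_VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}


def unescape_apache(field):
    """Undo Apache's escaping of the request field: \\xHH for non-printable bytes, \\" and \\\\."""
    out = bytearray()
    i = 0
    while i < len(field):
        ch = field[i]
        if ch == "\\" and i + 3 < len(field) and field[i + 1] == "x":
            out.append(int(field[i + 2:i + 4], 16))
            i += 4
        elif ch == "\\" and i + 1 < len(field):
            out.append(ord(field[i + 1]))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def classify_request(raw):
    """Label decoded request bytes: a TLS handshake record, an HTTP request line, or other."""
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03 and raw[2] in TLS_RECORD_VERSIONS:
        return "tls-clienthello"
    if re.match(rb"^[A-Z]{3,10} \S+ HTTP/\d\.\d$", raw):
        return "http"
    return "other"


def scan_log(text):
    """Parse each log line and return one finding dict per parsable line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # lines in another format are skipped, not guessed at
        raw = unescape_apache(m["request"])
        kind = classify_request(raw)
        entry = {"vhost": m["vhost"], "client": m["client"],
                 "status": int(m["status"]), "kind": kind}
        if kind == "tls-clienthello":
            entry["record_version"] = TLS_RECORD_VERSIONS[raw[2]]
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        if f["kind"] == "tls-clienthello":
            print(f"{f['vhost']}: client {f['client']} began a TLS handshake "
                  f"({f['record_version']} record) on a plaintext listener; "
                  "the client was pointed at an https:// URL or port 443 for a port that only speaks HTTP")
        else:
            print(f"{f['vhost']}: {f['client']} {f['kind']} request, status {f['status']}")
```

Run against a real access log, a cluster of `tls-clienthello` findings on a `:80` vhost from `::1` or `127.0.0.1` is the signature of a local client (here rt-mailgate following the redirect) speaking TLS to the wrong listener, which is worth checking before suspecting the certificate itself.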

Just so I’m understanding this right, if you access https://rt.mydomain.cz/REST/1.0/NoAuth/mail-gateway from the server command line itself (using wget or curl for example) what output do you get? None and just the weird log line?

This was because the names in the SSL certificate don’t include ‘localhost’. And it’s nonsense to have something like this in a certificate. To solve this issue it is necessary to do one or both of these:

  1. adjust the /etc/hosts file and add your server to the 127.0.0.1 line, like:

    127.0.0.1       localhost rt.mydomain.cz

  2. adjust sites-enabled in Apache and also put the name ‘localhost’ there, like this:

    <VirtualHost 127.0.0.1 localhost>

In the first example you use your redirection to HTTPS; the second example lets you access your RT on localhost via HTTP.
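The reason option 1 works is the hostname check a TLS client performs: the host part of the URL is compared against the certificate's subjectAltName dNSName entries, and `localhost` never appears in a certificate issued for a public name. The following is an added example, not code from this thread or from RT, that implements that comparison (RFC 6125 style, with the leftmost-label wildcard rule) and reports which of the two fixes above applies. The SAN lists passed to it are constructed for the example; in practice they come from the certificate the server actually presents.

```python
def dns_name_matches(pattern, host):
    """Match one SAN dNSName (optionally '*.' as its leftmost label) against a hostname.
    Case-insensitive; a wildcard covers exactly one label and never the public suffix."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # '*.mydomain.cz' matches 'rt.mydomain.cz'; '*.cz' is refused as too broad.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_verifies(url_host, cert_sans):
    """True if any SAN entry covers the host named in the URL."""
    return any(dns_name_matches(san, url_host) for san in cert_sans)


def diagnose(url_host, cert_sans):
    """Explain a name mismatch in terms of the two fixes from the thread."""
    if hostname_verifies(url_host, cert_sans):
        return "ok: the certificate covers the name used in the URL"
    if url_host in ("localhost", "127.0.0.1", "::1"):
        return ("mismatch: 'localhost' is not in the certificate; either use the "
                "certificate's real name and map it to 127.0.0.1 in /etc/hosts, "
                "or serve a plain-HTTP vhost for localhost")
    return f"mismatch: {url_host} is not covered by {cert_sans}"


if __name__ == "__main__":
    # Constructed SAN list standing in for a Let's Encrypt certificate.
    sans = ["rt.mydomain.cz", "www.mydomain.cz"]
    for host in ("localhost", "rt.mydomain.cz", "mail.mydomain.cz"):
        print(f"{host}: {diagnose(host, sans)}")
```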

Thank you for the reply.
If I put back the faulty Apache configuration, the wget https://rt.mydomain.cz/REST/1.0/NoAuth/mail-gateway command hangs on “connecting to …” and there is nothing in the logs. Maybe something more is wrong :slight_smile:

You might want to try a traceroute on the server for the FQDN rt.mydomain.cz just to check that you’ve got an IP route at least from the server back to itself via that name. It should be instantaneous but if the routing is a bit broken it might wander off into your local network infrastructure.

Why don’t you just put the external URL in your rt-mailgate command line instead?

Yes, that was also a possibility. But I was used to delivering everything to localhost and suddenly it didn’t work.