I am finding that, after my upgrade to 4.4.2 and moving to an SSL website, rt-mailgate is unhappy with my certificate.
I am using certbot and the site is responding to port 443, and all the major browsers are happy with the cert as Apache delivers it when browsing to the site https://tracker-software.support. However, replies to tickets are not making it through for delivery. /var/log/mail.log says:
Oct 10 10:30:29 rt postfix/qmgr: EC23C2C1F85: firstname.lastname@example.org, size=16789, nrcpt=1 (queue active)
Oct 10 10:30:29 rt postfix/local: 6D2332C1F7B: email@example.com, relay=local, delay=1744, delays=1744/0.02/0/0.23, dsn=4.3.0, status=deferred (temporary failure. Command output: HTTP request failed: 500 Can’t connect to tracker-software.support:443 (certificate verify failed). Your webserver logs may have more information or there may be a network problem. )
Oct 10 10:30:29 rt postfix/local: using backwards-compatible default setting relay_domains=$mydestination to update fast-flush logfile for domain “tracker-software.support”
“certificate verify failed” - Apache config shows the following paths for the site’s certificates in its Virtual Host definition:
I tried adding the path to the cert file for mailgate in /etc/aliases:
support_comment: "|/opt/rt4/bin/rt-mailgate --queue Support --action comment --ca-file /etc/letsencrypt/live/tracker-software.support/fullchain.pem --url https://tracker-software.support/"
support_correspond: "|/opt/rt4/bin/rt-mailgate --queue Support --action correspond --ca-file /etc/letsencrypt/live/tracker-software.support/fullchain.pem --url https://tracker-software.support/"
but RT does not recognise it:
Oct 10 10:55:41 rt postfix/local: D96A92C1F86: firstname.lastname@example.org, relay=local, delay=0.57, delays=0.36/0/0/0.21, dsn=4.3.0, status=deferred (temporary failure. Command output: HTTP request failed: 500 SSL_ca_file /etc/letsencrypt/live/tracker-software.support/fullchain.pem does not exist. Your webserver logs may have more information or there may be a network problem. )
I am not seeing anything in the Apache logs about this. What format certificate is mailgate expecting to see and what should my --ca-file path point to?
I even tried clubbing it with --no-verify-ssl, but it seemed to still be looking for one, with the same error “certificate verify failed”. Yes, I did run newaliases when testing this.
Please and thanks