Disable ssl validation for replication?
Andrew Sullivan
ajs at crankycanuck.ca
Thu Dec 21 03:24:08 EET 2017
I guess what I don't understand is why the IP address approach is more
attractive to you, and why you think the "public Internet" path is less good.
Best regards,
A
--
Please excuse my clumbsy thums
----------
On December 21, 2017 12:47:47 AM Joseph Ward <jbwlists at hilltopgroup.com> wrote:
> Hi,
>
> I have two servers (HA configuration) on which I'm attempting to get
> replication working over SSL. They're at two different sites, but
> connected via a site-site VPN.
>
> Everything seems to be fine, except that the certificates are not
> validating as I'm using IP addresses for the sync, as opposed to the
> public hostnames for which the certificates are valid, and so I get the
> following error:
>
> doveadm(user at domain): Error: doveadm server disconnected before
> handshake: SSL certificate doesn't match expected host name 10.x.x.x
>
> I'm on Dovecot 2.2.33.
>
> Is there any way to disable the certificate checking/validation for the
> sync engine?
>
> (
> I'm aware of at least a couple of fallback options:
> - have a self-signed cert for replication and use the Let's Encrypt
> one for IMAP/POP
> - create firewall rules allowing them to connect to each other over
> the public internet so that it can validate the proper cert
>
> These are both much less palatable than simply disabling the cert
> validation if it's possible.
> )
>
>
> Thank you in advance for any assistance,
> Joseph