Disable ssl validation for replication?
Sean Greenslade
sean at seangreenslade.com
Sun Dec 24 15:32:12 EET 2017
On December 20, 2017 6:46:24 PM EST, Joseph Ward <jbwlists at hilltopgroup.com> wrote:
>Hi,
>
>I have two servers (HA configuration) on which I'm attempting to get
>replication working over SSL. They're at two different sites, but
>connected via a site-to-site VPN.
>
>Everything seems to be fine, except that the certificates are not
>validating as I'm using IP addresses for the sync, as opposed to the
>public hostnames for which the certificates are valid, and so I get the
>following error:
>
>doveadm(user at domain): Error: doveadm server disconnected before
>handshake: SSL certificate doesn't match expected host name 10.x.x.x
>
>I'm on Dovecot 2.2.33.
>
>Is there any way to disable the certificate checking/validation for the
>sync engine?
>
>(I'm aware of at least a couple of fallback options:
> - have a self-signed cert for replication and use the Let's Encrypt
>one for IMAP/POP
> - create firewall rules allowing them to connect to each other over
>the public internet so that it can validate the proper cert
>
>These are both much less palatable than simply disabling the cert
>validation if it's possible.)
You could add an entry in /etc/hosts (or in your internal DNS system if you have one) that gives the internal IP in response to the public hostname.
--Sean
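The following is an added example, not code from the thread or from Dovecot, showing why the mismatch above happens and why Sean's /etc/hosts suggestion resolves it: TLS hostname verification compares the certificate against the name the client was asked for, so connecting to the internal IP by its public name (resolved locally to the VPN address) verifies, while connecting by the bare IP does not. It assumes the `openssl` CLI is on PATH (used only to mint a throwaway self-signed certificate for the hypothetical name mail.example.com) and uses 127.0.0.1 in place of the 10.x.x.x peer; the `HOSTS_OVERRIDE` dict stands in for the /etc/hosts entry.

```python
"""Added example: reproduce a TLS hostname mismatch and show that resolving
the public hostname to the internal address (what an /etc/hosts entry does)
makes verification pass. Not part of the original thread or of Dovecot."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOSTNAME = "mail.example.com"   # hypothetical public name the cert is issued for
INTERNAL_IP = "127.0.0.1"       # stands in for the VPN-side 10.x.x.x address

# Stand-in for the /etc/hosts line "10.x.x.x mail.example.com" from the reply.
HOSTS_OVERRIDE = {HOSTNAME: INTERNAL_IP}


def resolve(name):
    """Resolve like a hosts file would: override first, else use name as given."""
    return HOSTS_OVERRIDE.get(name, name)


def make_cert(workdir):
    """Mint a self-signed cert whose only SAN is DNS:mail.example.com (assumes
    the openssl CLI is installed; -addext needs OpenSSL 1.1.1 or newer)."""
    key = os.path.join(workdir, "key.pem")
    crt = os.path.join(workdir, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", crt, "-days", "1",
         "-subj", f"/CN={HOSTNAME}",
         "-addext", f"subjectAltName=DNS:{HOSTNAME}"],
        check=True, capture_output=True)
    return key, crt


def serve_once(listener, key, crt):
    """Accept one TLS connection on the 'replication' port and read a byte."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    try:
        conn, _ = listener.accept()
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.recv(1)
    except (ssl.SSLError, OSError):
        pass  # client aborted the handshake: expected in the failing case


def try_connect(addr, port, expected_name, cafile):
    """Connect to `addr` but verify the peer cert against `expected_name`.
    Returns (ok, message). Hostname checking is on, as in doveadm's error."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    try:
        with socket.create_connection((addr, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=expected_name) as tls:
                tls.send(b"x")
        return True, f"certificate verified for {expected_name}"
    except ssl.SSLError as exc:
        return False, str(exc)


def demo():
    """Run both attempts against a local server presenting the cert:
    by bare IP (fails: cert has no IP SAN) and by public name resolved to the
    internal IP (succeeds). Returns {label: (ok, message)}."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        key, crt = make_cert(workdir)
        attempts = [
            ("by_ip", INTERNAL_IP, INTERNAL_IP),          # what the sync did
            ("by_name", resolve(HOSTNAME), HOSTNAME),     # hosts-file approach
        ]
        for label, addr, expected_name in attempts:
            listener = socket.socket()
            listener.settimeout(5)
            listener.bind((INTERNAL_IP, 0))
            listener.listen(1)
            port = listener.getsockname()[1]
            server = threading.Thread(target=serve_once, args=(listener, key, crt))
            server.start()
            results[label] = try_connect(addr, port, expected_name, crt)
            server.join()
            listener.close()
    return results


if __name__ == "__main__":
    for label, (ok, msg) in demo().items():
        print(f"{label}: {'OK' if ok else 'FAIL'} - {msg}")
```

In the `by_name` attempt the TCP connection still goes to the internal address; only the name handed to the verifier changes, which is exactly the effect of the hosts entry. The check a practitioner would run on the real hosts after editing /etc/hosts is `getent hosts mail.example.com` (to confirm the override is picked up) followed by an `openssl s_client -connect mail.example.com:<port>` handshake, which should now report the Let's Encrypt chain as verified.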