[MM3-users] Re: Archive not working - Reg.

Now the following error occurs:-

root@list1:/var/log/mailman3# curl -v -H "X-Api-Key: XXXXXXXX"
https://list1.iitm.ac.in/hyperkitty/api/mailman/urls

• Trying 10.24.5.52:443...
• Connected to list1.iitm.ac.in (10.24.5.52) port 443 (#0)
• ALPN: offers h2,http/1.1
• TLSv1.3 (OUT), TLS handshake, Client hello (1):
• CAfile: /etc/ssl/certs/ca-certificates.crt
• CApath: /etc/ssl/certs
• TLSv1.3 (IN), TLS handshake, Server hello (2):
• TLSv1.2 (IN), TLS handshake, Certificate (11):
• TLSv1.2 (IN), TLS handshake, Server key exchange (12):
• TLSv1.2 (IN), TLS handshake, Server finished (14):
• TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
• TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
• TLSv1.2 (OUT), TLS handshake, Finished (20):
• TLSv1.2 (IN), TLS handshake, Finished (20):
• SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
• ALPN: server accepted h2
• Server certificate:
• subject: C=IN; ST=Tamil Nadu; O=Indian Institute of Technology Madras; CN=*.iitm.ac.in
• start date: Dec 6 00:00:00 2024 GMT
• expire date: Jan 6 23:59:59 2026 GMT
• subjectAltName: host "list1.iitm.ac.in" matched cert's "*.iitm.ac.in"
• issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Organization Validation Secure Server CA
• SSL certificate verify ok.
• using HTTP/2
• h2h3 [:method: GET]
• h2h3 [:path: /hyperkitty/api/mailman/urls]
• h2h3 [:scheme: https]
• h2h3 [:authority: list1.iitm.ac.in]
• h2h3 [user-agent: curl/7.88.1]
• h2h3 [accept: */*]
• h2h3 [x-api-key: xxxxxxxxxx]
• Using Stream ID: 1 (easy handle 0x559f80a4f7a0)

GET /hyperkitty/api/mailman/urls HTTP/2 Host: list1.iitm.ac.in user-agent: curl/7.88.1 accept: */* x-api-key: XXXXXXXXX

< HTTP/2 401 < server: nginx < date: Wed, 29 Oct 2025 10:06:58 GMT < content-type: text/html < content-length: 226 < strict-transport-security: max-age=31536000; includeSubDomains; preload < x-content-type-options: nosniff < referrer-policy: same-origin < x-frame-options: DENY < vary: Accept-Language, Cookie < content-language: en < strict-transport-security: max-age=31536000; includeSubDomains < <html><title>Auth required</title><body> <h1>Authorization Required</h1><p>Please check whether the MAILMAN_ARCHIVER_KEY is provided by you and it is correct.

• Connection #0 to host list1.iitm.ac.in left intact. Kindly help me to resolve

-----Original Message----- From: Stephen <steve@turnbull.jp> To: Nirmal <nirmal@iitm.ac.in> Cc: Stephen <steve@turnbull.jp>; mailman-users <mailman-users@mailman3.org> Date: Wednesday, 29 October 2025 1:54 PM IST Subject: [MM3-users] Re: Archive not working - Reg.

Nirmal J via Mailman-users writes:

While I am opening mailman.log.1 It is displaying this.

Everything up to this ACCEPT is irrelevant:

Oct 28 15:46:33 2025 (678430) ACCEPT: <176164659325.678449.14176354478536014912@list1.iitm.ac.in>

Looks like the Mailman configuration is correct, at least up to the point of contacting the HyperKitty archiving code:

Oct 28 15:46:34 2025 (678434) Exception in "hyperkitty" archiver

But your TLS is misconfigured (probably not configured at all?):

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:992)

(Haven't we been here before?)

The most likely problem is that you did not configure the base_url in mailman-hyperkitty.cfg. If your SSL configuration is correct, then changing that line to something like

base_url: https://list1.iitm.ac.in/archives/

should do the trick (be careful, pretty sure it will be similar but the host part must match the SSL certificate used by the host).

In the most common installation, Mailman and HyperKitty are on the same host. If so, there's no point in using SSL. At least I cannot think of a scenario where an adversary can tap a local connection but doesn't have a dozen other ways to steal the same information. So if that is the case, an alternative to fixing the SSL configuration is to have a virtual host listening on port 80 that doesn't accept any requests except those reverse proxied to HyperKitty. Or even just going directly to http://localhost:8000/archive should work. (This has the possible disadvantage that accesses to HyperKitty from Mailman won't be logged by your webserver, but they will still normally be logged by HyperKitty itself I think.)

-- GNU Mailman consultant (installation, migration, customization) Sirius Open Source https://www.siriusopensource.com/ Software systems consulting in Europe, North America, and Japan