Re: Trouble with SSL certs

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Tuesday, October 17, 2006 2:29 PM -0700 "Josh M. Hurd" 
<JoshH@revenuescience.com> wrote:

> I have created a set of self signed certs for my master and a slave.
> Clients can connect to either with the cert installed on the client but I
> am having trouble getting them to talk to each over TLS.
> I want the master to replicate to the slave over TLS but can't get it to
> work. Strangely I have it working the other way; the slave can bind to
> the master over TLS but the master cannot bind to the slave.
> I haveÂTLS_CACERTDIR set correctly with the certs installed in that
> location (with symlinks being created) but I am still getting the self
> signed cert error when trying to bind.

> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 0, err: 18, subject: ........
> TLS certificate verification: Error, self signed certificate
> TLS trace: SSL3 alert write:fatal:unknown CA

Well, it can't find the CA that signed the cert.  Have you configured 
ldap.conf properly for both systems?

I'll note that if the client binding to the master works over TLS, and 
assuming you are using a modern version of OpenLDAP (read 2.3.27 or later), 
then you could use syncrepl.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html