[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Trouble with SSL certs

--On Tuesday, October 17, 2006 2:29 PM -0700 "Josh M. Hurd" <JoshH@revenuescience.com> wrote:

I have created a set of self signed certs for my master and a slave.
Clients can connect to either with the cert installed on the client but I
am having trouble getting them to talk to each over TLS.
I want the master to replicate to the slave over TLS but can't get it to
work. Strangely I have it working the other way; the slave can bind to
the master over TLS but the master cannot bind to the slave.
I haveÂTLS_CACERTDIR set correctly with the certs installed in that
location (with symlinks being created) but I am still getting the self
signed cert error when trying to bind.

TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject: ........
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA

Well, it can't find the CA that signed the cert. Have you configured ldap.conf properly for both systems?

I'll note that if the client binding to the master works over TLS, and assuming you are using a modern version of OpenLDAP (read 2.3.27 or later), then you could use syncrepl.


Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html