[Date Prev][Date Next]
Re: Single-master replication over TLS fails in 2.4.15
Craig Worgan wrote:
Are your 2.3.42 and your 2.4.15 instances both identically configured to
be aware of your CA's public certificate ?
I am trying to upgrade from 2.3.42 to 2.4.15 and my setup uses
single-master replication over TLS. When I do the upgrade I have
noticed that replication fails. I have reproduced the problem in my
lab, using a single server and multiple slapd instances, and I get the
following error on the slave:
[root@otm-hp11 cnd]# ./slapd -f slapdSlave.conf -d sync -h
@(#) $OpenLDAP: slapd 2.4.15 (Feb 25 2009 22:27:30) $
bdb_db_open: warning - no DB_CONFIG file found in directory
Expect poor performance for suffix "dc=Nortel,dc=com".
TLS certificate verification: Error, self signed certificate in
TLS: can't connect: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=983 retrying (4 retries left)
The corresponding trace on the master is:
TLS: can't accept: error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
Based on the error messages, I thought that there was a problem with
the certificates I am using, but when I revert the slapd executable to
the old 2.3.42 version, replication succeeds. Were more stringent CA
checks added between 2.3.42 and 2.4.15? Note that the same OpenSSL
version was used to build both slapd executables (0.9.8b). Also, the
same configuration options were used to build both versions.