[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Single-master replication over TLS fails in 2.4.15

Craig Worgan wrote:

I am trying to upgrade from 2.3.42 to 2.4.15 and my setup uses
single-master replication over TLS. When I do the upgrade I have noticed
that replication fails. I have reproduced the problem in my lab, using a
single server and multiple slapd instances, and I get the following
error on the slave:

      [root@otm-hp11 cnd]# ./slapd -f slapdSlave.conf -d sync -h
      "ldap:// ldaps://"
      @(#) $OpenLDAP: slapd 2.4.15 (Feb 25 2009 22:27:30) $

      bdb_db_open: warning - no DB_CONFIG file found in directory
      /opt/nortel/cnd/slave-data: (2).
      Expect poor performance for suffix "dc=Nortel,dc=com".
      slapd starting
      TLS certificate verification: Error, self signed certificate in
      certificate chain
      TLS: can't connect: error:14090086:SSL
      routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
      slap_client_connect: URI=ldaps://
      ldap_sasl_bind_s failed (-1)

      do_syncrepl: rid=983 retrying (4 retries left)

The corresponding trace on the master is:

      TLS: can't accept: error:14094418:SSL
      routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.

Sounds like you didn't configure a TLSCACertificateFile on the consumer.

Based on the error messages, I thought that there was a problem with the certificates I am using, but when I revert the slapd executable to the old 2.3.42 version, replication succeeds. Were more stringent CA checks added between 2.3.42 and 2.4.15? Note that the same OpenSSL version was used to build both slapd executables (0.9.8b). Also, the same configuration options were used to build both versions.



  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/