RE: Single-master replication over TLS fails in 2.4.15
I actually thought that my certificate was bad, until I went back to 2.3
with the same certificate and configuration and it worked fine. Quanah
pointed out the new TLS-related syncrepl options which, when I added
them to my config, fixed the problem. Thing is, I pointed the syncrepl
options to the same certificate I am using for the TLS* server
certificate directives. I am using a compound certificate, so my
TLS-related config looks like this:
In 2.4, if you configure syncrepl over TLS and omit the new options,
does OpenLDAP use the values that are configured for the server
certificate settings (TLS*), if any? If so, I'm confused as to why it
failed for me originally.
Behalf Of Howard Chu
Sent: Thursday, February 26, 2009 4:30 PM
To: Worgan, Craig (BVW:9T16)
Subject: Re: Single-master replication over TLS fails in 2.4.15
Craig Worgan wrote:
> I am trying to upgrade from 2.3.42 to 2.4.15 and my setup uses
> single-master replication over TLS. When I do the upgrade I have
> noticed that replication fails. I have reproduced the problem in my
> lab, using a single server and multiple slapd instances, and I get the
> following error on the slave:
> [root@otm-hp11 cnd]# ./slapd -f slapdSlave.conf -d sync -h
> "ldap://188.8.131.52:20389 ldaps://184.108.40.206:20636"
> @(#) $OpenLDAP: slapd 2.4.15 (Feb 25 2009 22:27:30) $
> bdb_db_open: warning - no DB_CONFIG file found in directory
> /opt/nortel/cnd/slave-data: (2).
> Expect poor performance for suffix "dc=Nortel,dc=com".
> slapd starting
> TLS certificate verification: Error, self signed certificate in
> certificate chain
> TLS: can't connect: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
> slap_client_connect: URI=ldaps://220.127.116.11:10636
> ldap_sasl_bind_s failed (-1)
> do_syncrepl: rid=983 retrying (4 retries left)
> The corresponding trace on the master is:
> TLS: can't accept: error:14094418:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
Sounds like you didn't configure a TLSCACertificateFile on the consumer.
> Based on the error messages, I thought that there was a problem with
> the certificates I am using, but when I revert the slapd executable to
> the old 2.3.42 version, replication succeeds. Were more stringent CA
> checks added between 2.3.42 and 2.4.15? Note that the same OpenSSL
> version was used to build both slapd executables (0.9.8b). Also, the
> same configuration options were used to build both versions.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
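
A check for the situation discussed in this thread, added here as an example and not posted by either participant: it parses a consumer slapd.conf and reports each syncrepl stanza that connects over TLS without its own tls_cacert/tls_cacertdir, or with a tls_reqcert value that does not enforce verification. It reports only what is set explicitly on the syncrepl line and makes no assumption about fallback to the global TLS* directives. The sample config (hosts, rids, paths) is constructed for illustration.

```python
import shlex

# Constructed consumer slapd.conf; hosts, rids and paths are made up.
SAMPLE_CONF = """\
TLSCACertificateFile /etc/openldap/certs/ca.pem
database bdb
suffix "dc=example,dc=com"
syncrepl rid=001
  provider=ldaps://master.example.com:636
  searchbase="dc=example,dc=com"
  bindmethod=simple

syncrepl rid=002
  provider=ldaps://master.example.com:636
  searchbase="dc=example,dc=com"
  tls_cacert=/etc/openldap/certs/ca.pem
  tls_reqcert=demand
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace); skip blanks and # comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def check_syncrepl_tls(text):
    """Return (rid, finding) for TLS syncrepl stanzas lacking explicit CA trust."""
    findings = []
    for line in logical_lines(text):
        words = shlex.split(line)
        if words[0].lower() != "syncrepl":
            continue
        opts = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        uses_tls = (opts.get("provider", "").lower().startswith("ldaps://")
                    or "starttls" in opts)
        if not uses_tls:
            continue
        if opts.get("tls_reqcert", "").lower() in ("never", "allow"):
            findings.append((opts.get("rid"), "tls_reqcert does not enforce verification"))
        elif "tls_cacert" not in opts and "tls_cacertdir" not in opts:
            findings.append((opts.get("rid"), "no tls_cacert/tls_cacertdir on syncrepl"))
    return findings
```

On the sample, rid=001 is reported even though a global TLSCACertificateFile is present, which is the configuration described in the original report.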