[Date Prev][Date Next]
Re: Syncrepl can't start ssl session because of refused 'client' certificate
- To: Thibault Le Meur <Thibault.LeMeur@supelec.fr>
- Subject: Re: Syncrepl can't start ssl session because of refused 'client' certificate
- From: Rich Megginson <firstname.lastname@example.org>
- Date: Mon, 11 Jul 2011 09:30:25 -0600
- Cc: email@example.com
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:reply-to:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=Eir+S/vVYM4TNoKGahVqAqAZnoCwFJoG6wk5KVn4f6E=; b=qsVgeLdgf3POHqAiqQqfiOiWRyhj1CO2HTOODABvslppMDMxivOnEJj9VTsTOi6jc+ AkyaJr+rB9Z2F6oVv5Sdnl22+egElbs2jTof6Kn0TV1swLEjo9r9OIta51TIWgB3EINU 4xlnEr6rHhQ42UsffBolF/D/Ij3fmrkcjEdWY=
- In-reply-to: <D4B9EC2B02471B6C6D9A8E3C@[192.168.1.2]>
- References: <4E1AB51F.firstname.lastname@example.org> <D4B9EC2B02471B6C6D9A8E3C@[192.168.1.2]>
- User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:188.8.131.52) Gecko/20110617 Red Hat/3.1.11-2.el6_1 Lightning/1.0b3pre Thunderbird/3.1.11
On 07/11/2011 09:21 AM, Quanah Gibson-Mount wrote:
--On Monday, July 11, 2011 10:32 AM +0200 Thibault Le Meur
I'm trying to upgrade an openLdap server from Fedora Core 13
(openldap-servers-2.4.21-11) to Redhat Enterprise 6
In this new setup, my local bdb backend works: I can query the LDAP
server on this backend using an "ldaps://" connection (it is using a
However, the Syncrepl replication process fails to establish the
"ldaps://" session to my syncrepl-providers.
Indeed, the TLS layer complains that my _server's certificate_ isn't a
valid _client certificate_ (with error 8101 -
SEC_ERROR_INADEQUATE_CERT_TYPE): but I don't want client-side
In the past syncrepl didn't try to use the server certificate as a
certificate, and I haven't seen any reference to this in the
I first thought it could have been related to ITS#6791 but I don't think
so anymore because it only affects Syncrepl.
Do you think I've missed something in the setup?
Thanks in advance,
Here is an excerpt of slapd startup log in debug-mode:
ldap_connect_to_host: Trying 10.10.10.10:636
ldap_pvt_connect: fd: 21 tm: -1 async: 0
TLS: loaded CA certificate file /etc/ssl/cacerts/cacert.pem.
[CN=myldap.mydom.fr,OU=myou,O=myorg,L=myloc,ST=myst,C=FR] is not valid -
error -8101:Unknown code ___f 91.
Can you do
openssl x509 -in /path/to/cert.pem -text
and paste the output here? /path/to/cert.pem is the file containing the
cert which has the Subject DN:
Is this the server cert of the remote server (i.e. not the syncrepl client).
Be sure to obscure any sensitive data in the -text output before sending.
This looks like a bug with MozNSS. You will need to contact RedHat
Sr. Member of Technical Staff
A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration