Re: Syncrepl can't start ssl session because of refused 'client' certificate

On 07/11/2011 09:21 AM, Quanah Gibson-Mount wrote:
--On Monday, July 11, 2011 10:32 AM +0200 Thibault Le Meur <Thibault.LeMeur@supelec.fr> wrote:


I'm trying to upgrade an openLdap server from Fedora Core 13
(openldap-servers-2.4.21-11) to Redhat Enterprise 6
In this new setup, my local bdb backend works: I can query the LDAP
server on this backend using an "ldaps://" connection (it is using a
server certificate).

However, the Syncrepl replication process fails to establish the
"ldaps://" session to my syncrepl-providers.
Indeed, the TLS layer complains that my _server's certificate_ isn't a
valid _client certificate_ (with error 8101 -
SEC_ERROR_INADEQUATE_CERT_TYPE): but I don't want client-side

In the past syncrepl didn't try to use the server certificate as a client
certificate, and I haven't seen any reference to this in the
I first thought it could have been related to ITS#6791 but I don't think
so anymore because it only affects Syncrepl.

Do you think I've missed something in the setup?

Thanks in advance,

Here is an excerpt of slapd startup log in debug-mode:
ldap_connect_to_host: Trying
ldap_pvt_connect: fd: 21 tm: -1 async: 0
TLS: loaded CA certificate file /etc/ssl/cacerts/cacert.pem.
TLS: certificate
[CN=myldap.mydom.fr,OU=myou,O=myorg,L=myloc,ST=myst,C=FR] is not valid -
error -8101:Unknown code ___f 91.
Can you do
openssl x509 -in /path/to/cert.pem -text
and paste the output here? /path/to/cert.pem is the file containing the cert which has the Subject DN: CN=myldap.mydom.fr,OU=myou,O=myorg,L=myloc,ST=myst,C=FR

Is this the server cert of the remote server (i.e. not the syncrepl client).

Be sure to obscure any sensitive data in the -text output before sending.

This looks like a bug with MozNSS. You will need to contact RedHat for support.
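The check the reply asks for (`openssl x509 -in cert.pem -text`) is most useful when you look at the X509v3 Extended Key Usage extension: a certificate whose EKU lists only "TLS Web Server Authentication" is exactly what a strict TLS library rejects when it is presented as a client certificate, while a certificate with no EKU at all, or one that also lists "TLS Web Client Authentication", is accepted for both roles. The following script is an added example, not code from the thread or from OpenLDAP; it wraps that inspection in two small functions and generates constructed self-signed sample certificates (placeholder subject `CN=example.invalid`, assuming an OpenSSL that supports `-addext`, i.e. 1.1.1 or later) so it can be run offline against a server-only cert, a dual-use cert and a cert without EKU.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): inspect the Extended Key
# Usage of a PEM certificate with "openssl x509 -text" and decide whether the
# certificate can be presented as a TLS *client* certificate, which is the
# role syncrepl needs when it opens an ldaps:// session to a provider.
set -e

# cert_eku FILE
#   Prints the EKU purposes of the certificate as one line with spaces removed
#   (e.g. "TLSWebServerAuthentication,TLSWebClientAuthentication"), or nothing
#   when the certificate carries no Extended Key Usage extension.
cert_eku() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Extended Key Usage/{n;p;}' \
        | tr -d ' '
}

# cert_client_ok FILE
#   Returns 0 if the certificate is usable for TLS client authentication:
#   either it has no EKU (any purpose allowed) or its EKU includes clientAuth.
#   Returns 1 for a certificate restricted to other purposes (e.g. serverAuth
#   only), which is the situation that produces an "inadequate cert type" error.
cert_client_ok() {
    eku=$(cert_eku "$1")
    if [ -z "$eku" ]; then
        return 0
    fi
    case "$eku" in
        *TLSWebClientAuthentication*) return 0 ;;
        *) return 1 ;;
    esac
}

# make_cert FILE [EKU]
#   Constructed self-signed sample certificate for demonstration only; the
#   subject is a placeholder. Assumes OpenSSL >= 1.1.1 for -addext. When EKU
#   is empty the certificate is generated without an Extended Key Usage.
make_cert() {
    if [ -n "${2:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=example.invalid" -keyout "$1.key" -out "$1" \
            -addext "extendedKeyUsage=$2" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=example.invalid" -keyout "$1.key" -out "$1" >/dev/null 2>&1
    fi
}

# report FILE  -- human-readable verdict for one certificate
report() {
    if cert_client_ok "$1"; then
        echo "$1: EKU [$(cert_eku "$1")] -> usable as a TLS client certificate"
    else
        echo "$1: EKU [$(cert_eku "$1")] -> server-only, will be refused as a client certificate"
    fi
}

# Usage: ./check_eku.sh /path/to/cert.pem [...]
# With no arguments the script does nothing, so it can be sourced for its functions.
if [ "${1:-}" ]; then
    for f in "$@"; do
        report "$f"
    done
fi
```

For the thread's scenario, run `report` on the certificate named by the `tls_cert` or `olcTLSCertificateFile` directive of the consumer: a server-only verdict means the same file cannot serve as the syncrepl client certificate under a library that enforces EKU, and the consumer needs either a dual-use certificate or no client certificate configured for the replication connection.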