
Re: Syncrepl can't start ssl session because of refused 'client' certificate



On 07/11/2011 09:21 AM, Quanah Gibson-Mount wrote:
--On Monday, July 11, 2011 10:32 AM +0200 Thibault Le Meur <Thibault.LeMeur@supelec.fr> wrote:


Hello,

I'm trying to upgrade an OpenLDAP server from Fedora Core 13
(openldap-servers-2.4.21-11) to Red Hat Enterprise 6
(openldap-servers-2.4.23-15.el6.x86_64).
In this new setup, my local bdb backend works: I can query the LDAP
server on this backend using an "ldaps://" connection (it is using a
server certificate).

However, the Syncrepl replication process fails to establish the
"ldaps://" session to my syncrepl-providers.
Indeed, the TLS layer complains that my _server's certificate_ isn't a
valid _client certificate_ (with error 8101 -
SEC_ERROR_INADEQUATE_CERT_TYPE): but I don't want client-side
authentication!

In the past syncrepl didn't try to use the server certificate as a client
certificate, and I haven't seen any reference to this in the
documentation.
I first thought it could have been related to ITS#6791 but I don't think
so anymore because it only affects Syncrepl.

Do you think I've missed something in the setup?

Thanks in advance,
Thibault

Here is an excerpt of slapd startup log in debug-mode:
----------------------------------------------------------
ldap_connect_to_host: Trying 10.10.10.10:636
ldap_pvt_connect: fd: 21 tm: -1 async: 0
TLS: loaded CA certificate file /etc/ssl/cacerts/cacert.pem.
TLS: certificate
[CN=myldap.mydom.fr,OU=myou,O=myorg,L=myloc,ST=myst,C=FR] is not valid -
error -8101:Unknown code ___f 91.
Can you do
openssl x509 -in /path/to/cert.pem -text
and paste the output here? /path/to/cert.pem is the file containing the cert which has the Subject DN: CN=myldap.mydom.fr,OU=myou,O=myorg,L=myloc,ST=myst,C=FR

Is this the server cert of the remote server (i.e. not the syncrepl client)?

Be sure to obscure any sensitive data in the -text output before sending.

This looks like a bug with MozNSS. You will need to contact Red Hat for support.

--Quanah



--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration
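An added example, not code from this thread, from OpenLDAP or from Red Hat: a small POSIX shell script that runs the `openssl x509 -text` inspection the reply asks for and reports whether a certificate's Extended Key Usage permits the role slapd is using it in. It assumes (this is not something the thread establishes) that NSS error -8101 SEC_ERROR_INADEQUATE_CERT_TYPE is raised when a certificate is presented for a usage its EKU does not list, so that a certificate issued with extendedKeyUsage=serverAuth only would be refused when the syncrepl consumer presents it as a client certificate. The function names `cert_allows`, `syncrepl_client_ok`, `make_test_cert` and `demo` are mine; the subject DN components are taken from the log in the thread, and the certificates are constructed throwaway test data (needs OpenSSL 1.1.1 or later for `-addext`).

```shell
#!/bin/sh
# Added example (not from the thread, OpenLDAP or Red Hat): inspect a PEM
# certificate with `openssl x509 -text` and report whether its Extended
# Key Usage allows a given TLS role.
# Assumption: NSS returns -8101 SEC_ERROR_INADEQUATE_CERT_TYPE when a cert
# is presented for a usage its EKU does not list, so a serverAuth-only
# cert would be refused when presented as a client certificate.

# cert_allows FILE PURPOSE
# Prints "yes" if FILE may be used for PURPOSE (the human-readable EKU
# name as printed by openssl, e.g. "TLS Web Client Authentication"),
# "no" otherwise. A cert with no EKU extension is unrestricted -> "yes".
cert_allows() {
    cert="$1"
    purpose="$2"
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 2
    # openssl prints the EKU values on the line after the extension header.
    eku=$(printf '%s\n' "$text" | sed -n '/X509v3 Extended Key Usage/{n;p;}')
    if [ -z "$eku" ]; then
        echo yes
        return 0
    fi
    case "$eku" in
        *"$purpose"*) echo yes ;;
        *)            echo no ;;
    esac
}

# syncrepl_client_ok FILE
# The syncrepl consumer is the TLS client of the provider, so whatever
# cert it presents must be allowed for client authentication.
syncrepl_client_ok() {
    cert_allows "$1" "TLS Web Client Authentication"
}

# make_test_cert FILE EKU_LIST
# Constructed test data: a throwaway self-signed cert with the given EKU
# list (e.g. "serverAuth" or "serverAuth,clientAuth"). The subject
# mirrors the DN components from the thread's log.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=FR/O=myorg/OU=myou/CN=myldap.mydom.fr" \
        -addext "extendedKeyUsage=$2" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# demo: compare a server-only cert with one issued for both roles.
demo() {
    dir=$(mktemp -d)
    make_test_cert "$dir/server-only.pem" "serverAuth"
    make_test_cert "$dir/both.pem" "serverAuth,clientAuth"
    echo "serverAuth-only cert as syncrepl client: $(syncrepl_client_ok "$dir/server-only.pem")"
    echo "serverAuth+clientAuth cert as syncrepl client: $(syncrepl_client_ok "$dir/both.pem")"
    rm -rf "$dir"
}

demo
```

If the check reports "no" for the certificate named in the log, the practical options are to reissue it with both serverAuth and clientAuth in its EKU, or, per slapd.conf(5), to give the syncrepl directive its own `tls_cert=` and `tls_key=` (the syncrepl TLS settings otherwise default to the server's main TLS settings), pointing at a certificate issued for client authentication. Whether either of those is what the original poster needed is not settled in the thread; the script only confirms or rules out the EKU mismatch.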