Re: N-Way multimaster Replication with TLS and multiple server certificates

[Quanah Gibson-Mount <quanah@zimbra.com>]

--On Tuesday, December 09, 2014 7:14 PM +0100 coma <coma.inf@gmail.com> 
wrote:

> Dear List,
>
> i'm using N-Way multimaster replication with 2 servers (i will use it on
> 30 servers soon). Each server is using it's own certificate, so the
> content of TLSCertificateFile and TLSCertificateKeyFile is different in
> the cn=config of each of them.
>
> My problem is that cn=config is replicated on all servers, including
> TLSCertificateFile and TLSCertificateKeyFile... therefore the replication
> obviously not working (the certificate and key path of the first server
> are replicated on the second server).
>
> I know there is some solutions to workaround this "issue", like:
> - Don't replicate cn=config
> - Use the same certificate and key for all servers
> - Use the same certificate and key path in cn=config (ex:
> /etc/openldap/cert/common_cert_name.pem and
> /etc/openldap/cert/common_cert_name.key) and then make symlinks to the
> correct files on the local server
>
> but I would avoid this type of solutions if possible, so i would like to
> know if there is a solution to avoid to replicate TLSCertificateFile and
> TLSCertificateKeyFile, or other trick?

Every server must be able to validate the cert of the other MMR nodes.  For 
that, it would be easiest to use the CA path attribute (vs file attribute). 
For the cert setup for the servers themselves, generally yes, you can work 
around that by having the same path to the cert on each node.

--Quanah

--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration