
Re: TLS/SSL-certificate & Replication v2.1.3



A short time ago, at a computer terminal not so far away, Harry Rüter wrote:
>Replication with 2.1.3.
>
>I always get the same error with slurpd :
>
>---snipp---
>TLS certificate verification: Error, self signed certificate in 
>certificate chain
>TLS trace: SSL3 alert write:fatal:unknown CA
>---snipp---
>
>So, I see what's the problem, slurpd doesn't like 
>self-signed certificates.

>---schnipp---
>TLSCertificateFile      /etc/certificates/486dx66.crt
>TLSCertificateKeyFile   /etc/certificates/486dx66.key
>TLSCACertificateFile    /etc/certificates/CA.crt
>---schnipp---

We ran into something similar recently upgrading from 2.0.x to 2.1.3.

Our master and replica each have an SSL cert signed by a local CA.  For
slurpd to be able to connect via SSL to the replica, it needs to know that
it can trust the CA that signed the replica's server cert.

We have this specified in slapd.conf, but it looks like slurpd doesn't read
this info from slapd.conf.  Instead, we had to specify this in ldap.conf on
our master server, i.e.:

   TLS_CACERTDIR   /usr/local/ssl/certs

You can also specify just the filename for the CA cert with "TLS_CACERT".

We didn't have this in ldap.conf when using 2.0.x, and replication seemed
to work, so I'm guessing this is something that changed with 2.1.x.

-- 
Will Day                  Those who would give up essential Liberty, to 
@rom.oit.gatech.edu       purchase a little temporary Safety, deserve neither 
O&E / Tech Support        Liberty nor Safety.
UNIX System Programmer      - Benjamin Franklin, Penn. Assembly, Nov. 11, 1755
  -> Opinions expressed are mine alone and do not reflect OIT policy <-
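The two configuration files involved, written out as an added illustration (not part of either message above): the replica's slapd.conf presents the server certificate and chain, and the master's ldap.conf tells the libldap client that slurpd links against which CA to trust when it verifies that chain. Hostnames and the /etc/certificates paths are assumptions taken from the quoted snippet; the TLS_REQCERT line is a standard ldap.conf option and is included to show the setting that should not be loosened.

```conf
# --- replica: slapd.conf (server side) ---
# Server certificate, its private key, and the CA that signed it.
# The CA cert here is what slapd sends in the chain; it does not make the
# client trust that CA.
TLSCertificateFile      /etc/certificates/486dx66.crt
TLSCertificateKeyFile   /etc/certificates/486dx66.key
TLSCACertificateFile    /etc/certificates/CA.crt

# --- master: ldap.conf (client side, read by libldap, hence by slurpd) ---
# Either a single CA file ...
TLS_CACERT      /etc/certificates/CA.crt
# ... or a hashed directory of CA certificates (use one of the two).
#TLS_CACERTDIR  /usr/local/ssl/certs

# Keep verification on. Setting this to "never" silences the
# "unknown CA" error but lets slurpd push the full directory to any host
# that answers on the replica's port, with no check of who it is.
TLS_REQCERT     demand
```

Before pointing slurpd at the replica, the same trust setting can be exercised from the master with an ordinary client bound to that ldap.conf, for example `ldapsearch -x -H ldaps://replica.example.com/ -b '' -s base` (hostname assumed); if that still fails with "unknown CA", the CA file or directory path is wrong or the directory lacks the hash symlinks that TLS_CACERTDIR requires.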
