
RE: Single-master replication over TLS fails in 2.4.15



Hi George,

They are both identically configured in all ways including their TLS
settings. Quanah has pointed out that the TLS configuration for syncrepl has
changed in 2.4. I am currently testing in my lab.

Thanks,

Craig

-----Original Message-----
From: openldap-software-bounces+worganc=nortel.com@openldap.org
[mailto:openldap-software-bounces+worganc=nortel.com@openldap.org] On
Behalf Of George Holbert
Sent: Thursday, February 26, 2009 1:35 PM
To: openldap-software@openldap.org
Subject: Re: Single-master replication over TLS fails in 2.4.15


Craig Worgan wrote:
>
> Hi,
>
> I am trying to upgrade from 2.3.42 to 2.4.15 and my setup uses
> single-master replication over TLS.  When I do the upgrade I have
> noticed that replication fails.  I have reproduced the problem in my
> lab, using a single server and multiple slapd instances, and I get the
> following error on the slave:
>
>       [root@otm-hp11 cnd]# ./slapd -f slapdSlave.conf -d sync -h
>       "ldap://47.11.48.221:20389 ldaps://47.11.48.221:20636"
>       @(#) $OpenLDAP: slapd 2.4.15 (Feb 25 2009 22:27:30) $
>               worganc@otm-hp11:/home/worganc/openldap_build/openldap-2.4.15/servers/slapd
>
>       bdb_db_open: warning - no DB_CONFIG file found in directory
>       /opt/nortel/cnd/slave-data: (2).
>       Expect poor performance for suffix "dc=Nortel,dc=com".
>       slapd starting
>       TLS certificate verification: Error, self signed certificate in
>       certificate chain
>       TLS: can't connect: error:14090086:SSL
>       routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
>       slap_client_connect: URI=ldaps://47.11.48.221:10636
>       DN="cn=replicationagent,ou=replication,dc=nortel,dc=com"
>       ldap_sasl_bind_s failed (-1)
>
>       do_syncrepl: rid=983 retrying (4 retries left)
>
> The corresponding trace on the master is:
>
>       TLS: can't accept: error:14094418:SSL
>       routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
>
Are your 2.3.42 and your 2.4.15 instances both identically configured to
be aware of your CA's public certificate?

> Based on the error messages, I thought that there was a problem with
> the certificates I am using, but when I revert the slapd executable to
> the old 2.3.42 version, replication succeeds.  Were more stringent CA
> checks added between 2.3.42 and 2.4.15?  Note that the same OpenSSL
> version was used to build both slapd executables (0.9.8b).  Also, the
> same configuration options were used to build both versions.
>
> Cheers,
>
> Craig
>