[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Single-master replication over TLS fails in 2.4.15



Hi Howard,

I actually thought that my certificate was bad, until I went back to 2.3
with the same certificate and configuration and it worked fine.  Quanah
pointed out the new TLS related syncrepl options which, when I added
them to my config, fixed the problem.  Thing is, I pointed the syncrepl
options to the same certificate I am using for the TLS* server
certificate directives. I am using a compound certificate, so my TLS
related config looks like this:

...
TLSCertificateFile 0.pem
TLSCACertificateFile 0.pem
TLSCertificateKeyFile 0.pem
...
syncrepl rid=983
 provider=ldaps://myhost.nortel.com:10636
 type=refreshAndPersist
 searchbase=dc=nortel,dc=com
 bindmethod=simple
 binddn=cn=someaccount,dc=nortel,dc=com
 credentials=secret
 retry="30 +"
 tls_cert=0.pem
 tls_cacert=0.pem
 tls_key=0.pem

In 2.4, if you configure syncrepl over TLS and omit the new options,
does OpenLDAP use the values that are configured for the server
certificate settings (TLS*), if any?  If so, I'm confused as to why it
failed for me originally.

Cheers,

Craig  

-----Original Message-----
From: openldap-software-bounces+worganc=nortel.com@openldap.org
[mailto:openldap-software-bounces+worganc=nortel.com@openldap.org] On
Behalf Of Howard Chu
Sent: Thursday, February 26, 2009 4:30 PM
To: Worgan, Craig (BVW:9T16)
Cc: openldap-software@openldap.org
Subject: Re: Single-master replication over TLS fails in 2.4.15

Craig Worgan wrote:
> Hi,
>
> I am trying to upgrade from 2.3.42 to 2.4.15 and my setup uses 
> single-master replication over TLS. When I do the upgrade I have 
> noticed that replication fails. I have reproduced the problem in my 
> lab, using a single server and multiple slapd instances, and I get the

> following error on the slave:
>
>       [root@otm-hp11 cnd]# ./slapd -f slapdSlave.conf -d sync -h
>       "ldap://47.11.48.221:20389 ldaps://47.11.48.221:20636"
>       @(#) $OpenLDAP: slapd 2.4.15 (Feb 25 2009 22:27:30) $
>       
> worganc@otm-hp11:/home/worganc/openldap_build/openldap-2.4.15/servers/
> slapd
>
>       bdb_db_open: warning - no DB_CONFIG file found in directory
>       /opt/nortel/cnd/slave-data: (2).
>       Expect poor performance for suffix "dc=Nortel,dc=com".
>       slapd starting
>       TLS certificate verification: Error, self signed certificate in
>       certificate chain
>       TLS: can't connect: error:14090086:SSL
>       routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
>       slap_client_connect: URI=ldaps://47.11.48.221:10636
>       DN="cn=replicationagent,ou=replication,dc=nortel,dc=com"
>       ldap_sasl_bind_s failed (-1)
>
>       do_syncrepl: rid=983 retrying (4 retries left)
>
> The corresponding trace on the master is:
>
>       TLS: can't accept: error:14094418:SSL
>       routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.

Sounds like you didn't configure a TLSCACertificateFile on the consumer.
>
> Based on the error messages, I thought that there was a problem with 
> the certificates I am using, but when I revert the slapd executable to

> the old 2.3.42 version, replication succeeds. Were more stringent CA 
> checks added between 2.3.42 and 2.4.15? Note that the same OpenSSL 
> version was used to build both slapd executables (0.9.8b). Also, the 
> same configuration options were used to build both versions.
>
> Cheers,
>
> Craig
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/