RE: Single-master replication over TLS fails in 2.4.15
Hi Howard,
I actually thought that my certificate was bad, until I went back to 2.3
with the same certificate and configuration and it worked fine. Quanah
pointed out the new TLS related syncrepl options which, when I added
them to my config, fixed the problem. Thing is, I pointed the syncrepl
options to the same certificate I am using for the TLS* server
certificate directives. I am using a compound certificate, so my TLS
related config looks like this:
...
TLSCertificateFile 0.pem
TLSCACertificateFile 0.pem
TLSCertificateKeyFile 0.pem
...
syncrepl rid=983
provider=ldaps://myhost.nortel.com:10636
type=refreshAndPersist
searchbase=dc=nortel,dc=com
bindmethod=simple
binddn=cn=someaccount,dc=nortel,dc=com
credentials=secret
retry="30 +"
tls_cert=0.pem
tls_cacert=0.pem
tls_key=0.pem
In 2.4, if you configure syncrepl over TLS and omit the new options,
does OpenLDAP use the values that are configured for the server
certificate settings (TLS*), if any? If so, I'm confused as to why it
failed for me originally.
Cheers,
Craig
-----Original Message-----
From: openldap-software-bounces+worganc=nortel.com@openldap.org
[mailto:openldap-software-bounces+worganc=nortel.com@openldap.org] On
Behalf Of Howard Chu
Sent: Thursday, February 26, 2009 4:30 PM
To: Worgan, Craig (BVW:9T16)
Cc: openldap-software@openldap.org
Subject: Re: Single-master replication over TLS fails in 2.4.15
Craig Worgan wrote:
> Hi,
>
> I am trying to upgrade from 2.3.42 to 2.4.15 and my setup uses
> single-master replication over TLS. When I do the upgrade I have
> noticed that replication fails. I have reproduced the problem in my
> lab, using a single server and multiple slapd instances, and I get the
> following error on the slave:
>
> [root@otm-hp11 cnd]# ./slapd -f slapdSlave.conf -d sync -h
> "ldap://47.11.48.221:20389 ldaps://47.11.48.221:20636"
> @(#) $OpenLDAP: slapd 2.4.15 (Feb 25 2009 22:27:30) $
>
> worganc@otm-hp11:/home/worganc/openldap_build/openldap-2.4.15/servers/
> slapd
>
> bdb_db_open: warning - no DB_CONFIG file found in directory
> /opt/nortel/cnd/slave-data: (2).
> Expect poor performance for suffix "dc=Nortel,dc=com".
> slapd starting
> TLS certificate verification: Error, self signed certificate in
> certificate chain
> TLS: can't connect: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
> slap_client_connect: URI=ldaps://47.11.48.221:10636
> DN="cn=replicationagent,ou=replication,dc=nortel,dc=com"
> ldap_sasl_bind_s failed (-1)
>
> do_syncrepl: rid=983 retrying (4 retries left)
>
> The corresponding trace on the master is:
>
> TLS: can't accept: error:14094418:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
Sounds like you didn't configure a TLSCACertificateFile on the consumer.
>
> Based on the error messages, I thought that there was a problem with
> the certificates I am using, but when I revert the slapd executable to
> the old 2.3.42 version, replication succeeds. Were more stringent CA
> checks added between 2.3.42 and 2.4.15? Note that the same OpenSSL
> version was used to build both slapd executables (0.9.8b). Also, the
> same configuration options were used to build both versions.
>
> Cheers,
>
> Craig
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
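The thread turns on one detail: the consumer's syncrepl stanza talked ldaps:// to the provider without naming a CA file of its own, and the client side could not verify the provider's self-signed chain until tls_cacert was added. The following checker is an added example, not code from this thread or from the OpenLDAP project. It reads a slapd.conf consumer configuration, joins continuation lines (slapd.conf treats a line that begins with whitespace as a continuation of the preceding directive), and reports every syncrepl stanza that uses ldaps:// or starttls but omits tls_cacert. The sample configuration embedded below is constructed for the example; the hostnames, file paths and rids in it are placeholders, and the first stanza deliberately mirrors the failing setup described above.

```python
"""Lint an OpenLDAP 2.4 slapd.conf (consumer side) for syncrepl-over-TLS stanzas
that omit tls_cacert.  Added example; not OpenLDAP code.  The sample config
below is constructed: hostnames, paths and rids are placeholders."""
import shlex
from urllib.parse import urlsplit

SAMPLE_CONF = """\
# constructed sample slapd.conf (consumer side)
TLSCertificateFile /etc/openldap/0.pem
TLSCACertificateFile /etc/openldap/0.pem
TLSCertificateKeyFile /etc/openldap/0.pem

database bdb
suffix "dc=example,dc=com"

# stanza 1: ldaps:// provider, no tls_cacert -> mirrors the failing setup
syncrepl rid=983
    provider=ldaps://provider.example.com:10636
    type=refreshAndPersist
    searchbase="dc=example,dc=com"
    bindmethod=simple
    binddn="cn=replicationagent,dc=example,dc=com"
    credentials=secret
    retry="30 +"

# stanza 2: same provider, CA file named explicitly -> the fix from the thread
syncrepl rid=984
    provider=ldaps://provider.example.com:10636
    type=refreshAndPersist
    searchbase="dc=example,dc=com"
    bindmethod=simple
    binddn="cn=replicationagent,dc=example,dc=com"
    credentials=secret
    retry="30 +"
    tls_cert=/etc/openldap/0.pem
    tls_cacert=/etc/openldap/0.pem
    tls_key=/etc/openldap/0.pem

# stanza 3: plain ldap://, no TLS at all, so nothing to check
syncrepl rid=985
    provider=ldap://provider.example.com:10389
    type=refreshOnly
    interval=00:00:05:00
    searchbase="dc=example,dc=com"
    bindmethod=simple
    binddn="cn=replicationagent,dc=example,dc=com"
    credentials=secret
"""


def logical_lines(text):
    """Drop comments and blank lines; glue whitespace-led continuation lines
    onto the directive they belong to (slapd.conf convention)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def parse_syncrepl(line):
    """Turn 'syncrepl rid=983 provider=... retry="30 +"' into a dict.
    shlex keeps quoted values such as retry="30 +" together."""
    tokens = shlex.split(line)
    opts = {}
    for tok in tokens[1:]:
        key, _, value = tok.partition("=")
        opts[key.lower()] = value
    return opts


def uses_tls(opts):
    """True when the stanza will negotiate TLS: ldaps:// URI or starttls."""
    scheme = urlsplit(opts.get("provider", "")).scheme.lower()
    starttls = opts.get("starttls", "no").lower()
    return scheme == "ldaps" or starttls in ("yes", "critical")


def lint(text):
    """Return one finding per TLS syncrepl stanza that lacks tls_cacert."""
    findings = []
    directives = logical_lines(text)
    server_ca = None
    for d in directives:
        if d.lower().startswith("tlscacertificatefile"):
            server_ca = shlex.split(d)[1]
    for d in directives:
        if not d.lower().startswith("syncrepl"):
            continue
        opts = parse_syncrepl(d)
        if uses_tls(opts) and "tls_cacert" not in opts:
            hint = (f"; server-side TLSCACertificateFile is {server_ca}, but the "
                    "stanza names no CA file for its own client connection"
                    if server_ca else "")
            findings.append(f"rid={opts.get('rid', '?')}: TLS provider "
                            f"{opts.get('provider')} without tls_cacert{hint}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Run against the constructed sample, only rid=983 is reported: rid=984 carries tls_cacert and rid=985 never negotiates TLS. The checker reports only what the stanza itself says; it makes no claim about whether libldap falls back to the server's TLS* directives, which is exactly the open question in the message above, so the safe reading is that a TLS syncrepl stanza should always name its CA file explicitly.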