I've recently updated both my openldap servers to version 2.4.39 and
everything seems to be working EXCEPT the mirror synchronization, which was the
issue I had previously with 2.4.23.
Running on CentOS 6.5
Setup -
Server1(provider): ldap-east.xxxxx.net
Server2(consumer): ldap-west.xxxxx.net
Not using self-signed certs. Instead have a SAN (Subject Alternative Name) cert
from DigiCert with 4 hostnames:
ldap.xxxxx.net
ldap-1.xxxxx.net
ldap-2.xxxxx.net
ldap-alt.xxxxx.net
I'm using slapd.conf vs cn=config.
The details:
[root@ldap-east certs]# slapd -d sync
541b16ed @(#) $OpenLDAP: slapd 2.4.39 (Sep 16 2014 19:42:16) $
root@admin.pcoral.net:/root/rpmbuild/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
541b16ed /etc/openldap/slapd.conf: line 165: warning, destination
attributeType 'sAMAccountName' is not defined in schema
541b16ed PROXIED attributeDescription "SAMACCOUNTNAME" inserted.
541b16ed /etc/openldap/slapd.conf: line 215: rootdn is always granted
unlimited privileges.
541b16ed bdb_monitor_db_open: monitoring disabled; configure monitor database
to enable
541b16ed slapd starting
TLS: error: the certificate '/etc/openldap/certs/ldap_xxxxx_net.crt' could not
be found in the database - error -12285:Unable to find the certificate or key
necessary for authentication..
TLS: certificate '/etc/openldap/certs/ldap_xxxxx_net.crt' successfully loaded
from PEM file.
TLS: no unlocked certificate for certificate 'CN=ldap.xxxxx.net,O="xxxxxx,
INC.",L=Alviso,ST=California,C=US'.
541b16ed do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE - REFRESH_DELETE
*** I wonder if there is something about SAN certs where ldap is having issues?
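One thing worth checking separately from the NSS key error in the log above is whether the four SAN names on the DigiCert certificate actually cover the hostnames the two replicas use to talk to each other (ldap-east and ldap-west). The following is an added example, not code from the poster or from OpenLDAP; it implements the usual RFC 6125-style dNSName matching rule (exact match or a single whole-label leading wildcard, SANs preferred over CN) in plain Python and runs it over the names quoted in the post. The SAN list and replication hostnames are copied from the post; the matching logic is a stand-in for what the TLS library on the consumer side does, not OpenLDAP's own code.

```python
# Hostnames as quoted in the post (they are already placeholders there).
SAN_DNS_NAMES = [
    "ldap.xxxxx.net",
    "ldap-1.xxxxx.net",
    "ldap-2.xxxxx.net",
    "ldap-alt.xxxxx.net",
]
CERT_SUBJECT_CN = "ldap.xxxxx.net"

# Names the provider/consumer pair connect to for syncrepl, per the post.
REPLICATION_HOSTS = ["ldap-east.xxxxx.net", "ldap-west.xxxxx.net"]


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one dNSName pattern against a hostname.

    Case-insensitive; a '*' is accepted only as the entire left-most label,
    it matches exactly one label, and the pattern must keep at least two
    literal labels so '*.net' style patterns are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname, san_dns_names, subject_cn=None):
    """True if the certificate's identities cover `hostname`.

    When the certificate carries any dNSName SANs, only those are consulted
    and the subject CN is ignored, which is how current TLS clients behave;
    the CN is used only as a fallback for certificates without SANs.
    """
    if san_dns_names:
        return any(_dns_name_matches(p, hostname) for p in san_dns_names)
    return subject_cn is not None and _dns_name_matches(subject_cn, hostname)


def check_replication_names(hosts, san_dns_names, subject_cn=None):
    """Map each replication hostname to whether the cert would verify for it."""
    return {h: hostname_matches_cert(h, san_dns_names, subject_cn) for h in hosts}


if __name__ == "__main__":
    results = check_replication_names(REPLICATION_HOSTS, SAN_DNS_NAMES, CERT_SUBJECT_CN)
    for host, ok in results.items():
        status = "covered" if ok else "NOT covered: peer name verification would fail"
        print(f"{host}: {status}")
```

Run as-is, the script reports that neither ldap-east.xxxxx.net nor ldap-west.xxxxx.net is among the certificate's SANs, so a consumer configured with `TLS_REQCERT demand` (or the syncrepl `tls_reqcert=demand` equivalent) and pointed at those names would reject the provider's certificate even once the private-key problem in the log is sorted out; either the replication URIs should use one of the four SAN names, or the certificate needs those names added.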