> On 13 Nov 2019, at 20:29, Graham Leggett <minf...@sharp.fm> wrote:
> 
> On 13 Nov 2019, at 01:37, William Brown <wbr...@suse.de> wrote:
> 
>>> Does anyone know why 389ds would suddenly stop sending the full certificate 
>>> chain while replicating?
>>> 
>>> It also looks like the error handling in 389ds SSL is broken - if the slave 
>>> sent “unknown CA” to the master, the master needs to log that fact, and not 
>>> report the error as “success”.
>> 
>> We'll need to see the output of certutil -L -d /etc/dirsrv/slapd-<instance>/ 
>> from both the master and replica servers please.
>> 
>> In a TLS auth process the client doesn't send its CA - if you get unknown 
>> CA it's most likely the replica has either had the CA and its chain members 
>> expire, or they are not marked as trusted for client auth. So that's why I'd 
>> like to see the certutil output please. 
> 
> I discovered the same problem had been reported in OpenLDAP: 
> https://www.centos.org/forums/viewtopic.php?t=67042
> 
> This in turn is caused by a regression in NSS, where it is no longer 
> sufficient to have a trusted root certificate, you now need all intermediate 
> certificates marked as trusted as well.
> 
> Making the following change to the intermediate certs fixed the problem:
> 
> [root@ldap01 ~]# certutil -L -d /etc/dirsrv/slapd-hg
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> intermediateB                                                ,,
> intermediateA                                                ,,
> rootrootroot                                                 CT,C,C
> ldap01                                                       u,u,u
> [root@ldap01 ~]# certutil -M -d /etc/dirsrv/slapd-hg -t "CT,C,C" -n "intermediateA"
> [root@ldap01 ~]# certutil -M -d /etc/dirsrv/slapd-hg -t "CT,C,C" -n "intermediateB"
> [root@ldap01 ~]# certutil -L -d /etc/dirsrv/slapd-hg
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> intermediateA                                                CT,C,C
> intermediateB                                                CT,C,C
> rootrootroot                                                 CT,C,C
> ldap01                                                       u,u,u
> 
> Raised the bug here: https://bugzilla.redhat.com/show_bug.cgi?id=1771979

Awesome work, thanks for following up on this! 

> 
> Regards,
> Graham
> —
> 

—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs
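As an added example (not from the thread, 389ds or NSS), a small POSIX shell audit that reads `certutil -L` output, lists CA certificates whose SSL trust field lacks the `C` flag, and prints the `certutil -M` remediation Graham used without running it; the listing is constructed to mirror the "before" state above and the database path is an assumption.

```shell
#!/bin/sh
# Added example: audit NSS trust flags in a `certutil -L` listing and print
# (never execute) the certutil -M command that would trust each untrusted CA.

# Constructed sample, matching the thread's state before the fix.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

intermediateB                                                ,,
intermediateA                                                ,,
rootrootroot                                                 CT,C,C
ldap01                                                       u,u,u
'

# find_untrusted_cas: read a certutil -L listing on stdin and print one
# nickname per line for each certificate whose SSL trust field (first of the
# three comma-separated groups) has neither "C" (trusted CA) nor "u" (our own
# server certificate). Header and blank lines are skipped.
find_untrusted_cas() {
    awk '
        NF < 2 { next }                              # blank / header continuation
        /^Certificate Nickname/ { next }             # column header
        $NF !~ /^[pPcCTu]*,[pPcCTu]*,[pPcCTu]*$/ { next }  # not a trust column
        {
            split($NF, f, ",")                       # f[1]=SSL f[2]=S/MIME f[3]=JAR
            if (f[1] ~ /u/) next                     # user (server) certificate
            if (f[1] ~ /C/) next                     # already a trusted CA
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)    # drop the trust column
            sub(/^[ \t]+/, "", nick)                 # drop leading whitespace
            print nick
        }'
}

# suggest_fix DBDIR: for each nickname on stdin, print the remediation command
# from the thread as text so an operator can review it before applying.
suggest_fix() {
    db="$1"
    while IFS= read -r nick; do
        printf 'certutil -M -d %s -t "CT,C,C" -n "%s"\n' "$db" "$nick"
    done
}

# Assumed database path; adjust to the instance being audited.
printf '%s\n' "$SAMPLE_LISTING" | find_untrusted_cas | suggest_fix /etc/dirsrv/slapd-hg
```

On a live server, replace the sample with `certutil -L -d /etc/dirsrv/slapd-<instance>/ | find_untrusted_cas` and review the printed commands before running any of them.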
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org