Hi George,

They are both identically configured in all ways, including their TLS settings. Quanah has pointed out that the TLS configuration for syncrepl has changed in 2.4. I am currently testing in my lab.

Thanks,
Craig

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of George Holbert
Sent: Thursday, February 26, 2009 1:35 PM
To: [email protected]
Subject: Re: Single-master replication over TLS fails in 2.4.15

Craig Worgan wrote:
>
> Hi,
>
> I am trying to upgrade from 2.3.42 to 2.4.15 and my setup uses
> single-master replication over TLS. When I do the upgrade I have
> noticed that replication fails. I have reproduced the problem in my
> lab, using a single server and multiple slapd instances, and I get the
> following error on the slave:
>
> [r...@otm-hp11 cnd]# ./slapd -f slapdSlave.conf -d sync -h "ldap://47.11.48.221:20389 ldaps://47.11.48.221:20636"
> @(#) $OpenLDAP: slapd 2.4.15 (Feb 25 2009 22:27:30) $
>         worg...@otm-hp11:/home/worganc/openldap_build/openldap-2.4.15/servers/slapd
>
> bdb_db_open: warning - no DB_CONFIG file found in directory /opt/nortel/cnd/slave-data: (2).
> Expect poor performance for suffix "dc=Nortel,dc=com".
> slapd starting
> TLS certificate verification: Error, self signed certificate in certificate chain
> TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
> slap_client_connect: URI=ldaps://47.11.48.221:10636 DN="cn=replicationagent,ou=replication,dc=nortel,dc=com" ldap_sasl_bind_s failed (-1)
> do_syncrepl: rid=983 retrying (4 retries left)
>
> The corresponding trace on the master is:
>
> TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
>

Are your 2.3.42 and your 2.4.15 instances both identically configured to be aware of your CA's public certificate?

> Based on the error messages, I thought that there was a problem with
> the certificates I am using, but when I revert the slapd executable to
> the old 2.3.42 version, replication succeeds. Were more stringent CA
> checks added between 2.3.42 and 2.4.15? Note that the same OpenSSL
> version was used to build both slapd executables (0.9.8b). Also, the
> same configuration options were used to build both versions.
>
> Cheers,
>
> Craig
>
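The pair of errors in the thread (the consumer's "self signed certificate in certificate chain" and the master's "tlsv1 alert unknown ca") is what a TLS client reports when the server presents a chain ending in a private CA that the client does not have as a trust anchor. The script below is an added example, not code from the thread or from OpenLDAP: it builds a constructed private CA ("Example Lab CA") and a master certificate ("ldap-master.example.test") signed by it, then runs the same verification a consumer performs, first without the CA in its trust store and then with it. The only assumption is that the openssl command line (1.1.1 or later, for the -no-CAfile/-no-CApath options) is installed.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the consumer-side TLS
# verification failure quoted above and show it clearing once the consumer
# trusts the CA. All keys and certificates are constructed here; assumes
# only that the openssl CLI (1.1.1+) is available.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed private CA plus a provider (master) certificate it signs,
# standing in for the real CA and the master's server certificate.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Lab CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=ldap-master.example.test" \
    -keyout "$WORK/master.key" -out "$WORK/master.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/master.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/master.crt" >/dev/null 2>&1
}

# A consumer that receives the full chain (server cert + CA) in the
# handshake but has no trust anchor for that CA. -untrusted makes the CA
# available for chain building only, as the handshake would; -no-CAfile
# and -no-CApath drop the system store so only our own trust decision
# counts. Prints "untrusted" when verification fails for the reason seen
# in the thread, "trusted" if it passes, "other:<text>" for anything else.
verify_without_ca() {
  out=$(openssl verify -no-CAfile -no-CApath -untrusted "$WORK/ca.crt" \
        "$WORK/master.crt" 2>&1) && { echo trusted; return 0; }
  # OpenSSL 1.1 prints "self signed", 3.x prints "self-signed"; match both.
  if printf '%s\n' "$out" | grep -q 'self.signed certificate in certificate chain'; then
    echo untrusted
  else
    echo "other:$out"
  fi
}

# The same consumer after it has been given the CA certificate as a trust
# anchor: the chain now verifies and the bind can proceed.
verify_with_ca() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$WORK/ca.crt" \
       "$WORK/master.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_chain
echo "consumer without the CA: $(verify_without_ca)"
echo "consumer with the CA:    $(verify_with_ca)"
```

The first check reproduces the consumer's log line and, on the server side, corresponds to the "unknown ca" alert the master logs; the second is the state a working replication setup needs. In slapd.conf for 2.4, the trust anchor for the consumer's outgoing syncrepl connection is given by the tls_cacert= parameter of the syncrepl directive (documented in slapd.conf(5)); that file is the equivalent of the -CAfile argument in the second check, which is why comparing that setting between the 2.3.42 and 2.4.15 consumers is the first thing to confirm.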
