Hi Howard, I actually thought that my certificate was bad, until I went back to 2.3 with the same certificate and configuration and it worked fine. Quanah pointed out the new TLS related syncrepl options which, when I added them to my config, fixed the problem. Thing is, I pointed the syncrepl options to the same certificate I am using for the TLS* server certificate directives. I am using a compound certificate, so my TLS related config looks like this:
...
TLSCertificateFile 0.pem
TLSCACertificateFile 0.pem
TLSCertificateKeyFile 0.pem
...
syncrepl rid=983
        provider=ldaps://myhost.nortel.com:10636
        type=refreshAndPersist
        searchbase=dc=nortel,dc=com
        bindmethod=simple
        binddn=cn=someaccount,dc=nortel,dc=com
        credentials=secret
        retry="30 +"
        tls_cert=0.pem
        tls_cacert=0.pem
        tls_key=0.pem

In 2.4, if you configure syncrepl over TLS and omit the new options, does OpenLDAP use the values that are configured for the server certificate settings (TLS*), if any? If so, I'm confused as to why it failed for me originally.

Cheers,
Craig

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Howard Chu
Sent: Thursday, February 26, 2009 4:30 PM
To: Worgan, Craig (BVW:9T16)
Cc: [email protected]
Subject: Re: Single-master replication over TLS fails in 2.4.15

Craig Worgan wrote:
> Hi,
>
> I am trying to upgrade from 2.3.42 to 2.4.15 and my setup uses
> single-master replication over TLS. When I do the upgrade I have
> noticed that replication fails. I have reproduced the problem in my
> lab, using a single server and multiple slapd instances, and I get the
> following error on the slave:
>
> [r...@otm-hp11 cnd]# ./slapd -f slapdSlave.conf -d sync -h "ldap://47.11.48.221:20389 ldaps://47.11.48.221:20636"
> @(#) $OpenLDAP: slapd 2.4.15 (Feb 25 2009 22:27:30) $
>         worg...@otm-hp11:/home/worganc/openldap_build/openldap-2.4.15/servers/slapd
>
> bdb_db_open: warning - no DB_CONFIG file found in directory /opt/nortel/cnd/slave-data: (2).
> Expect poor performance for suffix "dc=Nortel,dc=com".
> slapd starting
> TLS certificate verification: Error, self signed certificate in certificate chain
> TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
> slap_client_connect: URI=ldaps://47.11.48.221:10636 DN="cn=replicationagent,ou=replication,dc=nortel,dc=com" ldap_sasl_bind_s failed (-1)
>
> do_syncrepl: rid=983 retrying (4 retries left)
>
> The corresponding trace on the master is:
>
> TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.

Sounds like you didn't configure a TLSCACertificateFile on the consumer.

>
> Based on the error messages, I thought that there was a problem with
> the certificates I am using, but when I revert the slapd executable to
> the old 2.3.42 version, replication succeeds. Were more stringent CA
> checks added between 2.3.42 and 2.4.15? Note that the same OpenSSL
> version was used to build both slapd executables (0.9.8b). Also, the
> same configuration options were used to build both versions.
>
> Cheers,
>
> Craig
> --

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
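A small config lint for the misconfiguration Howard points at, added here as an example and not code from the thread or from OpenLDAP: it joins slapd.conf continuation lines and reports every syncrepl consumer that negotiates TLS (ldaps:// provider or starttls=) but sets no consumer-side tls_cacert/tls_cacertdir. Whether 2.4 falls back to the server-side TLS* directives is left open in the thread, so the check deliberately treats only the syncrepl option as satisfying it; the sample config, host names and paths are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: lint a slapd.conf for syncrepl
# consumers that use ldaps:// or starttls but set no consumer-side
# tls_cacert/tls_cacertdir, the gap Howard points at above.

# Join slapd.conf continuation lines (leading whitespace) into one
# directive and report each TLS-using syncrepl lacking tls_cacert.
check_syncrepl_tls() {
    awk '
        # A line starting with whitespace continues the previous directive.
        /^[ \t]/ { buf = buf " " $0; next }
        { if (buf != "") check(buf); buf = $0 }
        END { if (buf != "") check(buf) }
        function check(line,    rid) {
            if (line !~ /^syncrepl[ \t]/) return
            # Only consumers that negotiate TLS are of interest.
            if (line !~ /provider=ldaps:\/\// && line !~ /starttls=(yes|critical)/) return
            rid = "?"
            if (match(line, /rid=[0-9]+/)) rid = substr(line, RSTART + 4, RLENGTH - 4)
            if (line !~ /tls_cacert(dir)?=/)
                printf "rid=%s: TLS consumer without tls_cacert\n", rid
        }
    ' "$1"
}

# Constructed sample: rid=1 relies on the server TLS* lines only,
# rid=2 and rid=4 name a consumer-side CA, rid=3 is plain ldap://.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
TLSCertificateFile 0.pem
TLSCACertificateFile 0.pem
syncrepl rid=1 provider=ldaps://provider.example:636
    type=refreshAndPersist searchbase=dc=example
    bindmethod=simple binddn=cn=repl,dc=example credentials=secret
syncrepl rid=2 provider=ldaps://provider.example:636
    searchbase=dc=example tls_cacert=0.pem tls_cert=0.pem tls_key=0.pem
syncrepl rid=3 provider=ldap://provider.example:389 searchbase=dc=example
syncrepl rid=4 provider=ldap://provider.example:389 starttls=yes
    searchbase=dc=example tls_cacertdir=/etc/ssl/certs
EOF

check_syncrepl_tls "$SAMPLE_CONF"   # prints: rid=1: TLS consumer without tls_cacert
```

Run it against the real slapd.conf on a consumer before upgrading; an empty result means every TLS-using syncrepl already carries its own CA setting.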
