Hi,
I am trying to upgrade from 2.3.42 to 2.4.15 and my setup uses
single-master replication over TLS. When I do the upgrade I have
noticed that replication fails. I have reproduced the problem in my
lab, using a single server and multiple slapd instances, and I get the
following error on the slave:
[root@otm-hp11 cnd]# ./slapd -f slapdSlave.conf -d sync -h "ldap://47.11.48.221:20389 ldaps://47.11.48.221:20636"
@(#) $OpenLDAP: slapd 2.4.15 (Feb 25 2009 22:27:30) $
worganc@otm-hp11:/home/worganc/openldap_build/openldap-2.4.15/servers/slapd
bdb_db_open: warning - no DB_CONFIG file found in directory /opt/nortel/cnd/slave-data: (2).
Expect poor performance for suffix "dc=Nortel,dc=com".
slapd starting
TLS certificate verification: Error, self signed certificate in certificate chain
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
slap_client_connect: URI=ldaps://47.11.48.221:10636 DN="cn=replicationagent,ou=replication,dc=nortel,dc=com" ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=983 retrying (4 retries left)
The corresponding trace on the master is:
TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
Based on the error messages, I thought that there was a problem with the
certificates I am using, but when I revert the slapd executable to the
old 2.3.42 version, replication succeeds. Were more stringent CA checks
added between 2.3.42 and 2.4.15? Note that the same OpenSSL version was
used to build both slapd executables (0.9.8b). Also, the same
configuration options were used to build both versions.
Cheers,
Craig
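As an added example (not part of Craig's message or of the OpenLDAP distribution), the consumer-side slapd.conf fragment below shows where a 2.4 syncrepl client gets the trust anchor it needs to verify the master's certificate. The errors quoted above ("self signed certificate in certificate chain" on the consumer, "tlsv1 alert unknown ca" on the master) are the two halves of one failure: the consumer could not build a trusted chain for the master's server certificate and aborted the handshake. In 2.4, slapd.conf(5) documents per-syncrepl tls_* options, with tls_reqcert defaulting to demand and the other settings defaulting to the global slapd TLS settings, so the consumer has to be told explicitly which CA it trusts. The provider URI, rid, suffix and binddn are taken from the post; the certificate paths and the credentials value are assumptions.

```conf
# Added example, not from the original message. Consumer (slave) slapd.conf
# fragment for OpenLDAP 2.4. ASSUMED paths: /etc/openldap/certs/ca.pem is the
# CA that signed the master's server certificate; slave.pem and slave-key.pem
# are the consumer's own listener certificate and key. Values taken from the
# post: provider URI, rid, suffix, binddn.

# Global TLS settings: used for the consumer's own ldaps:// listener and, per
# slapd.conf(5), as the defaults for syncrepl's outgoing TLS connection when
# no tls_* option is given in the syncrepl directive.
TLSCACertificateFile    /etc/openldap/certs/ca.pem
TLSCertificateFile      /etc/openldap/certs/slave.pem
TLSCertificateKeyFile   /etc/openldap/certs/slave-key.pem

database bdb
suffix   "dc=Nortel,dc=com"
directory /opt/nortel/cnd/slave-data

syncrepl rid=983
         provider=ldaps://47.11.48.221:10636
         type=refreshAndPersist
         searchbase="dc=Nortel,dc=com"
         bindmethod=simple
         binddn="cn=replicationagent,ou=replication,dc=nortel,dc=com"
         credentials=replication-password     # ASSUMED placeholder
         retry="60 +"
         # Trust anchor for verifying the MASTER's certificate. This must be
         # the CA that issued the master's server cert (or the master's own
         # cert if that cert is self-signed), not the consumer's cert.
         tls_cacert=/etc/openldap/certs/ca.pem
         # demand is the 2.4 default; stated explicitly so the verification
         # requirement is visible. Do not downgrade to "never" to hide a
         # trust error: that disables server authentication for replication.
         tls_reqcert=demand
```

The same trust decision can be checked outside slapd before restarting anything: openssl s_client -connect 47.11.48.221:10636 -CAfile /etc/openldap/certs/ca.pem should end with "Verify return code: 0 (ok)" when ca.pem is the right issuer, and with a "self signed certificate in certificate chain" or "unable to get local issuer certificate" verify code when it is not. If the master's certificate is issued by a subordinate CA, the file passed as tls_cacert must contain every CA in the chain up to and including the self-signed root.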