k bah wrote:
Hi,
I have LDAP replication setup (slurpd), works fine. Until a while ago I had a
CA certificate, and with that one I signed other two certificates, for two different hosts. So I had 3 "hosts", one is the CA, another one is LDAP Master and the last the ldap slave. Configuration on both master and slave slapd.conf had:
TLSCertificateFile /etc/openldap/"this"-machine-certificate.crt TLSCertificateKeyFile /etc/openldap/"this"-machine-key.key TLSCACertificateFile /etc/openldap/"the-ca"-machine-cert.crt
That sounds like a correct configuration.
Now I changed the certificates, both the Master and Slave machines use self signed certificates, I changed the certificates/tls config on several services that used it, they work fine, but LDAP replication stopped working.
That is a bad configuration. The old saying applies - "if it ain't broke, don't fix it." Your original config was fine...
If you're replacing certs because they expired or some other reason, just duplicate the structure you had originally. Create one self-signed CA cert, then create your server certs and use your CA cert to sign all the other certs. Then distribute your CA cert to all the client machines as usual.