Hi Howard,
I actually thought that my certificate was bad, until I went back to 2.3
with the same certificate and configuration and it worked fine. Quanah
pointed out the new TLS related syncrepl options which, when I added
them to my config, fixed the problem. Thing is, I pointed the syncrepl
options to the same certificate I am using for the TLS* server
certificate directives. I am using a compound certificate, so my TLS
related config looks like this:
...
TLSCertificateFile 0.pem
TLSCACertificateFile 0.pem
TLSCertificateKeyFile 0.pem
...
syncrepl rid=983
    provider=ldaps://myhost.nortel.com:10636
    type=refreshAndPersist
    searchbase=dc=nortel,dc=com
    bindmethod=simple
    binddn=cn=someaccount,dc=nortel,dc=com
    credentials=secret
    retry="30 +"
    tls_cert=0.pem
    tls_cacert=0.pem
    tls_key=0.pem
In 2.4, if you configure syncrepl over TLS and omit the new options,
does OpenLDAP use the values that are configured for the server
certificate settings (TLS*), if any? If so, I'm confused as to why it
failed for me originally.
Cheers,
Craig
-----Original Message-----
From: openldap-software-bounces+worganc=nortel.com(a)openldap.org [mailto:openldap-software-bounces+worganc=nortel.com@openldap.org] On Behalf Of Howard Chu
Sent: Thursday, February 26, 2009 4:30 PM
To: Worgan, Craig (BVW:9T16)
Cc: openldap-software(a)openldap.org
Subject: Re: Single-master replication over TLS fails in 2.4.15
Craig Worgan wrote:
> Hi,
> I am trying to upgrade from 2.3.42 to 2.4.15 and my setup uses
> single-master replication over TLS. When I do the upgrade I have
> noticed that replication fails. I have reproduced the problem in my
> lab, using a single server and multiple slapd instances, and I get the
> following error on the slave:
>
> [root@otm-hp11 cnd]# ./slapd -f slapdSlave.conf -d sync -h "ldap://47.11.48.221:20389 ldaps://47.11.48.221:20636"
> @(#) $OpenLDAP: slapd 2.4.15 (Feb 25 2009 22:27:30) $
>         worganc@otm-hp11:/home/worganc/openldap_build/openldap-2.4.15/servers/slapd
> bdb_db_open: warning - no DB_CONFIG file found in directory /opt/nortel/cnd/slave-data: (2).
> Expect poor performance for suffix "dc=Nortel,dc=com".
> slapd starting
> TLS certificate verification: Error, self signed certificate in certificate chain
> TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
> slap_client_connect: URI=ldaps://47.11.48.221:10636 DN="cn=replicationagent,ou=replication,dc=nortel,dc=com" ldap_sasl_bind_s failed (-1)
> do_syncrepl: rid=983 retrying (4 retries left)
>
> The corresponding trace on the master is:
>
> TLS: can't accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
Sounds like you didn't configure a TLSCACertificateFile on the consumer.
> Based on the error messages, I thought that there was a problem with
> the certificates I am using, but when I revert the slapd executable to
> the old 2.3.42 version, replication succeeds. Were more stringent CA
> checks added between 2.3.42 and 2.4.15? Note that the same OpenSSL
> version was used to build both slapd executables (0.9.8b). Also, the
> same configuration options were used to build both versions.
>
> Cheers,
> Craig
-- 
  -- Howard Chu
  CTO, Symas Corp.               http://www.symas.com
  Director, Highland Sun         http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP      http://www.openldap.org/project/
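The point of the thread is that the syncrepl consumer is an LDAP client inside slapd, and its trust in the provider's certificate was only fixed once the syncrepl stanza itself carried tls_cacert. The script below is an added example, not code from the thread or from OpenLDAP: it parses slapd.conf syntax (continuation lines start with whitespace, '#' starts a comment, values may be double-quoted as in retry="30 +") and reports every syncrepl stanza that talks to its provider over ldaps:// or StartTLS without an explicit tls_cacert, that has turned verification off with tls_reqcert=never or allow, or that uses no TLS at all while sending a simple-bind password. The four stanzas in SAMPLE_CONF are constructed, modelled on the one posted above; the host names, rids and file names in them are illustrative. Requiring tls_cacert per stanza is this script's assumption, taken from the fix that worked in the thread, and it cannot see a TLS_CACERT set in ldap.conf.

```python
"""Lint slapd.conf syncrepl stanzas for missing or disabled TLS trust.

Added example for the thread above, not OpenLDAP code. It sees only slapd.conf:
a TLS_CACERT in ldap.conf (also read by libldap) is outside its view, so a
"no-tls_cacert" finding is a prompt to check, not proof of a fault.
"""
import shlex

# Constructed sample, modelled on the stanza posted in the thread.
SAMPLE_CONF = """\
TLSCertificateFile 0.pem
TLSCACertificateFile 0.pem
TLSCertificateKeyFile 0.pem

# consumer as first posted: ldaps:// provider, no tls_* options
syncrepl rid=983
    provider=ldaps://myhost.nortel.com:10636
    type=refreshAndPersist
    searchbase="dc=nortel,dc=com"
    bindmethod=simple
    binddn="cn=someaccount,dc=nortel,dc=com"
    credentials=secret
    retry="30 +"

# consumer as fixed: the CA that issued the provider's certificate, stated explicitly
syncrepl rid=984
    provider=ldaps://myhost.nortel.com:10636
    type=refreshAndPersist
    searchbase="dc=nortel,dc=com"
    bindmethod=simple
    binddn="cn=someaccount,dc=nortel,dc=com"
    credentials=secret
    tls_cacert=0.pem
    tls_reqcert=demand

# the wrong fix: the "unknown ca" error goes away because nothing is verified
syncrepl rid=985
    provider=ldap://myhost.nortel.com:10389
    starttls=critical
    type=refreshAndPersist searchbase="dc=nortel,dc=com"
    bindmethod=simple binddn="cn=someaccount,dc=nortel,dc=com" credentials=secret
    tls_reqcert=never

# no TLS at all: the simple-bind password crosses the wire in clear
syncrepl rid=986
    provider=ldap://myhost.nortel.com:10389
    type=refreshAndPersist searchbase="dc=nortel,dc=com"
    bindmethod=simple binddn="cn=someaccount,dc=nortel,dc=com" credentials=secret
"""


def logical_lines(text):
    """slapd.conf(5): a line that starts with whitespace continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_syncrepl(line):
    """'syncrepl rid=983 retry="30 +" ...' -> {'rid': '983', 'retry': '30 +', ...}"""
    opts = {}
    for tok in shlex.split(line)[1:]:   # shlex removes the quoting slapd.conf allows
        key, _, value = tok.partition("=")
        opts[key.lower()] = value
    return opts


def uses_tls(opts):
    """True when the consumer connection is TLS-protected (ldaps:// or StartTLS)."""
    return (opts.get("provider", "").lower().startswith("ldaps://")
            or opts.get("starttls", "").lower() in ("yes", "critical"))


def lint(conf_text):
    """Return (rid, finding) pairs, one per syncrepl stanza with a TLS trust problem."""
    findings = []
    for line in logical_lines(conf_text):
        if line.split()[0].lower() != "syncrepl":
            continue
        opts = parse_syncrepl(line)
        rid = opts.get("rid", "?")
        if not uses_tls(opts):
            findings.append((rid, "no-tls"))
        elif opts.get("tls_reqcert", "").lower() in ("never", "allow"):
            findings.append((rid, "verify-disabled"))
        elif "tls_cacert" not in opts:
            findings.append((rid, "no-tls_cacert"))
    return findings


if __name__ == "__main__":
    for rid, finding in lint(SAMPLE_CONF):
        print(f"rid={rid}: {finding}")
```

Running it on the sample flags rid=983 (no tls_cacert), rid=985 (verification disabled) and rid=986 (no TLS), and passes rid=984. Before pointing tls_cacert at a file, it is worth confirming that the file really validates the provider's chain from the consumer host, for example with `openssl s_client -connect myhost.nortel.com:10636 -CAfile 0.pem` and checking for `Verify return code: 0 (ok)`. The "tlsv1 alert unknown ca" seen on the master above is the alert the consumer sends when that validation fails, so the error is logged on the provider but the trust problem is on the consumer side.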