All,
My setup consists of three servers, each syncing with the others. The host names are:
1) mm-server1.example.ldap
2) mm-server2.example.ldap
3) mm-server3.example.ldap
Utilizing TLSv1, on all three I have:
olcTLSCertificateFile: /usr/local/openldap/etc/openldap/CA/cacert.pem
olcTLSCertificateKeyFile: /usr/local/openldap/etc/openldap/CA/private/cakey.pem
olcTLSCipherSuite: HIGH:MEDIUM+TLSv1+SSLv3
Configured with self-signed wild-card certs, originally configured (using openssl 0.9.8) on mm-server2 and exported to the other servers.
When running ldapmodify, ldapsearch, etc. with a "-Z", and openssl s_client, on mm-server1 or mm-server3 or any client pointing back to mm-server1 or 3, I receive the following error:
TLS certificate verification: Error, self signed certificate
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate).
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)
Running any of those to mm-server2, it works with no such error.
I am guessing that, since the certs were originally created on mm-server2, that is why it works this way. I am also guessing I missed a step somewhere.
I read online a post from 2005 with a good explanation of self-signed from Howard Chu about a similar problem.
What is the best procedure for creating wild-card certs and sharing those out to other servers? The procedure that was used was from openssl.org so it was not a fly-by-night weblog.
What did I miss (besides: a lot)?
Thanks in advance,
John D. Borresen (Dave)
Linux/Unix Systems Administrator
MIT Lincoln Laboratory
Surveillance Systems Group
244 Wood St
Lexington, MA 02420
Ph: (781) 981-1609
Email: john.borresen@ll.mit.edu
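As an added example (not part of the original post), the following shell script reproduces the "self signed certificate" verification failure quoted above with a throwaway wild-card certificate, and then shows the same certificate passing once the verifier is told to trust it as a CA, which is what pointing a client's ldap.conf TLS_CACERT at the cert does. It assumes openssl is on PATH; the CN and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl is on PATH.
# Creates a self-signed wild-card cert (constructed CN) and verifies it with
# and without a trust anchor, to show why a client that has not been told to
# trust the cert reports "certificate verify failed (self signed certificate)".
set -u
WORK=$(mktemp -d)
CERT="$WORK/cacert.pem"
KEY="$WORK/cakey.pem"

# Make a self-signed wild-card certificate like the one described in the post.
make_selfsigned_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=*.example.ldap" -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# A certificate is self-signed when its issuer equals its subject.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Verify with no trust anchor: what a client without TLS_CACERT sees.
verify_untrusted() {
  openssl verify "$1" >/dev/null 2>&1
}

# Verify with the cert itself as the trust anchor (TLS_CACERT pointing at it).
verify_trusted() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

make_selfsigned_cert
is_self_signed "$CERT" && echo "cert is self-signed (issuer == subject)"
verify_untrusted "$CERT" || echo "no trust anchor: verify fails (the error in the post)"
verify_trusted "$CERT" && echo "cert supplied as CA: verify succeeds"
```

The server-side fix is the mirror image: every client that talks to mm-server1 or mm-server3 must have the same cert (or the CA that signed it) in its TLS_CACERT, not only the host where the cert was generated.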