r0m5 wrote:
So I set up a PKI and now it looks OK regarding syncrepl. So I guess my problem might be related to ITS#8427, which I didn't see before posting here.
I still have issues, though, with applications randomly failing STARTTLS to my consumers.
Many problems like this are caused by not getting the PKI to issue correct public-key certs. In particular, you should put all DNS names an LDAP client might use to connect to your LDAP server in the subjectAltName extension.
E.g. ITS#8427 says: "Provide the servers with TLS certificates that are correct but do not include an address used in syncrepl provider setting." What the heck does that mean?!?
Ciao, Michael.
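The subjectAltName advice above, as an added example that is not part of this thread or of OpenLDAP itself: a shell script that issues a throwaway CA and a server cert listing every hostname and IP address a client or syncrepl consumer might use, then runs OpenSSL's own hostname matching against each name. The names ldap1.example.com, ldap1 and 192.0.2.10 are assumptions for illustration. It only needs the openssl command line (1.0.2 or newer for -verify_hostname and -verify_ip).

```shell
#!/bin/sh
# Added example (not from the thread): issue a server cert whose subjectAltName
# lists every name LDAP clients and syncrepl consumers use, then check each
# name against it with OpenSSL's own hostname matching.
# Hypothetical names: ldap1.example.com, ldap1 and 192.0.2.10.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway CA and a server cert carrying DNS and IP SANs.
issue_certs() {
  cat >"$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example LDAP CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  cat >"$WORK/server.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = ldap1.example.com
EOF
  # Every name a client might put in an ldap:// URI or a syncrepl provider=
  # setting belongs here; the CN alone is ignored by modern TLS libraries
  # once a subjectAltName is present.
  cat >"$WORK/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap1.example.com,DNS:ldap1,IP:192.0.2.10
EOF
  openssl req -x509 -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 30 2>/dev/null
  openssl req -new -config "$WORK/server.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null
}

# Exit 0 when the DNS name matches the cert (the same check a TLS client does).
check_name() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$WORK/server.pem" >/dev/null 2>&1
}

# Same for a literal IP address, which is matched against IP SANs only.
check_ip() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_ip "$1" "$WORK/server.pem" >/dev/null 2>&1
}

# Print the SANs actually embedded: the first thing to compare against the
# provider= URIs when a consumer fails STARTTLS.
show_sans() {
  openssl x509 -in "$WORK/server.pem" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

issue_certs
show_sans
for name in ldap1.example.com ldap1 ldap2.example.com; do
  if check_name "$name"; then echo "$name: OK"; else echo "$name: hostname mismatch"; fi
done
if check_ip 192.0.2.10; then echo "192.0.2.10: OK"; else echo "192.0.2.10: IP mismatch"; fi
```

Run check_name (or check_ip for a bare address) with the exact host part of every provider= URI in the consumers' syncrepl settings and of every URI clients use; a certificate that is otherwise valid but lists none of those names fails this check in exactly the way a TLS client would fail it, which is the situation the ITS text quoted above describes.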