Thanks Michael. The message is clear but the solution isn't. I think you missed the part about this exact same slapd node being a replication consumer replicating successfully using the exact same certificate/TLS setup. Just for added validation the masters have been active for a couple years serving a very active test environment with ~100 test clients connecting via ldaps. Something appears to be hinky with the configuration processing or certificate validation processing in back-ldap. My gut is that olcDBStartTLS isn't being converted/formatted correctly or isn't being parsed correctly and the option to set the path to the CA cert file is being ignored.
-Jon
On Jul 8, 2017, at 6:39 AM, Michael Ströder <michael@stroeder.com> wrote:
Jon C Kidder wrote:
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: […]
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
I think these messages are pretty clear. Something's wrong on your back-ldap proxy with validating the target server's certificate.
It's a pretty good idea to verify first on the command-line:
openssl s_client -connect ldap.example.com:636 -CAfile /path/to/rootca.crt
LDAPTLS_CACERT=/path/to/rootca.crt ldapwhoami ldaps://ldap.example.com
Ciao, Michael.