I have 2 servers (version 2.4.31) in multi-master replication behind a single IP. Whenever replication tries to start, it fails because the cert name does not match the hostname.
----
TLS: hostname (per5-unity-ldap02.mbox.net) does not match common name in certificate (unity-ldap.mbox.net).
5009c52e slap_client_connect: URI=ldap://per5-unity-ldap02.mbox.net
Error, ldap_start_tls failed (-11)
5009c52e do_syncrepl: rid=523 rc -11 retrying (5 retries left)
----
However, in the slapd configuration I have the olcSyncrepl tls_reqcert parameter set to 'never':
----
olcSyncrepl: {0}rid=523 provider="ldap://per5-unity-ldap02.mbox.net"
network-timeout=2 retry="1 10 10 60 60 +" keepalive="60:3:60"
starttls=critical tls_reqcert=never
bindmethod=simple timeout=2 binddn="uid=foo,cn=bar" credentials="baz"
type=refreshAndPersist searchbase="dc=my,dc=domain"
----
Why is this happening?
I even ran across ITS#7014, which is about this exact issue, and with tls_reqcert=allow and tls_reqcert=never it's not supposed to happen.
Thanks
-Patrick
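As an added example (not part of Patrick's post or of OpenLDAP itself), the Python below applies the RFC 6125 hostname-matching rule to the provider URI from the olcSyncrepl entry against two constructed certificate descriptions, to show which certificate names would and would not satisfy a hostname check for that URI. The certificate contents are constructed stand-ins for parsed certificates, and the "subjectAltName first, CN only as fallback" order is the RFC's rule as implemented here, not a claim about what libldap does.

```python
from urllib.parse import urlparse


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    one '*' allowed only as the entire left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # A wildcard must leave at least two literal labels ("*.net" is rejected)
    # and may only cover a single label ("*.mbox.net" does not match a.b.mbox.net).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_uri(cert: dict, uri: str) -> tuple:
    """Return (matched, reason) for a provider URI such as the one in olcSyncrepl.
    cert is a constructed stand-in for a parsed certificate:
    {'cn': subject CN, 'san': [dNSName entries]}."""
    host = urlparse(uri).hostname
    if host is None:
        return False, "URI has no host"
    sans = cert.get("san", [])
    if sans:  # SAN present: per RFC 6125 the CN is not consulted at all
        for name in sans:
            if hostname_matches(name, host):
                return True, f"matched subjectAltName {name}"
        return False, f"{host} not in subjectAltName {sans}"
    if hostname_matches(cert["cn"], host):
        return True, f"matched CN {cert['cn']}"
    return False, (f"hostname ({host}) does not match common name "
                   f"in certificate ({cert['cn']})")


PROVIDER_URI = "ldap://per5-unity-ldap02.mbox.net"  # from the olcSyncrepl entry above

# Constructed: a certificate issued only for the shared service name seen in the log.
SHARED_NAME_CERT = {"cn": "unity-ldap.mbox.net", "san": []}
# Constructed: a certificate that also names the individual replica behind the shared IP.
PER_HOST_CERT = {"cn": "unity-ldap.mbox.net",
                 "san": ["unity-ldap.mbox.net", "per5-unity-ldap02.mbox.net"]}

if __name__ == "__main__":
    for label, cert in (("shared-name cert", SHARED_NAME_CERT),
                        ("per-host cert", PER_HOST_CERT)):
        print(label, cert_matches_uri(cert, PROVIDER_URI))
```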