Hi Brian, I can think about several possibilities: [1] the value of nsslapd-validate-cert config attribute may have changed (i.e: now the certificate chain is verified while it was not the case before) Turning off nsslapd-validate-cert should then solve the issue. [2] DNS resolution issue: i.e: fully qualified hostname associated with the supplier ip address differs on both machines (But upgrading RHDS should not impact the DNS resolution ... ) [3] Problem in the way the certificate gets generated ... certutil -L -d /etc/dirsrv/slapd-*inst* [name] is your friend to display the certificate(s).
Good luck ! Pierre On Tue, Jul 19, 2022 at 9:52 PM Brian Collins <rbriancoll...@gmail.com> wrote: > Good day, > > We have an LDAP cluster on RHEL 8. We were > running 1.4.4.17-1.module_el8+13163+e27841f7.x86_64 and recently updated > to 2.0.15-1.module_el8+14185+adb3f555.x86_64. > > Since then, replication fails from any server to any other server. What I > am seeing in /var/log/dirsrv/slapd-pro01/errors is: > [19/Jul/2022:15:20:20.174222661 -0400] - ERR - NSMMReplicationPlugin - > bind_and_check_pwp - agmt="cn=pro01topro02" (pro02:636) - Replication bind > with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) (TLS: > hostname does not match subjectAltName in peer certificate) > and > [19/Jul/2022:15:46:41.092806631 -0400] - ERR - slapi_ldap_bind - Could not > send bind request for id [cn=replication manager,cn=config] authentication > mechanism [SIMPLE]: error -1 (Can't contact LDAP server), system error > -5987 (Invalid function argument.), network error 0 (Unknown error, host " > pro02.example.com:636") > > I regenerated and reinstalled the certs for pro01 and pro02, adding the > SAN. But that did not help things any. > > Did I miss something in the update to v2? > Thanks in advance, > Brian Collins > _______________________________________________ > 389-users mailing list -- 389-users@lists.fedoraproject.org > To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure > -- -- 389 Directory Server Development Team
_______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure