Hi Brian,
I can think about several possibilities:
[1] the value of nsslapd-validate-cert config attribute may have changed
(i.e: now the certificate chain is verified while it was not the case
before)
Turning off nsslapd-validate-cert should then solve the issue.
[2] DNS resolution issue: i.e: fully qualified hostname associated with
the supplier ip address differs on both machines (But upgrading RHDS should
not impact the DNS resolution ... )
[3] Problem in the way the certificate gets generated ...
certutil -L -d /etc/dirsrv/slapd-*inst* [name] is your
friend to display the certificate(s).
Good luck !
Pierre
On Tue, Jul 19, 2022 at 9:52 PM Brian Collins <rbriancoll...@gmail.com>
wrote:
> Good day,
>
> We have an LDAP cluster on RHEL 8. We were
> running 1.4.4.17-1.module_el8+13163+e27841f7.x86_64 and recently updated
> to 2.0.15-1.module_el8+14185+adb3f555.x86_64.
>
> Since then, replication fails from any server to any other server. What I
> am seeing in /var/log/dirsrv/slapd-pro01/errors is:
> [19/Jul/2022:15:20:20.174222661 -0400] - ERR - NSMMReplicationPlugin -
> bind_and_check_pwp - agmt="cn=pro01topro02" (pro02:636) - Replication bind
> with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) (TLS:
> hostname does not match subjectAltName in peer certificate)
> and
> [19/Jul/2022:15:46:41.092806631 -0400] - ERR - slapi_ldap_bind - Could not
> send bind request for id [cn=replication manager,cn=config] authentication
> mechanism [SIMPLE]: error -1 (Can't contact LDAP server), system error
> -5987 (Invalid function argument.), network error 0 (Unknown error, host "
> pro02.example.com:636")
>
> I regenerated and reinstalled the certs for pro01 and pro02, adding the
> SAN. But that did not help things any.
>
> Did I miss something in the update to v2?
> Thanks in advance,
> Brian Collins
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
--
--
389 Directory Server Development Team
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
