Thanks Pierre! I think I've solved the problem. It was my self-signed CA, TinyCA. It seems to be incapable of adding the SAN. I switched to XCA and it signed with the SAN. Replaced the cert on pro02, and now we are replicating again over LDAPS.
Thanks again for the quick response and suggestions! -Brian On Wed, Jul 20, 2022 at 9:12 AM Pierre Rogier <prog...@redhat.com> wrote: > Hi Brian, > > I can think about several possibilities: > [1] the value of nsslapd-validate-cert config attribute may have changed > (i.e: now the certificate chain is verified while it was not the case > before) > Turning off nsslapd-validate-cert should then solve the issue. > [2] DNS resolution issue: i.e: fully qualified hostname associated > with the supplier ip address differs on both machines (But upgrading RHDS > should not impact the DNS resolution ... ) > [3] Problem in the way the certificate gets generated ... > certutil -L -d /etc/dirsrv/slapd-*inst* [name] is your > friend to display the certificate(s). > > Good luck ! > Pierre > > > On Tue, Jul 19, 2022 at 9:52 PM Brian Collins <rbriancoll...@gmail.com> > wrote: > >> Good day, >> >> We have an LDAP cluster on RHEL 8. We were >> running 1.4.4.17-1.module_el8+13163+e27841f7.x86_64 and recently updated >> to 2.0.15-1.module_el8+14185+adb3f555.x86_64. >> >> Since then, replication fails from any server to any other server. What >> I am seeing in /var/log/dirsrv/slapd-pro01/errors is: >> [19/Jul/2022:15:20:20.174222661 -0400] - ERR - NSMMReplicationPlugin - >> bind_and_check_pwp - agmt="cn=pro01topro02" (pro02:636) - Replication bind >> with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) (TLS: >> hostname does not match subjectAltName in peer certificate) >> and >> [19/Jul/2022:15:46:41.092806631 -0400] - ERR - slapi_ldap_bind - Could >> not send bind request for id [cn=replication manager,cn=config] >> authentication mechanism [SIMPLE]: error -1 (Can't contact LDAP server), >> system error -5987 (Invalid function argument.), network error 0 (Unknown >> error, host "pro02.example.com:636") >> >> I regenerated and reinstalled the certs for pro01 and pro02, adding the >> SAN. But that did not help things any. >> >> Did I miss something in the update to v2? >> Thanks in advance, >> Brian Collins >> _______________________________________________ >> 389-users mailing list -- 389-users@lists.fedoraproject.org >> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org >> Fedora Code of Conduct: >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: >> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org >> Do not reply to spam on the list, report it: >> https://pagure.io/fedora-infrastructure >> > > > -- > -- > > 389 Directory Server Development Team > _______________________________________________ > 389-users mailing list -- 389-users@lists.fedoraproject.org > To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure >
_______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure