Re: Hostname does not match CN

Rob Crittenden <rcritten at redhat.com> wrote:
> Alex aka Magobin wrote:
 [...]
> > today I tried to issue 2 server certs using the same CA...using the same
> > CN...I can make correctly the certs and in Manage Certificate I can see
> > both server certs with the same name...but when I try to establish ssl
> > encryption between servers:
> >
> > NSMMReplicationPlugin -agmt="cn="Replication to
> > nodo1.domain.example.com""(nodo1:636): Simple bind failed, LDAP sdk
> > error 81 (Can't contact LDAP server), Netscape Portable Runtime error-
> > 12276 (Unable to communicate securely with peer: requested domain name
> > does not match the server's certificate.)
> >
> > Is there someone that uses two Fedora DS servers to authenticate clients?
> > Even if I can browse FDS in clear mode both on nodo1 and nodo2...in
> > encrypted mode only one can certificate my clients?
>
> This isn't an SSL problem, it's a problem with the way you are trying to
> use it. You are trying to present the world with a single directory
> server and behind the scenes have 2 physical servers. Nothing wrong with
> this but you were told a while back that this could be a problem.
>
> You basically need your machine to answer to 2 separate things: its
> "real" hostname and the "cluster" hostname.
>
> As I see it, there are 2 ways to resolve this. I'm not a DS engineer so
> I can't say which one is more plausible/possible, and there may be other
> ways that I'm not seeing.
>
> 1. The easiest solution is to use a wildcard in the SSL server
> certificate hostname: CN=*.example.com. This is super ugly but should
> work. Note that you'll never get a CA like Verisign to issue you a
> wildcard server certificate. So if you are using your own self-signed CA
> during testing and plan to get server certs later from another CA beware.
>
> 2. I wonder if it is possible to set up multiple listeners and assign a
> separate SSL certificate to each one. Then you could have
> CN=host1.example.com on say port 638 for replication and
> CN=ldap.example.com on 636 for general use.
>
> I don't know if #2 is even possible right now. #1 definitely is but has
> issues. One of the reasons for SSL is to prevent man-in-the-middle
> attacks. This is precisely the problem you are having. SSL is detecting
> that things aren't lining up like they should and preventing you from
> continuing. While a wildcard certificate will get around this you must
> understand that you are also giving up a certain amount of security.

Does Directory Server support the subjectAltName extension on SSL certs?
If it does, then you could create a certificate with a subject of
cn=ldap.domain.example.com,... and a subjectAltName of something like
DNS:nodo1.domain.example.com.  I think you can have multiple subjectAltName
extensions on one certificate.

See /usr/share/doc/openssl-0.9.7a/openssl.txt for some more details. I'm
not a DS engineer either, and while it's on my "to do" list, I haven't
tried this myself yet.

  -- Steve Bonneville
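To make the two proposals concrete, here is an added illustration (not code from anyone in the thread) of how a TLS client's hostname check treats the three certificate shapes discussed: a CN-only cert like the original poster's, Rob's wildcard cert, and Steve's cert with several DNS subjectAltName entries. The certificate dicts are constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns; no real keys or network are involved, and the matching rules follow RFC 6125 (SAN takes precedence over CN; a wildcard is only the whole leftmost label and matches exactly one label).

```python
"""Hostname checks of the kind that produce 'requested domain name does not
match the server's certificate'. Certificates are constructed dicts in the
shape of ssl.SSLSocket.getpeercert(); no real keys are involved."""


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one presented DNS identifier against a hostname (RFC 6125 style:
    case-insensitive; a wildcard only as the entire leftmost label, matching
    exactly one label, so *.domain.example.com does not cover
    domain.example.com or a.b.domain.example.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if cert is valid for hostname. If any DNS subjectAltName is
    present, only those names are consulted; the subject CN is consulted
    only for legacy certs with no SAN (the original poster's situation)."""
    san = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return any(_dns_name_match(n, hostname) for n in san)
    cn = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return any(_dns_name_match(n, hostname) for n in cn)


def make_cert(cn: str, *san: str) -> dict:
    """Build a constructed peer-cert dict with the given CN and DNS SANs."""
    cert = {"subject": ((("commonName", cn),),)}
    if san:
        cert["subjectAltName"] = tuple(("DNS", n) for n in san)
    return cert


# The three certificate shapes from the thread (constructed, not real certs):
CN_ONLY = make_cert("ldap.domain.example.com")                 # original cert
WILDCARD = make_cert("*.domain.example.com")                   # Rob's option 1
SAN_CERT = make_cert("ldap.domain.example.com",                # Steve's SAN idea
                     "ldap.domain.example.com", "nodo1.domain.example.com")


def verify_outcomes(cert: dict) -> dict:
    """Which names (cluster name, replica peer, an unrelated host) verify."""
    return {h: hostname_matches(cert, h) for h in (
        "ldap.domain.example.com", "nodo1.domain.example.com",
        "nodo2.domain.example.com", "other.domain.example.com")}


if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("wildcard", WILDCARD), ("SAN", SAN_CERT)):
        print(label, verify_outcomes(cert))
```

Running it shows the trade-off Rob describes: the wildcard cert verifies for every host under the domain, including ones that should never present it, while the SAN cert verifies for exactly the cluster name and the one replica it was issued for.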
