On 10/07/2015 08:34 AM, Karel Lang AFD wrote:
> hi,
> In reply to my own question (presented as topic no. 1 in vol.125 -see
> below- chainmail):
> It is solved, the problem is that the script recommended by the Fedora
> wiki (setupssl2.sh) as a way of automatic SSL generation for a 389-DS
> server is not suitable for setting up multimaster or master/slave
> scenarios.
Correct. It is for single server self signed scenarios (e.g. testing,
not production). You really need a "real" CA in order to issue multiple
certs for multiple servers.
If that is not clear from the docs, please let us know.
> It is OK to use the script for SSL generation and enabling for a single
> 389 server, but not for replication, as the servers do not trust each
> other (even after importing the CA certificate into each other),
> because there are a number of errors to deal with - like - the same serial no.
> of certificates, parameters of the generated CA cert etc.
> I had to delete those script-generated SSL certs on both servers,
> manually create my own company CA key and then sign my own company CA
> certificate with this key.
> Then create a CSR file from each 389-DS server, sign these CSR files with
> the company CA cert and import the created *CRT keys to each server
> (for the directory server and the administration dir server separately, ofc).
Great! That sounds like the right way to go.
> After that, all worked without problems.
> So as a conclusion, the script is OK for testing purposes and quick server
> setups, but not really for live or more complicated scenarios.
> But anyway kudos to anyone who wrote it, because I 'gutted' it in
> order to better understand the whole process.
If the documentation needs to be made more clear that the intention of
setupssl2.sh is for demo/testing purposes only, please let us know.
cheers,
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
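The procedure quoted above (own CA key, self-signed company CA cert, one CSR per 389-DS server signed by that CA, then import), written out as an added OpenSSL shell example that is not part of the original thread or of 389-DS itself; the organisation name, host names and validity periods are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a private CA issuing one certificate
# per 389-DS replica, so every server trusts the same CA and no two server
# certs share a serial number. Subjects and host names are placeholders.
set -e

# Create the company CA (key + self-signed cert) in $1, then issue a
# CA-signed certificate for each host name given as a further argument.
issue_ds_certs() {
  dir="$1"; shift
  mkdir -p "$dir"
  # Company CA key and self-signed CA certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/O=Example Corp/CN=Example Corp Root CA" 2>/dev/null
  for host in "$@"; do
    # Per-server key and CSR (in practice generated on that server)
    openssl req -newkey rsa:2048 -nodes \
      -keyout "$dir/$host.key" -out "$dir/$host.csr" \
      -subj "/O=Example Corp/CN=$host" 2>/dev/null
    # Sign the CSR with the CA; ca.srl keeps a running counter, so each
    # certificate gets a distinct serial number
    openssl x509 -req -days 825 -in "$dir/$host.csr" \
      -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
      -out "$dir/$host.crt" 2>/dev/null
    # Check that the cert chains to the CA before importing anything
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null
  done
}

# Print a certificate's serial number, e.g. to confirm that two server
# certs differ (the shared-serial problem described in the thread)
cert_serial() {
  openssl x509 -noout -serial -in "$1" | cut -d= -f2
}
```

Each server then imports ca.crt as a trusted CA plus only its own key and certificate into its NSS certificate database; as the thread notes, the directory server and the admin server each have their own database and are set up separately.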