> On 13 Nov 2019, at 20:29, Graham Leggett <minfrin@xxxxxxxx> wrote:
>
> On 13 Nov 2019, at 01:37, William Brown <wbrown@xxxxxxx> wrote:
>
>>> Does anyone know why 389ds would suddenly stop sending the full certificate chain while replicating?
>>>
>>> It also looks like the error handling in 389ds SSL is broken - if the slave sent "unknown CA" to the master, the master needs to log that fact, and not report the error as "success".
>>
>> We'll need to see the output of certutil -L -d /etc/dirsrv/slapd-<instance>/ from both the master and replica servers please.
>>
>> In a TLS auth process the client doesn't send its CA - if you get unknown CA it's most likely the replica has either had the CA and its chain members expire, or they are not marked as trusted for client auth. So that's why I'd like to see the certutil output please.
>
> I discovered the same problem had been reported in OpenLDAP: https://www.centos.org/forums/viewtopic.php?t=67042
>
> This in turn is caused by a regression in NSS, where it is no longer sufficient to have a trusted root certificate, you now need all intermediate certificates marked as trusted as well.
>
> Making the following change to the intermediate certs fixed the problem:
>
> [root@ldap01 ~]# certutil -L -d /etc/dirsrv/slapd-hg
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> intermediateB                                                ,,
> intermediateA                                                ,,
> rootrootroot                                                 CT,C,C
> ldap01                                                       u,u,u
> [root@ldap01 ~]# certutil -M -d /etc/dirsrv/slapd-hg -t "CT,C,C" -n "intermediateA"
> [root@ldap01 ~]# certutil -M -d /etc/dirsrv/slapd-hg -t "CT,C,C" -n "intermediateB"
> [root@ldap01 ~]# certutil -L -d /etc/dirsrv/slapd-hg
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> intermediateA                                                CT,C,C
> intermediateB                                                CT,C,C
> rootrootroot                                                 CT,C,C
> ldap01                                                       u,u,u
>
> Raised the bug here: https://bugzilla.redhat.com/show_bug.cgi?id=1771979

Awesome work, thanks for following up on this!
>
> Regards,
> Graham
> —
>
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx

—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs
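One way to automate the check Graham applied above, as an added example that is not from this thread or from the 389ds project: parse `certutil -L` output in the layout shown, report every certificate whose SSL trust slot carries neither C (trusted CA) nor u (the server's own key), and emit the matching `certutil -M` commands. The sample listing and the database path are constructed from the thread; the flag semantics are NSS's, but the helper names are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample, shaped like the `certutil -L -d <dbdir>` output quoted in the thread.
SAMPLE_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

intermediateB                                                ,,
intermediateA                                                ,,
rootrootroot                                                 CT,C,C
ldap01                                                       u,u,u
"""

# Nickname (may contain spaces), whitespace, then the three comma-separated trust slots.
_ENTRY_RE = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_listing(text: str) -> Dict[str, str]:
    """Map nickname -> trust attribute string, skipping the two header lines and blanks."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Certificate Nickname") or line.strip().startswith("SSL,S/MIME"):
            continue
        m = _ENTRY_RE.match(line)
        if m:
            entries[m.group("nick")] = m.group("trust")
    return entries


def untrusted_ca_candidates(entries: Dict[str, str]) -> List[str]:
    """Nicknames whose SSL slot lacks 'C' (trusted CA) and 'u' (own certificate with key).

    After the NSS change described in the thread, an intermediate left in this state
    breaks chain building for replication even though the root is trusted.
    """
    flagged = []
    for nick, trust in entries.items():
        ssl_flags = trust.split(",")[0]
        if "C" not in ssl_flags and "u" not in ssl_flags:
            flagged.append(nick)
    return sorted(flagged)


def remediation_commands(db_dir: str, nicks: List[str]) -> List[str]:
    """The certutil -M invocations from the thread, one per intermediate to mark as trusted CA."""
    return [f'certutil -M -d {db_dir} -t "CT,C,C" -n "{n}"' for n in nicks]


if __name__ == "__main__":
    found = untrusted_ca_candidates(parse_listing(SAMPLE_LISTING))
    print("\n".join(remediation_commands("/etc/dirsrv/slapd-hg", found)))
```

Feed it the real listing (`certutil -L -d /etc/dirsrv/slapd-<instance>`) on both master and replica and compare; review the output before running anything, since a leaf or peer certificate that was deliberately left without CA trust would also be listed.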