Alex wrote:
Like Richard said, what is nsSSLPersonalitySSL set to in dse.ldif on the nodes?you should keep the names consistent. I mean, how do you know whether alt-server refers to nodo1 or nodo2?? You know now but what about 5 months from now??also, can you do ldapsearch -ZZ against both nodo1/2 without problems?I'm apologize but I'don't understand what you want to say...and no....at this point I can't do ldapsearch -zz I only follow your instructions to enable encryption on both server and trying to make a query from a client on both server using a floating ip with ssl enable....I understood that the solution was SubjectAltName and I asked in which way was possible to implement it...following Rob tips seems doesn't working and last post is the last step on my configuration for testing it.
You are doing a couple of odd things:1. Why does nodo1 get it's own nickname but nodo2 is named Alt-Cert? As I've said before, the nicknames aren't important, but you should have some sort of naming policy. 2. You may need to fully qualify the cn in the certificates: nodo1.domain.example.com. This alone could explain the -12276 error. I don't know if NSS will reconstitute the domain from it's dc components.
Does ldapsearch work against each fully-qualified host? Get ldapsearch working for the CN and for the alt subject first before trying to do MMR.
rob
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
