#1
Old 07-14-2011, 08:12 AM
Intermediate Member
Posts: 17
Zimbra LDAP replication problem: TLS isn't working.

Hello, I'm trying to install a second zimbra instance for LDAP replication.

The ldap master host is c.correo, and the replica is d.correo. After the installation, I see in the replica's zimbra log:

slap_client_connect: URI=ldap://c.correo.uc.edu.ve:389 Error, ldap_start_tls failed (-11)

So, it can't connect to the ldap master. I made a manual test without TLS

ldapsearch -x -H ldap://c.correo -D cn=config -w mypwd -b dc=mydomain 'uid=me'

and it works. But when I try using TLS

ldapsearch -x -Z -H ldap://c.correo -D cn=config -w mypwd -b dc=mydomain 'uid=me'

It answers:

ldap_start_tls: Connect error (-11)
ldap_result: Can't contact LDAP server (-1)

So, it seems that the LDAP master host is not answering TLS connections. How can I activate TLS answers in Zimbra's OpenLDAP?

Thanks in advance.
#2
Old 07-14-2011, 04:08 PM
Zimbra Employee
Posts: 580

add -d -1 to your ldapsearch command. Most likely your master has a different CA than your replica, and so the replica can't verify the master's cert.
__________________
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
#3
Old 07-15-2011, 07:21 AM
Intermediate Member
Posts: 17

Thanks!

In effect, when I run the search with -d -1 I get

[...]
TLS certificate verification: depth: 0, err: 20, subject: /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=c.correo.uc.edu.ve, issuer: /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=c.correo.uc.edu.ve
TLS certificate verification: Error, unable to get local issuer certificate
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
[...]
If I edit ~zimbra/openldap/etc/openldap/ldap.conf and add

TLS_REQCERT never

then ldapsearch -Z ... succeeds.

The master LDAP is an old instance, more than a year old, so its original certificate expired and I had to generate a new one (which I did by hand), but I don't think I changed the CA. These are the md5sums of the certs on the master:

d1c089d9c6dfaa9077cd357b05c86196 ./conf/ca/ca.pem
d1c089d9c6dfaa9077cd357b05c86196 ./ssl/zimbra/ca/ca.pem

and these are the ones on the replica:

d1c089d9c6dfaa9077cd357b05c86196 ./conf/ca/ca.pem
d1c089d9c6dfaa9077cd357b05c86196 ./ssl/zimbra/ca/ca.pem

What can I do to restore the validity of the certificate on c.correo?
#4
Old 07-15-2011, 11:17 AM
Zimbra Employee
Posts: 580

It clearly states in your debug log that it doesn't know the CA:

TLS trace: SSL3 alert write:fatal:unknown CA

What does

ls -l /opt/zimbra/conf/ca

show on the replica and the master?
__________________
Quanah Gibson-Mount
#5
Old 07-16-2011, 05:37 AM
Intermediate Member
Posts: 17

On the master:

lrwxrwxrwx 1 root root 6 Jul 15 09:30 22cd13e9.0 -> ca.pem
-rw-r--r-- 1 root root 887 Jul 15 09:30 ca.key
-rw-r--r-- 1 root root 976 Jul 15 09:30 ca.pem

On the replica:

-rw-r----- 1 zimbra zimbra 887 Jul 14 09:27 ca.key
-rw-r----- 1 zimbra zimbra 976 Jul 14 09:27 ca.pem
lrwxrwxrwx 1 zimbra zimbra 6 Jul 14 09:27 f84c91e9.0 -> ca.pem
#6
Old 07-18-2011, 10:48 AM
Zimbra Employee
Posts: 580

Note the difference in generated x509 hash between the master and the replica. Clearly the ca.pem files are different. You need to copy the "ca.pem" from the master to the replica, naming it "master_ca.pem" or similar. Create the same symlink to it as exists on the master. This way the replica will be able to verify the cert provided by the master.
__________________
Quanah Gibson-Mount
#7
Old 07-19-2011, 06:15 AM
Intermediate Member
Posts: 17

Thanks!

After reading your comments I realized that when my cert expired, I only upgraded c.correo:/opt/zimbra/ssl/zimbra/server/server.crt but not c.correo:/opt/zimbra/conf/ca/ca.pem.

So I did:

cd /opt/zimbra/conf/ca
openssl x509 -in ca.pem -days 3650 -out ca.pem -signkey ca.key

and then copied the certs to d.correo, as you indicated in your last message. Now the replica is working.

Thanks again.
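As an added example (not code from the thread, from Zimbra or from the posters), the diagnosis behind posts #5 and #6 and the fix from post #6 reproduced offline with the openssl command line: two throwaway CAs stand in for the master's and the replica's, a server cert for the master is signed by the master CA, and verification through the replica's hash-named CA directory plays the role of the replica's ldap_start_tls check. The assumption that ldap.conf finds the CA by its "<subject hash>.0" link (TLS_CACERTDIR-style lookup, as the listing in post #5 suggests) and the hostname used for the server cert are taken from the thread, not verified against Zimbra's configuration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zimbra: reproduce the
# replica-side CA check with plain openssl in a throwaway directory, then
# apply the fix from post #6 (copy the master CA in under another name and
# add the hash symlink). Assumption: ldap.conf uses TLS_CACERTDIR, so the
# CA is looked up by the "<subject hash>.0" link seen in post #5.
set -e

# Subject hash of a CA cert: the name the "<hash>.0" symlink must have.
ca_hash() { openssl x509 -noout -subject_hash -in "$1"; }

# Exit 0 if cert $2 verifies via hashed CA dir $1, as ldap_start_tls would.
verify_with_cadir() { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }

# Fixture only: self-signed CA with CN $2 plus its hash symlink in $1.
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    ln -sf ca.pem "$1/$(ca_hash "$1/ca.pem").0"
}
# Fixture only: server cert for CN $3 in $1, signed by the CA in $2.
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$2/ca.pem" -CAkey "$2/ca.key" \
        -CAcreateserial -days 365 -out "$1/server.crt" 2>/dev/null
}
# Post #6's fix: master CA $1 into replica CA dir $2 under a distinct name.
install_master_ca() {
    cp "$1" "$2/master_ca.pem"
    ln -sf master_ca.pem "$2/$(ca_hash "$1").0"
}
# The thread's situation: master and replica were set up with different CAs.
setup_fixture() {
    make_ca "$1/master/ca" "master CA"
    make_ca "$1/replica/ca" "replica CA"
    make_server_cert "$1/master" "$1/master/ca" "c.correo.uc.edu.ve"
}
demo() {
    d=$(mktemp -d)
    setup_fixture "$d"
    verify_with_cadir "$d/replica/ca" "$d/master/server.crt" \
        && echo "unexpected: verified" || echo "before fix: unknown CA"
    install_master_ca "$d/master/ca/ca.pem" "$d/replica/ca"
    verify_with_cadir "$d/replica/ca" "$d/master/server.crt" \
        && echo "after fix: verified" || echo "after fix: still failing"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh check_ca.sh demo` to see the before/after. Re-signing the CA as in post #7 keeps its subject and therefore its hash name, so a stale copy on the replica is not caught by the symlink name and has to be copied over again.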