Hi Everyone,

 

I've configured 2 new 389 DS hubs (eg new1.example.com, new2.example.com) and have connected them to our main 389 DS cluster.

They each have their own self-signed certificate, and replication is working well.

 

I now want to load-balance these 2 nodes under their own VIP/hostname: downtown.example.com.

I have added our wildcard cert for *.example.com to each node's NSS cert DB in /etc/dirsrv/slapd-<instance> to cover the "downtown.example.com" address.

 

However, querying the VIP's SSL, I see that the new node's self-signed cert is still presented instead of the wildcard:

 

$ echo | openssl s_client -connect downtown.example.com:636

CONNECTED(00000003)

depth=1 CN = self-ca.example.com

verify error:num=19:self signed certificate in certificate chain

---

<server cert details redacted>

 

I thought that perhaps the node's own new1.example.com self-signed cert was taking precedence over the wildcard cert.

But removing it resulted in:

 

$ echo | openssl s_client -connect downtown.example.com:636

socket: Bad file descriptor

connect:errno=9

 

 

Would anyone be able to tell me how to achieve this correctly, or point me in the right/another direction?

 

Thanks a lot,

Trev