Hi Everyone,
I've configured 2 new 389 DS hubs (e.g. new1.example.com, new2.example.com) and have
connected them to our main 389 DS cluster.
They each have their own self-signed certificate, and replication is working well.
I now want to load-balance these 2 nodes under their own VIP/hostname: downtown.example.com.
I have added our wildcard cert for *.example.com to each node's NSS cert DB in
/etc/dirsrv/slapd-<instance> to cover the "downtown.example.com" address.
However, querying the VIP's SSL, I see that the new node's self-signed cert is
still presented instead of the wildcard:
$ echo | openssl s_client -connect downtown.example.com:636
CONNECTED(00000003)
depth=1 CN = self-ca.example.com
verify error:num=19:self signed certificate in certificate chain
---
<server cert details redacted>
I thought that perhaps the node's own new1.example.com self-signed cert was taking
precedence over the wildcard cert.
But removing it resulted in:
$ echo | openssl s_client -connect downtown.example.com:636
socket: Bad file descriptor
connect:errno=9
Would anyone be able to tell me how to achieve this correctly, or point me in the
right/another direction?
Thanks a lot,
Trev