Bug 1903350

Summary:	LDAPS replication and dsconf replication status fails with error "certificate verify failed"
Product:	Red Hat Directory Server	Reporter:	Marc Sauton <msauton>
Component:	389-ds-base	Assignee:	Simon Pichugin <spichugi>
Status:	CLOSED ERRATA	QA Contact:	RHDS QE <ds-qe-bugs>
Severity:	high	Docs Contact:	Marc Muehlfeld <mmuehlfe>
Priority:	unspecified
Version:	11.4	CC:	arajendr, cobrown, ldap-maint, mreynolds, sgouvern, spichugi, tmihinto, wrydberg
Target Milestone:	DS11.3	Keywords:	Triaged
Target Release:	dirsrv-11.4
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	redhat-ds-11-8050020210803164248.d3df4063	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2021-10-25 06:36:13 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Marc Sauton 2020-12-01 21:05:17 UTC

Description of problem:

( could not select the python3-lib389 component in this bug report)

dsconf replication status fails when replication is set with SSL or TLS, with error "Can't contact LDAP server" / "error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)"

also related to
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/thread/GVKK5EGFPJQYVJACG5LK7S7ZMFAW3GFZ/
https://github.com/389ds/389-ds-base/issues/4460


the dsconf replication status command seem to use a default value from
/usr/lib/python3.6/site-packages/lib389/__init__.py
and
./src/lib389/lib389/_constants.py:                 SER_SERVERID_PROP: "template",

and it seem the cert_dir may not be initialized, in

/src/lib389/lib389/__init__.py
...
class DirSrv(SimpleLDAPObject, object):

    def get_cert_dir(self):
        return self.ds_paths.cert_dir

it seems like there are a few other non initialized paths in the class DirSrv



dsconf -v m1 replication status --suffix dc=example,dc=test --bind-dn "cn=Directory Manager" --bind-passwd ${DM_BIND_PW}
...snip...
DEBUG: Using external ca certificate /etc/dirsrv/slapd-template
DEBUG: Using certificate policy 1
DEBUG: ldap.OPT_X_TLS_REQUIRE_CERT = 1
DEBUG: Cannot connect to 'ldaps://192.168.122.112:636/'
DEBUG: Connection to consumer (192.168.122.112:389) failed, error: {'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)'}


but an OpenSSL command works just fine:
echo "Q\n" | openssl s_client -connect m1.example.test:636  -no_ign_eof  -state | less
as well as
echo "Q\n" | openssl s_client -connect m2.example.test:636  -no_ign_eof  -state | less
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = m2.example.test
   i:O = example.test, CN = Subordinate CA1 Signing Certificate
 1 s:O = example.test, CN = Subordinate CA1 Signing Certificate
   i:O = Root CA1 Example Test, OU = rootca1, CN = CA Signing Certificate
 2 s:O = Root CA1 Example Test, OU = rootca1, CN = CA Signing Certificate
   i:O = Root CA1 Example Test, OU = rootca1, CN = CA Signing Certificate
---
Server certificate
...snip...
Acceptable client certificate CA names
O = example.test, CN = Subordinate CA1 Signing Certificate
O = Root CA1 Example Test, OU = rootca1, CN = CA Signing Certificate
C = AU, ST = Queensland, L = 389ds, O = testing, CN = ssca.389ds.example.com
Client Certificate Types: RSA sign, ECDSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3604 bytes and written 428 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 7EBE29FCE5887EB794AA9ED39B54A7E1E6B5BCB8D87187E9875100FEC032D203
    Session-ID-ctx: 
    Master-Key: E94291681880FC8E7E04826C9E02F7B7D9A68E5F77972CD4F94700A97406646D492712060F972D0112ACF05FFE4647BF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1606856229
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
(END)


as well as a LDAPS search, from "m1" to "m2":

ldapsearch -o ldif-wrap=no -LLLH ldaps://m2.example.test:636 -D "cn=directory manager" -w password -s base -b "" 'objectclass=*' vendorVersion
dn:
vendorVersion: 389-Directory/1.4.2.12 B2020.119.1433



Version-Release number of selected component (if applicable):
RHEL-8.2
389-ds-base-1.4.2.12-2.module+el8dsrv+6428+6e54c518.x86_64
python3-lib389-1.4.2.12-2.module+el8dsrv+6428+6e54c518.noarch


How reproducible:
on demand


Steps to Reproduce:

1. create 2 instances, example for first one:

groupadd -r ldapgroup1
useradd -r -g  ldapgroup1 ldapuser1
dscreate create-template ~/ds11.instance.inf
sed     -e 's/;instance_name = .*/instance_name = m1/g'     -e 's/;user = .*/user = ldapuser1/g'     -e 's/;group = .*/group = ldapgroup1/g'     -e 's/;root_password = .*/root_password = password/g'     -e 's/;suffix = .*/suffix = dc=example,dc=test/g'     ~/ds11.instance.inf > ~/ds11.m1.instance.inf
dscreate from-file ~/ds11.m1.instance.inf

create a second instance
and set replication as 2x mmr


2. prepare for 2 SSL server certificates issued by a subordinate CA, trust chain example for first one:

trust anchor ~/rootca1.crt 
trust anchor ~/subca1.crt 

trust list ca-anchors | grep -i ca1
[root@m1 slapd-m1]# 

trust list | grep -i ca1
    label: Subordinate CA1 Signing Certificate
    label: SecureSign RootCA11
[root@m1 slapd-m1]# 


3. add the new certificates, with the SSL server cert issued by a subordinate CA

note: did not used the "dsctl m1 tls import commands" nor
dsctl m1 tls generate-server-cert-csr --help
dsctl m1 tls import-server-cert --help
( should I ?) , and instead, did a pk12util import:

dsctl m1 stop
pk12util -i /etc/dirsrv/slapd-m1/ssl.server.cert.m1.from.subca1.p12 -d /etc/dirsrv/slapd-m1/ -k /etc/dirsrv/slapd-m1/pwdfile.txt -W password -n sslserverm1fromsubca1
and then changed the nsSSLPersonalitySSL in the web UI

certutil -O -d /etc/dirsrv/slapd-m1 -n sslserverm1fromsubca1
"rootca1" [CN=CA Signing Certificate,OU=rootca1,O=Root CA1 Example Test]
  "subca1" [CN=Subordinate CA1 Signing Certificate,O=example.test]
    "sslserverm1fromsubca1" [CN=m1.example.test]

dsctl m1 start


3. did some replication tests, example
/usr/bin/ldclt -D "cn=directory manager" -w password -h localhost -p 389 -s subtree -b "ou=people,dc=example,dc=test" -e randombinddn,randombinddnlow=100,randombinddnhigh=999 -e random,attreplace=roomNumber:roomXXX -r 1 -R 19  -n 2 -I 32 -q -f "uid=guestXX"


4. verify replication status:
dsconf -v m1 replication status --suffix dc=example,dc=test --bind-dn "cn=Directory Manager" --bind-passwd ${DM_BIND_PW}
...snip...


Actual results:

...snip...
DEBUG: _gen_selector filter = (&(&(objectclass=nsds5Replica))(|(nsDS5ReplicaRoot=dc=example,dc=test)))
DEBUG: cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config getVal('nsDS5ReplicaRoot')
DEBUG: cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config getVal('nsDS5ReplicaId')
DEBUG: Allocate <class 'lib389.DirSrv'> with None
DEBUG: Allocate <class 'lib389.DirSrv'> with 192.168.122.112:636
DEBUG: Allocate <class 'lib389.DirSrv'> with 192.168.122.112:636
DEBUG: open(): Connecting to uri ldaps://192.168.122.112:636/
DEBUG: Using dirsrv ca certificate /etc/dirsrv/slapd-template
DEBUG: Using external ca certificate /etc/dirsrv/slapd-template
DEBUG: Using external ca certificate /etc/dirsrv/slapd-template
DEBUG: Using certificate policy 1
DEBUG: ldap.OPT_X_TLS_REQUIRE_CERT = 1
DEBUG: Cannot connect to 'ldaps://192.168.122.112:636/'
DEBUG: Connection to consumer (192.168.122.112:389) failed, error: {'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)'}
INFO: {'agmt-name': ['m1tom2exampleSSL'], 'replica': ['192.168.122.112:636'], 'replica-enabled': ['on'], 'update-in-progress': ['FALSE'], 'last-update-start': ['19700101000000Z'], 'last-update-end': ['19700101000000Z'], 'number-changes-sent': ['0'], 'number-changes-skipped': ['unavailable'], 'last-update-status': ["Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)"], 'last-init-start': ['19700101000000Z'], 'last-init-end': ['19700101000000Z'], 'last-init-status': ['unavailable'], 'reap-active': ['0'], 'replication-status': ['Not in Synchronization: supplier (Unknown) consumer (Unknown) State (red) Reason (Consumer can not be contacted)'], 'replication-lag-time': ['Unavailable']}
INFO: Command successful.
[root@m1 slapd-m1]# 


Expected results:
yes


Additional info:

related to

https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/thread/GVKK5EGFPJQYVJACG5LK7S7ZMFAW3GFZ/
https://github.com/389ds/389-ds-base/issues/4460


attempted workaround resulting in a different error:  duplicate the etc instance directory into /etc/dirsrv/slapd-template/ and rehash the certs: "TLS: hostname does not match peer certificate"

# on m1 and m2:
rsync -av /etc/dirsrv/slapd-m1/ /etc/dirsrv/slapd-template/

# on m1:
certutil -L -d /etc/dirsrv/slapd-template/ -n sslserverm1fromsubca1 -a > /etc/dirsrv/slapd-template/sslserverm1fromsubca1.crt

# on m2:
certutil -L -d /etc/dirsrv/slapd-template/ -n sslserverm2fromsubca1 -a > /etc/dirsrv/slapd-template/sslserverm2fromsubca1.crt
certutil -L -d /etc/dirsrv/slapd-template/ -n subca1 -a > /etc/dirsrv/slapd-template/subca1.crt
certutil -L -d /etc/dirsrv/slapd-template/ -n rootca1 -a > /etc/dirsrv/slapd-template/rootca1.crt
openssl rehash  /etc/dirsrv/slapd-template/
ls -l /etc/dirsrv/slapd-template/

# on m1:
dsconf -v m1 replication status --suffix dc=example,dc=test --bind-dn "cn=Directory Manager" --bind-passwd ${DM_BIND_PW}
...snip...
DEBUG: Allocate <class 'lib389.DirSrv'> with 192.168.122.112:636
DEBUG: open(): Connecting to uri ldaps://192.168.122.112:636/
DEBUG: Using dirsrv ca certificate /etc/dirsrv/slapd-template
DEBUG: Using external ca certificate /etc/dirsrv/slapd-template
DEBUG: Using external ca certificate /etc/dirsrv/slapd-template
DEBUG: Using certificate policy 1
DEBUG: ldap.OPT_X_TLS_REQUIRE_CERT = 1
DEBUG: Cannot connect to 'ldaps://192.168.122.112:636/'
DEBUG: Connection to consumer (192.168.122.112:389) failed, error: {'desc': "Can't contact LDAP server", 'info': 'TLS: hostname does not match peer certificate'}
INFO: {'agmt-name': ['m1tom2exampleSSL'], 'replica': ['192.168.122.112:636'], 'replica-enabled': ['on'], 'update-in-progress': ['FALSE'], 'last-update-start': ['19700101000000Z'], 'last-update-end': ['19700101000000Z'], 'number-changes-sent': ['0'], 'number-changes-skipped': ['unavailable'], 'last-update-status': ["Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)"], 'las
t-init-start': ['19700101000000Z'], 'last-init-end': ['19700101000000Z'], 'last-init-status': ['unavailable'], 'reap-active': ['0'], 'replication-status': ['Not in Synchronization: supplier (Unknown) consumer (Unknown) State (red) Reason (Consumer can not be contacted)'], 'replication-lag-time': ['Unavailable']}
INFO: Command successful.


which is strange as both the "m1" and "m2" SSL server ceritifcates do have a SAN extension populated with a correct corresponding DNS name value:
(hostname correct, but DNS resolution could be the cause in my test, but was not in a customer case with the same exact problem)

certutil -L -d ${nssdir} -n sslserverm1fromsubca1 | less
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8 (0x8)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Subordinate CA1 Signing Certificate,O=example.test"
        Validity:
            Not Before: Mon Nov 23 05:59:20 2020
            Not After : Wed Feb 23 01:31:07 2022
        Subject: "CN=m1.example.test"
...snip...
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                e2:45:24:43:7c:b1:ee:f1:a3:44:57:2d:54:87:b7:6f:
                19:91:8f:aa

            Name: Certificate Subject Alt Name
            DNS name: "m1.example.test"

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://ca1.example.test:8444/ca/ocsp"

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Key Encipherment
                    Data Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
                TLS Web Client Authentication Certificate


and

certutil -L -d ${nssdir} -n sslserverm2fromsubca1 | less
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9 (0x9)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Subordinate CA1 Signing Certificate,O=example.test"
        Validity:
            Not Before: Mon Nov 23 06:00:17 2020
            Not After : Wed Feb 23 01:31:07 2022
        Subject: "CN=m2.example.test"
...snip...
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                e2:45:24:43:7c:b1:ee:f1:a3:44:57:2d:54:87:b7:6f:
                19:91:8f:aa

            Name: Certificate Subject Alt Name
            DNS name: "m2.example.test"

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://ca1.example.test:8444/ca/ocsp"

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Key Encipherment
                    Data Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
                TLS Web Client Authentication Certificate
...snip...

Comment 2 mreynolds 2020-12-01 22:00:14 UTC

Regarding this:

    DEBUG: Cannot connect to 'ldaps://192.168.122.112:636/'
    DEBUG: Connection to consumer (192.168.122.112:389) failed, error: {'desc': "Can't contact LDAP server", 'info': 'TLS: hostname does not match peer certificate'}


You can not use an IP address over LDAPS, you must always use the FQDN or else you will get errors like this.

They should update the .dsrc file to use a FQDN instead of the IP address in the "uri", and the tls_cacertdir

example for: /root/.dsrc


[localhost]
tls_cacertdir = /etc/dirsrv/slapd-localhost
uri = ldaps://localhost.localdomain:636


But they probably need this fix as well:

https://github.com/389ds/389-ds-base/pull/4463

Comment 3 Marc Sauton 2020-12-03 05:16:32 UTC

ok for the IP @ in the SSL connections...fixed my test, replaced the nsDS5ReplicaHost with the corresponding hostnames, had some virtual guests and host weirderness with dnsmasq, so the workaround with the slapd-template nss db works:

dsconf -v m1 replication status --suffix dc=example,dc=test --bind-dn "cn=Directory Manager" --bind-passwd password
...snip...
DEBUG: Allocate <class 'lib389.DirSrv'> with m2.example.test:636
DEBUG: open(): Connecting to uri ldaps://m2.example.test:636/
DEBUG: Using dirsrv ca certificate /etc/dirsrv/slapd-template
DEBUG: Using external ca certificate /etc/dirsrv/slapd-template
DEBUG: Using external ca certificate /etc/dirsrv/slapd-template
DEBUG: Using certificate policy 1
DEBUG: ldap.OPT_X_TLS_REQUIRE_CERT = 1
DEBUG: open(): bound as cn=Directory Manager
INFO: {'agmt-name': ['m1tom2exampleSSL'], 'replica': ['m2.example.test:636'], 'replica-enabled': ['on'], 'update-in-progress': ['FALSE'], 'last-update-start': ['20201203020121Z'], 'last-update-end': ['20201203020121Z'], 'number-changes-sent': ['1:143/0 '], 'number-changes-skipped': ['unavailable'], 'last-update-status': ['Error (0) Replica acquired successfully: Incremental update succeeded'], 'last-init-start': ['20201203020019Z'], 'last-init-end': ['20201203020027Z'], 'last-init-status': ['Error (0) Total update succeeded'], 'reap-active': ['0'], 'replication-status': ['In Synchronization'], 'replication-lag-time': ['00:00:00']}
INFO: Command successful.
[root@m1 ~]# 


now, if I remove the workaround, there is the LDAPS connection failure "certificate verify failed" :

mv /etc/dirsrv/slapd-template /etc/dirsrv/slapd-template-1

dsconf -v m1 replication status --suffix dc=example,dc=test --bind-dn "cn=Directory Manager" --bind-passwd password
...snip...
DEBUG: Allocate <class 'lib389.DirSrv'> with m2.example.test:636
DEBUG: open(): Connecting to uri ldaps://m2.example.test:636/
DEBUG: Using dirsrv ca certificate /etc/dirsrv/slapd-template
DEBUG: Using external ca certificate /etc/dirsrv/slapd-template
DEBUG: Using external ca certificate /etc/dirsrv/slapd-template
DEBUG: Using certificate policy 1
DEBUG: ldap.OPT_X_TLS_REQUIRE_CERT = 1
DEBUG: Cannot connect to 'ldaps://m2.example.test:636/'
DEBUG: Connection to consumer (m2.example.test:636) failed, error: {'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)'}
INFO: {'agmt-name': ['m1tom2exampleSSL'], 'replica': ['m2.example.test:636'], 'replica-enabled': ['on'], 'update-in-progress': ['FALSE'], 'last-update-start': ['20201203020121Z'], 'last-update-end': ['20201203020121Z'], 'number-changes-sent': ['1:143/0 '], 'number-changes-skipped': ['unavailable'], 'last-update-status': ['Error (0) Replica acquired successfully: Incremental update succeeded'], 'last-init-start': ['20201203020019Z'], 'last-init-end': ['20201203020027Z'], 'last-init-status': ['Error (0) Total update succeeded'], 'reap-active': ['0'], 'replication-status': ['Not in Synchronization: supplier (5fc846ea000e00010000) consumer (Unavailable) State (green) Reason (error (0) replica acquired successfully: incremental update succeeded)'], 'replication-lag-time': ['Unavailable']}
INFO: Command successful.


same error with the .dsrc:

cat /root/.dsrc
[localhost]
tls_cacertdir = /etc/dirsrv/slapd-m1
uri = ldaps://m1.example.test:636

so I need the fix from 
https://github.com/389ds/389-ds-base/pull/4463
but it seem now it is outdated, so in the issue
https://github.com/389ds/389-ds-base/issues/4460
is it now
https://github.com/389ds/389-ds-base/commit/ce7beae4d698880f45c09de17c487c1fefbc3410
or
https://github.com/389ds/389-ds-base/pull/4463/commits/79996ff59dc38bf23e99d8f219fcc90557721524
?

Comment 4 Marc Sauton 2020-12-03 05:19:07 UTC

and there is something going on with SER_SERVERID_PROP left to the default value of "template"

Comment 5 mreynolds 2020-12-03 15:40:39 UTC

>
> so I need the fix from 
> https://github.com/389ds/389-ds-base/pull/4463
> but it seem now it is outdated, so in the issue
> https://github.com/389ds/389-ds-base/issues/4460
> is it now
> https://github.com/389ds/389-ds-base/commit/ce7beae4d698880f45c09de17c487c1fefbc3410
> ? or
> https://github.com/389ds/389-ds-base/pull/4463/commits/79996ff59dc38bf23e99d8f219fcc90557721524
> ?

These are all the same.  So you need the fix for https://github.com/389ds/389-ds-base/pull/4463 and maybe https://github.com/389ds/389-ds-base/pull/4472

As for the "template" issue, I'm not seeing that problem.  Maybe it will be resolved with the two fixes above?

Comment 10 sgouvern 2021-10-12 14:20:50 UTC

Having 2 instances configured as 2 MMR, security on

# cat /root/.dsrc
[inst1]
tls_cacertdir = /etc/dirsrv/slapd-inst1
uri = ldaps://localhost.localdomain:1636
binddn = cn=directory manager
basedn = dc=example,dc=com

[inst2]
tls_cacertdir = /etc/dirsrv/slapd-inst2
uri = ldaps://localhost.localdomain:2636
binddn = cn=directory manager
basedn = dc=example,dc=com 

# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE	dc=example,dc=com
URI	ldaps://localhost.localdomain:1636  ldaps://localhost.localdomain:2636
TLS_CACERTDIR	/etc/dirsrv/ssca




]# dsconf -v -D "cn=Directory Manager" -w password ldaps://localhost.localdomain:2636 replication status --suffix dc=example,dc=com
DEBUG: The 389 Directory Server Configuration Tool
DEBUG: Inspired by works of: ITS, The University of Adelaide
DEBUG: dsrc path: /root/.dsrc
DEBUG: dsrc container path: /data/config/container.inf
DEBUG: dsrc instances: ['inst1', 'inst2']
DEBUG: dsrc no such section: slapd-ldaps://localhost.localdomain:2636
DEBUG: Called with: Namespace(basedn=None, bind_dn=None, bind_passwd=None, binddn='cn=Directory Manager', bindpw='secret12', func=<function get_repl_status at 0x7faffe623840>, instance='ldaps://localhost.localdomain:2636', json=False, prompt=False, pwdfile=None, starttls=False, suffix='dc=example,dc=com', verbose=True)
DEBUG: Instance details: {'uri': 'ldaps://localhost.localdomain:2636', 'basedn': None, 'binddn': 'cn=Directory Manager', 'bindpw': None, 'saslmech': None, 'tls_cacertdir': None, 'tls_cert': None, 'tls_key': None, 'tls_reqcert': None, 'starttls': False, 'prompt': False, 'pwdfile': None, 'args': {'ldapurl': 'ldaps://localhost.localdomain:2636', 'root-dn': 'cn=Directory Manager'}}
DEBUG: Allocate <class 'lib389.DirSrv'> with ldaps://localhost.localdomain:2636
DEBUG: Allocate <class 'lib389.DirSrv'> with localhost.localdomain:2636
DEBUG: Allocate <class 'lib389.DirSrv'> with localhost.localdomain:2636
DEBUG: Allocate <class 'lib389.DirSrv'> with ldaps://localhost.localdomain:2636
DEBUG: Allocate <class 'lib389.DirSrv'> with localhost.localdomain:2636
DEBUG: Allocate <class 'lib389.DirSrv'> with localhost.localdomain:2636
DEBUG: open(): Connecting to uri ldaps://localhost.localdomain:2636
DEBUG: Using /etc/openldap/ldap.conf certificate policy
DEBUG: ldap.OPT_X_TLS_REQUIRE_CERT = 2
DEBUG: open(): bound as cn=Directory Manager
DEBUG: Retrieving entry with [('',)]
DEBUG: Retrieved entry [dn: 
vendorVersion: 389-Directory/1.4.3.27 B2021.263.1550

]
DEBUG: _gen_selector filter = (&(&(objectclass=nsds5Replica))(|(nsDS5ReplicaRoot=dc=example,dc=com)))
DEBUG: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config getVal('nsDS5ReplicaRoot')
DEBUG: list filter = (&(objectclass=nsds5replicationagreement))
DEBUG: cn=inst2toinst1,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config get_all_attrs
DEBUG: cn=inst2toinst1,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config getVal('nsDS5ReplicaRoot')
DEBUG: cn=inst2toinst1,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config getVal('cn')
DEBUG: _gen_selector filter = (&(&(objectclass=nsds5Replica))(|(nsDS5ReplicaRoot=dc=example,dc=com)))
DEBUG: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config getVal('nsDS5ReplicaRoot')
DEBUG: cn=inst2toinst1,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config getVal('nsds5replicaLastUpdateStatusJSON')
DEBUG: cn=inst2toinst1,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config getVal('nsDS5ReplicaHost')
DEBUG: cn=inst2toinst1,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config getVal('nsDS5ReplicaPort')
DEBUG: cn=inst2toinst1,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config getVal('nsDS5ReplicaRoot')
DEBUG: cn=inst2toinst1,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config getVal('nsds5replicatransportinfo')
DEBUG: _gen_selector filter = (&(&(objectclass=nsds5Replica))(|(nsDS5ReplicaRoot=dc=example,dc=com)))
DEBUG: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config getVal('nsDS5ReplicaRoot')
DEBUG: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config getVal('nsDS5ReplicaId')
DEBUG: Allocate <class 'lib389.DirSrv'> with None
DEBUG: Allocate <class 'lib389.DirSrv'> with localhost.localdomain:1636
DEBUG: Allocate <class 'lib389.DirSrv'> with localhost.localdomain:1636
DEBUG: open(): Connecting to uri ldaps://localhost.localdomain:1636/
DEBUG: Using /etc/openldap/ldap.conf certificate policy
DEBUG: ldap.OPT_X_TLS_REQUIRE_CERT = 2
DEBUG: open(): bound as cn=Directory Manager
DEBUG: Retrieving entry with [('',)]
DEBUG: Retrieved entry [dn: 
vendorVersion: 389-Directory/1.4.3.27 B2021.263.1550

]
DEBUG: cn=inst2toinst1,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config getVal('nsds5replicaUpdateInProgress')
DEBUG: cn=inst2toinst1,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config getVal('nsDS5ReplicaRoot')
DEBUG: cn=inst2toinst1,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config getVal('cn')
DEBUG: _gen_selector filter = (&(&(objectclass=nsds5Replica))(|(nsDS5ReplicaRoot=dc=example,dc=com)))
DEBUG: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config getVal('nsDS5ReplicaRoot')
DEBUG: cn=inst2toinst1,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config getVal('nsDS5ReplicaHost')
DEBUG: cn=inst2toinst1,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config getVal('nsDS5ReplicaPort')
DEBUG: cn=inst2toinst1,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config getVal('nsDS5ReplicaRoot')
DEBUG: cn=inst2toinst1,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config getVal('nsds5replicatransportinfo')
DEBUG: _gen_selector filter = (&(&(objectclass=nsds5Replica))(|(nsDS5ReplicaRoot=dc=example,dc=com)))
DEBUG: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config getVal('nsDS5ReplicaRoot')
DEBUG: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config getVal('nsDS5ReplicaId')
DEBUG: Allocate <class 'lib389.DirSrv'> with None
DEBUG: Allocate <class 'lib389.DirSrv'> with localhost.localdomain:1636
DEBUG: Allocate <class 'lib389.DirSrv'> with localhost.localdomain:1636
DEBUG: open(): Connecting to uri ldaps://localhost.localdomain:1636/
DEBUG: Using /etc/openldap/ldap.conf certificate policy
DEBUG: ldap.OPT_X_TLS_REQUIRE_CERT = 2
DEBUG: open(): bound as cn=Directory Manager
DEBUG: Retrieving entry with [('',)]
DEBUG: Retrieved entry [dn: 
vendorVersion: 389-Directory/1.4.3.27 B2021.263.1550

]
INFO: {'agmt-name': ['inst2toinst1'], 'replica': ['localhost.localdomain:1636'], 'replica-enabled': ['on'], 'update-in-progress': ['FALSE'], 'last-update-start': ['20211012134524Z'], 'last-update-end': ['20211012134524Z'], 'number-changes-sent': ['2:2/0 '], 'number-changes-skipped': ['unavailable'], 'last-update-status': ['Error (0) Replica acquired successfully: Incremental update succeeded'], 'last-init-start': ['20211012125518Z'], 'last-init-end': ['20211012125521Z'], 'last-init-status': ['Error (0) Total update succeeded'], 'reap-active': ['0'], 'replication-status': ['Not in Synchronization: supplier (616585b7000000020000) consumer (Unavailable) State (green) Reason (error (0) replica acquired successfully: incremental update succeeded)'], 'replication-lag-time': ['unavailable']}
INFO: Command successful.


No 'certificate verify failed' error

The behavior is compliant with the fix : 
dsconf called with instance name get information from ~/.dsrc
dsconf called with url is considered as remote connection and get info from /etc/openldap/ldap.conf

marking as verified

Comment 12 errata-xmlrpc 2021-10-25 06:36:13 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: redhat-ds:11 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3955