[Linux-HA] quorumd: Problem with certificates
Michael Schwartzkopff
misch at multinet.de
Mon Feb 4 06:20:38 MST 2008
On Monday, 4 February 2008 13:09, Dejan Muhamedagic wrote:
(...)
> > Hi,
> >
> > I found the thread from May 9th of this list. Somebody having the same
> > problems. I used the sample certificates of that post, but still no
> > success. Strange!
>
> You can test the TLS communication using the openssl tools
> (openssl s_client/s_server). They should tell you what's wrong.
> One typical problem is name resolution, i.e. the parties
> communicating have to resolve to exactly the names in the
> certificates (reverse name resolution).
openssl s_client/s_server works well. Even when I start quorumd on the tie
breaker and connect to that machine with
    openssl s_client -connect xen04:5561 -cert client-cert.pem -key client-key.pem -CAfile ca-cert.pem -showcerts
it works. The client tells me:
CONNECTED(00000003)
When I start heartbeat on the node, it fails. Strange...
Name resolution: The CN of the client certificate should be the name of the
cluster (i.e. MyCluster), see docs. The reverse name resolution would always
point to the name of the node. These two names would always differ. So this
cannot be the problem.
What am I doing wrong using the sample certificates of zhenh? What does this
error mean? Is there any better debugging inside quorumd?
--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75
mail: misch at multinet.de
web: www.multinet.de
Registered office: 85630 Grasbrunn
Court of registration: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens
---
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype:misch42
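
An offline check of the certificate files named in the message above, as an added example that is not part of the original post and not code from heartbeat or quorumd: it verifies the client certificate against the CA file, confirms that the private key belongs to the certificate, and compares the subject CN with the expected cluster name. The function name check_client_cert and its return codes are hypothetical; the file names and the cluster name MyCluster are the ones used in the message.

```shell
#!/bin/sh
# check_client_cert CA_FILE CERT_FILE KEY_FILE EXPECTED_CN
# Hypothetical helper (an assumption of this example, not a quorumd tool).
# Return codes: 0 ok, 1 chain does not verify, 2 key/cert mismatch, 3 CN mismatch.
check_client_cert() {
    cc_ca=$1; cc_cert=$2; cc_key=$3; cc_want=$4

    # 1. Chain: the client certificate must verify against the CA file.
    #    This also fails for expired or not-yet-valid certificates.
    openssl verify -CAfile "$cc_ca" "$cc_cert" >/dev/null 2>&1 || {
        echo "FAIL: $cc_cert does not verify against $cc_ca"
        return 1
    }

    # 2. Key pair: the public key embedded in the certificate must be the
    #    one derived from the private key file.
    cc_pub_cert=$(openssl x509 -in "$cc_cert" -noout -pubkey 2>/dev/null)
    cc_pub_key=$(openssl pkey -in "$cc_key" -pubout 2>/dev/null)
    if [ -z "$cc_pub_key" ] || [ "$cc_pub_cert" != "$cc_pub_key" ]; then
        echo "FAIL: $cc_key is not the private key for $cc_cert"
        return 2
    fi

    # 3. Subject CN: compare with the expected name (the cluster name,
    #    per the message above), not with the node's host name.
    cc_cn=$(openssl x509 -in "$cc_cert" -noout -subject -nameopt multiline |
            sed -n 's/^ *commonName *= *//p')
    if [ "$cc_cn" != "$cc_want" ]; then
        echo "FAIL: certificate CN is '$cc_cn', expected '$cc_want'"
        return 3
    fi

    echo "OK: chain, key pair and CN ($cc_cn) are consistent"
    return 0
}

# Run directly as: sh check.sh ca-cert.pem client-cert.pem client-key.pem MyCluster
if [ "$#" -eq 4 ]; then
    check_client_cert "$@"
fi
```

The distinct return codes separate a trust problem (1) from a file mix-up (2) and a naming problem (3).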