<div dir="ltr"><div dir="ltr" style="font-family:arial,sans-serif;font-size:13px">Rich,<div><br><div>I'm running on ubuntu. Pretty much the same.</div><div><br></div><div>test environment:</div><div>dpkg -l | grep -i nss<br>
</div><div><div>ii libnss3 3.13.1.with.ckbi.1.88-1ubuntu6 Network Security Service libraries</div><div>ii libnss3-1d 3.13.1.with.ckbi.1.88-1ubuntu6 Network Security Service libraries</div>
<div>ii libnss3-dev 3.13.1.with.ckbi.1.88-1ubuntu6 Development files for the Network Security Service libraries</div></div><div><br></div><div>production environment:</div></div><div>dpkg -l | grep -i nss<br>
</div><div><div>ii libnss3 3.13.1.with.ckbi.1.88-1ubuntu6 Network Security Service libraries</div><div>ii libnss3-1d 3.13.1.with.ckbi.1.88-1ubuntu6 Network Security Service libraries</div>
<div>ii libnss3-dev 3.13.1.with.ckbi.1.88-1ubuntu6 Development files for the Network Security Service libraries</div></div><div><br></div><div><br></div><div>and mod_nss-1.0.8 on both.</div></div>
<div class="" style="font-family:arial,sans-serif;font-size:13px"></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Dec 5, 2013 at 3:18 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div><div class="h5">
<div>On 12/05/2013 10:12 AM, Alberto Viana
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>I have 2 389 running (389-Directory/<a href="http://1.3.2.6" target="_blank">1.3.2.6</a> and
389-Directory/<a href="http://1.3.1.3" target="_blank">1.3.1.3</a>)
with multiple master configuration.</div>
<div><br>
</div>
<div>When I set the option "check hostname against name in
certificate for outbound SSL connections" the agreement does
not work and shows me this error:</div>
<div><br>
</div>
<div>[05/Dec/2013:14:35:55 -0200] slapi_ldap_bind - Error: could
not send bind request for id [uid=app.389.w,cn=config]
authentication mechanism [SIMPLE]: error -1 (Can't contact
LDAP server), system error -5987 (Invalid function argument.),
network error 115 (Operation now in progress, host
"hmg2.homolog.rnp")</div>
<div>[05/Dec/2013:14:35:55 -0200] NSMMReplicationPlugin -
agmt="cn=389-HMG2" (hmg2:636): Replication bind with SIMPLE
auth failed: LDAP error -1 (Can't contact LDAP server)
((unknown error code))</div>
<div><br>
</div>
<div><br>
</div>
<div>When I unset the option, everything works as expected.</div>
<div><br>
</div>
<div>Here's the subject of my certificates:</div>
<div>Subject: C=BR, ST=Rio de Janeiro, L=Rio de Janeiro, O=Rede
Nacional de Ensino e Pesquisa, OU=GTI, CN=hmg3.homolog.rnp</div>
<div><br>
</div>
<div>Subject: C=BR, ST=Rio de Janeiro, L=Rio de Janeiro, O=Rede
Nacional de Ensino e Pesquisa, OU=GTI, CN=hmg2.homolog.rnp</div>
<div><br>
</div>
<div>My DNS is configured correctly (the reverse too).</div>
<div>
<br>
</div>
<div>In my production enviroment this options works fine, but
it's a little bit old (389-Directory/<a href="http://1.2.10.12" target="_blank">1.2.10.12</a>)</div>
</div>
</blockquote>
<br></div></div>
What version of NSS do you have in your production environment?<br>
What version of NSS do you have in your test environment?<br>
<br>
rpm -q nss<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Any clues?</div>
</div>
<br><span class="HOEnZb"><font color="#888888">
<fieldset></fieldset>
<br>
<pre>--
389 users mailing list
<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
</font></span></blockquote>
<br>
</div>
</blockquote></div><br></div>