NETANN-L Archives

- NETANN-L - Networkmaine Network Announcement List

NETANN-L@LISTS.MAINE.EDU

Subject:
From:
Irelann Anderson <[log in to unmask]>
Reply To:
- NETANN-L - Networkmaine Network Announcement List <[log in to unmask]>
Date:
Wed, 13 Nov 2013 13:36:03 -0500
The existing SSL certificates on our LDAP servers are signed by an
internal certificate authority (CA2).   These certificates are
expiring in 27 days and need to be replaced.

Since we have a site licence for an unlimited number of commercial SSL
certificates from InCommon (Comodo) and these roots are pre-installed
in nearly all software created in the last 10 years or so (Windows,
Linux, Firefox, Chrome, etc.) we plan to switch to these certs.

We had acquired the new certs and had them in place without activating
them with the intent that we would send out an announcement warning
people of the change ahead of time.   Unfortunately, in dealing with a
problem with replication from the master LDAP server to the slave LDAP
servers, the new certs were inadvertently activated.

Any software that used a bundle or library of root CA certs would not
have noticed the change.   Unfortunately, software that specified a
particular root certificate and had specified CA2 broke.    We have
had it reported that image-now, call manager and some lab
authentication software fell into this group and we backed out to the
old certs on NameO and NameP as soon as we were aware of the issue and
made sure that backing out would not cause further problems.

At the moment NameO and NameP are using the old CA2 certificates and
NameA, NameF, NameI, NameK and NameM are using the new InCommon
certificates.     We can back out the other LDAP servers if it is
causing issues for anyone.   Those who saw problems can test against
the servers with InCommon SSL certs to make sure they will continue to
work when we do eventually switch over.

We will send an announcement in the near future as to when the
cut-over to the new certificates will occur.   If we have to back out
any of the other slave LDAP servers, we will send another notice so
you will know which servers are using which certificates.

We apologize for the unplanned change.

-- 
Irelann Kerry Anderson          phone:    (207)561-3508
Systems and Operations
Information Technology Services
University of Maine System
5752 Neville Hall
Orono, Maine 04469-5752
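
The breakage described in the message, reproduced offline as an added example (not part of the original announcement or of any Networkmaine tooling): a client pinned to the old internal root rejects a server certificate issued under the new root, while a client using a bundle that holds both roots accepts either. The CA names, the host name `ldap.example.test` and the file names are constructed, and `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added illustration. Every name and file here is constructed: "old-internal-ca"
# stands in for CA2, "new-commercial-root" for the commercial root. Offline only.

# make_ca <dir> <name>: create a self-signed root key and certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_leaf <dir> <ca-name> <leaf-name>: server certificate signed by that CA.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 30 -out "$1/$3.pem" 2>/dev/null
}

# trusts <anchor-file> <server-cert>: succeed only if the certificate chains to
# a root in the anchor file, which is the decision a client's CA setting makes.
trusts() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# build_demo <dir>: two roots, one server certificate from each, and a bundle
# holding both roots (an assumed stand-in for a client's root CA bundle).
build_demo() {
    make_ca "$1" old-internal-ca && make_ca "$1" new-commercial-root &&
    issue_leaf "$1" old-internal-ca server-old &&
    issue_leaf "$1" new-commercial-root server-new &&
    cat "$1/old-internal-ca.pem" "$1/new-commercial-root.pem" > "$1/bundle.pem"
}

# report <dir>: print which client configuration accepts which server cert.
report() {
    for anchor in old-internal-ca bundle; do
        for cert in server-old server-new; do
            if trusts "$1/$anchor.pem" "$1/$cert.pem"; then r=accepted
            else r=REJECTED; fi
            echo "client trusting $anchor -> $cert: $r"
        done
    done
}

d=$(mktemp -d) && build_demo "$d" && report "$d"
```

Against a live server, the same `-CAfile` choice applies to `openssl s_client -connect <host>:<port>`, which shows ahead of a cut-over whether a given trust setting will accept the new chain.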
