PingDirectory replication configuration depends on listener certificates. When certificate trust is broken between servers, replication and client traffic continues, but topology changes are disrupted.
PingDirectory uses a mirrored subtree service to keep configuration subtrees synchronized across a replicated topology. This synchronization depends on listener certificates being trusted between servers. If you discover (for example, during a topology change or from a peer connection alert) that these certificates are out of sync, the certificate trust is broken and the topology can’t be properly mirrored. For example, when one server tries to send changes to trusted servers, the operation fails if the receiving servers have a different master than the sending server, or don’t have a master at all.
Common causes of a broken mirrored subtree:
- Replacing one or more LDAPS connection handler certificates before adding the listener certificate trust to the topology
- Updating the key store on disk without running the replace-certificate tool
- Replacing the listener certificate trust with the new certificate without including the old certificate
- Using an older or untested custom script to replace the certificate
- Making a typo when replacing the certificate
- Allowing the server certificate to expire
When you have a large number of servers in your environment, and your listener certificates fall out of sync, repairing trust and restoring topology mirroring can become complex. Rollback after a certificate rotation might not be possible because the new certificate is already serving client traffic. To troubleshoot, you check the logs and statuses for multiple servers. After you find the root cause, you update all server members lacking the appropriate trust, but you have to force each of these servers as master because the topology is read-only, due to the lack of trust.
Instead of following this long and complicated troubleshooting procedure, you can use the repair-topology-listener-certificates CLI tool. This tool helps restore trust and bring replicated environments back to a working state, greatly reducing the effort required to fix this issue. Learn more about using the repair-topology-listener-certificates tool.