On 11/05/2012 07:41 PM, Khosrow Ebrahimpour wrote:
Hi,
On November 4, 2012 11:13:27 PM admus wrote:
Hello, I'm following https://help.ubuntu.com/12.04/serverguide/openldap-server.html#openldap-tls-replication. The LDAP server starts correctly, but when I try to test StartTLS with:

ldapsearch -x -H ldap:/// -ZZ -d -1

I get the following error:

TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)

Any idea?
Have you verified your certificate? What is the output of :
openssl s_client -connect ldap1.example.com:636 -showcerts
or on the server itself you can dump the cert info
cat ldap-cert.pem | openssl x509 -text
The certificate info is as follows:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1352064827 (0x5096df3b)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=ldap1.example.com
        Validity
            Not Before: Nov  4 21:33:47 2012 GMT
            Not After : Nov  2 21:33:47 2022 GMT
        Subject: O=Example Com, CN=ldap1.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2432 bit)
                Modulus:
                    00:e7:06:b9:1d:19:c7:67:de:93:8e:db:e8:a3:1f:
                    e2:c7:39:62:20:bb:7d:5b:d3:5a:78:5c:7c:89:5d:
                    27:00:a8:71:03:73:b0:9a:a9:fe:31:a7:22:f0:ac:
                    d5:9f:f4:3b:a4:9a:08:95:ba:f7:cf:7d:6e:a6:86:
                    2d:39:7e:c1:06:aa:27:07:43:78:77:6e:b0:20:a2:
                    6f:80:4a:cf:39:8b:e3:91:92:c3:9c:ca:84:2a:45:
                    4f:35:48:87:bd:02:8d:48:04:e0:9b:7a:9d:a8:bd:
                    7b:f8:e3:6d:64:88:25:ab:2f:66:d6:4a:0e:5c:3b:
                    47:a9:21:27:5d:0c:f6:47:ac:d1:e0:55:0b:41:27:
                    a9:9b:b2:97:4e:07:5c:ef:5f:ad:0a:9a:ad:f5:ed:
                    f0:0f:16:56:2e:54:8e:e9:64:65:47:67:26:69:65:
                    31:9d:18:74:b7:67:af:72:1c:9a:bb:ad:89:3a:d0:
                    bb:15:13:88:13:59:e0:cb:61:05:9a:da:a7:d7:88:
                    15:6b:f2:78:52:be:da:a5:79:a7:bd:cc:94:70:17:
                    47:58:f3:48:2c:0f:47:7f:bb:ed:05:9c:32:26:1c:
                    79:f2:4f:b8:2e:82:e4:5c:7f:13:31:92:4a:7e:67:
                    76:7a:8c:5a:bb:2d:13:31:34:05:2e:19:88:70:dc:
                    34:db:14:38:18:71:fb:8f:c1:2a:9d:56:75:80:54:
                    ff:34:e6:b3:ad:9c:96:de:f9:c7:39:df:f1:83:63:
                    a6:af:47:8b:a8:d2:6e:92:30:e9:94:14:27:9c:18:
                    0a:08:6d:c7:4d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                50:88:10:B9:46:9D:61:37:B9:24:2E:A0:33:6A:15:34:23:38:1B:1E
            X509v3 Authority Key Identifier:
                keyid:8E:98:97:7B:2E:DC:62:92:44:14:55:74:EF:31:E5:BC:60:3F:57:70
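The certificate pasted above is not self-signed: its Issuer differs from its Subject, and its Authority Key Identifier (8E:98:...) is not its own Subject Key Identifier (50:88:...), so it was signed by a separate CA certificate. A client reports "peer cert untrusted" when it cannot chain the server certificate to a CA it trusts (for ldapsearch that is the TLS_CACERT setting in ldap.conf) or when the name it connected to does not match the certificate. The script below is an added example, not part of the thread and not from OpenLDAP or the Ubuntu guide: it builds a throwaway CA and server certificate (constructed here, reusing the hostname ldap1.example.com from the thread) and runs the same checks with openssl verify, so the "trusted CA present", "no CA configured" and "wrong hostname" cases can be compared offline. It assumes OpenSSL 1.1.1 or newer with a default openssl.cnf available.

```shell
#!/bin/sh
# Added example: reproduce offline the checks a TLS client makes on an LDAP
# server certificate. All keys, certs and names are constructed here.
set -eu

WORK=$(mktemp -d)
CA_PEM="$WORK/ca.pem"
SERVER_PEM="$WORK/ldap-cert.pem"

# 1. Throwaway self-signed CA. req -x509 adds CA:TRUE and a Subject Key
#    Identifier by default, which the leaf's Authority Key Identifier points at.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$CA_PEM" \
    -subj "/CN=ldap1.example.com" >/dev/null 2>&1

# 2. Server key + CSR, signed by the CA with the same extension set the
#    thread's certificate shows (CA:FALSE, serverAuth, DS+KE), plus a SAN,
#    which is what clients match the hostname against.
openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" \
    -subj "/O=Example Com/CN=ldap1.example.com" >/dev/null 2>&1
cat > "$WORK/server.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
extendedKeyUsage=serverAuth
keyUsage=critical,digitalSignature,keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=DNS:ldap1.example.com
EOF
openssl x509 -req -days 1 -in "$WORK/ldap.csr" \
    -CA "$CA_PEM" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$SERVER_PEM" >/dev/null 2>&1

# Does the server cert chain to the CA file the client was given?
# An empty argument models a client with no TLS_CACERT for this private CA:
# only the system trust store is consulted, which does not contain it.
chain_ok() {
    if [ -n "$1" ]; then
        openssl verify -CAfile "$1" "$SERVER_PEM" >/dev/null 2>&1
    else
        openssl verify "$SERVER_PEM" >/dev/null 2>&1
    fi
}

# Does the name the client connected to match the certificate (SAN first)?
name_ok() {
    openssl verify -CAfile "$CA_PEM" -verify_hostname "$1" "$SERVER_PEM" \
        >/dev/null 2>&1
}

# Extract key identifiers from the -text dump, as in the thread's output.
ski() { openssl x509 -in "$1" -noout -text | sed -n '/Subject Key Identifier/{n;s/ //g;p;}'; }
aki() { openssl x509 -in "$1" -noout -text | sed -n '/Authority Key Identifier/{n;s/ //g;s/^keyid://;p;}'; }

# The leaf's AKI must equal the CA's SKI, otherwise the CA file you hand the
# client is not the one that actually signed the server certificate.
issuer_matches() {
    ca_ski=$(ski "$CA_PEM")
    [ -n "$ca_ski" ] && [ "$(aki "$SERVER_PEM")" = "$ca_ski" ]
}

report() {
    chain_ok "$CA_PEM" && echo "chain with CA file:       OK" || echo "chain with CA file:       FAIL"
    chain_ok ""        && echo "chain without CA file:    OK" || echo "chain without CA file:    FAIL (peer cert untrusted)"
    name_ok ldap1.example.com && echo "hostname ldap1:           OK" || echo "hostname ldap1:           FAIL"
    name_ok ldap2.example.com && echo "hostname ldap2:           OK" || echo "hostname ldap2:           FAIL (name mismatch)"
    issuer_matches && echo "leaf AKI == CA SKI:       OK" || echo "leaf AKI == CA SKI:       FAIL"
}

report
```

Running it prints OK for the CA-file and ldap1.example.com cases and FAIL for the other two, which is the difference between a client with a correct TLS_CACERT and one without. The ski/aki comparison is the quick way to confirm that the CA file you plan to distribute to clients is the one that issued the certificate in hand.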