On 11/05/12 21:02 +0100, Admus wrote:
On 11/05/2012 04:05 PM, Dan White wrote:
On 11/05/12 08:29 +0100, Admus wrote:
On 11/04/2012 11:59 PM, Dan White wrote:
On 11/04/12 23:13 +0100, admus wrote:
Hello, I'm following https://help.ubuntu.com/12.04/serverguide/openldap-server.html#openldap-tls-... how to: LDAP serwer starts correctly but when I tries to test StartTLS: ldapsearch -x -H ldap:/// -ZZ -d -1 I gets the following error: TLS: peer cert untrusted or revoked (0x42) TLS: can't connect: (unknown error code). ldap_err2string ldap_start_tls: Connect error (-11) additional info: (unknown error code) Any idea?
Your hostname will need to match the certificate you have installed. '-H ldap:///' will, instead, need to include the hostname matching your certificate.
For project documentation, see chapter 16 of the OpenLDAP Administrator's Guide, slapd-config(5), ldap.conf(5), and ldapsearch(1).
ldapsearch -x -H ldap://ldap1.example.com -ZZ -d -1
Does not help, same error. CN in my certificate is ldap1.example.com.
Assuming that your OpenLDAP was compiled against GnuTLS, use the GnuTLS tools to trouble shoot your certificate.
A google search for "peer cert untrusted or revoked (0x42)" finds users who also received that error.
The output of `gnutls-cli --print-cert -p 636 ldap1.example.com` is:
- The hostname in the certificate matches 'ldap1.example.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
According to gnutls-cli, your certificate is not trusted, and it's signer it not trusted.
If you have created your own CA, or have self-signed your certificate, then you will need to properly configure your ldap.conf containing a TLS_CACERT directive, for ldapsearch to succeed.
Consult gnutls-cli's manpage for how to do the same for it.