Hello, I'm following the https://help.ubuntu.com/12.04/serverguide/openldap-server.html#openldap-tls-... how-to. The LDAP server starts correctly, but when I try to test StartTLS:

ldapsearch -x -H ldap:/// -ZZ -d -1

I get the following error:

TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: (unknown error code)

Any idea?
On 11/04/12 23:13 +0100, admus wrote:
> Hello, I'm following the https://help.ubuntu.com/12.04/serverguide/openldap-server.html#openldap-tls-... how-to. The LDAP server starts correctly, but when I try to test StartTLS:
>
> ldapsearch -x -H ldap:/// -ZZ -d -1
>
> I get the following error:
>
> TLS: peer cert untrusted or revoked (0x42)
> TLS: can't connect: (unknown error code).
> ldap_err2string
> ldap_start_tls: Connect error (-11)
>         additional info: (unknown error code)
>
> Any idea?
Your hostname will need to match the certificate you have installed. '-H ldap:///' will, instead, need to include the hostname matching your certificate.
For project documentation, see chapter 16 of the OpenLDAP Administrator's Guide, slapd-config(5), ldap.conf(5), and ldapsearch(1).
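The hostname check described in the reply above, as an added example in Python (not code from this thread and not OpenLDAP's own implementation). It models what libldap's TLS layer does when `-ZZ` is used: the host named in `-H` is compared with the certificate's dNSName subject alternative names, or with the CN only when no dNSName is present, following the matching rules of RFC 6125 section 6.4. `ldap:///` names no host at all, which libldap treats as the local host, so it can never match a certificate issued for ldap1.example.com. The CN value is taken from this thread; the wildcard and SAN cases are constructed for illustration.

```python
"""Hostname-vs-certificate matching of the kind libldap's TLS layer performs.

Added example for this thread, not OpenLDAP code. Assumptions: an LDAP URI
with an empty authority (ldap:///) is treated as localhost; names are
compared per RFC 6125 section 6.4 (dNSName SANs first, CN only as fallback,
a wildcard only as the whole leftmost label).
"""
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlsplit


@dataclass
class ServerCert:
    """The identity-bearing parts of a server certificate."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)


def ldap_uri_host(uri: str) -> str:
    """Host an LDAP URI names; an empty authority (ldap:///) means localhost."""
    host = urlsplit(uri).hostname
    return (host or "localhost").lower().rstrip(".")


def name_matches(reference: str, presented: str) -> bool:
    """Compare one presented identifier (possibly a '*.' wildcard) with the
    reference hostname, label by label and case-insensitively."""
    ref = reference.lower().rstrip(".").split(".")
    pat = presented.lower().rstrip(".").split(".")
    if len(ref) != len(pat) or ref[1:] != pat[1:]:
        return False
    if pat[0] == "*":
        # The wildcard must be the whole leftmost label and needs at least
        # two labels to its right, so '*.com' never matches anything.
        return len(pat) >= 3
    return pat[0] == ref[0]


def cert_matches_host(cert: ServerCert, hostname: str) -> bool:
    """RFC 6125: when dNSName SANs are present the CN is not consulted."""
    if cert.san_dns:
        return any(name_matches(hostname, n) for n in cert.san_dns)
    return name_matches(hostname, cert.subject_cn)


def check_uri(cert: ServerCert, uri: str) -> Tuple[bool, str]:
    """Report whether the host in `uri` would pass the certificate name check."""
    host = ldap_uri_host(uri)
    if cert_matches_host(cert, host):
        return True, f"{uri}: host {host!r} matches the certificate"
    names = cert.san_dns or [cert.subject_cn]
    return False, f"{uri}: host {host!r} does not match {names}; use -H ldap://{names[0]}/"


if __name__ == "__main__":
    # Certificate CN as reported in this thread.
    cert = ServerCert(subject_cn="ldap1.example.com")
    for uri in ("ldap:///", "ldap://ldap1.example.com", "ldap://ldap1.example.com:389/"):
        print(check_uri(cert, uri))
```

Running it shows `ldap:///` failing on the name check (host `localhost`) while `ldap://ldap1.example.com` passes it, which is the change the reply asks for; a name match on its own does not make the certificate trusted, that is a separate check against TLS_CACERT.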
On 11/04/2012 11:59 PM, Dan White wrote:
> Your hostname will need to match the certificate you have installed. '-H ldap:///' will, instead, need to include the hostname matching your certificate.
> For project documentation, see chapter 16 of the OpenLDAP Administrator's Guide, slapd-config(5), ldap.conf(5), and ldapsearch(1).
ldapsearch -x -H ldap://ldap1.example.com -ZZ -d -1
Does not help, same error. CN in my certificate is ldap1.example.com.
On Mon, Nov 05, 2012 at 08:29:45AM +0100, Admus wrote:
> > TLS: peer cert untrusted or revoked (0x42)
Well, your error does say 'untrusted or revoked'. Have you taken steps to have your client trust the certificate?
On 11/05/12 08:29 +0100, Admus wrote:
> ldapsearch -x -H ldap://ldap1.example.com -ZZ -d -1
> Does not help, same error. CN in my certificate is ldap1.example.com.
Assuming that your OpenLDAP was compiled against GnuTLS, use the GnuTLS tools to troubleshoot your certificate.
A Google search for "peer cert untrusted or revoked (0x42)" finds users who also received that error.
On 11/05/2012 04:05 PM, Dan White wrote:
> Assuming that your OpenLDAP was compiled against GnuTLS, use the GnuTLS tools to troubleshoot your certificate.
> A Google search for "peer cert untrusted or revoked (0x42)" finds users who also received that error.
The output of `gnutls-cli --print-cert -p 636 ldap1.example.com` is:
- The hostname in the certificate matches 'ldap1.example.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
On Mon, 5 Nov 2012, Admus wrote: ...
> The output of `gnutls-cli --print-cert -p 636 ldap1.example.com` is:
> - The hostname in the certificate matches 'ldap1.example.com'.
> - Peer's certificate issuer is unknown
> - Peer's certificate is NOT trusted
In order to verify the server's certificate, the root CA that's 'above' the server's cert needs to be configured as a trusted CA for the client.
For OpenSSL, that's done by placing it in the file designated by the TLS_CACERT ldap.conf option, or in the directory designated by the TLS_CACERTDIR ldap.conf option with the correct hashed filename.
The ldap.conf(5) manpage indicates that the latter is ignored for GnuTLS, so presumably you just have to place the trusted root certificate(s) in a single file and point TLS_CACERT at that, in whatever format GnuTLS uses.
Philip Guenther
On 11/05/2012 09:24 PM, Philip Guenther wrote:
> In order to verify the server's certificate, the root CA that's 'above' the server's cert needs to be configured as a trusted CA for the client.
> For OpenSSL, that's done by placing it in the file designated by the TLS_CACERT ldap.conf option, or in the directory designated by the TLS_CACERTDIR ldap.conf option with the correct hashed filename.
> The ldap.conf(5) manpage indicates that the latter is ignored for GnuTLS, so presumably you just have to place the trusted root certificate(s) in a single file and point TLS_CACERT at that, in whatever format GnuTLS uses.
> Philip Guenther
My cn=config looks as follow:
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/ldap1_slapd_cert.pem
olcTLSCertificateKeyFile: /etc/ssl/private/ldap1_slapd_key.pem
I tried also set TLS_CACERT in /etc/ldap/ldap.conf to:
TLS_CACERT /etc/ssl/certs/cacert.pem
and
TLS_CACERT /etc/ssl/certs/ldap1_slapd_cert.pem
but without success; the error stays the same.
What should the TLS_CACERT value be? Is /etc/ldap/ldap.conf respected at all?
My client and server are the same host.
On 11/05/12 21:02 +0100, Admus wrote:
> The output of `gnutls-cli --print-cert -p 636 ldap1.example.com` is:
> - The hostname in the certificate matches 'ldap1.example.com'.
> - Peer's certificate issuer is unknown
> - Peer's certificate is NOT trusted
> - Version: TLS1.2
> - Key Exchange: RSA
> - Cipher: AES-128-CBC
> - MAC: SHA1
> - Compression: NULL
> - Handshake was completed
According to gnutls-cli, your certificate is not trusted, and its signer is not trusted.
If you have created your own CA, or have self-signed your certificate, then you will need to properly configure your ldap.conf containing a TLS_CACERT directive, for ldapsearch to succeed.
Consult gnutls-cli's manpage for how to do the same for it.
Hi,
On November 4, 2012 11:13:27 PM admus wrote:
> Hello, I'm following the https://help.ubuntu.com/12.04/serverguide/openldap-server.html#openldap-tls-replication how-to. The LDAP server starts correctly, but when I try to test StartTLS:
>
> ldapsearch -x -H ldap:/// -ZZ -d -1
>
> I get the following error:
>
> TLS: peer cert untrusted or revoked (0x42)
> TLS: can't connect: (unknown error code).
> ldap_err2string
> ldap_start_tls: Connect error (-11)
>         additional info: (unknown error code)
>
> Any idea?
Have you verified your certificate? What is the output of :
openssl s_client -connect ldap1.example.com:636 -showcerts
or on the server itself you can dump the cert info
cat ldap-cert.pem | openssl x509 -text
On 11/05/2012 07:41 PM, Khosrow Ebrahimpour wrote:
> Have you verified your certificate? What is the output of :
> openssl s_client -connect ldap1.example.com:636 -showcerts
> or on the server itself you can dump the cert info
> cat ldap-cert.pem | openssl x509 -text
The certificate info is as follow:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1352064827 (0x5096df3b)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=ldap1.example.com
        Validity
            Not Before: Nov  4 21:33:47 2012 GMT
            Not After : Nov  2 21:33:47 2022 GMT
        Subject: O=Example Com, CN=ldap1.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2432 bit)
                Modulus:
                    00:e7:06:b9:1d:19:c7:67:de:93:8e:db:e8:a3:1f:
                    e2:c7:39:62:20:bb:7d:5b:d3:5a:78:5c:7c:89:5d:
                    27:00:a8:71:03:73:b0:9a:a9:fe:31:a7:22:f0:ac:
                    d5:9f:f4:3b:a4:9a:08:95:ba:f7:cf:7d:6e:a6:86:
                    2d:39:7e:c1:06:aa:27:07:43:78:77:6e:b0:20:a2:
                    6f:80:4a:cf:39:8b:e3:91:92:c3:9c:ca:84:2a:45:
                    4f:35:48:87:bd:02:8d:48:04:e0:9b:7a:9d:a8:bd:
                    7b:f8:e3:6d:64:88:25:ab:2f:66:d6:4a:0e:5c:3b:
                    47:a9:21:27:5d:0c:f6:47:ac:d1:e0:55:0b:41:27:
                    a9:9b:b2:97:4e:07:5c:ef:5f:ad:0a:9a:ad:f5:ed:
                    f0:0f:16:56:2e:54:8e:e9:64:65:47:67:26:69:65:
                    31:9d:18:74:b7:67:af:72:1c:9a:bb:ad:89:3a:d0:
                    bb:15:13:88:13:59:e0:cb:61:05:9a:da:a7:d7:88:
                    15:6b:f2:78:52:be:da:a5:79:a7:bd:cc:94:70:17:
                    47:58:f3:48:2c:0f:47:7f:bb:ed:05:9c:32:26:1c:
                    79:f2:4f:b8:2e:82:e4:5c:7f:13:31:92:4a:7e:67:
                    76:7a:8c:5a:bb:2d:13:31:34:05:2e:19:88:70:dc:
                    34:db:14:38:18:71:fb:8f:c1:2a:9d:56:75:80:54:
                    ff:34:e6:b3:ad:9c:96:de:f9:c7:39:df:f1:83:63:
                    a6:af:47:8b:a8:d2:6e:92:30:e9:94:14:27:9c:18:
                    0a:08:6d:c7:4d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                50:88:10:B9:46:9D:61:37:B9:24:2E:A0:33:6A:15:34:23:38:1B:1E
            X509v3 Authority Key Identifier:
                keyid:8E:98:97:7B:2E:DC:62:92:44:14:55:74:EF:31:E5:BC:60:3F:57:70
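The certificate dump above, read the way the earlier replies ask (Philip Guenther's on what TLS_CACERT has to contain, Dan White's on the untrusted signer, and the openssl check suggested just before it): an added example in Python, not code from this thread, from OpenLDAP or from GnuTLS. It parses the fields that decide trust out of `openssl x509 -text` output (Issuer, Subject, CA flag, Subject Key Identifier, Authority Key Identifier) and checks whether a candidate TLS_CACERT file could serve as the anchor for the server certificate. `SERVER_CERT_TEXT` is an abridged copy of the dump posted above; `CA_CERT_TEXT` is constructed here as a hypothetical issuing CA whose key identifier equals the server's AKI, because the thread never shows what /etc/ssl/certs/cacert.pem contains.

```python
"""Deciding what TLS_CACERT must contain from an `openssl x509 -text` dump.

Added example for this thread, not OpenLDAP or GnuTLS code. The checks
mirror the name and key-identifier matching a chain builder performs before
it tries the issuer's signature; failing them is what gnutls-cli reports as
'Peer's certificate issuer is unknown'.
"""
import re
from typing import Dict, Optional, Tuple

# Abridged copy of the server certificate dump posted in this thread.
SERVER_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=ldap1.example.com
        Subject: O=Example Com, CN=ldap1.example.com
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                50:88:10:B9:46:9D:61:37:B9:24:2E:A0:33:6A:15:34:23:38:1B:1E
            X509v3 Authority Key Identifier:
                keyid:8E:98:97:7B:2E:DC:62:92:44:14:55:74:EF:31:E5:BC:60:3F:57:70
"""

# Hypothetical CA certificate (constructed, not from the thread): the name in
# the server's Issuer field, CA:TRUE, and an SKI equal to the server's AKI.
CA_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=ldap1.example.com
        Subject: CN=ldap1.example.com
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                8E:98:97:7B:2E:DC:62:92:44:14:55:74:EF:31:E5:BC:60:3F:57:70
            X509v3 Authority Key Identifier:
                keyid:8E:98:97:7B:2E:DC:62:92:44:14:55:74:EF:31:E5:BC:60:3F:57:70
"""

_KEYID = r"((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})"


def _grab(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip() if m else None


def parse_x509_text(text: str) -> Dict[str, Optional[str]]:
    """Pull the fields that matter for chain building out of the text dump."""
    ski = _grab(r"Subject Key Identifier:\s*" + _KEYID, text)
    aki = _grab(r"Authority Key Identifier:\s*(?:keyid:)?" + _KEYID, text)
    return {
        "issuer": _grab(r"^\s*Issuer:\s*(.+)$", text),
        "subject": _grab(r"^\s*Subject:\s*(.+)$", text),
        "ca": _grab(r"CA:(TRUE|FALSE)", text),
        "ski": ski.upper() if ski else None,
        "aki": aki.upper() if aki else None,
    }


def is_self_signed(cert: Dict[str, Optional[str]]) -> bool:
    """Issuer name equals subject name and, when both key identifiers are
    present, the AKI points back at the certificate's own SKI."""
    if cert["issuer"] != cert["subject"]:
        return False
    return cert["aki"] is None or cert["aki"] == cert["ski"]


def can_anchor(server: Dict[str, Optional[str]],
               candidate: Dict[str, Optional[str]]) -> Tuple[bool, str]:
    """Would putting `candidate` in TLS_CACERT let a client verify `server`?"""
    if is_self_signed(server):
        if candidate["ski"] == server["ski"]:
            return True, "server cert is self-signed: TLS_CACERT holds that cert itself"
        return False, "server cert is self-signed: only the cert itself can be its anchor"
    if candidate["subject"] != server["issuer"]:
        return False, (f"candidate subject {candidate['subject']!r} is not the "
                       f"server's issuer {server['issuer']!r}")
    if server["aki"] and candidate["ski"] != server["aki"]:
        return False, (f"candidate SKI {candidate['ski']} != server AKI "
                       f"{server['aki']}: same name, different key")
    if candidate["ca"] != "TRUE":
        return False, "candidate is not marked CA:TRUE"
    return True, "candidate is the issuing CA: point TLS_CACERT at this file"


def diagnose(server_text: str, candidates: Dict[str, str]) -> Dict[str, Tuple[bool, str]]:
    """Check each candidate TLS_CACERT file (path -> text dump) against the server cert."""
    server = parse_x509_text(server_text)
    return {path: can_anchor(server, parse_x509_text(text))
            for path, text in candidates.items()}


if __name__ == "__main__":
    results = diagnose(SERVER_CERT_TEXT, {
        "/etc/ssl/certs/ldap1_slapd_cert.pem": SERVER_CERT_TEXT,  # server cert itself
        "/etc/ssl/certs/cacert.pem (constructed)": CA_CERT_TEXT,  # a matching CA
    })
    for path, (ok, why) in results.items():
        print(f"[{'ok' if ok else 'no'}] TLS_CACERT {path}\n     {why}")
```

What the posted dump itself says: its Issuer is `CN=ldap1.example.com` while its Subject is `O=Example Com, CN=ldap1.example.com`, it is marked `CA:FALSE`, and its Authority Key Identifier (8E:98:...:70) is not its own Subject Key Identifier (50:88:...:1E). So the server certificate was signed by a separate CA key, which is why `TLS_CACERT /etc/ssl/certs/ldap1_slapd_cert.pem` cannot work: the file named by TLS_CACERT has to be the CA certificate whose SKI is 8E:98:...:70. The same comparison, run against the real cacert.pem with `openssl x509 -in /etc/ssl/certs/cacert.pem -noout -text`, tells you whether that file is the CA that actually issued the server certificate or a different one carrying the same name.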
openldap-technical@openldap.org