On 11/05/2012 04:05 PM, Dan White wrote:
>On 11/05/12 08:29 +0100, Admus wrote:
>>On 11/04/2012 11:59 PM, Dan White wrote:
>>>On 11/04/12 23:13 +0100, admus wrote:
>>>>LDAP serwer starts correctly but when I tries to test StartTLS:
>>>>ldapsearch -x -H ldap:/// -ZZ -d -1
>>>>I gets the following error:
>>>>TLS: peer cert untrusted or revoked (0x42)
>>>>TLS: can't connect: (unknown error code).
>>>>ldap_start_tls: Connect error (-11)
>>>> additional info: (unknown error code)
>>>Your hostname will need to match the certificate you have installed.
>>>'-H ldap:///' will, instead, need to include the hostname matching
>>>For project documentation, see chapter 16 of the OpenLDAP
>>>Administrator's Guide, slapd-config(5), ldap.conf(5), and
>>ldapsearch -x -H ldap://ldap1.example.com
-ZZ -d -1
>>Does not help, same error. CN in my certificate is ldap1.example.com
>Assuming that your OpenLDAP was compiled against GnuTLS, use the GnuTLS
>tools to trouble shoot your certificate.
>A google search for "peer cert untrusted or revoked (0x42)" finds
>also received that error.
The output of `gnutls-cli --print-cert -p 636 ldap1.example.com` is:
- The hostname in the certificate matches 'ldap1.example.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
According to gnutls-cli, your certificate is not trusted, and it's signer
it not trusted.
If you have created your own CA, or have self-signed your certificate, then
you will need to properly configure your ldap.conf containing a TLS_CACERT
directive, for ldapsearch to succeed.
Consult gnutls-cli's manpage for how to do the same for it.