Re: Ubuntu Server 12.04: StartTLS

[Admus <admus@op.pl>]

On 11/05/2012 07:41 PM, Khosrow Ebrahimpour wrote:
> Hi,
>
> On November 4, 2012 11:13:27 PM admus wrote:
> > Hello,
> > I'm following
> > https://help.ubuntu.com/12.04/serverguide/openldap-server.html#openldap-tls
> > -replication how to: LDAP serwer starts correctly but when I tries to test
> > StartTLS:
> > ldapsearch -x -H ldap:/// -ZZ -d -1
> > I gets the following error:
> > TLS: peer cert untrusted or revoked (0x42)
> > TLS: can't connect: (unknown error code).
> > ldap_err2string
> > ldap_start_tls: Connect error (-11)
> >      additional info: (unknown error code)
> > Any idea?
> Have you verified your certificate? What is the output of :
>
> openssl s_client -connect ldap1.example.com:636 -showcerts
>
> or  on the server itself you can dump the cert info
>
> cat ldap-cert.pem | openssl x509 -text

The certificate info is as follow:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1352064827 (0x5096df3b)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=ldap1.example.com
        Validity
            Not Before: Nov  4 21:33:47 2012 GMT
            Not After : Nov  2 21:33:47 2022 GMT
        Subject: O=Example Com, CN=ldap1.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2432 bit)
                Modulus:
                    00:e7:06:b9:1d:19:c7:67:de:93:8e:db:e8:a3:1f:
                    e2:c7:39:62:20:bb:7d:5b:d3:5a:78:5c:7c:89:5d:
                    27:00:a8:71:03:73:b0:9a:a9:fe:31:a7:22:f0:ac:
                    d5:9f:f4:3b:a4:9a:08:95:ba:f7:cf:7d:6e:a6:86:
                    2d:39:7e:c1:06:aa:27:07:43:78:77:6e:b0:20:a2:
                    6f:80:4a:cf:39:8b:e3:91:92:c3:9c:ca:84:2a:45:
                    4f:35:48:87:bd:02:8d:48:04:e0:9b:7a:9d:a8:bd:
                    7b:f8:e3:6d:64:88:25:ab:2f:66:d6:4a:0e:5c:3b:
                    47:a9:21:27:5d:0c:f6:47:ac:d1:e0:55:0b:41:27:
                    a9:9b:b2:97:4e:07:5c:ef:5f:ad:0a:9a:ad:f5:ed:
                    f0:0f:16:56:2e:54:8e:e9:64:65:47:67:26:69:65:
                    31:9d:18:74:b7:67:af:72:1c:9a:bb:ad:89:3a:d0:
                    bb:15:13:88:13:59:e0:cb:61:05:9a:da:a7:d7:88:
                    15:6b:f2:78:52:be:da:a5:79:a7:bd:cc:94:70:17:
                    47:58:f3:48:2c:0f:47:7f:bb:ed:05:9c:32:26:1c:
                    79:f2:4f:b8:2e:82:e4:5c:7f:13:31:92:4a:7e:67:
                    76:7a:8c:5a:bb:2d:13:31:34:05:2e:19:88:70:dc:
                    34:db:14:38:18:71:fb:8f:c1:2a:9d:56:75:80:54:
                    ff:34:e6:b3:ad:9c:96:de:f9:c7:39:df:f1:83:63:
                    a6:af:47:8b:a8:d2:6e:92:30:e9:94:14:27:9c:18:
                    0a:08:6d:c7:4d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
50:88:10:B9:46:9D:61:37:B9:24:2E:A0:33:6A:15:34:23:38:1B:1E
            X509v3 Authority Key Identifier:
keyid:8E:98:97:7B:2E:DC:62:92:44:14:55:74:EF:31:E5:BC:60:3F:57:70