On 11/05/12 21:02 +0100, Admus wrote:
> On 11/05/2012 04:05 PM, Dan White wrote:
>> On 11/05/12 08:29 +0100, Admus wrote:
>>> On 11/04/2012 11:59 PM, Dan White wrote:
>>>> On 11/04/12 23:13 +0100, admus wrote:
>>>>> Hello,
>>>>> I'm following https://help.ubuntu.com/12.04/serverguide/openldap-server.html#openldap-tls-replication how to:
>>>>> The LDAP server starts correctly, but when I try to test StartTLS:
>>>>> ldapsearch -x -H ldap:/// -ZZ -d -1
>>>>> I get the following error:
>>>>> TLS: peer cert untrusted or revoked (0x42)
>>>>> TLS: can't connect: (unknown error code).
>>>>> ldap_err2string
>>>>> ldap_start_tls: Connect error (-11)
>>>>> additional info: (unknown error code)
>>>>> Any idea?
>>>>
>>>> Your hostname will need to match the certificate you have installed. '-H ldap:///' will, instead, need to include the hostname matching your certificate. For project documentation, see chapter 16 of the OpenLDAP Administrator's Guide, slapd-config(5), ldap.conf(5), and ldapsearch(1).
>>>
>>> ldapsearch -x -H ldap://ldap1.example.com -ZZ -d -1
>>> Does not help, same error. CN in my certificate is ldap1.example.com.
>>
>> Assuming that your OpenLDAP was compiled against GnuTLS, use the GnuTLS tools to troubleshoot your certificate.
>> A google search for "peer cert untrusted or revoked (0x42)" finds users who also received that error.
>
> The output of `gnutls-cli --print-cert -p 636 ldap1.example.com` is:
> - The hostname in the certificate matches 'ldap1.example.com'.
> - Peer's certificate issuer is unknown
> - Peer's certificate is NOT trusted
> - Version: TLS1.2
> - Key Exchange: RSA
> - Cipher: AES-128-CBC
> - MAC: SHA1
> - Compression: NULL
> - Handshake was completed
According to gnutls-cli, your certificate is not trusted, and its signer is not trusted. If you have created your own CA, or have self-signed your certificate, then you will need to properly configure your ldap.conf containing a TLS_CACERT directive, for ldapsearch to succeed. Consult gnutls-cli's manpage for how to do the same for it. -- Dan White
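Added example (not from the thread, and not OpenLDAP's or Ubuntu's own code): a small POSIX shell script that writes the client-side ldap.conf Dan refers to, with TLS_CACERT pointing at the CA certificate that issued the server certificate, checks that the directive resolves to a readable PEM file, and then re-runs the gnutls-cli and ldapsearch tests with that CA supplied. The base DN dc=example,dc=com, the file paths and the use of LDAPCONF are assumptions for illustration; ldap1.example.com is the hostname from the thread. The CA file must hold the certificate of the CA you created (or the self-signed server certificate itself, if it has no separate issuer), not merely the server certificate, otherwise the "untrusted" verdict stays.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Configures the OpenLDAP
# client library to trust a private CA and re-runs the StartTLS checks.
set -eu

# Write a client ldap.conf. In practice this is /etc/ldap/ldap.conf (system-wide
# on Ubuntu) or ~/.ldaprc (per-user); $1 is the file to write, $2 the CA path.
# Base DN and URI are assumed values for the example.
write_ldap_conf() {
    conf="$1"; cacert="$2"
    cat > "$conf" <<EOF
# Assumed base DN and URI for the example
BASE    dc=example,dc=com
URI     ldap://ldap1.example.com
# The CA certificate (not the server certificate) that issued ldap1's cert.
TLS_CACERT  $cacert
# Refuse to proceed if the server cert cannot be verified against TLS_CACERT.
TLS_REQCERT demand
EOF
}

# Sanity check a ldap.conf: TLS_CACERT must be present, readable by this user,
# and contain at least one PEM certificate. Prints the path on success and
# returns 0; returns 1 with a message on stderr otherwise.
check_tls_cacert() {
    conf="$1"
    cacert=$(awk '$1 == "TLS_CACERT" { print $2; exit }' "$conf")
    [ -n "$cacert" ] || { echo "no TLS_CACERT directive in $conf" >&2; return 1; }
    [ -r "$cacert" ] || { echo "TLS_CACERT $cacert is not readable" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cacert" || {
        echo "$cacert contains no PEM certificate" >&2; return 1; }
    echo "$cacert"
}

# Re-run the two checks from the thread with the CA supplied. Needs gnutls-cli
# and ldapsearch installed and a reachable ldap1.example.com; not run by the
# test below.
verify_against_ca() {
    conf="$1"; cacert="$2"
    # gnutls-cli does not read ldap.conf, so it must be told the CA explicitly.
    gnutls-cli --x509cafile "$cacert" --print-cert -p 636 ldap1.example.com </dev/null
    # LDAPCONF points libldap at our file instead of /etc/ldap/ldap.conf.
    LDAPCONF="$conf" ldapsearch -x -H ldap://ldap1.example.com -ZZ -b '' -s base
}
```

Once both gnutls-cli (with --x509cafile) and ldapsearch (with TLS_CACERT) report the peer certificate as trusted, the "peer cert untrusted or revoked (0x42)" failure should no longer appear, provided the server really is presenting a certificate issued by that CA. If gnutls-cli still says "issuer is unknown" with the CA supplied, the server's olcTLSCertificateFile was signed by some other key and the problem is on the server side, not in ldap.conf.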