[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldap client can't contact server with SubjectAltName used



OK, thanks. I'll try that. Unfortunately, I don't have control of the CA. Our corporate division manages that, and yes it is Entrust. I will ask them to regenerate the cert.

Niels Frimodt Sørensen wrote:
Hi,

It seems to me that you are using an Entrust PKI to generate the certificate? If this is the case ensure that you set the subjectAltName in SMA with "" surrounding it - if not SMA prepends the e-mail qualifier...


Venlig hilsen/Kind regards

Niels Frimodt Sørensen

Signaturgruppen A/S
www.signaturgruppen.dk
+45 40207496



Howard Chu skrev:
Seed, Steven wrote:
Sending again, because I'm not sure if the first message got through since I had not acknowledged my membership...

Steven Seed wrote:
I have an ldap server set up with a SSL certificate such that the CN=hostname.fqdn. In the same certificate I have created a SubjectAltName with several DNS aliases. With everything configured properly in my ldap.conf file, I can make TLS connections to my ldap server as long as I use the hostname that matches the CN, but if I change my connection to use one of the aliases in the SubjectAltName I get:

ldap_start_tls: Can't contact LDAP server (-1)
additional info: TLS: hostname does not match CN in peer certificate

An openssl dump of the certificate yields the following in the SubjectAltName section:

Certificate:
Data:
CN=Proton.fas.fa.disney.com
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
email:dns:faldap,dns:fatestldap,dns:faldap.fas.fa.disney.com,dns:fatestldap.fas.fa.disney.com


X509v3 CRL Distribution Points:
DirName:/DC=com/DC=disney/OU=PKI/CN=The Walt Disney Company Enterprise CA/CN=CRL27
URI:http://cdp.disney.pvt/CRL/EnterpriseCRL.crl
URI:http://cdp.disney.com/CRL/EnterpriseCRL.crl


Can anyone help me figure out what is going wrong? This is the same with both version 2.2.13 and 2.3.32 of openldap. Does the SubjectAltName format look correct?

Your subjectAltName appears to have encoded an email extension with the string "dns:....." as its value, instead of an actual dns extension. So basically, your subjectAltName is wrong.




--
Steven L. Seed
Sr. Systems Administrator
Walt Disney Feature Animation
Steven.Seed@disney.com
=================================================================
()
__/\__
|\ .-"` `"-. /| I HAVE BEEN CHOSEN...
| \.'( ') (' ) (. )`./ | FAREWELL MY FRIENDS...
\_ _/ I GO ONTO A BETTER PLACE!
\ `~"'=::='"~` /
`-.__ __.-' ( `""~~""` )
[_____[##]_____] =================================================================