Re: Ubuntu Server 12.04: StartTLS
On 11/05/12 21:02 +0100, Admus wrote:
On 11/05/2012 04:05 PM, Dan White wrote:
On 11/05/12 08:29 +0100, Admus wrote:
On 11/04/2012 11:59 PM, Dan White wrote:
On 11/04/12 23:13 +0100, admus wrote:
I'm following https://help.ubuntu.com/12.04/serverguide/openldap-server.html#openldap-tls-replication
LDAP server starts correctly but when I try to test StartTLS:
ldapsearch -x -H ldap:/// -ZZ -d -1
I get the following error:
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)
Your hostname will need to match the certificate you have installed.
'-H ldap:///' will, instead, need to include the hostname matching your
For project documentation, see chapter 16 of the OpenLDAP
Administrator's Guide, slapd-config(5), ldap.conf(5), and
ldapsearch -x -H ldap://ldap1.example.com -ZZ -d -1
Does not help, same error. CN in my certificate is ldap1.example.com.
Assuming that your OpenLDAP was compiled against GnuTLS, use the GnuTLS
tools to troubleshoot your certificate.
A google search for "peer cert untrusted or revoked (0x42)" finds
also received that error.
The output of `gnutls-cli --print-cert -p 636 ldap1.example.com` is:
- The hostname in the certificate matches 'ldap1.example.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
According to gnutls-cli, your certificate is not trusted, and its signer
is not trusted.
If you have created your own CA, or have self-signed your certificate, then
you will need to properly configure your ldap.conf containing a TLS_CACERT
directive, for ldapsearch to succeed.
Consult gnutls-cli's manpage for how to do the same for it.
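As an added worked example (not code from this thread or from OpenLDAP/GnuTLS), the helper below decodes the 0x42 status that ldapsearch printed into GnuTLS's gnutls_certificate_status_t flag bits and reduces the gnutls-cli output quoted above to the three facts Dan checks: hostname match, known issuer, overall trust. The flag values are GnuTLS's own; the "does NOT match" and "is trusted" lines are assumed gnutls-cli phrasings for the negative and positive cases, and the sample output is constructed from the thread.

```python
import re

# GnuTLS gnutls_certificate_status_t bit flags (values as defined in gnutls.h).
GNUTLS_CERT_FLAGS = {
    0x002: "GNUTLS_CERT_INVALID (chain could not be verified)",
    0x020: "GNUTLS_CERT_REVOKED",
    0x040: "GNUTLS_CERT_SIGNER_NOT_FOUND (issuer not in TLS_CACERT)",
    0x080: "GNUTLS_CERT_SIGNER_NOT_CA",
    0x100: "GNUTLS_CERT_INSECURE_ALGORITHM",
    0x200: "GNUTLS_CERT_NOT_ACTIVATED",
    0x400: "GNUTLS_CERT_EXPIRED",
}

# Constructed sample: the gnutls-cli --print-cert output quoted in the thread.
GNUTLS_CLI_OUTPUT = """\
- The hostname in the certificate matches 'ldap1.example.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Handshake was completed
"""

def decode_ldap_tls_error(line):
    """Expand the hex status from an 'ldapsearch -d -1' TLS line into flag names."""
    m = re.search(r"peer cert untrusted or revoked \((0x[0-9a-fA-F]+)\)", line)
    if not m:
        return []
    status = int(m.group(1), 16)
    return [name for bit, name in sorted(GNUTLS_CERT_FLAGS.items()) if status & bit]

def diagnose_gnutls_cli(output):
    """Reduce gnutls-cli output to hostname match, issuer known, overall trust."""
    facts = {"hostname_ok": False, "issuer_known": True, "trusted": False}
    for raw in output.splitlines():
        line = raw.strip().lstrip("- ")
        if line.startswith("The hostname in the certificate matches"):
            facts["hostname_ok"] = True
        elif line.startswith("The hostname in the certificate does NOT match"):
            facts["hostname_ok"] = False
        elif line == "Peer's certificate issuer is unknown":
            facts["issuer_known"] = False
        elif line == "Peer's certificate is trusted":
            facts["trusted"] = True
    return facts

def recommend(facts):
    """Map the facts onto the fix the thread describes, in order of precedence."""
    if not facts["hostname_ok"]:
        return "use -H ldap://<name matching the certificate CN/SAN>"
    if not facts["issuer_known"]:
        return "add the CA certificate with TLS_CACERT in ldap.conf"
    if not facts["trusted"]:
        return "chain rejected for another reason; check expiry and revocation"
    return "certificate is trusted; StartTLS should succeed"
```

Run against the thread's output it reports SIGNER_NOT_FOUND plus INVALID, and recommends the TLS_CACERT fix.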