[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Ubuntu Server 12.04: StartTLS

On 11/05/12 21:02 +0100, Admus wrote:
On 11/05/2012 04:05 PM, Dan White wrote:
On 11/05/12 08:29 +0100, Admus wrote:
On 11/04/2012 11:59 PM, Dan White wrote:
On 11/04/12 23:13 +0100, admus wrote:
I'm following https://help.ubuntu.com/12.04/serverguide/openldap-server.html#openldap-tls-replication how to:
LDAP serwer starts correctly but when I tries to test StartTLS:
ldapsearch -x -H ldap:/// -ZZ -d -1
I gets the following error:
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_start_tls: Connect error (-11)
  additional info: (unknown error code)
Any idea?

Your hostname will need to match the certificate you have installed.
'-H ldap:///' will, instead, need to include the hostname matching your

For project documentation, see chapter 16 of the OpenLDAP
Administrator's Guide, slapd-config(5), ldap.conf(5), and

ldapsearch -x -H ldap://ldap1.example.com -ZZ -d -1

Does not help, same error. CN in my certificate is ldap1.example.com.

Assuming that your OpenLDAP was compiled against GnuTLS, use the GnuTLS
tools to trouble shoot your certificate.

A google search for "peer cert untrusted or revoked (0x42)" finds users who
also received that error.

The output of `gnutls-cli --print-cert -p 636 ldap1.example.com` is:

- The hostname in the certificate matches 'ldap1.example.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-CBC
- Compression: NULL
- Handshake was completed

According to gnutls-cli, your certificate is not trusted, and it's signer
it not trusted.

If you have created your own CA, or have self-signed your certificate, then
you will need to properly configure your ldap.conf containing a TLS_CACERT
directive, for ldapsearch to succeed.

Consult gnutls-cli's manpage for how to do the same for it.

Dan White