[Fedora-directory-users] problem with cert for ssl on RHAS5
Craig White
craigwhite at azapple.com
Wed Dec 5 02:12:16 UTC 2007
On Wed, 2007-12-05 at 15:04 +1300, Steven Jones wrote:
> Hi,
>
> I am trying to do a ldapsearch with ssl enabled....and I get this error,
>
> 8><----------
> [root at hack openldap]# ldapsearch -x -ZZ '(uid=jonesst1)'
> ldap_start_tls: Connect error (-11)
> additional info: TLS: hostname does not match CN in peer
> certificate
>
> /etc/openldap/ldap.conf looks like this,
>
> #=========
> #ssl setup
> # http://www.padl.com
> base dc=vuw,dc=ac,dc=nz
> pam_password md5
> BASE dc=vuw,dc=ac,dc=nz
> TLS_REQCERT allow
> #TLS_REQCERT never
> host ldap.vuw.ac.nz
> ssl start_tls
> uri ldap://ldap.vuw.ac.nz/
> tls_cacertdir /etc/openldap/cacerts
>
> So my understanding was I had the cn= wrong, "cn=vuw.ac.nz" but I have
> corrected this "cn=vuwunicvfdsm001.vuw.ac.nz" and I am still getting the
> error....
>
> I used this command,
>
> 7. Generate the server certificate:
> ../shared/bin/certutil -S -n "Server-Cert" -s \
> "cn=vuwunicvfdsm001.vuw.ac.nz" -c "CA certificate" -t "u,u,u" -m 1001 -v
> \
> 120 -d . -z noise.txt -f pwdfile.txt
>
> So what did I do wrong?
----
probably should only use uri and not host in /etc/openldap/ldap.conf and
it's clear that
ldap.vuw.ac.nz != cn=vuwunicvfdsm001.vuw.ac.nz (certificate)
Craig
More information about the Fedora-directory-users
mailing list