
Thread: TLS : hostname does not match CN in peer certificate

  1. #1

    Question TLS : hostname does not match CN in peer certificate

    Hello,
    I'm trying to use LDAP with TLS but always get a Connect error.
    The error message is TLS: hostname does not match CN in peer certificate
    So I've tried to generate a new certificate with my hostname as the CN, but my LDAP still doesn't want to work with TLS.

    I use openSUSE 11.3.
    I used YaST2 for creating my CA and certificates.

  2. #2
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    3,098

    Default Re: TLS : hostname does not match CN in peer certificate

    Quote Originally Posted by Jazzyjazz
    Hello,
    I'm trying to use LDAP with TLS but always get a Connect error.
    The error message is TLS: hostname does not match CN in peer certificate
    So I've tried to generate a new certificate with my hostname as the CN, but my LDAP still doesn't want to work with TLS.

    I use openSUSE 11.3.
    I used YaST2 for creating my CA and certificates.
    Probably the most obvious question is whether your CN includes your LDAP Domain.

  3. #3

    Default Re: TLS : hostname does not match CN in peer certificate

    Finally, the problem was that the name I filled in as the Common Name wasn't an FQDN.
    But when I created a new server certificate with the name (hostname.domainname), the error message didn't change.

    Now, however, I get a new error message.

    Before I go ahead: has anyone successfully implemented LDAP over SSL/TLS using just YaST? I use openSUSE 10.3

  4. #4
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    3,098

    Default Re: TLS : hostname does not match CN in peer certificate

    Quote Originally Posted by Jazzyjazz
    Finally, the problem was that the name I filled in as the Common Name wasn't an FQDN.
    But when I created a new server certificate with the name (hostname.domainname), the error message didn't change.

    Now, however, I get a new error message.

    Before I go ahead: has anyone successfully implemented LDAP over SSL/TLS using just YaST? I use openSUSE 10.3
    If you're getting a different error message now, you should post that error.

    Tony

  5. #5
    Join Date
    Sep 2009
    Location
    UK
    Posts
    235

    Default Re: TLS : hostname does not match CN in peer certificate

    Did you fix this? If so, how?

    I get the same if my LDAP server is on openSUSE,
    but not if it's on SUSE ES.

    regards

    M

  6. #6

    Default Re: TLS : hostname does not match CN in peer certificate

    All that is required is to configure the client with the FQDN rather than the IP address, assuming you issued the server certificate to the FQDN of the LDAP server.

  7. #7
    Join Date
    Sep 2009
    Location
    UK
    Posts
    235

    Default Re: TLS : hostname does not match CN in peer certificate

    Yes, thank you, that does fix it.

    The interesting question now is why it works
    with the IP address if you use Novell SUSE and not
    on openSUSE.

    Ta

    M

  8. #8
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    3,098

    Default Re: TLS : hostname does not match CN in peer certificate

    Although I haven't looked at what might be happening on SLES:
    - There might be a redirect/rewrite option
    - Security might be set at a lower level. SSL/TLS is sometimes used only for encryption without authentication; in that case the CN is irrelevant

    Most likely the second is what is happening.

    HTH,
    Tony

  9. #9

    Default Re: TLS : hostname does not match CN in peer certificate

    I'm still having an issue after resolving the above (FQDN), so could someone verify my steps:

    -> I generate a certificate with the CN server.example.com (hostname is set to server, domain is set to example.com in the network settings)
    -> export it as the common server certificate (no warning about a wrong hostname or so on)
    -> start the LDAP configuration using the common server cert
    -> set my base DN to: dc=server,dc=example,dc=com
    -> complete the LDAP server setup
    -> start the LDAP client and select [Fetch DN]; it throws a connection error: 14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certitifcate verify failed (self signed certificate in certificate chain)

    So how do I use a self-signed certificate!?

    tia,

    emo

  10. #10
    Join Date
    Sep 2009
    Location
    UK
    Posts
    235

    Default Re: TLS : hostname does not match CN in peer certificate

    The way I did it ... which might be entirely wrong ... is:
    Create a Certificate Request
    Sign it with the CA certificate
    Once it's created, export it as the Common Server Certificate
    Set up LDAP to use the common server certificate
    Start a terminal and enter 'openssl s_client -connect <insert address here>:636 -showcerts'
    You get a screen full of stuff; Ctrl-C to get a prompt back
    Copy and paste the two certificates that are in the output (getting rid of all non-cert bits) into a file as something.pem
    You can then either just put the file in the /etc/openldap/cacerts directory and use the advanced bit of 'YaST/LDAP client' to tell it what and where the file is, or alternatively
    you can dump the file on a web server and use the 'Download Certificate' button

    ...er .. I think that's it :-)

    Two things I discovered: 1) if you used the IP address when you set this up originally, I have never found a way to change it to the FQDN; it seems to ignore anything you do in YaST, and 2) SUSE (as in the Novell rather than open) sets up an alternative name in the certificate which is the IP address, so either IP or FQDN works

    Have fun
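An added example (not code from any poster in this thread) covering two points raised in posts #6, #9 and #10: first, pulling the certificate blocks out of `openssl s_client -showcerts` output so they can be saved as a .pem file for the client's CA directory ("getting rid of all non cert bits"), and second, the client-side name check behind "hostname does not match CN in peer certificate", which explains why dialling the IP address fails unless the certificate carries an IP subjectAltName. The s_client output and the certificate names are constructed samples; the PEM bodies are placeholders, not real certificates.

```python
"""Helpers for the two checks discussed in this thread (added example)."""
import ipaddress
import re

# A PEM certificate block, including its BEGIN/END armour lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)

# Constructed sample of what `openssl s_client -showcerts` prints for a
# server whose certificate was signed by a private (self-signed) CA.
# The base64 bodies are placeholders, not real certificates.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=1 CN = Example CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=server.example.com
   i:/CN=Example CA
-----BEGIN CERTIFICATE-----
MIIBserverCertPlaceholder
-----END CERTIFICATE-----
 1 s:/CN=Example CA
   i:/CN=Example CA
-----BEGIN CERTIFICATE-----
MIIBcaCertPlaceholder
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=server.example.com
issuer=/CN=Example CA
"""


def extract_pem_certs(text):
    """Return every PEM certificate block found in s_client output, in order."""
    return PEM_BLOCK.findall(text)


def pem_bundle(text):
    """Join the extracted blocks into the content of a something.pem file."""
    return "\n".join(extract_pem_certs(text)) + "\n"


def _dns_match(pattern, host):
    """Match one certificate DNS name against the dialled host.

    A leading '*.' matches exactly one label (foo.example.com, not
    a.b.example.com); otherwise the names must be identical.
    """
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # ".example.com"
    if not host.endswith(suffix):
        return False
    first_label = host[: -len(suffix)]
    return first_label != "" and "." not in first_label


def peer_name_matches(dialled, cn, san_dns=(), san_ip=()):
    """Decide whether the name the client connected to is covered by the cert.

    Simplified from RFC 6125 / RFC 5280 as modern clients apply it:
      - an IP literal matches only an iPAddress subjectAltName, never the CN
        and never a dNSName (this is the openSUSE-vs-SLES difference in the
        thread: SLES added an IP SAN, so connecting by IP also passed);
      - a DNS name matches any dNSName SAN; the CN is consulted only when
        the certificate has no dNSName SAN at all.
    """
    try:
        ip = ipaddress.ip_address(dialled)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(s) == ip for s in san_ip)
    host = dialled.lower().rstrip(".")
    candidates = [n.lower() for n in san_dns] or [cn.lower()]
    return any(_dns_match(c, host) for c in candidates)


if __name__ == "__main__":
    print(pem_bundle(SAMPLE_S_CLIENT_OUTPUT))
    print(peer_name_matches("server.example.com", "server.example.com"))
    print(peer_name_matches("192.0.2.10", "server.example.com"))
    print(peer_name_matches("192.0.2.10", "server.example.com", san_ip=["192.0.2.10"]))
```

The first two functions reproduce the copy-and-paste step from post #10 without the manual editing; the bundle written by `pem_bundle` is what would go into /etc/openldap/cacerts (or be pointed to by the OpenLDAP client's `TLS_CACERT`/`TLS_CACERTDIR` settings in ldap.conf). `peer_name_matches` is the check that post #8's "encryption without authentication" mode skips: OpenLDAP's `TLS_REQCERT never` or `allow` accepts any certificate, so the CN no longer matters, but the client then has no way to tell the real server from anything else that answers on port 636.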
