Results 1 to 5 of 5

Thread: OpenLDAP TLS Problem

  1. #1

    Angry OpenLDAP TLS Problem

    i keep on getting an error to the effect of:

    "TLS: hostname does not match the cn of:
    TLS : hostname does not match CN in peer certificate

    I have tried changing the hostname and domain name of my opensuse 13.1 box in the network settings. also in the network settings i have tried to set the hostname to an actual network device to no avail as well.

    i have tried to change the hostname in the ldap.conf files both in etc/openldap/ and /etc folders and that doesn't work.

    in the CA Manager i have tried to put in the host name from the network configuration into the CA Certificate, Server Certificate. also tried adding the same info into the Issuer alt name as well. not working. i thought Yast2 was meant to be easy to use. with Ca Manager i also tried to export the CA cert to a folder as a certificate pem file, same with the server cert. with the key, left unencrypted. still didn't work

    where do you find the hostname for your openldap server so it matches the cn in your certificate.

    i have no command line experience in opensuse, so i would have no idea of how to work anything out on the command line. i need help. very frustrated as i'm running out of ideas

    Any help would be greatly appreciated. however, please be very clear on your instructions a i get confused very easily

  2. #2

    Default Re: OpenLDAP TLS Problem

    Quote Originally Posted by jshand2013 View Post
    i keep on getting an error to the effect of:

    "TLS: hostname does not match the cn of:
    TLS : hostname does not match CN in peer certificate


    I have tried changing the hostname and domain name of my opensuse 13.1 box in the network settings. also in the network settings i have tried to set the hostname to an actual network device to no avail as well.

    i have tried to change the hostname in the ldap.conf files both in etc/openldap/ and /etc folders and that doesn't work.

    in the CA Manager i have tried to put in the host name from the network configuration into the CA Certificate, Server Certificate. also tried adding the same info into the Issuer alt name as well. not working. i thought Yast2 was meant to be easy to use. with Ca Manager i also tried to export the CA cert to a folder as a certificate pem file, same with the server cert. with the key, left unencrypted. still didn't work

    where do you find the hostname for your openldap server so it matches the cn in your certificate.

    i have no command line experience in opensuse, so i would have no idea of how to work anything out on the command line. i need help. very frustrated as i'm running out of ideas

    Any help would be greatly appreciated. however, please be very clear on your instructions a i get confused very easily
    i'm also trying use ldap client yast2 module to use my ca certificate to no avail when i select tls checkbox

  3. #3
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    13,295
    Blog Entries
    2

    Default Re: OpenLDAP TLS Problem

    On general principles,

    You need to re-generate or generate a certificate correctly with the proper attributes.
    If it was so easy that you could configure devices or machines to match the attributes on a certificate, I'd consider that a security flaw.

    Certificates generally provide two functions (as was recently illustrated recently to some degree with Hearbleed). Fundamentally, certificates are used to encrypt communications. But, although considered optional stronger systems will also use certificates to authenticate someone or something (apparently the machine in your case). For authentication to work, the system must rely on an Authenticator which stores keys and oftentimes how those keys were generated (if you don't use a separate CA) and then satisfies requests for authenticating.

    IMO,
    TSU

  4. #4

    Default Re: OpenLDAP TLS Problem

    Quote Originally Posted by tsu2 View Post
    On general principles,

    You need to re-generate or generate a certificate correctly with the proper attributes.
    If it was so easy that you could configure devices or machines to match the attributes on a certificate, I'd consider that a security flaw.

    Certificates generally provide two functions (as was recently illustrated recently to some degree with Hearbleed). Fundamentally, certificates are used to encrypt communications. But, although considered optional stronger systems will also use certificates to authenticate someone or something (apparently the machine in your case). For authentication to work, the system must rely on an Authenticator which stores keys and oftentimes how those keys were generated (if you don't use a separate CA) and then satisfies requests for authenticating.

    IMO,
    TSU
    Hey thanks for replying.

    please let me know that you mean by generating a certificate with the proper attributes...with these attributes you speak of, please let me know how to set them correctly. i have currently set up a static ip address for authentication and encryption of data. i have no idea what you put in the cn (common name) to match your current machine. my current setup is dc1.globalsoftware.com where dc1 is the hostname and globalsoftware.com is the domain....also when i check the HOSTNAME file it has the fully qualified domain name dc1.globalsoftware.com.

    thanks again

  5. #5
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    13,295
    Blog Entries
    2

    Default Re: OpenLDAP TLS Problem

    Quote Originally Posted by jshand2013 View Post
    Hey thanks for replying.

    please let me know that you mean by generating a certificate with the proper attributes...with these attributes you speak of, please let me know how to set them correctly. i have currently set up a static ip address for authentication and encryption of data. i have no idea what you put in the cn (common name) to match your current machine. my current setup is dc1.globalsoftware.com where dc1 is the hostname and globalsoftware.com is the domain....also when i check the HOSTNAME file it has the fully qualified domain name dc1.globalsoftware.com.

    thanks again
    The CN should be whatever name or ID clients use to access the server. Although normally it's the Fully Qualified Domain Name, in some instances it can be something else like an IP address or only the Hostname. The correlation of this of course is that you need to configure not only the CN appropriately, you also need to configure clients to use the same name (specified as the CN) or again there will be a mis-match.

    TSU

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •