TLS : hostname does not match CN in peer certificate

Hello,
I’m trying to use LDAP with TLS but always get a Connect error.
The error message is TLS: hostname does not match CN in peer certificate
So I’ve tried to generate a new certificate with my hostname as CN, but my LDAP still doesn’t want to work with TLS.

I use openSUSE 11.3.
I used YaST2 for creating my CA and certificates.

Probably the most obvious question is whether your CN includes your LDAP Domain.

Finally, the problem is that the name I filled in as Common Name wasn’t a FQDN.
So when I created a new server certificate with the name (hostname.domainname), the error message didn’t change.

But now, I get a new error message.

Just before I go ahead, has anyone successfully implemented LDAP over SSL/TLS by using just YaST? I use openSUSE 10.3

If you’re getting a different error message now, you should post that error.

Tony

Did you fix this? If so, how?

I get the same if my LDAP server is on openSUSE
but not if it’s on SUSE ES

regards

M

All that is required is to configure the client with the FQDN rather than the IP… assuming you issued the server certificate to the FQDN of the LDAP server.

Yes, thank you, that does fix it.

The interesting question now is why does it work with the IP address if you use Novell SUSE and not in openSUSE?

Ta

M

Although I haven’t looked at what might be happening on SLES,

  • There might be a re-direct/re-write option
  • Security might be set at a lower level. SSL/TLS is sometimes used only for encryption without authentication; in that case the CN is irrelevant

Most likely the second is what is happening.

HTH,
Tony

I’m still having an issue after resolving the above (FQDN) … so could someone verify my steps:

-> I generate a certificate with the CN server.example.com (hostname is set to server, domain is set to example.com in the network settings)
-> export it as the common server certificate (no warning about a wrong hostname or so on)
-> start the LDAP configuration using the common server cert
-> set my base DN to: dc=server,dc=example,dc=com
-> complete the LDAP server setup
-> start the LDAP client and select [Fetch DN]; it throws a connection error: 14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)

So how do I use a self-signed certificate!?

tia,

emo

The way I did it … which might be entirely wrong … is:
Create a Certificate Request
Sign it with the CA certificate
Once it’s created, export it as the Common Server Certificate
Set up LDAP to use the common server certificate
Start a terminal and enter ‘openssl s_client -connect <insert address here>:636 -showcerts’
You get a screen full of stuff; Ctrl-C to get a prompt back
Copy and paste the two certificates that are in the output (getting rid of all non-cert bits) into a file as something.pem
You can then either just put the file in the /etc/openldap/cacerts directory and use the advanced bit of ‘YaST/LDAP client’ to tell it what and where the file is, or alternatively
you can dump the file on a web server and use the ‘Download Certificate’ button

…er … I think that’s it

Two things I discovered: 1) if you used the IP address when you set this up originally, I have never found a way to change it to the FQN; it seems to ignore anything you do in YaST, and 2) SUSE (as in the Novell rather than open) sets up an alternative name in the certificate which is the IP address, so either IP or FQN works

Have fun
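The copy-and-paste step in the recipe above (pull the certificates out of the `openssl s_client -showcerts` output and drop everything that is not a certificate) can be scripted. The following is an added Python example, not code from this thread or from openSUSE/YaST. The s_client output it works on is a constructed sample whose base64 bodies are placeholders rather than real certificates. It parses the chain entries, picks out the self-signed one (subject equals issuer) as the trust anchor the LDAP client needs, and writes it to a PEM file.

```python
import re
import tempfile

# Constructed sample of what `openssl s_client -connect host:636 -showcerts`
# prints (shape only; the base64 bodies are placeholders, not real certificates).
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=1 CN = Example CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=server.example.com
   i:/CN=Example CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderLEAFcertificateBody==
-----END CERTIFICATE-----
 1 s:/CN=Example CA
   i:/CN=Example CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderCAcertificateBody==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=server.example.com
issuer=/CN=Example CA
---
"""

# One chain entry: " N s:<subject>", "   i:<issuer>", then the PEM block.
CHAIN_ENTRY = re.compile(
    r"^[ \t]*(?P<index>\d+) s:(?P<subject>[^\n]*)\n"
    r"[ \t]*i:(?P<issuer>[^\n]*)\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----)",
    re.M | re.S,
)


def parse_chain(s_client_output):
    """Return the chain entries in the order s_client printed them."""
    return [
        {
            "index": int(m.group("index")),
            "subject": m.group("subject").strip(),
            "issuer": m.group("issuer").strip(),
            "pem": m.group("pem") + "\n",
        }
        for m in CHAIN_ENTRY.finditer(s_client_output)
    ]


def trust_anchors(entries):
    """Self-signed entries (subject == issuer): the CA the client should trust.
    Trusting the leaf certificate instead works only until it is re-issued."""
    return [e for e in entries if e["subject"] == e["issuer"]]


def write_pem_bundle(path, entries):
    """Write the PEM blocks to `path`, one after another (a PEM bundle)."""
    with open(path, "w") as fh:
        for e in entries:
            fh.write(e["pem"])
    return path


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_S_CLIENT_OUTPUT)
    for e in chain:
        print(f"{e['index']}: subject={e['subject']} issuer={e['issuer']}")
    out = tempfile.NamedTemporaryFile(suffix=".pem", delete=False).name
    print("wrote CA certificate(s) to", write_pem_bundle(out, trust_anchors(chain)))
```

In real use, feed `parse_chain` the captured output of `openssl s_client -connect host:636 -showcerts < /dev/null`. Two caveats: if ldap.conf points `TLS_CACERTDIR` at the cacerts directory rather than `TLS_CACERT` at the file, OpenSSL looks the file up by subject-name hash, so the directory needs the hash symlinks that `c_rehash` creates; and a CA certificate fetched from the server over an as-yet-unverified connection is only as trustworthy as the network path, so when the CA was created in YaST, exporting it from the CA host directly is the better source.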

thx & lol …

I did that downloading thing (entered file:///root/myvert.pem and it saved my file to /etc/openldap/cacert/…) and after this I’m back at “hostname does not match CN in peer certificate”

tia

Just a thought … see my ‘note 1’ in the previous post

I know this isn’t an answer to your problem, but I gave up on openSUSE as a server. We are a school, so we can get Novell SUSE really cheap; if you can find a way to get it, we have found that openSUSE clients and Novell SUSE servers work really well.

Hi everyone. Sorry to open this up again. openSUSE 11.4

I have tried all the combinations of the methods described above but still I get the error: hostname does not match CN in peer certificate.

My hostname is hh1.com. My DN is cn=admin,dc=com.

I have LDAP working fine without TLS.

My question is: what should the CN in the peer certificate be for me?

Thanks.

I did get it working eventually. I’ll rebuild the setup tomorrow at work and get back to you.

M

Sorry I didn’t get back to you yesterday. My employer keeps making me do boring stuff like work.

OK, I knocked together an openSUSE LDAP server/NFS/automount etc. more or less the same way as I do a Novell SUSE, with an openSUSE 12.1 client, and it all worked as advertised. The only thing that happened is I had your error once when I forgot to use the FQDN and used the IP address instead. I think the moral of the story is NEVER use anything other than the FQDN in anything for both server and client, and it seems to work just fine.

It doesn’t seem to matter what you call the Root CA as long as the server certificate common name is the same as the machine (you could look at one of my other posts, ‘hostname vs fqdn’; I always make them the same. You might get odd results if they are different). There is another post of mine called ‘Certificates’ to which a guy wrote a blog called Certificates for Dummies that is very interesting and informative.

I also noticed that if you ever use the IP address on the client end, it’s very difficult to get it to forget that and use the FQDN.

Anyway, maybe that will help (or maybe not, but at least I tried).

M
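What the client checks when it reports “hostname does not match CN in peer certificate” is the name-matching step of certificate verification, and the rules of that step explain both the advice above (always use the FQDN) and the earlier observation that the Novell SUSE setup also works with an IP address because its certificate carries the IP as an alternative name. The following is an added Python example, not code from this thread, from OpenLDAP or from OpenSSL. It reimplements the matching rules OpenSSL applies (SAN dNSName entries are authoritative when present, the CN is only a fallback when there is no dNSName, an IP literal is compared only with SAN iPAddress entries, and a wildcard is allowed only as the whole leftmost label) on certificates represented as the dictionaries `ssl.getpeercert()` returns. The certificates are constructed, and the example goes a little beyond the thread by covering wildcard names as well.

```python
import ipaddress

# Constructed certificates in the shape ssl.getpeercert() returns.
# A server certificate with only a Common Name (the situation in this thread):
CN_ONLY_CERT = {
    "subject": ((("commonName", "server.example.com"),),),
}
# The same, but with a subjectAltName carrying the FQDN and the IP address
# (what the thread reports the Novell SUSE tooling produces):
SAN_WITH_IP_CERT = {
    "subject": ((("commonName", "server.example.com"),),),
    "subjectAltName": (("DNS", "server.example.com"), ("IP Address", "192.0.2.10")),
}
# A wildcard certificate, included to show the leftmost-label rule:
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}


def _dns_name_matches(pattern, hostname):
    """RFC 6125 style: exact match (case-insensitive), or a wildcard that is the
    whole leftmost label, matches exactly one label and never the bare domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def verify_hostname(cert, hostname):
    """Return (matched, reason). `hostname` is the name the client connected to."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None

    if ip is not None:
        # An IP literal is compared only with SAN iPAddress entries; the CN is
        # never consulted for it, so a CN-only certificate always fails for an IP.
        for cand in ip_names:
            try:
                if ipaddress.ip_address(cand) == ip:
                    return True, f"{hostname} matches SAN iPAddress {cand}"
            except ValueError:
                continue
        return False, f"{hostname} not among SAN iPAddress entries {ip_names}"

    if dns_names:
        # dNSName entries are authoritative; the CN is ignored when they exist.
        for cand in dns_names:
            if _dns_name_matches(cand, hostname):
                return True, f"{hostname} matches SAN dNSName {cand}"
        return False, f"{hostname} not among SAN dNSName entries {dns_names}"

    # No dNSName at all: fall back to the Common Name (legacy behaviour).
    cns = _common_names(cert)
    for cand in cns:
        if _dns_name_matches(cand, hostname):
            return True, f"{hostname} matches CN {cand}"
    return False, f"hostname does not match CN in peer certificate (CN={cns})"


if __name__ == "__main__":
    for cert_name, cert in (("CN only", CN_ONLY_CERT), ("SAN+IP", SAN_WITH_IP_CERT)):
        for target in ("server.example.com", "server", "192.0.2.10"):
            ok, why = verify_hostname(cert, target)
            print(f"{cert_name:8} {target:20} {'OK  ' if ok else 'FAIL'} {why}")
```

Running it shows the three outcomes the thread went through: the CN-only certificate passes for `server.example.com`, fails for the short hostname `server` (the ‘hostname vs fqdn’ point), and fails for the IP address, while the certificate with the IP in its subjectAltName passes for both the FQDN and the IP. The earlier suggestion that SLES might be running TLS “only for encryption without authentication” corresponds to `TLS_REQCERT never` in ldap.conf, which skips this check entirely and with it the client's only protection against connecting to an impostor server.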