RE: ldap_start_tls: Can't contact LDAP server
The RFC wasn't explicit on whether wildcards are allowed in the commonName
or not. The library only allows wildcards in a subjectAltName; the
commonName is expected to be a fully qualified domain name.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
> -----Original Message-----
> From: Justin Wood [mailto:justin@flipdog.com]
> Sent: Monday, April 22, 2002 11:02 AM
> To: Howard Chu
> Cc: openldap-software@openldap.org
> Subject: Re: ldap_start_tls: Can't contact LDAP server
>
>
> It appears that it doesn't understand wildcard certs:
>
> TLS: hostname (fs1.p.flipdog.com) does not match common name in
> certificate (*.flipdog.com).
>
> -Justin.
>
> Howard Chu wrote:
> > Try running your slapd with debug set to -d 127 and then look at the TLS
> > trace messages.
> >
> > -- Howard Chu
> > Chief Architect, Symas Corp. Director, Highland Sun
> > http://www.symas.com http://highlandsun.com/hyc
> > Symas: Premier OpenSource Development and Support
> >
> >
> >>-----Original Message-----
> >>From: Justin Wood [mailto:justin@flipdog.com]
> >>Sent: Monday, April 22, 2002 10:03 AM
> >>To: Howard Chu
> >>Cc: openldap-software@OpenLDAP.org
> >>Subject: Re: ldap_start_tls: Can't contact LDAP server
> >>
> >>
> >>That's what I've got. I created a CA cert, then a server certificate
> >>for *.flipdog.com which is signed by the CA cert. That's all I have.
> >>
> >>-Justin.
> >>
> >>Howard Chu wrote:
> >>
> >>>>-----Original Message-----
> >>>>From: owner-openldap-software@OpenLDAP.org
> >>>>[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Justin Wood
> >>>
> >>>
> >>>>openssl s_client -connect ldapmaster.flipdog.com:636, and it seems to
> >>>>see the cert, but I get a response I'm not sure of. Along with
> >>>>reporting the certificate it found, I see the following.
> >>>>
> >>>>verify error:num=19:self signed certificate in certificate chain
> >>>>
> >>>>Can anyone shed some light on this for me?
> >>>
> >>>
> >>>I believe this means you have more than one self-signed certificate in your
> >>>certificate chain. This shouldn't happen; you should have one root-level
> >>>Certificate Authority that has a self-signed cert, and then all other
> >>>(lower) certificates in a chain should be signed by a superior CA.
> >>>
> >>> -- Howard Chu
> >>> Chief Architect, Symas Corp. Director, Highland Sun
> >>> http://www.symas.com http://highlandsun.com/hyc
> >>> Symas: Premier OpenSource Development and Support
> >>>
> >>
> >>
> >>
> >>--
> >>----------------------------------------------------------
> >>Justin Wood justin@flipdog.com
> >>Systems Administrator
> >>FlipDog.com
> >> http://www.flipdog.com/
> >>----------------------------------------------------------
> >
> >
>
>
>
> --
> ----------------------------------------------------------
> Justin Wood justin@flipdog.com
> Systems Administrator
> FlipDog.com
> http://www.flipdog.com/
> ----------------------------------------------------------
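The hostname check described in this thread (wildcards honoured only in a subjectAltName dNSName, the commonName treated as a literal fully qualified name) can be written out as a small matcher. The code below is an added illustration, not OpenLDAP's own libldap code; it assumes the single-leftmost-label wildcard rule of RFC 6125 (so "*.flipdog.com" covers "fs1.flipdog.com" but not "fs1.p.flipdog.com") and the certificate names are constructed from the messages above rather than read from a real certificate.

```python
"""Hostname verification against a certificate's CN and subjectAltName.

Added example: wildcards are accepted only in SAN dNSName entries, and only as
the whole leftmost label; the commonName must match the hostname exactly.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Names taken from a certificate (constructed here, not parsed from DER)."""
    common_name: str
    san_dns: list[str] = field(default_factory=list)


def _normalise(name: str) -> str:
    return name.lower().rstrip(".")


def _wildcard_matches(pattern: str, hostname: str) -> bool:
    """Match a pattern such as '*.flipdog.com' against a hostname.

    Assumption (RFC 6125 rule): the wildcard must be the entire leftmost label,
    covers exactly one label, and must not be a top-level pattern like '*.com'.
    """
    p_labels = _normalise(pattern).split(".")
    h_labels = _normalise(hostname).split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False                      # only a whole leftmost label may be '*'
    if len(p_labels) < 3:
        return False                      # refuse '*.com' style wildcards
    if len(p_labels) != len(h_labels):
        return False                      # '*' covers exactly one label
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, cert: CertNames) -> tuple[bool, str]:
    """Return (matched, reason) for a hostname against the certificate names."""
    host = _normalise(hostname)

    # 1. subjectAltName dNSName entries: exact match or single-label wildcard.
    for name in cert.san_dns:
        n = _normalise(name)
        if "*" in n:
            if _wildcard_matches(n, host):
                return True, f"wildcard SAN {name} matches {hostname}"
        elif n == host:
            return True, f"SAN {name} matches {hostname}"

    # 2. commonName: a literal FQDN only. A wildcard here is rejected outright,
    #    which is the failure Justin saw in his TLS trace.
    cn = _normalise(cert.common_name)
    if "*" in cn:
        return False, (f"hostname ({hostname}) does not match common name in "
                       f"certificate ({cert.common_name}); wildcards are only "
                       f"honoured in subjectAltName")
    if cn == host:
        return True, f"common name {cert.common_name} matches {hostname}"
    return False, (f"hostname ({hostname}) does not match common name in "
                   f"certificate ({cert.common_name})")


if __name__ == "__main__":
    # Constructed from the thread: a server cert issued for CN=*.flipdog.com.
    wildcard_cn_cert = CertNames(common_name="*.flipdog.com")
    print(hostname_matches("fs1.p.flipdog.com", wildcard_cn_cert))

    # The same wildcard placed in a SAN, with a literal CN, is accepted for a
    # single-label host but still not for fs1.p.flipdog.com.
    san_cert = CertNames(common_name="ldapmaster.flipdog.com",
                         san_dns=["*.flipdog.com"])
    print(hostname_matches("fs1.flipdog.com", san_cert))
    print(hostname_matches("fs1.p.flipdog.com", san_cert))
```

When a certificate carries dNSName SANs, current practice (RFC 6125) is to ignore the commonName entirely rather than fall back to it as this example does; the fallback is kept here only to mirror the CN-based message quoted in the thread.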