On 11/05/2012 04:05 PM, Dan White wrote:
> On 11/05/12 08:29 +0100, Admus wrote:
>> On 11/04/2012 11:59 PM, Dan White wrote:
>>> On 11/04/12 23:13 +0100, admus wrote:
>>>> Hello,
>>>> I'm following this how-to: https://help.ubuntu.com/12.04/serverguide/openldap-server.html#openldap-tls-replication
>>>> The LDAP server starts correctly, but when I try to test StartTLS:
>>>>
>>>> ldapsearch -x -H ldap:/// -ZZ -d -1
>>>>
>>>> I get the following error:
>>>>
>>>> TLS: peer cert untrusted or revoked (0x42)
>>>> TLS: can't connect: (unknown error code).
>>>> ldap_err2string
>>>> ldap_start_tls: Connect error (-11)
>>>>     additional info: (unknown error code)
>>>>
>>>> Any idea?
>>>
>>> Your hostname will need to match the certificate you have installed.
>>> '-H ldap:///' will, instead, need to include the hostname matching your
>>> certificate.
>>>
>>> For project documentation, see chapter 16 of the OpenLDAP Administrator's
>>> Guide, slapd-config(5), ldap.conf(5), and ldapsearch(1).
>>
>> ldapsearch -x -H ldap://ldap1.example.com -ZZ -d -1
>>
>> Does not help, same error. CN in my certificate is ldap1.example.com.
>
> Assuming that your OpenLDAP was compiled against GnuTLS, use the GnuTLS
> tools to troubleshoot your certificate.
>
> A google search for "peer cert untrusted or revoked (0x42)" finds users who
> also received that error.
The output of `gnutls-cli --print-cert -p 636 ldap1.example.com` is:

- The hostname in the certificate matches 'ldap1.example.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
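The gnutls-cli lines above already separate the two failure modes Dan raised: the hostname check passed, and what failed is chain verification ("issuer is unknown"), which is what the ldap client reports as "peer cert untrusted or revoked (0x42)" when it has no CA to verify against. The script below is an added example, not code from this thread or from OpenLDAP/GnuTLS: it reads the client's ldap.conf and gnutls-cli's verification lines and turns the two into the next step to take. The ldap.conf sample, the gnutls-cli sample and the path /etc/ssl/certs/cacert.pem are constructed for illustration; the TLS_CACERT keyword is assumed to be written in its conventional upper case.

```shell
#!/bin/sh
# Added triage helper for a "peer cert untrusted or revoked (0x42)" StartTLS
# failure. Not from the thread or from OpenLDAP/GnuTLS; it reads two artifacts
# the thread already has: the client's ldap.conf and the verification lines
# printed by gnutls-cli --print-cert. Sample inputs below are constructed and
# /etc/ssl/certs/cacert.pem is a hypothetical path.

# Print the CA file configured for the ldap client (TLS_CACERT in ldap.conf),
# or nothing if it is unset. Commented-out lines are ignored.
ldap_cacert_path() {
    # stdin: ldap.conf contents
    sed -n 's/^[[:space:]]*TLS_CACERT[[:space:]]\{1,\}\([^[:space:]]*\).*$/\1/p' | tail -n 1
}

# Reduce gnutls-cli's "- Peer's certificate ..." lines to one verdict:
#   issuer-unknown     no configured CA signed the chain (the thread's case)
#   hostname-mismatch  chain verified but the name in the cert is wrong
#   trusted            chain verified and name matched
#   unknown            none of the expected lines seen
classify_gnutls_output() {
    # stdin: gnutls-cli --print-cert output
    out=$(cat)
    if printf '%s\n' "$out" | grep -q "issuer is unknown"; then
        echo issuer-unknown
    elif printf '%s\n' "$out" | grep -q "hostname in the certificate does NOT match"; then
        echo hostname-mismatch
    elif printf '%s\n' "$out" | grep -q "certificate is trusted"; then
        echo trusted
    else
        echo unknown
    fi
}

# Combine both facts into the next step.
# $1 = verdict from classify_gnutls_output, $2 = CA path from ldap_cacert_path
ldap_tls_next_step() {
    case "$1" in
    issuer-unknown)
        if [ -z "$2" ]; then
            echo "no TLS_CACERT in ldap.conf: point it at the CA that signed the server cert"
        else
            echo "TLS_CACERT=$2 does not contain the issuer: re-run gnutls-cli --x509cafile $2 and compare"
        fi
        ;;
    hostname-mismatch)
        echo "CA trusted but name mismatch: use -H ldap://<name in the cert>"
        ;;
    trusted)
        echo "gnutls-cli trusts the server: check that ldapsearch reads the same ldap.conf"
        ;;
    *)
        echo "could not classify gnutls-cli output"
        ;;
    esac
}

# Constructed sample reproducing the thread: a client ldap.conf with the CA
# line commented out, and the verification lines the poster saw.
SAMPLE_LDAP_CONF='BASE dc=example,dc=com
URI ldap://ldap1.example.com
#TLS_CACERT /etc/ssl/certs/cacert.pem'

SAMPLE_GNUTLS_OUT="- The hostname in the certificate matches 'ldap1.example.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Handshake was completed"

# Run the triage on the sample and print the next step.
triage_sample() {
    ca=$(printf '%s\n' "$SAMPLE_LDAP_CONF" | ldap_cacert_path)
    verdict=$(printf '%s\n' "$SAMPLE_GNUTLS_OUT" | classify_gnutls_output)
    ldap_tls_next_step "$verdict" "$ca"
}

triage_sample
```

Against a real host, feed the functions the real artifacts: `ldap_cacert_path < /etc/ldap/ldap.conf` and `gnutls-cli --print-cert -p 636 ldap1.example.com < /dev/null | classify_gnutls_output`. Once TLS_CACERT is set, `gnutls-cli --x509cafile <that file> ...` verifies against the same CA the ldap client will use, so its verdict should flip to "trusted" before `ldapsearch -ZZ` is retried.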