Nothing in the certificate contains the hostname of the server
(ldap.fi.trl)... which explains why GnuTLS complains when you test using
gnutls-cli... and probably causes ldapsearch to fail. You should regenerate
your certificate.
- Certificate[0] info:
# The hostname in the certificate does NOT ma
The error you got from testing with gnutls-cli says GnuTLS on that
particular client probably doesn't like the new certificate. Did you renew
the CA, server, or both certificates? Can you provide your new and old
certificates? On a side note, I recommend migrating from deprecated LDAPS
(port 636
Michael Kiefer wrote:
> On Monday 08 June 2009 16:43:17 Simone Piccardi wrote:
>> Package: ldap-utils
>> Version: 2.4.15-1.1
>> Severity: normal
>>
>> ...
>> so it seems something related to gnutls.
>>
>
> For me it was a misconfiguration. I think I was able to cure it by setting
> olcTLSVerifyCl
On Monday 08 June 2009 16:43:17 Simone Piccardi wrote:
> Package: ldap-utils
> Version: 2.4.15-1.1
> Severity: normal
>
> ...
> so it seems something related to gnutls.
>
For me it was a misconfiguration. I think I was able to cure it by setting
olcTLSVerifyClient: never
Michael
--
+---
Try generating your certificate chain with GnuTLS using certtool instead of
TinyCA2 which uses OpenSSL.
http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html
On Mon, Jun 8, 2009 at 9:45 AM, Simone Piccardi wrote:
> Matt Kassawara wrote:
> > Did you recently upgrade OpenLDAP?
>
Matt Kassawara wrote:
> Did you recently upgrade OpenLDAP?
>
On both the client and server side I'm just doing the ordinary updates nearly
every week. I don't remember when the last upgrade was done.
The problem arose today, after renewing the certificate that had expired.
Simone
--
Simone Piccardi
Did you recently upgrade OpenLDAP?
On Mon, Jun 8, 2009 at 9:19 AM, Simone Piccardi wrote:
> Matt Kassawara wrote:
> > Did you upgrade from an older version of OpenLDAP built against OpenSSL?
> > Did you generate your certificates with OpenSSL or GnuTLS?
> The certificates were generated using t
Matt Kassawara wrote:
> Did you upgrade from an older version of OpenLDAP built against OpenSSL?
> Did you generate your certificates with OpenSSL or GnuTLS?
The certificates were generated using tinyca2, under sid, the request
is about 3 years old, the certificate was just renewed this morning.
Package: ldap-utils
Version: 2.4.15-1.1
Severity: normal
I have the following configuration for ldap client:
BASE dc=truelite,dc=it
URI ldaps://ldap.fi.trl
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
tls_checkpeer no
TLS_CACERT /etc/ssl/certs/Truelite-cacert.pem
and sim