Nothing in the certificate contains the hostname of the server (ldap.fi.trl)... which explains why GnuTLS complains when you test using gnutls-cli... and probably causes ldapsearch to fail. You should regenerate your certificate.

- Certificate[0] info:
# The hostname in the certificate does NOT match 'ldap.fi.trl'.
On Mon, Jun 8, 2009 at 12:05 PM, Simone Piccardi <picca...@truelite.it> wrote:
> Matt Kassawara wrote:
> > The error you got from testing with gnutls-cli says GnuTLS on that
> > particular client probably doesn't like the new certificate. Did you
> > renew the CA, server, or both certificates? Can you provide your new
> > and old certificates? On a side note, I recommend migrating from
> > deprecated LDAPS (port 636) to STARTTLS.
>
> The new one is attached, I re-signed my old request with tinyca (this
> operation was made on the sid machine). I did not change the CA or key,
> just the server certificate.
>
> For the old one, sorry, I made a copy, but I also mistakenly overwrote
> it...
>
> I'll look at STARTTLS, but I don't like it so much, I want to be sure
> that unencrypted connections will always be rejected, and I have LDAP
> listening on 389 only from localhost.
>
> Simone
> --
> Simone Piccardi                      Truelite Srl
> picca...@truelite.it (email/jabber)  Via Monferrato, 6
> Tel. +39-347-1032433                 50142 Firenze
> http://www.truelite.it               Tel. +39-055-7879597 Fax. +39-055-7333336
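The check Matt describes (does the certificate carry the server's hostname or not) can be reproduced offline before touching the real slapd. The script below is an added example, not from the thread or from tinyca: it builds two throwaway self-signed certificates with openssl, one with ldap.fi.trl in a dNSName subjectAltName and one whose subject names something else, and runs `openssl verify -verify_hostname` against both, which applies the same matching rule GnuTLS and ldapsearch do (SAN first, CN only as a fallback). The hostname is the one from the thread; the subject strings, file names and the use of a self-signed certificate instead of Simone's CA are assumptions made for the demo. Requires OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Added example: generate certificates with and without the server hostname
# and check them the way a TLS client does. Not code from the original thread.
set -eu

WORK=$(mktemp -d)
HOST=ldap.fi.trl            # hostname from the thread; all other names are made up

# make_cert NAME SUBJECT [SAN]
# Self-signed 2048-bit RSA certificate. SAN is optional so the broken case
# (no dNSName at all) can be reproduced on purpose.
make_cert() {
    name=$1; subj=$2; san=${3:-}
    if [ -n "$san" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -keyout "$WORK/$name.key" -out "$WORK/$name.pem" \
            -subj "$subj" -addext "subjectAltName=$san" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -keyout "$WORK/$name.key" -out "$WORK/$name.pem" \
            -subj "$subj" >/dev/null 2>&1
    fi
}

# cert_matches_host CERT HOST
# Exit 0 only if CERT is valid for HOST. The certificate is passed as its own
# trust anchor (-CAfile) because it is self-signed; with a real CA you would
# pass the CA certificate there instead.
cert_matches_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# show_names CERT: print the subject and any DNS SAN entries, i.e. the names a
# client is allowed to match against.
show_names() {
    openssl x509 -in "$1" -noout -text | grep -E 'Subject:|DNS:' || true
}

# run_demo: the "good" cert names the host in both CN and SAN, the "san_only"
# cert names it only in the SAN (CN is unrelated), the "bad" cert names it
# nowhere, which is the situation described in the thread.
run_demo() {
    make_cert good     "/O=Truelite/CN=$HOST" "DNS:$HOST"
    make_cert san_only "/O=Truelite/CN=ldap server" "DNS:$HOST"
    make_cert bad      "/O=Truelite/CN=ldap"
    for n in good san_only bad; do
        show_names "$WORK/$n.pem"
        if cert_matches_host "$WORK/$n.pem" "$HOST"; then
            echo "$n.pem: hostname $HOST matches"
        else
            echo "$n.pem: hostname $HOST does NOT match (client will reject it)"
        fi
    done
}

run_demo
```

When regenerating the real certificate, put the hostname in a dNSName subjectAltName rather than relying on the CN: CN matching is only a fallback in OpenSSL and GnuTLS, and browsers and many newer libraries no longer honour it at all. Run `show_names` on the new file before installing it; if no `DNS:` line appears, the client side will keep failing exactly as gnutls-cli reported.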