Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Fedora Directory (http://www.linux-archive.org/fedora-directory/)
-   -   Using Wildcard SSL Certificate (http://www.linux-archive.org/fedora-directory/671226-using-wildcard-ssl-certificate.html)

Jeff Field 05-26-2012 04:41 AM

Using Wildcard SSL Certificate
 
Hello,
I'm attempting to use a Wildcard SSL certificate for my domain with 389ds. The certificate and the CA (godaddy) intermediate cert import fine into both the admin server and the directory server, but attempts to use an LDAPS:// URI with ldapmodify result in this error:



ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

curl gets this:

curl -vvv -3 https://myserver.ldap.mydomain.com:636
* About to connect() to myserver.ldap.mydomain.com port 636 (#0)


*** Trying x.x.x.x... connected
* Connected to myserver.ldap.mydomain.com (x.x.x.x) port 636 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*** CAfile: /etc/pki/tls/certs/ca-bundle.crt


* CApath: none
* SSL: certificate subject name '*.mydomain.com' does not match target host name 'myserver.ldap.mydomain.com'


* NSS error -12276
* Closing connection #0
curl: (51) SSL: certificate subject name '*.mydomain.com' does not match target host name 'myserver.ldap.mydomain.com'



Am I not able to use a wildcard SSL cert in this instance? If that is the case, what would my best course of action be?

Thanks,
-Jeff

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Patrick Morris 05-26-2012 08:45 PM

Using Wildcard SSL Certificate
 
On 5/25/2012 9:41 PM, Jeff Field wrote:


Hello,

I'm attempting to use a Wildcard SSL certificate for my domain
with 389ds. The certificate and the CA (godaddy) intermediate cert
import fine into both the admin server and the directory server,
but attempts to use an LDAPS:// URI with ldapmodify result in this
error:



ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)



curl gets this:



curl: (51) SSL: certificate subject name '*.mydomain.com'
does not match target host name 'myserver.ldap.mydomain.com'



Am I not able to use a wildcard SSL cert in this instance? If that
is the case, what would my best course of action be?




The problem here isn't that you're using a wildcard certificate,
it's that your wildcard certificate truly does not match your server
name.



The "*" in a wildcard certificate does not allow you to span
subdomains.* *.mydomain.com would match for ldap.mydomain.com, but
if you add further names below that, it won't match.*
*.ldap.mydomain.com would match and probably work correctly for you,
given the hostname you are using.



--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users


All times are GMT. The time now is 11:44 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.