Certificate Confusion: hostname does not match CN

Derrick 'dman' Hudson dman at dman13.dyndns.org
Wed Jun 9 19:42:11 CEST 2004

On Wed, Jun 09, 2004 at 02:58:43PM +0000, Becky Hepper wrote:
| I got the following error:  "SSL3_GET_SERVER_CERTIFICATE: certificate 
| verify failed".

The cert could be self-signed.  Unless the CA (Certificate Authority)
certificate is known (and trusted) by the client, the verification
will fail because the client has no way to automatically trust the

| So I asked the people that control the LDAP server for a 
| key.  They sent me the Netscape certificate: cert7.db & key3.db.  If I put 
| those two files in my home directory and add this line to my code:   
| ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, "/home/jack")

This solves that problem.

| I get an error:  "TLS: hostname does not match CN in peer
| certificate".  Does anyone know what that error means?

This means that you tried to connect to a machine using the name
'foo'.  However the CN (Common Name) in the SSL certificate is 'bar'.
The CN in the certificate needs to match the hostname used to connect
in order for automatic verification to work.

One cause for this problem is a machine with multiple host names.
In this scenario, make sure you are using the name in the CN of the
cert and not some other name that resolves to that host.

Another cause is a poorly made cert.  If this is the case, have the
server administrators recreate the cert and instruct them to specify
the correct hostname as the CN for the cert.

BTW, you can demonstrate both of these "error" conditions with a web
browser.  The only difference is the browser then prompts the user and
allows the user to manually choose to trust the cert when automatic
verification fails.


"Open Source Software - Sometimes you get more than you paid for..."
www: http://dman13.dyndns.org/~dman/            jabber: dman at dman13.dyndns.org
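The rule the reply describes (the name you connect with must match the identity in the server certificate) can be tried out offline with the following added example. It is not code from the list post or from python-ldap; the real check is performed inside the OpenLDAP client library that python-ldap wraps, which is where the "hostname does not match CN" message originates. The example assumes certificates in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, and every certificate and hostname in it is constructed for illustration. It also goes slightly beyond the 2004 post by preferring subjectAltName DNS entries over the CN, which is what modern verifiers do.

```python
# Added example (not from the python-ldap list post): a hostname-to-certificate
# matcher in the dict shape that Python's ssl.SSLSocket.getpeercert() returns,
# so the two failure modes described in the reply (alias name vs. CN, and a
# badly made cert) can be reproduced offline. All certificates are constructed.


def identity_names(cert):
    """Return (names, source) for the DNS identities a client may check.

    Per RFC 6125, dNSName subjectAltName entries take precedence; the subject
    CN is consulted only when the cert has no DNS SANs (the CN-only case the
    list post is about).
    """
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans, "subjectAltName"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return cns, "CN"


def name_matches(pattern, hostname):
    """Match one certificate name against the hostname used to connect.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    allowed only as the whole leftmost label and must leave at least two more
    labels, so '*.example.com' matches 'ldap.example.com' but neither
    'example.com' nor 'a.b.example.com'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(hostname, cert):
    """True if the connect-to hostname matches any identity in the cert."""
    names, _ = identity_names(cert)
    return any(name_matches(n, hostname) for n in names)


def diagnose(hostname, cert):
    """Explain a verification result in the wording of the list post's error."""
    names, source = identity_names(cert)
    if not names:
        return "certificate carries no DNS identity at all (no CN, no SAN)"
    if hostname_matches(hostname, cert):
        return "ok: %s matches %s %s" % (hostname, source, ", ".join(names))
    return ("TLS: hostname does not match CN in peer certificate "
            "(connected as %s, certificate %s is %s)"
            % (hostname, source, ", ".join(names)))


# Constructed sample certificates, in getpeercert() dict form.
CERT_CN_ONLY = {  # legacy cert: the CN is the only identity
    "subject": ((("countryName", "US"),), (("commonName", "ldap1.example.com"),)),
}
CERT_WITH_SAN = {  # cert whose SANs cover the alias as well
    "subject": ((("commonName", "ldap1.example.com"),),),
    "subjectAltName": (("DNS", "ldap1.example.com"), ("DNS", "directory.example.com")),
}
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.example.com"),)}

if __name__ == "__main__":
    # Cause 1 from the post: one machine, two names. Connecting via the alias
    # fails against the CN-only cert; connecting with the CN itself succeeds.
    print(diagnose("directory.example.com", CERT_CN_ONLY))
    print(diagnose("ldap1.example.com", CERT_CN_ONLY))
    # With a SAN listing the alias, either name works.
    print(diagnose("directory.example.com", CERT_WITH_SAN))
    # A wildcard covers exactly one label.
    print(diagnose("ldap1.example.com", CERT_WILDCARD))
    print(diagnose("a.b.example.com", CERT_WILDCARD))
```

Run the file directly to see both outcomes for the "multiple host names" case: the alias `directory.example.com` is rejected by the CN-only certificate, while the CN `ldap1.example.com` is accepted, which is exactly the fix the reply suggests (connect with the name in the CN). Note that the CN is ignored as soon as the certificate carries DNS SANs, so a certificate with a correct CN but wrong SANs still fails.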