Certificate Confusion:hostname does not match CN

Michael Ströder michael at stroeder.com
Fri Jun 11 12:48:43 CEST 2004

Becky Hepper wrote:
> I got the following error:  "SSL3_GET_SERVER_CERTIFICATE: certificate 
> verify failed".  So I asked the people that control the LDAP server for 
> a key.  They sent me the Netscape certificate: cert7.db & key3.db.  If I 
> put those two files in my home directory and add this line to my code:   
> ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, "/home/jack")  I get an 
> error:  "TLS: hostname does not match CN in peer certificate".


How did you build python-ldap? I really wonder why this does anything useful.

>  Can I use the cert7.db or does it 
> have to be converted to a PEM file?

python-ldap uses the OpenLDAP libs which in turn use the OpenSSL libs which 
cannot handle Netscape certificate database files
=> you have to use PEM files.

>  I get the same error if I use the 
> following line in my code: ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, 
> "/usr/share/ssl/cert.pem")  What is this cert.pem file that 
> automatically gets installed?

There's nothing automatically installed. cert.pem should contain the CA 
certificate against which the server certificate is validated.

Recommended reading:


Ciao, Michael.

More information about the python-ldap mailing list