Certificate Confusion: hostname does not match CN
michael at stroeder.com
Fri Jun 11 12:48:43 CEST 2004
Becky Hepper wrote:
> I got the following error: "SSL3_GET_SERVER_CERTIFICATE: certificate
> verify failed". So I asked the people that control the LDAP server for
> a key. They sent me the Netscape certificate: cert7.db & key3.db. If I
> put those two files in my home directory and add this line to my code:
> ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, "/home/jack") I get an
> error: "TLS: hostname does not match CN in peer certificate".
How did you build python-ldap? I really wonder why this does anything useful.
> Can I use the cert7.db or does it
> have to be converted to a PEM file?
python-ldap uses the OpenLDAP libs which in turn use the OpenSSL libs which
cannot handle Netscape certificate database files
=> you have to use PEM files.
> I get the same error if I use the
> following line in my code: ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,
> "/usr/share/ssl/cert.pem") What is this cert.pem file that
> automatically gets installed?
There's nothing automatically installed. cert.pem should contain the CA
certificate against which the server certificate is validated.
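
Added example, not part of the original message and not python-ldap or OpenLDAP code: a stdlib-only preflight for the two problems in this thread, a CA file that is not PEM and an LDAP URI whose host is not a name the server certificate carries. The function names, hostnames and the sample certificate dict are constructed for illustration, and the name matching is a simplified model (subjectAltName DNS entries plus CN, one-label wildcard).

```python
from urllib.parse import urlsplit

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"

# Constructed sample, shaped like the dict ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "ldap.example.org"),)),
    "subjectAltName": (("DNS", "ldap.example.org"),
                       ("DNS", "*.dir.example.org")),
}

def is_pem_ca_file(data):
    """True if the bytes hold a PEM certificate; a binary cert DB will not."""
    return PEM_MARKER in data

def cert_names(peercert):
    """Collect subjectAltName DNS entries and any commonName from the subject."""
    names = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in peercert.get("subject", ()):
        names += [v for k, v in rdn if k == "commonName"]
    return names

def name_matches(host, pattern):
    """Case-insensitive match; '*.' covers exactly one leftmost label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        _, _, parent = host.partition(".")
        return parent != "" and parent == pattern[2:]
    return host == pattern

def check_uri(uri, peercert):
    """Return (matches, host_from_uri, names_in_cert) for an LDAP URI."""
    host = urlsplit(uri).hostname or ""
    names = cert_names(peercert)
    return any(name_matches(host, n) for n in names), host, names

if __name__ == "__main__":
    # Constructed URIs: FQDN, IP address, short name, wildcard-covered host.
    for uri in ("ldap://ldap.example.org", "ldap://10.0.0.5:389",
                "ldaps://ldap", "ldap://r1.dir.example.org"):
        ok, host, names = check_uri(uri, SAMPLE_CERT)
        print(f"{uri}: {'ok' if ok else 'MISMATCH'} ({host!r} vs {names})")
```

A URI that fails this check needs to use a name the certificate carries; pointing OPT_X_TLS_CACERTFILE at a different file only affects chain validation, not the name check.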