<div>Nothing in the certificate contains the hostname of the server (ldap.fi.trl)... which explains why GnuTLS complains when you test using gnutls-cli... and probably causes ldapsearch to fail. You should regenerate your certificate.<br>
</div><div>- Certificate[0] info:<br># The hostname in the certificate does NOT match 'ldap.fi.trl'.<br></div><br><div class="gmail_quote">On Mon, Jun 8, 2009 at 12:05 PM, Simone Piccardi <span dir="ltr"><<a href="mailto:piccardi@truelite.it">piccardi@truelite.it</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">Matt Kassawara wrote:<br>
> The error you got from testing with gnutls-cli says GnuTLS on that<br>
> particular client probably doesn't like the new certificate. Did you<br>
> renew the CA, server, or both certificates? Can you provide your new<br>
> and old certificates? On a side note, I recommend migrating from<br>
> deprecated LDAPS (port 636) to STARTTLS.<br>
<br>
</div>The new one is attached; I re-signed my old request with tinyca (this<br>
operation was done on the sid machine). I did not change the CA or the key,<br>
just the server certificate.<br>
<br>
For the old one, sorry, I made a copy, but I also mistakenly overwrote<br>
it...<br>
<br>
I'll look at STARTTLS, but I don't like it so much; I want to be sure<br>
that unencrypted connections will always be rejected, and I have LDAP<br>
listening on 389 only on localhost.<br>
<div><div class="h5"><br>
Simone<br>
--<br>
Simone Piccardi Truelite Srl<br>
<a href="mailto:piccardi@truelite.it">piccardi@truelite.it</a> (email/jabber) Via Monferrato, 6<br>
Tel. +39-347-1032433 50142 Firenze<br>
<a href="http://www.truelite.it" target="_blank">http://www.truelite.it</a> Tel. +39-055-7879597 Fax. +39-055-7333336</div></div></blockquote></div><br>
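The hostname-mismatch failure discussed above, reproduced as an added example that is not code from the thread: it generates one self-signed certificate with the server name nowhere in it and one with the name in the CN and subjectAltName, then checks both against ldap.fi.trl with the openssl CLI (assumed installed, 1.0.2 or newer for -checkhost); the CN "ldapserver" on the bad certificate is a constructed value.

```shell
#!/bin/sh
# Added example, not code from the thread. A certificate that carries the
# hostname nowhere (neither CN nor SAN) fails hostname verification; one
# regenerated with the hostname passes. Assumes the openssl CLI.
set -eu

HOST=ldap.fi.trl                 # server name from the thread
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME CN SAN: writes self-signed $WORK/NAME.pem; SAN may be "".
make_cert() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $2
[ext]
basicConstraints = CA:FALSE
${3:+subjectAltName = $3}
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        2>/dev/null
}

# cert_matches_host PEM HOST: exit 0 iff the certificate covers HOST, using
# the rules a TLS client applies (SAN dNSName first, CN only as fallback).
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

make_cert bad ldapserver ""          # constructed CN; hostname appears nowhere
make_cert good "$HOST" "DNS:$HOST"   # hostname in both CN and SAN
for c in bad good; do
    if cert_matches_host "$WORK/$c.pem" "$HOST"; then
        echo "$c.pem: hostname $HOST matches; gnutls-cli/ldapsearch will accept it"
    else
        echo "$c.pem: hostname $HOST does NOT match; regenerate the certificate"
    fi
done
```

Run the same check against the real server certificate with `openssl x509 -in server.pem -noout -checkhost ldap.fi.trl` before reloading slapd.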