TLS: hostname does not match CN in peer certificate
Posted: Thu Oct 30, 2014 7:36 pm
Cert experts for OpenVPN,
I have a commercial cert for the openvpn server. I have an in-house cert for our back end Active Directory server (for ldap). When a vpn client tries to connect, I get the following error:
Oct 30 10:26:57 point openvpn[20705]: Unable to enable STARTTLS: Connect error (TLS: hostname does not match CN in peer certificate)
Oct 30 10:26:57 point openvpn[20705]: LDAP connect failed.
So which certificate is the peer certificate? Is this the certificate that the client has on their end or is this the certificate that is being pointed to in the auth-ldap.conf file?
Note: If I use ldapsearch -ZZ (required cert) from the Linux openvpn server to our active directory ldap service, it works fine. So I know that SSL certs are working between the Linux server and Active Directory ldap service. I am using the same CA cert in the auth-ldap.conf file. The cert that is on the client side is the commercial cert for the openvpn service, not for the AD ldap service.
I should also mention that if I don't use ssl or tls, it works fine. So this is a cert issue that I have to resolve.
Tim
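Added worked example, not part of the original post and not code from OpenVPN or openvpn-auth-ldap: in the message quoted above the OpenVPN server is the TLS client and the "peer" is the LDAP (Active Directory) server, so the name that has to match is the host in the URL line of auth-ldap.conf against the subjectAltName dNSName entries (or, only when there are none, the subject CN) of the certificate the LDAP server presents. The function below reproduces that decision offline on constructed certificate data, including the cases that most often produce exactly this error: a short name or IP in the URL while the certificate carries the FQDN, and a wildcard that does not cover the host. Names such as dc1.example.corp are assumptions for illustration.

```python
"""Diagnose a TLS hostname/certificate mismatch for an LDAP URL.

Added example; not from the original post or from openvpn-auth-ldap.
Certificate contents passed to check_peer_cert() are constructed sample data.
"""
import ipaddress
from urllib.parse import urlsplit


def host_from_ldap_url(url):
    """Return the lower-cased host part of an LDAP URL, e.g. ldap://dc1.example.corp:389."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL: {url!r}")
    return parts.hostname.lower()


def _dns_name_matches(pattern, host):
    """RFC 6125-style comparison: exact match, or a single leading '*' label
    that stands for exactly one label and never for the whole name."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Same label count, at least "x.y.z", and everything after the '*' equal.
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def check_peer_cert(url, san_dns=(), san_ip=(), subject_cn=None):
    """Reproduce the TLS client's decision for the LDAP server's certificate.

    san_dns   -- dNSName entries of the subjectAltName extension
    san_ip    -- iPAddress entries of the subjectAltName extension
    subject_cn -- subject CN, consulted only when no dNSName SAN exists
    Returns (ok, reason) so a mismatch explains itself.
    """
    host = host_from_ldap_url(url)
    try:
        ip = ipaddress.ip_address(host)  # was an IP literal configured?
    except ValueError:
        ip = None
    if ip is not None:
        if any(ipaddress.ip_address(x) == ip for x in san_ip):
            return True, f"{host} is listed as an iPAddress SAN"
        return False, (f"{host} is an IP address; dNSName SANs and the CN are never "
                       "matched against IPs, so either add an iPAddress SAN or put "
                       "the server's DNS name in the URL")
    for name in san_dns:
        if _dns_name_matches(name, host):
            return True, f"{host} matches dNSName SAN {name!r}"
    if san_dns:
        return False, (f"{host} matches none of the dNSName SANs {list(san_dns)}; "
                       "when SANs are present the CN is ignored")
    if subject_cn and _dns_name_matches(subject_cn, host):
        return True, f"{host} matches subject CN {subject_cn!r} (no SAN present)"
    return False, (f"{host} does not match subject CN {subject_cn!r}; the URL host "
                   "must be the name the certificate was issued for")


if __name__ == "__main__":
    # Constructed cases: the second one is the classic short-name-vs-FQDN mismatch.
    for url, kw in [
        ("ldap://dc1.example.corp", dict(san_dns=["dc1.example.corp"])),
        ("ldap://dc1", dict(subject_cn="dc1.example.corp")),
        ("ldap://10.0.0.5", dict(san_dns=["dc1.example.corp"])),
    ]:
        ok, why = check_peer_cert(url, **kw)
        print(f"{url:28} -> {'OK ' if ok else 'FAIL'}: {why}")
```

To feed it real values, read the server's certificate the same way openvpn-auth-ldap would see it, for example with `openssl s_client -starttls ldap -connect <host>:389` (OpenSSL 1.1.1 or later) or from the LDAPS port, and pass the SAN and CN values printed there; the ldapsearch -ZZ test in the post succeeding while the plugin fails usually means the two are using different host strings (ldap.conf URI versus the auth-ldap.conf URL), not different certificates.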