TLS: hostname does not match CN in peer certificate

german

#1

Hello,
After renewing the complete SSL chain (sdb.univention.de/content/15/332 … chain.html) and changing the hostname of the server, the server started to throw the following errors in listener.log:

====
{'info': 'TLS: hostname does not match CN in peer certificate', 'desc': 'Connect error'}
UNIVENTION_DEBUG_END : uldap.__open host=mail port=7389 base=dc=airesistemas,dc=com
29.07.15 09:10:01.676 DEBUG_INIT
UNIVENTION_DEBUG_BEGIN : uldap.__open host=mail port=7389 base=dc=airesistemas,dc=com
29.07.15 09:10:01.687 LISTENER ( ERROR ) : ox-groups: handler failed: dn='cn=Printer-Admins,cn=groups,dc=airesistemas,dc=com'
Traceback (most recent call last):
File "/usr/lib/pymodules/python2.6/univention/ox/listener_tools.py", line 176, in process
result = func(dn, entry.new, entry.old, entry.action)
File "/usr/lib/univention-directory-listener/system/ox-groups.py", line 78, in handler
ldapCon = univention.uldap.getMachineConnection(ldap_master=False)
File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 109, in getMachineConnection
lo=access(host=ucr['ldap/server/name'], port=port, base=ucr['ldap/base'], binddn=ucr['ldap/hostdn'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)
File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 184, in __init__
self.__open(ca_certfile)
File "/usr/lib/pymodules/python2.6/univention/uldap.py", line 231, in __open
self.lo.start_tls_s()
File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 784, in start_tls_s
res = SimpleLDAPObject.start_tls_s(self)
File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 526, in start_tls_s
return self._ldap_call(self._l.start_tls_s)
File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'TLS: hostname does not match CN in peer certificate', 'desc': 'Connect error'}

=========

The same happened to all the services, like postfix:

==========
Jul 29 09:24:27 mail postfix/pickup[4688]: warning: BBB25104993: message has been queued for 12 days
Jul 29 09:24:27 mail postfix/pickup[4688]: BBB25104993: uid=0 from=
Jul 29 09:24:27 mail postfix/cleanup[26509]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
Jul 29 09:24:27 mail postfix/cleanup[26509]: warning: BBB25104993: virtual_alias_maps map lookup problem for root@mail.airesistemas.com

I am unable to check the license and/or import licensing. Please, we need to know step by step which changes are required on the system services (cyrus, postfix, listener, etc.) to get a functional server after changing the hostname or certificate on UCS.

Full univention-support-info: upload_0aAty2.bz2

Rolando Riley


#2

Hello,

the message indicates that the LDAP service is using a certificate for another hostname.
The crucial point seems to be the altered hostname.

From /etc/univention/templates/files/etc/ldap/slapd.conf/30univention-ldap-server_head:

TLSCertificateFile /etc/univention/ssl/@%@hostname@%@.@%@domainname@%@/cert.pem
TLSCertificateKeyFile /etc/univention/ssl/@%@hostname@%@.@%@domainname@%@/private.key

Please make sure that cert and key files with the correct hostname exist and are valid. Verification is possible with "univention-certificate dump".
You can also renew the cert for a single host by using "univention-certificate renew …" as mentioned in Renewing the SSL certificates.

Best Regards,
Dirk Ahrnke


#3

Hi Dirk,
I followed your instruction and the result is the same. Just to get straight to the problem: hostname = mail, hostname -f = mail.airesistemas.com

I need to know what commands to run to verify what the output of the @%@hostname@%@.@%@domainname@%@ variables is. From where is it being read?

=======
root@mail:/etc/univention/templates/files/etc/ldap/slapd.conf.d# ucr get domainname
airesistemas.com
root@mail:/etc/univention/templates/files/etc/ldap/slapd.conf.d# ucr get hostname
mail

===
univention-certificate list
List all certificates
03 mail.airesistemas.com
04 univention-directory-manager.airesistemas.com

====

Rolando Riley


#4

Hi,

it seems that I need to explain the missing steps…

The template is responsible for generating /etc/ldap/slapd.conf.
In your case I would expect these lines in the config:

TLSCertificateFile /etc/univention/ssl/mail.airesistemas.com/cert.pem
TLSCertificateKeyFile /etc/univention/ssl/mail.airesistemas.com/private.key

According to your "univention-certificate list" output the cert and key exist.
If your ldap.conf contains the old hostname, "ucr commit /etc/ldap/slapd.conf" may fix the problem.

Best Regards,
Dirk Ahrnke


#5

Thanks Dirk,
Yes, I verified, and /etc/ldap/slapd.conf does contain the correct path and the correct name of the certificate. I am still having the problem after doing the commit and rebooting the server. I am seeing in the logs that the services, for example LISTENER:

=====
03.08.15 12:11:46.762 LISTENER ( WARN ) : can not connect to LDAP server mail.com:7389
03.08.15 12:11:46.762 LISTENER ( WARN ) : can not connect any server, retrying in 30 seconds
03.08.15 12:12:16.762 LISTENER ( WARN ) : chosen server: mail.com:7389
03.08.15 12:14:23.930 LDAP ( ERROR ) : start_tls: Can't contact LDAP server
03.08.15 12:14:23.930 LISTENER ( WARN ) : can not connect to LDAP server mail.com:7389
03.08.15 12:14:23.930 LISTENER ( WARN ) : can not connect any server, retrying in 30 seconds

... are parsing the hostname ... domainname incorrectly. It is using mail.com in the request instead of mail.airesistemas.com. Can you point me to the environment variable from which these scripts are pulling "domainname", as it is my belief that this is the problem.

=======

root@mail:/var/log/univention# ucr dump | grep domainname
domainname: airesistemas.com
ox/cfg/cluster.properties/com.openexchange.cluster.name: @%@hostname@%@.@%@domainname@%@
root@mail:/var/log/univention#

Rolando Riley


#6

Hi,
What is the UCRV "ldap/server/name" showing? Are there any other results for "ucr dump | grep mail.com"?

Best Regards,
Dirk


#7

======

root@mail:/var/log# ucr dump | grep mail.com
kerberos/adminserver: mail.com
ldap/master: mail.com
mail/alias/root: systemmail@mail.com
postfix/permithosts: mail.com
ssl/email: ssl@mail.com
root@mail:/var/log#

=====
root@mail:/var/log# ucr dump | grep ldap/server/name
ldap/server/name: mail

=======

Here it is. I see several problems. Awaiting your instructions.

Rolando Riley


#8

Hi,

all mentioned hostnames should be adjusted to the new FQDN of your system.
Changing the email addresses is optional but a good idea.

Best Regards,
Dirk
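The two checks discussed in this thread (post #2: does the certificate actually carry the host name the LDAP client connects to; posts #6 to #8: which UCR variables still point at a stale host name after the rename) can be scripted. The following is an added example, not code from the forum posters or from Univention. It assumes the UCS convention that `ldap/server/name`, `ldap/master`, `kerberos/adminserver` and `postfix/permithosts` hold the FQDN, and the sample `ucr dump` text is constructed from the values posted in the thread. The name-matching follows the usual TLS rules (subjectAltName DNS entries take precedence, a single leading `*` label is a wildcard, comparison is case-insensitive), which is what python-ldap's "hostname does not match CN in peer certificate" is enforcing.

```python
"""Added example (not part of the thread): post-rename sanity checks for a UCS host.

1. cert_matches_host(): would a TLS client connecting to `hostname` accept a
   certificate with the given CN / SAN DNS names?
2. stale_ucr_hostnames(): which `ucr dump` variables still reference a host name
   other than the FQDN the slapd.conf template builds from hostname + domainname?
"""
import re

# UCR keys that, by UCS convention (assumption), must hold the system's FQDN.
HOSTNAME_KEYS = ("ldap/server/name", "ldap/master", "kerberos/adminserver", "postfix/permithosts")

# Dotted host names ending in an alphabetic TLD; avoids matching version numbers like "4.0".
FQDN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I)

# Constructed sample, assembled from the values shown in the thread.
SAMPLE_UCR_DUMP = """\
hostname: mail
domainname: airesistemas.com
kerberos/adminserver: mail.com
ldap/master: mail.com
ldap/server/name: mail
mail/alias/root: systemmail@mail.com
ox/cfg/cluster.properties/com.openexchange.cluster.name: @%@hostname@%@.@%@domainname@%@
postfix/permithosts: mail.com
ssl/email: ssl@mail.com
version/version: 4.0
"""


def parse_ucr_dump(text):
    """Turn `ucr dump` output ("key: value" per line) into a dict."""
    ucr = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:
            ucr[key] = value
    return ucr


def expected_fqdn(ucr):
    """The FQDN exactly as the slapd.conf template renders @%@hostname@%@.@%@domainname@%@."""
    return f"{ucr['hostname']}.{ucr['domainname']}"


def _dns_name_matches(pattern, hostname):
    """Exact match, or a wildcard in the left-most label only; case-insensitive."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return False


def cert_matches_host(cn, san_dns, hostname):
    """True if the connecting host name is covered by the certificate.
    SAN DNS names win when present; the subject CN is only a fallback."""
    names = list(san_dns) if san_dns else [cn]
    return any(_dns_name_matches(n, hostname) for n in names)


def ldap_client_would_fail(ucr, cn, san_dns):
    """Reproduce the listener's situation: uldap connects to ucr['ldap/server/name']."""
    return not cert_matches_host(cn, san_dns, ucr["ldap/server/name"])


def stale_ucr_hostnames(ucr):
    """Map UCR key -> reason for every variable that still names the wrong host."""
    fqdn, domain = expected_fqdn(ucr).lower(), ucr["domainname"].lower()
    findings = {}
    for key, value in ucr.items():
        if key in ("hostname", "domainname") or "@%@" in value:
            continue  # template placeholders are resolved at commit time, not stale
        if key in HOSTNAME_KEYS and value.lower() != fqdn:
            findings[key] = f"expected {fqdn}, found {value}"
            continue
        for token in FQDN_RE.findall(value):
            if token.lower() != fqdn and not token.lower().endswith("." + domain):
                findings[key] = f"references host outside {domain}: {token}"
                break
    return findings


if __name__ == "__main__":
    ucr = parse_ucr_dump(SAMPLE_UCR_DUMP)
    print("expected FQDN:", expected_fqdn(ucr))
    # Certificate as listed by `univention-certificate list`: CN mail.airesistemas.com
    print("listener TLS would fail:", ldap_client_would_fail(ucr, "mail.airesistemas.com", []))
    for key, why in sorted(stale_ucr_hostnames(ucr).items()):
        print(f"  {key}: {why}")
```

Run against a real system, replace `SAMPLE_UCR_DUMP` with the output of `ucr dump`, and take the CN and SAN entries from `univention-certificate dump`; the `ldap/server/name` result reproduces the short name "mail" seen in the traceback's `uldap.__open host=mail`, which a certificate issued only for the FQDN does not cover.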


#9

Okay Dirk,
The TLS problem is fixed. I am having a different problem but will open a different thread.

Rolando Riley