Connection to LDAP server fails if the LDAP server certificate's Subject Alternative Name (SAN) does not match the hostname the client connects to.

Solution Verified

Environment

  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 7
  • openldap-2.4.46-18.el8

Issue

  • ipa-client-install fails with error:
    Unable to initialize STARTTLS session
    Connect error: TLS: hostname does not match subjectAltName in peer certificate
    Failed to bind to server!
  • ldapsearch over STARTTLS (-ZZ) fails with error:
    # ldapsearch -ZZ -H ldap://ldapserver.example.com -b dc=example,dc=com
    ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match subjectAltName in peer certificate

Resolution

  • Make sure the LDAP server certificate contains a Subject Alternative Name (SAN) entry of type dNSName that matches the hostname clients use to connect, i.e. the name in the LDAP URI (ldapserver.example.com in the example above).

  • If the LDAP server certificate does not contain a Subject Alternative Name (SAN) that matches that hostname, a new certificate has to be issued. Adjusting the Common Name is not sufficient: once a SAN is present, the Common Name is no longer consulted.

    • If IdM is used, the Directory Server certificate can be reissued with the following command on every IdM server (the -D option requests the server's FQDN as a dNSName SAN):
# ipa-getcert resubmit -d /etc/dirsrv/slapd-<REALM> -n Server-Cert -D `hostname -f`

Root Cause

With RHBA-2021:4449 the OpenLDAP client library (libldap) enforces the hostname-matching rule recommended in RFC 6125, section 6.4.4:

   As noted, a client MUST NOT seek a match for a reference identifier
   of CN-ID if the presented identifiers include a DNS-ID, SRV-ID,
   URI-ID, or any application-specific identifier types supported by the
   client.

   Therefore, if and only if the presented identifiers do not include a
   DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types
   supported by the client, then the client MAY as a last resort check
   for a string whose form matches that of a fully qualified DNS domain
   name in a Common Name field of the subject field (i.e., a CN-ID).

This means that when the LDAP server certificate carries a Subject Alternative Name (SAN) extension, the client matches the hostname only against the SAN entries of type dNSName and no longer falls back to the Common Name. A certificate whose Common Name matches the hostname but whose SAN lists a different name (or a SAN with no matching dNSName at all) was accepted before the update and is rejected after it; the Common Name is consulted only when the certificate has no SAN.
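The matching rule described above, as an added example that is not part of the original article or of OpenLDAP: a Python implementation of RFC 6125 reference-identifier matching over the dict shape that ssl.SSLSocket.getpeercert() returns, with the lenient pre-update behaviour (CN fallback even when a SAN is present) shown beside the strict rule so the failure in the Issue section can be reproduced offline. The sample certificates below are constructed dicts, not real certificates, and the hostnames in them are assumptions.

```python
"""RFC 6125 hostname matching: strict (SAN present => CN ignored) versus legacy.

Certificates are represented in the dict shape returned by
ssl.SSLSocket.getpeercert(): 'subject' is a tuple of RDNs, each a tuple of
(attribute, value) pairs; 'subjectAltName' is a tuple of (type, value) pairs.
"""


def _dns_match(presented, reference):
    """Compare one presented dNSName/CN against the reference hostname.

    Case-insensitive, trailing dot ignored. A wildcard is accepted only as
    the entire left-most label, matches exactly one label, and must be
    followed by at least two labels (so '*.com' matches nothing), which is
    the conservative reading of RFC 6125 section 6.4.3.
    """
    presented = presented.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    if "*" not in presented:
        return presented == reference
    p_labels = presented.split(".")
    r_labels = reference.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(r_labels) != len(p_labels):
        return False
    return p_labels[1:] == r_labels[1:]


def presented_identifiers(peercert):
    """Split a certificate into its DNS-IDs (SAN dNSName entries) and CN-IDs."""
    san = peercert.get("subjectAltName", ())
    dns_ids = [value for kind, value in san if kind == "DNS"]
    cn_ids = [value
              for rdn in peercert.get("subject", ())
              for attr, value in rdn
              if attr == "commonName"]
    return dns_ids, cn_ids


def match_hostname_rfc6125(peercert, hostname):
    """Strict rule (behaviour after RHBA-2021:4449).

    If the certificate carries a subjectAltName extension, only its dNSName
    entries are consulted. The Common Name is a last resort used only when
    there is no SAN at all.
    """
    dns_ids, cn_ids = presented_identifiers(peercert)
    if peercert.get("subjectAltName"):
        return any(_dns_match(d, hostname) for d in dns_ids)
    return any(_dns_match(cn, hostname) for cn in cn_ids)


def match_hostname_legacy(peercert, hostname):
    """Lenient rule: fall back to the CN even when a SAN is present.

    Shown only to explain why a certificate with a matching CN but a
    mismatching SAN used to work and now fails.
    """
    dns_ids, cn_ids = presented_identifiers(peercert)
    return any(_dns_match(name, hostname) for name in dns_ids + cn_ids)


def explain(peercert, hostname):
    """Return 'ok' or a failure message; the SAN message is the libldap
    wording from the Issue section, the CN message is this example's own."""
    if match_hostname_rfc6125(peercert, hostname):
        return "ok"
    if peercert.get("subjectAltName"):
        return "TLS: hostname does not match subjectAltName in peer certificate"
    return "TLS: hostname does not match CN in peer certificate (no SAN present)"


# Constructed sample certificates (assumed names, not real certificates).
CERT_CN_ONLY = {
    "subject": ((("commonName", "ldapserver.example.com"),),),
}
CERT_SAN_MISMATCH = {  # CN matches, SAN lists a different name: fails after the update
    "subject": ((("commonName", "ldapserver.example.com"),),),
    "subjectAltName": (("DNS", "ldap01.example.com"),),
}
CERT_SAN_OK = {
    "subject": ((("commonName", "ldapserver.example.com"),),),
    "subjectAltName": (("DNS", "ldapserver.example.com"), ("DNS", "ldap.example.com")),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}

if __name__ == "__main__":
    host = "ldapserver.example.com"
    for label, cert in (("CN only", CERT_CN_ONLY), ("SAN mismatch", CERT_SAN_MISMATCH),
                        ("SAN ok", CERT_SAN_OK)):
        print(f"{label:13s} legacy={match_hostname_legacy(cert, host)!s:5s} "
              f"strict={match_hostname_rfc6125(cert, host)!s:5s} {explain(cert, host)}")
```

To check a live server, pass the dict from getpeercert() on a socket wrapped with ssl.create_default_context() and the hostname from the LDAP URI; for a certificate file, the SAN entries it carries can be listed with openssl x509 -noout -ext subjectAltName before deciding whether it has to be reissued.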

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
