How to Fix “TLS: hostname does not match CN in peer certificate” Error in LDAP StartTLS Connection

The error occurs because the hostname you're using to connect (172.25.80.144) doesn't match the Common Name (CN) in your LDAP server's certificate. This is a security feature of TLS that prevents man-in-the-middle attacks.

From your configuration files, I notice several potential issues:

# Server-side ldap.conf (as posted)
BASE dc=prueba,dc=borja
# The URI uses the hostname, while the failing command connects by IP address
URI  ldap://prueba.borja
TLS_CACERT /etc/ssl/certs/ca-certificates.crt

# Client-side ldap.conf (as posted)
ssl start_tls
# tls_checkpeer is a pam_ldap/nss_ldap setting; "no" bypasses certificate verification (not recommended)
tls_checkpeer no
# "allow" also reduces security: a bad or mismatched certificate is ignored
TLS_REQCERT allow

Proper Solution: Fix Certificate Configuration

1. Check your certificate's CN and Subject Alternative Names (SANs):

openssl x509 -in /path/to/your/cert.pem -text -noout | grep -E "Subject:|DNS:"

2. Either:

  • Use the hostname (prueba.borja) instead of IP when connecting
  • OR regenerate certificate with IP address in SANs

Alternative Solutions (for testing only)

If you're in a development environment and need a quick workaround:

# Modify client ldap.conf to:
TLS_REQCERT never

# Or use this command option (on older OpenLDAP client tools that do not accept
# -o tls_reqcert, set the LDAPTLS_REQCERT=never environment variable instead):
ldapsearch -x -H ldap://prueba.borja -ZZ -o ldif-wrap=no \
  -o nettimeout=30 -o tls_reqcert=never

Here's how to properly configure both server and client:

# Server /etc/ldap/ldap.conf
BASE dc=prueba,dc=borja
# ldaps:// uses port 636; keep ldap:// here if you still connect with -ZZ (StartTLS)
URI ldaps://prueba.borja
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
# TLS_CERT/TLS_KEY in ldap.conf are client-certificate options; slapd's own
# certificate is set in the slapd configuration (olcTLSCertificateFile/olcTLSCertificateKeyFile)
TLS_CERT /etc/ldap/ssl/server.crt
TLS_KEY /etc/ldap/ssl/server.key

# Client /etc/ldap/ldap.conf
BASE dc=prueba,dc=borja
URI ldaps://prueba.borja
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
# For production security (ldap.conf does not allow trailing comments)
TLS_REQCERT demand

If you need to regenerate certificates with proper SANs:

# -addext requires OpenSSL 1.1.1 or newer
openssl req -new -x509 -nodes -out /etc/ldap/ssl/server.crt \
  -keyout /etc/ldap/ssl/server.key -days 365 \
  -subj "/CN=prueba.borja" -addext "subjectAltName = IP:172.25.80.144,DNS:prueba.borja"

Remember to restart your LDAP server after certificate changes:

sudo service slapd restart

For production environments, always use properly signed certificates from a trusted CA rather than self-signed certificates.


When configuring LDAP with StartTLS encryption between an Ubuntu 12.04 server and 11.04 client, you might encounter the following error:

ldapsearch -x -H 172.25.80.144 -ZZ 
ldap_start_tls: Connect error (-11)
                additional info: TLS: hostname does not match CN in peer certificate

This occurs when the hostname/IP address used to connect (172.25.80.144) doesn't match the Common Name (CN) or Subject Alternative Names (SANs) in the server's SSL certificate. The TLS protocol strictly validates this to prevent MITM attacks.

First, examine your server certificate:

openssl x509 -in /etc/ssl/certs/ldap.crt -text -noout

Look for these critical fields:

Subject: CN = prueba.borja
X509v3 Subject Alternative Name:
    DNS:prueba.borja, DNS:ldap.prueba.borja
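To see why those fields decide the outcome, here is an added example (not from the original post or from OpenLDAP) that replays the matching order a StartTLS client applies to the subject and SAN fields above. It is a simplified reimplementation assumed from libldap's behaviour: SAN entries of the right type are tried first, then the target is compared with the CN; the three certificates and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample certificates in the dict shape ssl.SSLSocket.getpeercert()
# returns; illustrative only, not the page's real server certificate.
CERT_CN_ONLY = {"subject": ((("commonName", "prueba.borja"),),)}
CERT_DNS_SAN = {"subject": ((("commonName", "prueba.borja"),),),
                "subjectAltName": (("DNS", "prueba.borja"), ("DNS", "ldap.prueba.borja"))}
CERT_IP_SAN = {"subject": ((("commonName", "prueba.borja"),),),
               "subjectAltName": (("DNS", "prueba.borja"), ("IP Address", "172.25.80.144"))}


def _name_match(pattern, host):
    """Case-insensitive DNS-style compare; '*' is honoured only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and pattern[1:] == host[host.index("."):]
    return pattern == host


def check_peer_name(cert, target):
    """Return (ok, reason) for a client that connected to `target` and received `cert`.

    Order (assumed from libldap's behaviour, simplified): subjectAltName entries of
    the matching type first (DNS names for a host name, IP Address entries for an
    IP literal), then a fallback string comparison of the target against the
    subject CN. The error quoted on this page is that CN fallback failing.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is None and kind == "DNS" and _name_match(value, target):
            return True, f"matched SAN DNS:{value}"
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return True, f"matched SAN IP:{value}"
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), None)
    if cn is None:
        return False, "TLS: no CN in peer certificate"
    if _name_match(cn, target):
        return True, f"matched CN {cn} (no usable SAN)"
    return False, "TLS: hostname does not match CN in peer certificate"


if __name__ == "__main__":
    for label, cert in (("CN only", CERT_CN_ONLY), ("DNS SANs", CERT_DNS_SAN), ("IP SAN", CERT_IP_SAN)):
        for target in ("172.25.80.144", "prueba.borja"):
            print(f"{label:9} -> {target:14} {check_peer_name(cert, target)}")
```

Connecting by IP fails against the first two certificates because neither carries an IP SAN and "172.25.80.144" is not the CN; only the certificate with `IP:172.25.80.144` in its SANs passes.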

Option 1: Certificate Adjustment (Recommended)

Regenerate your certificate with proper SANs:

# -addext requires OpenSSL 1.1.1 or newer; the IP: entry is what a client
# connecting by address is checked against (an IP in a DNS: entry is not used)
openssl req -new -x509 -nodes -out /etc/ssl/certs/ldap.crt \
  -keyout /etc/ssl/private/ldap.key -days 3650 \
  -subj "/CN=prueba.borja" \
  -addext "subjectAltName = DNS:prueba.borja, IP:172.25.80.144"

Option 2: Client Configuration Override

Modify /etc/ldap/ldap.conf with TLS options:

TLS_REQCERT allow
TLS_CACERT /etc/ssl/certs/ca-certificates.crt

Option 3: ldapsearch Command-line Override

Use these parameters for testing:

ldapsearch -x -H ldap://172.25.80.144 -ZZ \
  -o ldif-wrap=no \
  -o tls_reqcert=never

For production systems, always:

  • Use FQDNs instead of IPs in certificates
  • Maintain proper CA-signed certificates
  • Set TLS_REQCERT to 'demand' once validated

Verify the TLS handshake with OpenSSL (the -starttls ldap option needs OpenSSL 1.1.1 or newer):

openssl s_client -connect 172.25.80.144:389 -starttls ldap -showcerts

Check LDAP debug output:

LDAPTLS_REQCERT=never ldapsearch -d 5 -x -H ldap://172.25.80.144 -ZZ