[gnutls-help] Create csr with netscape extension = server

m.postman at mafrigo.net m.postman at mafrigo.net
Sat Jun 14 16:03:12 CEST 2014


Hey,
Actually you are right, openldap on opensuse 13.1 is compiled with openssl.
I misread the output of "ldd", sorry for the inconvenience!

Thanks for your help anyway :)
Marc

On 12.06.2014 11:12, Nikos Mavrogiannopoulos wrote:
> On Wed, Jun 11, 2014 at 7:50 PM,  <m.postman at mafrigo.net> wrote:
>> Hi,
>> I've been working on this problem quite long now.
>> OpenLDAP on my OpenSuSE 13.1 is compiled with gnutls apparently.
>> But connecting to the OpenLDAP server fails with the following message:
>> # ldapsearch -h localhost -W -D uid=admin,dc=example,dc=net -b
>> dc=example,dc=net -s sub "(uid=user1)" -v -ZZ
>> ldap_initialize( ldap://localhost )
>> ldap_start_tls: Connect error (-11)
>>          additional info: error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unsupported
>> certificate purpose)
> This is not a gnutls error. Most likely it comes from openssl. My
> guess would be that your server certificate doesn't have the correct
> purpose set, or has some purpose set that is unknown to it.
>
>> Tracking down this error led to a missing "Netscape Extension" called
>> "server".
> I doubt that any software would use that extension. It has been dead
> for a decade.
> Most likely you need to consult the key purpose extensions. My guess
> would be that it requires the "tls_www_server" option to the certtool
> template.
>
> regards,
> Nikos
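
The reply above points at the "tls_www_server" option of the certtool template. The following is an added example, not part of the original thread, of a template that requests that key purpose and of the commands to build and inspect the request; the host name and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example. Host name and file names are constructed placeholders.

# Write a certtool template that requests the TLS server key purpose.
# Usage: write_template <template-file>
write_template() {
    cat > "$1" <<'EOF'
# Constructed values; replace with the name clients use to reach the server.
cn = "ldap.example.net"
dns_name = "ldap.example.net"
# Extended key usage: TLS WWW server
tls_www_server
# Key usage bits for a TLS server key
signing_key
encryption_key
EOF
}

# Generate a private key (readable by the owner only) and a CSR from the template.
# Usage: make_csr <template-file> <key-out> <csr-out>
make_csr() {
    ( umask 077 && certtool --generate-privkey --outfile "$2" ) &&
    certtool --generate-request --load-privkey "$2" \
             --template "$1" --outfile "$3"
}

# Print the request, including the extensions it asks for, so the key
# purpose can be confirmed before the CSR is sent to the CA.
# Usage: show_csr <csr-file>
show_csr() {
    certtool --crq-info --infile "$1"
}

# Once the CA has issued the certificate, list the purposes OpenSSL
# accepts it for (the client in this thread was linked against OpenSSL).
# Usage: check_cert_purpose <cert-file>
check_cert_purpose() {
    openssl x509 -in "$1" -noout -purpose
}
```

The request only asks for the key purpose; the CA decides which extensions end up in the issued certificate, so run the last check on the certificate that comes back.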



