LDAP certificate not valid for any names

perrymil · July 21, 2023, 7:43pm

Hi All,

Internal Server Error

Login error: failed to connect: LDAP Result Code 200 “Network Error”: x509: certificate is not valid for any names, but wanted to match ldap.acc.ohsu.edu

I got that message after configuring our cluster.yml file and restarting httpd and ondemand-dex.

Is this something to do with CA trust? I saw some mention of the tls cert configuration in the ood_portal.yml file, but wasn’t sure if I needed to add anything beyond the ssl cert configuration:

ssl:

‘SSLCertificateFile “/etc/pki/tls/certs/openondemanddev.ohsu.edu.crt”’
‘SSLCertificateKeyFile “/etc/pki/tls/private/openondemanddev.ohsu.edu.key”’
‘SSLCertificateChainFile “/etc/pki/tls/certs/openondemanddev.ohsu.edu-chain.pem”’

Which appears to be working fine for the TLS cert in that it redirects to https fine, and shows a valid cert…

Jul 21 15:37:38 openondemanddev ondemand-dex[3561]: time=“2023-07-21T19:37:38Z” level=error msg=“Failed to login user: failed to connect: LDAP Result Code 200 "Network Error": x509: certificate is not valid for any names, but wanted to match ldap.acc.ohsu.edu”

Thoughts?

jeff.ohrstrom · July 21, 2023, 7:59pm

There’s some issue with the certificate that the LDAP server is providing I would guess.

You can see what the certificate looks like with this command.

openssl s_client -connect <host>:<port> -starttls ldap

Beyond that I think you’d need to ensure that the appropriate Certificate Authority files are on both machines (the ldap server and the OOD server).

perrymil · July 21, 2023, 10:24pm

Thanks, we got that part resolved.

jeff.ohrstrom · July 25, 2023, 6:13pm

Thanks for the response! Please let us know what the resolution was in case someone else runs into the same.