Hi Ray, I finally did it. I used your recommendation to add the cert to /etc/ssl/crt using the "ca-certificates" command.

Thanks, Ray

On Tuesday, 12 January 2021 at 05:26:40 UTC+7 Ray Bon wrote:

> Irvan,
>
> It looks like mod_auth_cas is unable to find the cert at that location (/etc/ssl/certs), or it is not an x509 cert, or it is not readable.
>
> Ray
>
> On Mon, 2021-01-11 at 12:08 -0800, irvan suryadi wrote:
>
> Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
>
> Ray,
>
> I have done your recommendation above,
> I think a little more might work.
>
> Now I find the following error message:
> MOD_AUTH_CAS: curl_easy_perform() failed (error setting certificate verify locations:\n CAfile: /etc/ssl/certs/cas.cer\n CApath: /etc/ssl/certs).
>
> What can I do? (I have imported cas.cer to cacert in jvm .../security/cacerts).
>
> Thanks,
> Irvan
>
> On Tuesday, 12 January 2021 at 02:24:08 UTC+7 Ray Bon wrote:
>
> Irvan,
>
> Try moving the certificate from /etc/cas/ to the system cert store, somewhere like /etc/ssl/certs/, so that the host curl can find it. (And update the mod_auth_cas config to point there.)
>
> Ray
>
> On Mon, 2021-01-11 at 11:09 -0800, irvan suryadi wrote:
>
> Hi Ray,
>
> I've tried what you recommended before.
> But I still get the same error. After I checked the error log in the apache2 log,
> I find this error message:
> [client 127.0.0.1:51490] MOD_AUTH_CAS: curl_easy_perform() failed (SSL certificate problem: self signed certificate)
>
> I think this is because I use the self-signed keystore and certificate using "./gradlew createKeystore" in the cas-server files.
>
> Can I use the self-signed one, or turn off the self-signed certificate checker on apache?
>
> Thanks,
> Irvan
>
> On Thursday, 7 January 2021 at 04:31:07 UTC+7 Ray Bon wrote:
>
> Irvan,
>
> The embedded container properties might be for tomcat.
> You may have to add the cert to the java keystore, usually in <JAVA_HOME>/jre/lib/security/cacerts.
>
> Ray
>
> On Wed, 2021-01-06 at 12:06 -0800, irvan suryadi wrote:
>
> Hello Ray,
>
> I have done several experiments based on your suggestions. Previously, I'd like to answer about cas.example.org and localhost. Yes, it is true that they are the same domain on ip (127.0.0.1).
>
> I have added the certificate to "auth_cas.conf" using the command "CasCertificatePath", but the problem is still the same.
>
> Is there anything I missed?
>
> Thanks,
> Irvan
>
> auth_cas.conf :
>
> <Directory "/var/www/html/secured-by-cas">
> <IfModule mod_auth_cas.c>
> AuthType CAS
> CASAuthNHeader On
> </IfModule>
> Require valid-user
> </Directory>
>
> <IfModule mod_auth_cas.c>
> CASLoginUrl https://cas.example.org:8443/cas/login
> CASValidateUrl https://cas.example.org:8443/cas/serviceValidate
> CASCookiePath /var/cache/apache2/mod_auth_cas/
> CASSSOEnabled On
> CASDebug On
> logLevel Debug
> CASCertificatePath /etc/cas/cas.crt
> </IfModule>
>
> -------------------------
>
> Based on your directions, here is what my apache server "access.log" looks like when I try to run cas:
> ::1 - - [07/Jan/2021:02:20:30 +0700] "GET /secured-by-cas HTTP/1.1" 302 668 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
> ::1 - - [07/Jan/2021:02:21:22 +0700] "-" 408 0 "-" "-"
> ::1 - - [07/Jan/2021:02:30:41 +0700] "GET /secured-by-cas HTTP/1.1" 302 668 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
> ::1 - - [07/Jan/2021:02:38:18 +0700] "GET /secured-by-cas HTTP/1.1" 302 668 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
> ::1 - - [07/Jan/2021:02:39:10 +0700] "-" 408 0 "-" "-"
> 127.0.0.1 - - [07/Jan/2021:02:41:54 +0700] "GET /secured-by-cas?ticket=ST-1-sZOsx9-Yf4rt4RwvMt6cJnYsNs-Irvan HTTP/1.1" 401 682 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
> 127.0.0.1 - - [07/Jan/2021:02:41:54 +0700] "GET /favicon.ico HTTP/1.1" 404 493 "http://cas.example.org/secured-by-cas?ticket=ST-1-sZOsx9-Yf4rt4RwvMt6cJnYsNs-Irvan" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
>
> ------------------------
> Here's the log from my apache server:
>
> ============================================================
> WHO: audit:unknown
> WHAT: [event=success,timestamp=Thu Jan 07 02:41:48 WIB 2021,source=RankedMultifactorAuthenticationProviderWebflowEventResolver]
> ACTION: AUTHENTICATION_EVENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Thu Jan 07 02:41:48 WIB 2021
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
> ============================================================
>
> 2021-01-07 02:41:53,860 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated principal [irvan] with attributes [{}] via credentials [[UsernamePasswordCredential(username=irvan, source=null, customFields={})]].>
> 2021-01-07 02:41:53,878 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> ============================================================
> WHO: irvan
> WHAT: Supplied credentials: [UsernamePasswordCredential(username=irvan, source=null, customFields={})]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Thu Jan 07 02:41:53 WIB 2021
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
> ============================================================
>
> 2021-01-07 02:41:53,898 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> ============================================================
> WHO: irvan
> WHAT: [result=Service Access Granted,service=http://cas.example.org/secured-by-cas,principal=SimplePrincipal(id=irvan, attributes={}),requiredAttributes={}]
> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Thu Jan 07 02:41:53 WIB 2021
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
> ============================================================
>
> 2021-01-07 02:41:53,979 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> ============================================================
> WHO: irvan
> WHAT: [result=Service Access Granted,service=http://cas.example.org/secured-by-cas,principal=SimplePrincipal(id=irvan, attributes={}),requiredAttributes={}]
> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Thu Jan 07 02:41:53 WIB 2021
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
> ============================================================
>
> 2021-01-07 02:41:54,031 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> ============================================================
> WHO: irvan
> WHAT: TGT-1-*****xRhS4ALrTY-Irvan
> ACTION: TICKET_GRANTING_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Thu Jan 07 02:41:54 WIB 2021
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
> ============================================================
>
> 2021-01-07 02:41:54,092 INFO
>
> On Wednesday, 6 January 2021 at 04:08:31 UTC+7 Ray Bon wrote:
>
> Irvan,
>
> In your cas config you use cas.example.org but in your auth_cas.conf you have localhost.
> Are they on the same host?
>
> Check your cas client / apache logs.
>
> Make sure apache knows about the cas certificate.
>
> Ray
>
> On Tue, 2021-01-05 at 11:47 -0800, irvan suryadi wrote:
>
> Hi Everyone,
>
> I am currently trying to create a client application for my cas server using Apache2 on ubuntu 20.04 LTS.
>
> But at this time I encountered an obstacle. After successfully logging in using sso cas, the following problem arises:
>
> //
> Unauthorized
>
> This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
>
> Apache/2.4.41 (Ubuntu) Server at cas.example.org Port 80
> //
>
> Is there a cas configuration that I missed?
>
> Here is the configuration I have made on my server. I hope this helps make it easier to answer this question.
>
> -----------------------------------------------------------
>
> Service Registry Files (/etc/cas/services/ApacheSecuredByCAS-1609235681.json) :
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^http://cas.example.org/secured-by-cas",
>   "name" : "Apache",
>   "id" : 1609235681,
>   "evaluationOrder" : 1,
>   "authenticationPolicy" : {
>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
>     "requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "Radius" ]]
>   }
> }
>
> -------------------
> cas.properties (/etc/cas/config) :
>
> cas.server.name=https://cas.example.org:8443
> cas.server.prefix=${cas.server.name}/cas
>
> logging.config=file:/etc/cas/config/log4j2.xml
>
> cas.service-registry.json.location=file:/etc/cas/services
>
> cas.authn.accept.users=
> #cas.authn.accept.enabled=
> server.port=8443
>
> #cas.adminPagesSecurity.ip=127\.0\.0\.1
>
> # SSL
> server.ssl.enabled=true
>
> server.ssl.keyStore=file:/etc/cas/thekeystore
> server.ssl.keyStorePassword=changeit
> server.ssl.keyPassword=changeit
>
> # AUTHENTICATION PROPERTIES
> #cas.authn.radius.server.nasIpAddress=192.168.1.2
> #EAP_MSCHAPv2
> cas.authn.radius.name=Radius
> cas.authn.radius.server.protocol=PAP
>
> cas.authn.radius.server.retries=1
> cas.authn.radius.client.authenticationPort=1812
> cas.authn.radius.client.sharedSecret=casserver
> cas.authn.radius.client.inetAddress=192.168.56.2
> cas.authn.radius.client.accountingPort=1813
>
> # TICKETING PROPERTIES
> # Enable the backing map to be cacheable
> cas.ticket.registry.in-memory.cache=true
>
> cas.ticket.registry.in-memory.load-factor=1
> cas.ticket.registry.in-memory.concurrency=20
> cas.ticket.registry.in-memory.initial-capacity=1000
>
> ---------------
> Dependencies (build.gradle) :
> dependencies {
>     // Other CAS dependencies/modules may be listed here...
>     implementation "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"
>     implementation "org.apereo.cas:cas-server-support-radius:${project.'cas.version'}"
> }
>
> ---------
>
> APACHE2 CONFIG (/etc/apache2) (I'm not using httpd)
>
> auth_cas.conf :
> <IfModule mod_auth_cas.c>
> CASLoginUrl https://localhost:8443/cas/login
> CASValidateUrl https://localhost:8443/cas/serviceValidate
> CASCookiePath /var/cache/apache2/mod_auth_cas/
> CASSSOEnabled On
> CASDebug On
> logLevel Debug
> </IfModule>
>
> /etc/apache2/sites-enabled/000-default.conf :
> <VirtualHost *:80>
>     # The ServerName directive sets the request scheme, hostname and port that
>     # the server uses to identify itself. This is used when creating
>     # redirection URLs. In the context of virtual hosts, the ServerName
>     # specifies what hostname must appear in the request's Host: header to
>     # match this virtual host. For the default virtual host (this file) this
>     # value is not decisive as it is used as a last resort host regardless.
>     # However, you must set it for any further virtual host explicitly.
>     ServerName cas.example.org
>     ServerAdmin webmaster@localhost
>     DocumentRoot /var/www/html
>
>     # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
>     # error, crit, alert, emerg.
>     # It is also possible to configure the loglevel for particular
>     # modules, e.g.
>     # LogLevel info ssl:warn
>
>     ErrorLog ${APACHE_LOG_DIR}/error.log
>     CustomLog ${APACHE_LOG_DIR}/access.log combined
>
>     # For most configuration files from conf-available/, which are
>     # enabled or disabled at a global level, it is possible to
>     # include a line for only one particular virtual host. For example the
>     # following line enables the CGI configuration for this host only
>     # after it has been globally disabled with "a2disconf".
>     #Include conf-available/serve-cgi-bin.conf
>
>     <Location /secured-by-cas>   // I've changed this to <Directory "/var/www/html/secured-by-cas"> but it is still the same.
>     <IfModule mod_auth_cas.c>
>     AuthType CAS
>     CASAuthNHeader On
>     </IfModule>
>     Require valid-user
>     </Location>
> </VirtualHost>
>
> # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
>
> ------------------------------------
>
> I hope you guys understand this email; I'm not that good at English, guys.
>
> Thank you,
> Irvan
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 <(250)%20721-8831> | CLE 019 | [email protected]
>
> I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c011899e-6efe-4738-a7a9-91d1467462ban%40apereo.org.
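Ray's diagnosis lists three ways libcurl can reject the certificate that mod_auth_cas's CASCertificatePath points at: it is not where the directive says, it is not a parseable X.509 certificate, or the Apache worker cannot read it. The script below is an added example written for this thread; it is not code from the thread, from mod_auth_cas, or from the CAS project. It assumes the openssl CLI and sudo are installed, and every file path in it is a constructed placeholder. It checks the first two conditions, builds the hash-symlink layout that a CApath directory such as /etc/ssl/certs needs (the layout update-ca-certificates and c_rehash produce), and then verifies a server certificate against that directory the same way libcurl does before it trusts the serviceValidate response.

```shell
#!/bin/sh
# Added example for the mod_auth_cas certificate thread; not project code.
# Assumes the openssl CLI is installed. All paths shown are constructed.

# 0 if the file is a PEM-encoded X.509 certificate that OpenSSL can parse.
# libcurl's CAfile must be PEM: a DER file (often named .cer) or a file
# that is not a certificate at all makes curl_easy_perform() fail with
# "error setting certificate verify locations".
is_pem_x509() {
    openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1
}

# Subject-name hash that OpenSSL uses as the file name (<hash>.N) when it
# looks a CA up inside a CApath directory such as /etc/ssl/certs.
cert_subject_hash() {
    openssl x509 -in "$1" -noout -hash
}

# Populate a CApath directory with <hash>.N symlinks for each PEM cert.
# This is what c_rehash / update-ca-certificates do; a file merely copied
# into /etc/ssl/certs is invisible to CApath lookups without these links.
make_capath() {
    dir="$1"; shift
    mkdir -p "$dir" || return 1
    for cert in "$@"; do
        is_pem_x509 "$cert" || return 1
        h=$(cert_subject_hash "$cert") || return 1
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
        abs="$(cd "$(dirname "$cert")" && pwd)/$(basename "$cert")"
        ln -s "$abs" "$dir/$h.$n" || return 1
    done
}

# 0 if the server certificate chains to a trust anchor in the CApath,
# the same check libcurl performs against the CAS server's TLS cert.
verify_against_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# 0 if the given system user can read the file. Apache runs as www-data on
# Ubuntu, so a root-only 0600 certificate fails in the third way Ray lists
# ("or it is not readable"). Needs sudo; not exercised by the test below.
readable_by() {
    sudo -u "$1" test -r "$2"
}

# Usage by hand (paths are constructed placeholders):
#   is_pem_x509 /etc/ssl/certs/cas.crt && echo PEM || echo "not PEM"
#   make_capath /tmp/capath /etc/ssl/certs/cas.crt
#   verify_against_capath /tmp/capath /etc/ssl/certs/cas.crt && echo trusted
#   readable_by www-data /etc/ssl/certs/cas.crt && echo readable
```

Running is_pem_x509 against the file named in the error message is the quickest way to separate "not an x509 cert" from "not found"; verify_against_capath then tells you whether the trust store would actually accept the server certificate once the lookup succeeds. Fixing the trust store this way is preferable to disabling verification on the Apache side, since the serviceValidate response from the CAS server is what grants the user access.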
