Bryan-

Run your openssl s_client command again, but specify -CApath to point to the same location as CASCertificatePath. If that doesn't clear up your error:num=20, then something is amiss with your root cert.
-Matt

On Fri, 2010-08-27 at 15:24 -0400, Bryan Wooten wrote:
> Thanks for the reply.
>
> Our cas server is ulogin.utah.edu, its cert's CN is *.utah.edu.
>
> It didn't even occur to me that java was doing the server validation behind
> the scenes...
>
> Now I am even more curious as to why our java CASified apps can talk to our
> CAS server with no problem but my apache server with mod_auth_cas gets the
> name validation error.
>
> I wonder if there is something amiss in my openssl installation (or
> mod_auth_cas build?) on the apache server (running on windows server).
>
> There is probably a clue in here somewhere:
>
> C:\OPENSS~1>openssl s_client -host ulogin.utah.edu -port 443
> Loading 'screen' into random state - done
> CONNECTED(000000E0)
> depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Glo
>
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
> 0 s:/C=US/ST=Utah/L=Salt Lake City/O=The University of Utah/OU=Office of
> ation Technology/CN=*.utah.edu
> i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global CA
> 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global CA
> i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits li
> U=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification
> ity
> ---
> Server certificate
> subject=/C=US/ST=Utah/L=Salt Lake City/O=The University of Utah/OU=Office
> ormation Technology/CN=*.utah.edu
> issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 3642 bytes and written 408 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : DHE-RSA-AES256-SHA
> Session-ID: 8CFE7193B8EBAF1013713A905659FF8F69629007483979B613ADBDC4DF
>
> Session-ID-ctx:
> Master-Key: 73EF831DDA972CA70A1F6CE8FFAA6BADAC72C9E7B63F382164E8046307
> 7CF60CDA2E0FBCAD0506228DDD3D4537
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> Start Time: 1281466250
> Timeout : 300 (sec)
> Verify return code: 20 (unable to get local issuer certificate)
> ---
> closed
>

--
Matthew J. Smith <[email protected]>
University Information Technology Services
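An added example, not part of the original thread: an offline reproduction of the -CApath check suggested above, using `openssl verify` in place of s_client and a throwaway CA constructed on the spot. It shows one way a root can be present in the directory and still produce error 20: OpenSSL looks certificates up in a -CApath directory by subject-name hash (`<hash>.0`), not by file name. The directory names, subject names and function names are assumptions made for the demo.

```sh
#!/bin/sh
# Constructed demo data: a throwaway root CA and one leaf certificate.
# Nothing here comes from the real chain quoted in the thread.

build_demo() {
  d=$1
  mkdir -p "$d/plain" "$d/hashed"
  # Self-signed demo root.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Leaf certificate issued directly by the demo root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=cas.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
  # "plain": the root is in the directory, but under an arbitrary file name.
  cp "$d/root.pem" "$d/plain/root.pem"
  # "hashed": the same root stored as <subject_hash>.0, which is the name
  # the -CApath lookup actually searches for.
  h=$(openssl x509 -in "$d/root.pem" -noout -subject_hash)
  cp "$d/root.pem" "$d/hashed/$h.0"
}

# Print 0 if the certificate verifies against the given -CApath directory,
# otherwise the numeric verify error (20 = unable to get local issuer cert).
verify_code() {
  out=$(openssl verify -CApath "$1" "$2" 2>&1) || true
  case $out in
    *": OK"*) echo 0 ;;
    *) printf '%s\n' "$out" |
         sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n 1 ;;
  esac
}

tmp=$(mktemp -d)
build_demo "$tmp"
echo "root under its own file name: $(verify_code "$tmp/plain" "$tmp/leaf.pem")"
echo "root under <hash>.0:          $(verify_code "$tmp/hashed" "$tmp/leaf.pem")"
rm -rf "$tmp"
```

If the same directory gives a clean result here but s_client against the real server still reports num=20, the root stored there is not the issuer of the top certificate the server sends.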
