Correct, MOD_AUTH_CAS is looking to verify your CAS server via CASCertificatePath.
-Michael On Tue, Oct 1, 2013 at 11:10 AM, Henrik Alstad <[email protected]>wrote: > Yes, that is correct. > fet(front-end test) is the apache server. > bet(back-end test) is the cas-server. > > So I assume Marvin meant that CASCertificatePath should point to a > directory or file with a certificate from bet, not fet? :) > > Cheers, > henrik > > > On Tue, Oct 1, 2013 at 3:37 PM, Michael Herring <[email protected]>wrote: > >> I see a slight difference between hostnames, is that expected? >> apache: svg-comp-fet.example.no >> cas: svg-comp-bet.example.no >> >> -Michael >> >> >> On Tue, Oct 1, 2013 at 9:19 AM, Marvin S. Addison < >> [email protected]> wrote: >> >>> I couldnt make much sense of the log. >>>> >>> >>> I'll try to point out some things. >>> >>> >>> [Tue Oct 01 11:26:47 2013] [debug] ssl_engine_init.c(807): Configuring >>>> RSA server certificate >>>> [Tue Oct 01 11:26:47 2013] [debug] ssl_engine_init.c(846): Configuring >>>> RSA server private key >>>> [Tue Oct 01 11:26:48 2013] [info] Loading certificate & private key of >>>> SSL-aware server >>>> [Tue Oct 01 11:26:48 2013] [info] svg-comp-fet.example.no:443 >>>> >>> >>> That appears to be your Apache host. >>> >>> [Tue Oct 01 11:27:34 2013] [debug] src/mod_auth_cas.c(1406): [client >>>> xxx.xx.xxx.xxx] entering getResponseFromServer() >>>> [Tue Oct 01 11:27:34 2013] [error] [client xxx.xx.xxx.xxx] MOD_AUTH_CAS: >>>> Could not perform SSL handshake with svg-comp-bet.example.no >>>> <http://svg-comp-bet.example.**no <http://svg-comp-bet.example.no>> >>>> (check CASCertificatePath) >>>> >>>> [Tue Oct 01 11:27:34 2013] [debug] src/mod_auth_cas.c(1184): [client >>>> xxx.xx.xxx.xxx] entering isValidCASTicket() >>>> >>> >>> You should ensure that CASCertificatePath points to a directory >>> containing the server certificate for svg-comp-fet.example.no or the CA >>> that issued it. I know you said you already verified that, but you should >>> use openssl s_client to confirm that the certificate you think you trust is >>> actually the one you trust. It's pretty clear this is a certificate trust >>> problem of some kind. >>> >>> M >>> >>> -- >>> You are currently subscribed to [email protected] as: >>> [email protected] >>> >>> To unsubscribe, change settings or access archives, see >>> http://www.ja-sig.org/wiki/**display/JSG/cas-user<http://www.ja-sig.org/wiki/display/JSG/cas-user> >>> >> >> >> >> -- >> Michael Herring >> Information Technology Services >> Web Developer >> Denison University >> 740-587-6360 >> [email protected] >> >> -- >> You are currently subscribed to [email protected] as: >> [email protected] >> >> >> To unsubscribe, change settings or access archives, see >> http://www.ja-sig.org/wiki/display/JSG/cas-user >> >> > > > -- > Henrik Kjus Alstad > > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > -- Michael Herring Information Technology Services Web Developer Denison University 740-587-6360 [email protected] -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
