Fixed it. The openssl s_client was a really neat tool...didn't know about it. I'm a rookie about this :)
I was so fixed on the client-side, but the error was actually at the cas-end. I use JDK6 temporairly due to a dependency, and it turns out, OpenJDK6 got a bug. I installed Suns JDK instead of OpenJDK and everything works like charm. On Tue, Oct 1, 2013 at 5:27 PM, Michael Herring <[email protected]>wrote: > Correct, MOD_AUTH_CAS is looking to verify your CAS server via > CASCertificatePath. > > -Michael > > > On Tue, Oct 1, 2013 at 11:10 AM, Henrik Alstad <[email protected]>wrote: > >> Yes, that is correct. >> fet(front-end test) is the apache server. >> bet(back-end test) is the cas-server. >> >> So I assume Marvin meant that CASCertificatePath should point to a >> directory or file with a certificate from bet, not fet? :) >> >> Cheers, >> henrik >> >> >> On Tue, Oct 1, 2013 at 3:37 PM, Michael Herring <[email protected]>wrote: >> >>> I see a slight difference between hostnames, is that expected? >>> apache: svg-comp-fet.example.no >>> cas: svg-comp-bet.example.no >>> >>> -Michael >>> >>> >>> On Tue, Oct 1, 2013 at 9:19 AM, Marvin S. Addison < >>> [email protected]> wrote: >>> >>>> I couldnt make much sense of the log. >>>>> >>>> >>>> I'll try to point out some things. >>>> >>>> >>>> [Tue Oct 01 11:26:47 2013] [debug] ssl_engine_init.c(807): Configuring >>>>> RSA server certificate >>>>> [Tue Oct 01 11:26:47 2013] [debug] ssl_engine_init.c(846): Configuring >>>>> RSA server private key >>>>> [Tue Oct 01 11:26:48 2013] [info] Loading certificate & private key of >>>>> SSL-aware server >>>>> [Tue Oct 01 11:26:48 2013] [info] svg-comp-fet.example.no:443 >>>>> >>>> >>>> That appears to be your Apache host. >>>> >>>> [Tue Oct 01 11:27:34 2013] [debug] src/mod_auth_cas.c(1406): [client >>>>> xxx.xx.xxx.xxx] entering getResponseFromServer() >>>>> [Tue Oct 01 11:27:34 2013] [error] [client xxx.xx.xxx.xxx] >>>>> MOD_AUTH_CAS: >>>>> Could not perform SSL handshake with svg-comp-bet.example.no >>>>> <http://svg-comp-bet.example.**no <http://svg-comp-bet.example.no>> >>>>> (check CASCertificatePath) >>>>> >>>>> [Tue Oct 01 11:27:34 2013] [debug] src/mod_auth_cas.c(1184): [client >>>>> xxx.xx.xxx.xxx] entering isValidCASTicket() >>>>> >>>> >>>> You should ensure that CASCertificatePath points to a directory >>>> containing the server certificate for svg-comp-fet.example.no or the >>>> CA that issued it. I know you said you already verified that, but you >>>> should use openssl s_client to confirm that the certificate you think you >>>> trust is actually the one you trust. It's pretty clear this is a >>>> certificate trust problem of some kind. >>>> >>>> M >>>> >>>> -- >>>> You are currently subscribed to [email protected] as: >>>> [email protected] >>>> >>>> To unsubscribe, change settings or access archives, see >>>> http://www.ja-sig.org/wiki/**display/JSG/cas-user<http://www.ja-sig.org/wiki/display/JSG/cas-user> >>>> >>> >>> >>> >>> -- >>> Michael Herring >>> Information Technology Services >>> Web Developer >>> Denison University >>> 740-587-6360 >>> [email protected] >>> >>> -- >>> You are currently subscribed to [email protected] as: >>> [email protected] >>> >>> >>> To unsubscribe, change settings or access archives, see >>> http://www.ja-sig.org/wiki/display/JSG/cas-user >>> >>> >> >> >> -- >> Henrik Kjus Alstad >> >> -- >> You are currently subscribed to [email protected] as: >> [email protected] >> To unsubscribe, change settings or access archives, see >> http://www.ja-sig.org/wiki/display/JSG/cas-user >> >> > > > -- > Michael Herring > Information Technology Services > Web Developer > Denison University > 740-587-6360 > [email protected] > > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > -- Henrik Kjus Alstad -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
