After reading through the cURL man pages for a while, I finally determined that 
I can set `CASCertificatePath` to a PEM encoded file *if* it includes the 
entire cert chain from the server cert up through and including the root CA.

This is a bit different from working with (for example) a Java trust store, 
where importing just the server certificate seems to be sufficient.

I still wasn't able to get using a folder of PEM files to work.

Thanks,
Carl
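Added example for the chain requirement discussed in this thread (this is illustration, not code from the mod_auth_cas project or from anyone on the list). It builds a throwaway root -> intermediate -> server chain with openssl and checks which CA files let the server certificate validate, using the same trust model libcurl applies when validating the CAS server: the CA file must contain a self-signed trust anchor (the root); the leaf certificate alone is never enough, and an intermediate alone is not enough either. It goes a little beyond the thread in two ways: root plus intermediate (no leaf) is sufficient, and the root alone is sufficient when the intermediate is supplied untrusted, which is what a correctly configured TLS server does in its handshake. It also shows why a plain folder of PEM files does not work: the OpenSSL/libcurl CA *directory* lookup only finds files named by subject hash (the layout c_rehash or "openssl rehash" produces). The hostname cas.example.edu, the work directory and the certificate names are assumptions for the demo; openssl must be on PATH.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Builds a demo chain
# and checks which CA files validate the leaf. Assumes openssl on PATH;
# cas.example.edu is a made-up hostname.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal req/x509 config so the demo does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:cas.example.edu
EOF

# root.pem (self-signed) -> int.pem -> server.pem, all short-lived demo certs.
build_chain() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -config ca.cnf \
    -keyout root.key -out root.pem -subj "/CN=Demo Root CA" -days 1 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -keyout int.key -out int.csr -subj "/CN=Demo Intermediate CA" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.cnf -extensions v3_ca -out int.pem -days 1 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -keyout server.key -out server.csr -subj "/CN=cas.example.edu" 2>/dev/null
  openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -extfile ca.cnf -extensions v3_server -out server.pem -days 1 2>/dev/null
  cat server.pem int.pem root.pem > chain.pem   # leaf through root, as in the thread
  cat int.pem root.pem > anchors.pem            # the part a CA file really needs
}

# Two directories of the same CA certs: plain file names (what was tried in
# the thread) and hash-named files (the only layout the by-directory lookup reads).
make_capaths() {
  mkdir -p plaindir capath
  cp root.pem int.pem plaindir/
  for f in root.pem int.pem; do
    cp "$f" "capath/$(openssl x509 -noout -hash -in "$f").0"
  done
}

# validates CAFILE CERT [UNTRUSTED]: 0 if CERT chains to a self-signed anchor
# in CAFILE. UNTRUSTED stands in for the intermediates a TLS server sends.
validates() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# validates_capath DIR CERT: same check, trust taken from a CA directory.
validates_capath() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

build_chain
make_capaths
for t in server.pem int.pem root.pem anchors.pem chain.pem; do
  if validates "$t" server.pem; then r=OK; else r=FAIL; fi
  printf '%-12s as CA file: %s\n' "$t" "$r"
done
```

Expected outcome: server.pem, int.pem and root.pem each fail on their own, while anchors.pem and chain.pem succeed; root.pem succeeds once int.pem is passed as untrusted. The hash-named directory validates, the plain one does not. For mod_auth_cas that means pointing CASCertificatePath at a file like anchors.pem (or chain.pem; the extra leaf is harmless), or at a directory prepared with c_rehash / openssl rehash. One caveat worth checking on your own build: libcurl keeps its compiled-in default CA bundle (the /etc/pki/tls/certs path mentioned earlier in the thread) unless the CA *file* option is changed, so a directory setting that appears to work may be getting its trust from the system bundle rather than from the directory; the rename experiment earlier in the thread is exactly the right way to find out.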

----- Original Message -----
From: "Carl Waldbieser" <[email protected]>
To: [email protected]
Sent: Wednesday, August 12, 2015 7:17:29 PM
Subject: Re: [cas-user] mod_auth_cas - trust question


Through lots of trial and error, I have determined that I can point 
`CASCertificatePath` to *any directory*, even an empty one, and the certificate 
will be recognized as long as Apache can see '/etc/pki/tls/certs' (which I 
think was installed as part of libcurl).

If I rename '/etc/pki/tls/certs' to something else, the certificate validation 
seems to fail no matter what I do.

Thanks,
Carl

----- Original Message -----
From: "David Hawes" <[email protected]>
To: [email protected]
Sent: Wednesday, August 12, 2015 7:02:04 PM
Subject: Re: [cas-user] mod_auth_cas - trust question

On Wed, Aug 12, 2015 at 2:59 PM, Waldbieser, Carl
<[email protected]> wrote:
>
> I have mod_auth_cas protecting a web site.
> If I *don't* set `CASCertificatePath`, then everything works how I would 
> expect (CAS authenticates user, service ticket validated, user identified to 
> site via REMOTE_USER).
> However, if I set `CASCertificatePath` to the full path of a PEM file 
> containing the certificate of my CAS server, I get an "Authorization 
> Required" error.  The debug logs show:
>
>   MOD_AUTH_CAS: curl_easy_perform() failed (Peer certificate cannot be 
> authenticated with known CA certificates)
>
> I am using MOD_AUTH_CAS 1.0.10 according to the README.
> I am using Apache 2.2.x
>
> Am I missing something?  I thought that if I set that directive to the actual 
> CAS certificate, it would validate it.

I get the same behavior. It appears that curl is requiring the root
CA, at least on my test server.

> I am also bewildered as to why the process works when I *don't* specify the 
> directive, as I can't seem to find the complete trust chain in the default 
> certs folder ('/etc/ssl/certs/').

Is the root CA in there? Point CASCertificatePath to an empty
directory if you want to see it just fail.

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
