Dmitry,

Your CAS-using-application's JVM does not trust your CAS-server's SSL certificate. It neither trusts the cert explicitly (has its public key locally installed) nor does it trust a certifying authority that in turn signed the public key of the cas-server-SSL-cert that the SSL protocol is offering the client application. (Your application's JVM could trust the certifying authority if 1) there is such a certifying authority and 2) you installed the public key of that certifying authority's signing certificate into your application's JVM).

Short version: you need to install the public key of your CAS-server's SSL cert into your CAS-using-application's JVM. You will need to do this for every application you configure to use CAS, unless you 1) use a commercial cert, 2) use a certifying authority and instead install the certifying authority public key into the CAS-using-application JVMs, or 3) opt out of security by not using SSL.

These SSL issues are coming up over and over and they have been covered on this list many many times before. I don't mean that as a criticism of you, Dmitry -- clearly these must be widely confusing issues to generate so much repeated traffic.

What can be done to make this issue less arduous? A better README distributed with the client? Explicit detection of this error and better error messaging in the logs, with a hyperlink out to a wiki page discussing this issue in excruciating detail? That wiki page? A video tutorial on certificate installation tasks?

Not only has this issue come up before, but I've asked this "what can be done about it" question before. At this point, I guess I'm asking that something actually be done about it.

Very nice stack trace paste, by the way. Normally this stack trace doesn't include those sun.security portions and is therefore more confusing than it has to be. I've been kicking myself assuming I'm the one who introduced the stack-trimming behavior with that CASReceipt bit once upon a time and have been meaning to revisit that code and release a patch fixing it to include more stack context. Yet here you go with useful stack traces. Anything you're doing differently likely to be causing those?

Andrew

> Hello,
>
> I've deployed my application and CAS to one server (server1) and
> created certificate as it is described on the site. It works
> perfectly.
>
> Now, I'm trying to move my application to another server (server2).
> And I've started to get errors:
>
> 13:36:44,587 ERROR [CASReceipt:55]
> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://server1:8443/cas-web/serviceValidate] ticket=[ST-15-zsELoNcF6QJAQ1ig7lvS7PcKPFFAaIN21f4-20] service=[http%3A%2F%2Fserver2%3A8080%2Fc%2Fportal%2Flogin] renew=false]]]
> 13:36:44,587 ERROR [CASFilter:380]
> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://server1:8443/cas-web/serviceValidate] ticket=[ST-15-zsELoNcF6QJAQ1ig7lvS7PcKPFFAaIN21f4-20] service=[http%3A%2F%2Fserver2%3A8080%2Fc%2Fportal%2Flogin] renew=false]]]
> 13:36:44,587 ERROR [[MainServlet]:253] Servlet.service() for servlet MainServlet threw exception
> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://server1:8443/cas-web/serviceValidate] ticket=[ST-15-zsELoNcF6QJAQ1ig7lvS7PcKPFFAaIN21f4-20] service=[http%3A%2F%2Fserver2%3A8080%2Fc%2Fportal%2Flogin] renew=false]]]
>     at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
>     ...
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
>     ...
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
>     ...
>
> What can be these errors caused by?

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
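
The certificate installation described in the reply above, sketched with the JDK's `keytool` as an added example that is not part of the original thread. The alias `cas-server`, the password `changeit`, the file names and the throwaway self-signed certificate for `CN=server1` are constructed stand-ins for the real CAS server keystore.

```shell
#!/bin/sh
# Added example: aliases, passwords and file names are constructed placeholders.
ALIAS=cas-server
STOREPASS=changeit

# server1 side: export only the public certificate from the server keystore.
# A throwaway self-signed key pair stands in for the real CAS server keystore.
make_demo_server_cert() {    # $1 = work dir; writes $1/cas-server.pem
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -dname "CN=server1" -validity 30 -keystore "$1/server.ks" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null 2>&1 &&
    keytool -exportcert -rfc -alias "$ALIAS" -keystore "$1/server.ks" \
        -storepass "$STOREPASS" -file "$1/cas-server.pem" >/dev/null 2>&1
}

# server2 side: add the certificate as a trusted entry in a truststore.
# -noprompt skips keytool's fingerprint confirmation, so confirm out of band
# that the file really came from the CAS server before importing it.
trust_cert() {               # $1 = certificate file, $2 = truststore path
    keytool -importcert -noprompt -alias "$ALIAS" -file "$1" \
        -keystore "$2" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Succeeds only if the truststore entry is byte-for-byte the certificate in $1.
is_trusted() {               # $1 = certificate file, $2 = truststore path
    tmp=$(mktemp) || return 2
    rc=1
    if keytool -exportcert -rfc -alias "$ALIAS" -keystore "$2" \
        -storepass "$STOREPASS" -file "$tmp" >/dev/null 2>&1 &&
        cmp -s "$1" "$tmp"; then
        rc=0
    fi
    rm -f "$tmp"
    return $rc
}

# The application's JVM then has to be started against that truststore:
#   -Djavax.net.ssl.trustStore=/path/to/truststore
#   -Djavax.net.ssl.trustStorePassword=changeit
# A truststore set this way replaces the JDK's default cacerts for that JVM.
```

Running `is_trusted` before and after `trust_cert` shows the state change that makes the PKIX path building error go away for that one certificate.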
