-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm attempting to get mod_auth_cas working as a CAS client and can't seem to get it to trust my CAS server (login.goshen.edu). In the Apache error log I get:
MOD_AUTH_CAS: Could not perform SSL handshake with login.goshen.edu (check CASCertificatePath), referer: http://wiki.goshen.edu/twiki/bin/view/lib/WebHome So I check my CASCertificatePath in my apache conf file: LoadModule auth_cas_module modules/mod_auth_cas.so <IfModule mod_auth_cas.c> CASVersion 2 CASDebug On CASCertificatePath /etc/apache2/ssl/trusted_keys CASValidateServer on CASLoginURL https://login.goshen.edu/cas/login CASValidateURL https://login.goshen.edu/cas/serviceValidate CASTimeout 7200 CASIdleTimeout 7200 </IfModule> And then I check the contents of CASCertificatePath in the filesystem of the mod_auth_cas machine: # ls -l /etc/apache2/ssl/trusted_keys -rw-r--r-- 1 root root 2140 Jun 9 2002 IPSCACLASEA1.crt -rw-r--r-- 1 root root 1001 Jun 9 2002 IPSServidores.crt Seems sane, right? There's the root cert (IPSServidores.crt) and the necessary chain cert (IPSCACLASEA1.crt) for my CAS server. I'm currently using an SSL cert (free for *.edu domains) from ipsca.com. So now I try to figure out how I could test just a plain SSL connection, and come up with this, testing from the same machine I have mod_auth_cas installed on: # echo | openssl s_client -CApath /etc/apache2/ssl/trusted_keys -connect login.goshen.edu:443 2>&1 > /dev/null depth=2 /C=ES/ST=BARCELONA/L=BARCELONA/O=IPS Seguridad CA/OU=Certificaciones/CN=IPS SERVIDORES/[EMAIL PROTECTED] verify return:1 depth=1 /C=ES/ST=Barcelona/L=Barcelona/O=IPS Certification Authority s.l./[EMAIL PROTECTED] C.I.F. B-B62210695/OU=ipsCA CLASEA1 Certification Authority/CN=ipsCA CLASEA1 Certification Authority/[EMAIL PROTECTED] verify return:1 depth=0 /C=US/ST=IN/L=Goshen/O=Goshen College/OU=ITS/CN=login.goshen.edu verify return:1 DONE Again, I think things look like they should work, but perhaps I'm still missing something. I've got to admit I don't feel like any sort of expert on what certs and their types need to go where. Any clues? - -- Paul Ortman PGP Key: 55602C81 - -- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFGsLGUfw8KGlVgLIERAl+cAJ9/HQZqbaFxh3TZugo2muinE4+IZgCfQaGY PWggC57h5cTYJ7DGP2yKY8A= =yYm0 -----END PGP SIGNATURE----- _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
