Try running this:

    c_rehash /etc/apache2/ssl/trusted_keys

This should create two hash symlinks in that directory. These hash symlinks are used by the openssl libs to locate the proper certs.

HTH,
-Matt

On Wed, 2007-08-01 at 12:15 -0400, Paul Ortman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I'm attempting to get mod_auth_cas working as a CAS client and can't
> seem to get it to trust my CAS server (login.goshen.edu). In the
> Apache error log I get:
>
> MOD_AUTH_CAS: Could not perform SSL handshake with
> login.goshen.edu (check CASCertificatePath), referer:
> http://wiki.goshen.edu/twiki/bin/view/lib/WebHome
>
> So I check my CASCertificatePath in my apache conf file:
>
> LoadModule auth_cas_module modules/mod_auth_cas.so
> <IfModule mod_auth_cas.c>
> CASVersion 2
> CASDebug On
> CASCertificatePath /etc/apache2/ssl/trusted_keys
> CASValidateServer on
> CASLoginURL https://login.goshen.edu/cas/login
> CASValidateURL https://login.goshen.edu/cas/serviceValidate
> CASTimeout 7200
> CASIdleTimeout 7200
> </IfModule>
>
> And then I check the contents of CASCertificatePath in the
> filesystem of the mod_auth_cas machine:
>
> # ls -l /etc/apache2/ssl/trusted_keys
> -rw-r--r-- 1 root root 2140 Jun 9 2002 IPSCACLASEA1.crt
> -rw-r--r-- 1 root root 1001 Jun 9 2002 IPSServidores.crt
>
> Seems sane, right? There's the root cert (IPSServidores.crt) and
> the necessary chain cert (IPSCACLASEA1.crt) for my CAS server. I'm
> currently using an SSL cert (free for *.edu domains) from ipsca.com.
>
> So now I try to figure out how I could test just a plain SSL
> connection, and come up with this, testing from the same machine I
> have mod_auth_cas installed on:
>
> # echo | openssl s_client -CApath /etc/apache2/ssl/trusted_keys -connect
> login.goshen.edu:443 2>&1 > /dev/null
> depth=2 /C=ES/ST=BARCELONA/L=BARCELONA/O=IPS Seguridad
> CA/OU=Certificaciones/CN=IPS SERVIDORES/[EMAIL PROTECTED]
> verify return:1
> depth=1 /C=ES/ST=Barcelona/L=Barcelona/O=IPS Certification Authority
> s.l./[EMAIL PROTECTED] C.I.F. B-B62210695/OU=ipsCA CLASEA1 Certification
> Authority/CN=ipsCA CLASEA1 Certification Authority/[EMAIL PROTECTED]
> verify return:1
> depth=0 /C=US/ST=IN/L=Goshen/O=Goshen College/OU=ITS/CN=login.goshen.edu
> verify return:1
> DONE
>
> Again, I think things look like they should work, but perhaps I'm still
> missing something. I've got to admit I don't feel like any sort of
> expert on what certs and their types need to go where. Any clues?
>
> - --
> Paul Ortman
>
> PGP Key: 55602C81
> - --
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFGsLGUfw8KGlVgLIERAl+cAJ9/HQZqbaFxh3TZugo2muinE4+IZgCfQaGY
> PWggC57h5cTYJ7DGP2yKY8A=
> =yYm0
> -----END PGP SIGNATURE-----
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas

--
Matthew J. Smith <[EMAIL PROTECTED]>
University of Connecticut UITS
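
What the c_rehash step changes for a -CApath style directory, as an added example that is not part of the original thread: a certificate file with an arbitrary name is not found by OpenSSL's directory lookup until a <subject-hash>.N link to it exists. The temporary directory, the throwaway "Demo Root CA" and the helper function names are constructed for the demo, and the link is made by hand (slot .0) to show what c_rehash creates.

```shell
#!/bin/sh
# Added example; the directory and the CA below are constructed for the demo.
work=$(mktemp -d)
capath="$work/trusted_keys"
mkdir "$capath"

# Throwaway self-signed CA standing in for a real root certificate.
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$work/ca.key" -out "$capath/demo-root.crt" 2>/dev/null
}

# Print each *.crt in directory $1 that no <subject-hash>.N entry resolves to.
missing_hash_links() {
    for crt in "$1"/*.crt; do
        [ -f "$crt" ] || continue
        h=$(openssl x509 -noout -subject_hash -in "$crt") || continue
        found=no
        for link in "$1/$h".*; do
            if [ -e "$link" ] && cmp -s "$link" "$crt"; then found=yes; fi
        done
        [ "$found" = yes ] || echo "$crt"
    done
}

# Create the link c_rehash would create for one certificate (slot .0 only).
link_cert() {
    h=$(openssl x509 -noout -subject_hash -in "$1")
    ln -s "$(basename "$1")" "$(dirname "$1")/$h.0"
}

# Echo "yes" if certificate $2 verifies against hashed directory $1.
verifies_via_capath() {
    if openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo yes
    else
        echo no
    fi
}

make_demo_ca
before=$(verifies_via_capath "$capath" "$capath/demo-root.crt")
unlinked=$(missing_hash_links "$capath")
link_cert "$capath/demo-root.crt"
after=$(verifies_via_capath "$capath" "$capath/demo-root.crt")
echo "verified before link: $before, after link: $after"
echo "certificates that lacked a hash link: $unlinked"
```

Running missing_hash_links against a real CASCertificatePath directory lists the certificates that still need c_rehash.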
