I'm not sure how mod_auth_cas differs from mod_cas for configuration,
but we specify the specific CA Root cert in our config. It looks like:

    CASTrustedCerts /etc/httpd/conf/entrust_ca.pem

Not sure if that will help you out.

Dallas

On Wed, 1 Aug 2007, Paul Ortman wrote:
> I'm attempting to get mod_auth_cas working as a CAS client and can't
> seem to get it to trust my CAS server (login.goshen.edu). In the
> Apache error log I get:
>
> MOD_AUTH_CAS: Could not perform SSL handshake with login.goshen.edu (check CASCertificatePath), referer: http://wiki.goshen.edu/twiki/bin/view/lib/WebHome
>
> So I check my CASCertificatePath in my apache conf file:
>
> LoadModule auth_cas_module modules/mod_auth_cas.so
> <IfModule mod_auth_cas.c>
> CASVersion 2
> CASDebug On
> CASCertificatePath /etc/apache2/ssl/trusted_keys
> CASValidateServer on
> CASLoginURL https://login.goshen.edu/cas/login
> CASValidateURL https://login.goshen.edu/cas/serviceValidate
> CASTimeout 7200
> CASIdleTimeout 7200
> </IfModule>
>
> And then I check the contents of CASCertificatePath in the
> filesystem of the mod_auth_cas machine:
>
> # ls -l /etc/apache2/ssl/trusted_keys
> -rw-r--r-- 1 root root 2140 Jun 9 2002 IPSCACLASEA1.crt
> -rw-r--r-- 1 root root 1001 Jun 9 2002 IPSServidores.crt
>
> Seems sane, right? There's the root cert (IPSServidores.crt) and
> the necessary chain cert (IPSCACLASEA1.crt) for my CAS server. I'm
> currently using an SSL cert (free for *.edu domains) from ipsca.com.
>
> So now I try to figure out how I could test just a plain SSL
> connection, and come up with this, testing from the same machine I
> have mod_auth_cas installed on:
>
> # echo | openssl s_client -CApath /etc/apache2/ssl/trusted_keys -connect login.goshen.edu:443 2>&1 > /dev/null
> depth=2 /C=ES/ST=BARCELONA/L=BARCELONA/O=IPS Seguridad CA/OU=Certificaciones/CN=IPS SERVIDORES/[EMAIL PROTECTED]
> verify return:1
> depth=1 /C=ES/ST=Barcelona/L=Barcelona/O=IPS Certification Authority s.l./[EMAIL PROTECTED] C.I.F. B-B62210695/OU=ipsCA CLASEA1 Certification Authority/CN=ipsCA CLASEA1 Certification Authority/[EMAIL PROTECTED]
> verify return:1
> depth=0 /C=US/ST=IN/L=Goshen/O=Goshen College/OU=ITS/CN=login.goshen.edu
> verify return:1
> DONE
>
> Again, I think things look like they should work, but perhaps I'm still
> missing something. I've got to admit I don't feel like any sort of
> expert on what certs and their types need to go where. Any clues?
>
> --
> Paul Ortman
>
> PGP Key: 55602C81
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>
--
Dallas Wisehaupt Senior Systems Administrator
[EMAIL PROTECTED] The University of Scranton
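
Added example, not part of either message: a script comparing the two trust-store forms that appear in this thread, a single CA file (as in the `CASTrustedCerts` line) and a certificate directory (as in `CASCertificatePath` and `-CApath`), using `openssl verify` on a constructed throwaway chain. All certificate names and paths in it are made up, and it exercises OpenSSL only, not mod_auth_cas or mod_cas.

```shell
#!/bin/sh
# Constructed throwaway PKI (root -> chain CA -> leaf); every name here is made up.
make_pki() {
    mkdir -p "$1/trusted_keys"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root" \
        -keyout "$1/root.key" -out "$1/trusted_keys/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Chain CA" \
        -keyout "$1/chain.key" -out "$1/chain.csr" 2>/dev/null
    openssl x509 -req -in "$1/chain.csr" -CA "$1/trusted_keys/root.crt" \
        -CAkey "$1/root.key" -set_serial 1 -days 2 -extfile "$1/ca.ext" \
        -out "$1/trusted_keys/chain.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=cas.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/trusted_keys/chain.crt" \
        -CAkey "$1/chain.key" -set_serial 2 -days 2 -out "$1/leaf.crt" 2>/dev/null
}

# Directory store, as passed to -CApath: OpenSSL looks certificates up by
# file name <subject-hash>.<n>, not by scanning the directory contents.
verify_capath() {
    openssl verify -CApath "$1/trusted_keys" "$1/leaf.crt" 2>/dev/null | grep -q ': OK$'
}

# Single-file store, as passed to -CAfile: all trusted certs concatenated as PEM.
verify_cafile() {
    cat "$1"/trusted_keys/*.crt > "$1/bundle.pem"
    openssl verify -CAfile "$1/bundle.pem" "$1/leaf.crt" 2>/dev/null | grep -q ': OK$'
}

# Add the <subject-hash>.0 links that a directory lookup needs.
hash_links() {
    for c in "$1"/trusted_keys/*.crt; do
        ln -sf "$(basename "$c")" "$1/trusted_keys/$(openssl x509 -noout -hash -in "$c").0"
    done
}

demo=$(mktemp -d)
make_pki "$demo"
verify_capath "$demo" && echo "dir, no hash links: OK" || echo "dir, no hash links: FAIL"
verify_cafile "$demo" && echo "bundle file:        OK" || echo "bundle file:        FAIL"
hash_links "$demo"
verify_capath "$demo" && echo "dir, hash links:    OK" || echo "dir, hash links:    FAIL"
rm -rf "$demo"
```

The `openssl rehash` command (or the older `c_rehash` script) creates the same links for a whole directory.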