-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Smith, Matt wrote:
> Did c_rehash properly create the hash symlinks in that directory?

It didn't seem to do anything:

    # c_rehash /etc/apache2/ssl/trusted_keys/
    Doing /etc/apache2/ssl/trusted_keys/
    #

There was no output, at least not like when just calling c_rehash w/o
arguments.

> Generally, I put my CA certs in OpenSSL's default CA directory
> (usually /etc/ssl/certs), with a "pem" extension, and run c_rehash
> with no parameters. Then, for good measure, I restart apache.
> But, I have never done this with a chain cert.

This is what I did in the end to get things to work based on your
suggestions and Phillip's work:

Downloaded the root CA cert and the chain cert from IPS to /etc/ssl/certs/
and changed their extensions from .crt to .pem. I then ran c_rehash with
no arguments. I then downloaded the most recent version of mod_auth_cas
(0.9.6) and edited my mod_auth_cas config file to read:

    LoadModule auth_cas_module modules/mod_auth_cas.so
    <IfModule mod_auth_cas.c>
        CASVersion 2
        CASDebug On

        # Validate the authenticity of the login.goshen.edu SSL
        # cert by checking its chain of authority from the root CA.
        CASCertificatePath /etc/ssl/certs
        CASValidateServer On
        CASValidateDepth 9

        CASLoginURL https://login.goshen.edu/cas/login
        CASValidateURL https://login.goshen.edu/cas/serviceValidate
        CASTimeout 7200
        CASIdleTimeout 7200
    </IfModule>

> Also, could you supply a bit more info for troubleshooting:
> What OS and platform?

Gentoo Linux, x86 on Xen virtual host.

> What version of Apache?

2.0.58-r2

> And could you try to set "CASValidateServer off", just to make
> sure things work without validation?

I had previously, and that was working just fine.

> Hopefully Phil (this mod_auth_cas author) can comment on how well
> chain certs are handled -- though, I don't think that is something
> we've tested yet.

He did. Between the two of you, you folks really helped me out.

Thanks for all your help.

- --
Paul Ortman
PGP Key: 55602C81
- --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGseljfw8KGlVgLIERAk5lAJ90LqLtdCJmXe2JbhsAJQk0SgzGTACfagkX
zcp3GjYqLBLQObLl+gtpilo=
=V7pk
-----END PGP SIGNATURE-----
_______________________________________________
Yale CAS mailing list
http://tp.its.yale.edu/mailman/listinfo/cas
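
One way to answer the question that opens this message ("Did c_rehash properly create the hash symlinks in that directory?") without relying on c_rehash's own output, as an added example that is not part of the original post. The function name `check_capath` is hypothetical; it assumes the usual OpenSSL hash-link naming of eight hex digits, a dot and a number, and it checks both `.pem` and `.crt` files because the certificates in the thread started out as `.crt`.

```shell
#!/bin/sh
# Added example: audit a certificate directory (such as the one named in
# CASCertificatePath) for c_rehash-style hash symlinks.
# Prints one finding per line:
#   OK <file>        some hash link points at this certificate file
#   UNLINKED <file>  no hash link points at this certificate file
#   DANGLING <link>  hash link whose target no longer exists
# Returns 0 only if every .pem/.crt file is linked and no link dangles.
check_capath() {
    dir=${1%/}
    linked=""
    status=0
    # Pass 1: collect the targets of all hash-named symlinks.
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        name=${link##*/}
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;
        esac
        if [ ! -e "$link" ]; then
            echo "DANGLING $name"
            status=1
            continue
        fi
        target=$(readlink "$link")
        # "/" cannot occur in a file name, so it is a safe list delimiter.
        linked="$linked/${target##*/}/"
    done
    # Pass 2: every certificate file should be the target of a hash link.
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -e "$f" ] || continue
        name=${f##*/}
        case $linked in
            */"$name"/*) echo "OK $name" ;;
            *) echo "UNLINKED $name"; status=1 ;;
        esac
    done
    return "$status"
}
```

Run it as `check_capath /etc/ssl/certs`. An UNLINKED line means a lookup by hash name in that directory will not find the certificate, which is worth ruling out before turning validation off to debug.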
