Just a note for the list -- when dealing with CA certificates that need to be accessed by OpenSSL libraries (such as mod_ssl or mod_auth_cas), correct use of OpenSSL's c_rehash is important. c_rehash creates symlinks in the same directory as the certificates like this:

  uconnCA.pem
  3a43781c.0 -> uconnCA.pem

But, from my stumblings, OpenSSL seems a bit picky. First, until very recent versions of c_rehash, the certificate files must end with a "pem" extension for c_rehash to find and link them properly. Second, if the certificates are not in OpenSSL's default CA directory (generally /etc/ssl/certs), then a magic combination of environment variables, configuration directives, and command line parameters is necessary.

My advice: put all CA certs in /etc/ssl/certs (or as appropriate for your distro), make sure they are all named with a "pem" extension, run c_rehash, check the directory to make sure a new hash symlink has been created for your CA, then use that directory in all relevant configuration directives (such as CASCertificatePath).

HTH anybody else with certificate-inspired migraines,
-Matt

On Thu, 2007-08-02 at 10:25 -0400, Paul Ortman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Smith, Matt wrote:
> > Did c_rehash properly create the hash symlinks in that directory?
>
> It didn't seem to do anything:
>
> # c_rehash /etc/apache2/ssl/trusted_keys/
> Doing /etc/apache2/ssl/trusted_keys/
> #
>
> There was no output, at least not like when just calling c_rehash
> w/o arguments.
>
> > Generally, I put my CA certs in OpenSSL's default CA directory
> > (usually /etc/ssl/certs), with a "pem" extension, and run c_rehash
> > with no parameters. Then, for good measure, I restart apache.
> > But, I have never done this with a chain cert.
>
> This is what I did in the end to get things to work based on your
> suggestions and Phillip's work:
>
> Downloaded the root CA cert and the chain cert from IPS to
> /etc/ssl/certs/ and changed their extensions from .crt to .pem. I
> then ran c_rehash with no arguments.
>
> I then downloaded the most recent version of mod_auth_cas (0.9.6)
> and edited my mod_auth_cas config file to read:
>
> LoadModule auth_cas_module modules/mod_auth_cas.so
> <IfModule mod_auth_cas.c>
>   CASVersion 2
>   CASDebug On
>
>   # Validate the authenticity of the login.goshen.edu SSL
>   # cert by checking its chain of authority from the root CA.
>   CASCertificatePath /etc/ssl/certs
>   CASValidateServer On
>   CASValidateDepth 9
>
>   CASLoginURL https://login.goshen.edu/cas/login
>   CASValidateURL https://login.goshen.edu/cas/serviceValidate
>   CASTimeout 7200
>   CASIdleTimeout 7200
> </IfModule>
>
> > Also, could you supply a bit more info for troubleshooting:
> > What OS and platform?
>
> Gentoo Linux, x86 on Xen virtual host.
>
> > What version of Apache?
>
> 2.0.58-r2
>
> > And could you try to set "CASValidateServer off", just to make
> > sure things work without validation?
>
> I had previously, and that was working just fine.
>
> > Hopefully Phil (the mod_auth_cas author) can comment on how well
> > chain certs are handled -- though, I don't think that is something
> > we've tested yet.
>
> He did. Between the two of you, you folks really helped me out.
> Thanks for all your help.
>
> - --
> Paul Ortman
>
> PGP Key: 55602C81
> - --
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFGseljfw8KGlVgLIERAk5lAJ90LqLtdCJmXe2JbhsAJQk0SgzGTACfagkX
> zcp3GjYqLBLQObLl+gtpilo=
> =V7pk
> -----END PGP SIGNATURE-----
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas

-- 
Matthew J. Smith <[EMAIL PROTECTED]>
University of Connecticut UITS
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
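As an added illustration of the procedure Matt describes (editorial example code, not from the post, mod_auth_cas or OpenSSL): a small Python stand-in for c_rehash that hashes the subject name of every ".pem" file in a directory, creates the "<hash>.<n>" symlinks with the ".0", ".1" collision suffixes, and then performs the check he recommends, looking for the symlink that points at a given CA file. It assumes the old-style subject hash used by the OpenSSL 0.9.x builds of that era (the first four bytes of MD5 over the DER-encoded subject Name, read little-endian, as X509_NAME_hash_old computes it). The certificates it processes are constructed, unsigned test certificates built from hand-written DER in a temporary directory; "UConn Test CA", "Fake Root CA" and the file names are invented for the demo. Files without a ".pem" extension are deliberately skipped, to reproduce the pitfall Matt hit.

```python
import base64
import hashlib
import os
import re
import tempfile

def der_elements(value):
    """Yield (tag, raw TLV bytes) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, length, hdr = value[pos], value[pos + 1], 2
        if length & 0x80:                              # long-form length
            hdr += length & 0x7F
            length = int.from_bytes(value[pos + 2:pos + hdr], "big")
        yield tag, value[pos:pos + hdr + length]
        pos += hdr + length

def der_value(tlv):                                    # strip tag + length header
    return tlv[2 + (tlv[1] & 0x7F if tlv[1] & 0x80 else 0):]

def extract_subject_der(cert_der):
    """Return the DER-encoded subject Name of an X.509 certificate."""
    _, cert = next(der_elements(cert_der))             # Certificate SEQUENCE
    _, tbs = next(der_elements(der_value(cert)))       # tbsCertificate
    fields = list(der_elements(der_value(tbs)))
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    tag, subject = fields[4]                           # serial, sigAlg, issuer, validity, subject
    if tag != 0x30:
        raise ValueError("subject is not a Name SEQUENCE")
    return subject

def subject_hash_old(subject_der):
    """X509_NAME_hash_old(): first 4 bytes of MD5(DER Name), little-endian, as %08x."""
    return "%08x" % int.from_bytes(hashlib.md5(subject_der).digest()[:4], "little")

def pem_to_der(text):
    """Decode the first CERTIFICATE block of a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def rehash_dir(cadir):
    """Create <hash>.<n> symlinks for every *.pem file in cadir; return {pem: link}."""
    links = {}
    for name in sorted(os.listdir(cadir)):
        path = os.path.join(cadir, name)
        if not name.endswith(".pem") or os.path.islink(path):
            continue                                   # the ".pem"-only pitfall from the post
        with open(path) as f:
            h = subject_hash_old(extract_subject_der(pem_to_der(f.read())))
        n, link = 0, os.path.join(cadir, h + ".0")
        while os.path.lexists(link):                   # bump the suffix on hash collisions
            if os.path.islink(link) and os.readlink(link) == name:
                break                                  # already linked: rerun is idempotent
            n += 1
            link = os.path.join(cadir, "%s.%d" % (h, n))
        else:
            os.symlink(name, link)
        links[name] = os.path.basename(link)
    return links

def find_hash_link(cadir, name):
    """The check the post recommends: which hash symlink points at this file, if any?"""
    for entry in os.listdir(cadir):
        path = os.path.join(cadir, entry)
        if (re.fullmatch(r"[0-9a-f]{8}\.\d+", entry) and os.path.islink(path)
                and os.readlink(path) == name):
            return entry
    return None

def der_tlv(tag, value):
    """DER-encode one element (used only to build the constructed test certificates)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (CN), PrintableString } } }"""
    atv = der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x13, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))

def fake_cert_pem(subject_cn):
    """Constructed sample input: a structurally valid but unsigned certificate."""
    alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der_tlv(0x05, b""))
    validity = der_tlv(0x30, der_tlv(0x17, b"070101000000Z") + der_tlv(0x17, b"170101000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") + alg
                  + der_name("Fake Root CA") + validity + der_name(subject_cn) + der_tlv(0x30, b""))
    cert = der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00"))   # dummy signature BIT STRING
    wrapped = "\n".join(re.findall(".{1,64}", base64.b64encode(cert).decode()))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % wrapped

def demo():
    """Populate a throwaway CA directory with constructed certs, rehash it twice, report."""
    cadir = tempfile.mkdtemp(prefix="cademo-")
    files = {"uconnCA.pem": "UConn Test CA", "uconnCA2.pem": "UConn Test CA",
             "otherCA.pem": "Other Test CA", "ignored.crt": "Ignored CA"}
    for name, cn in files.items():
        with open(os.path.join(cadir, name), "w") as f:
            f.write(fake_cert_pem(cn))
    first, second = rehash_dir(cadir), rehash_dir(cadir)
    return {"first": first, "second": second, "entries": sorted(os.listdir(cadir)),
            "links": {name: find_hash_link(cadir, name) for name in files}}
```

Running demo() links uconnCA.pem as "<hash>.0" and uconnCA2.pem (same subject) as "<hash>.1", leaves ignored.crt without any link, and produces the same mapping on the second pass. On OpenSSL 1.0.0 and later, `openssl x509 -noout -subject_hash_old -in ca.pem` reproduces this value, while `-subject_hash` gives the newer SHA-1-based hash that current c_rehash (and `openssl rehash`) link under; the extension and "look for the symlink afterwards" checks apply the same way to either scheme.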
