Matt (or anyone else),

Any chance we can get some of this useful information included in the wiki with the mod_auth_cas documentation?
Thanks
-Scott

On 8/2/07, Smith, Matt <[EMAIL PROTECTED]> wrote:
>
> Just a note for the list -- when dealing with CA certificates that need
> to be accessed by OpenSSL libraries (such as mod_ssl or mod_auth_cas),
> correct use of OpenSSL's c_rehash is important. c_rehash creates
> symlinks in the same directory as the certificates like this:
>
> uconnCA.pem
> 3a43781c.0 -> uconnCA.pem
>
> But, from my stumblings, OpenSSL seems a bit picky. First, until very
> recent versions of c_rehash, the certificate files must end with a "pem"
> extension for c_rehash to find and link them properly. Second, if the
> certificates are not in OpenSSL's default CA directory
> (generally /etc/ssl/certs), then a magic combination of environment
> variables, configuration directives, and command line parameters is
> necessary.
>
> My advice: put all CA certs in /etc/ssl/certs (or as appropriate for
> your distro), make sure they are all named with a "pem" extension, run
> c_rehash, check the directory to make sure a new hash symlink has been
> created for your CA, then use that directory in all relevant
> configuration directives (such as CASCertificatePath).
>
>
> HTH anybody else with certificate-inspired migraines,
> -Matt
>
> On Thu, 2007-08-02 at 10:25 -0400, Paul Ortman wrote:
> >
> > Smith, Matt wrote:
> > > Did c_rehash properly create the hash symlinks in that directory?
> >
> > It didn't seem to do anything:
> >
> > # c_rehash /etc/apache2/ssl/trusted_keys/
> > Doing /etc/apache2/ssl/trusted_keys/
> > #
> >
> > There was no output, at least not like when just calling c_rehash
> > w/o arguments.
> >
> > > Generally, I put my CA certs in OpenSSL's default CA directory
> > > (usually /etc/ssl/certs), with a "pem" extension, and run c_rehash
> > > with no parameters. Then, for good measure, I restart apache.
> > > But, I have never done this with a chain cert.
> >
> > This is what I did in the end to get things to work based on your
> > suggestions and Phillip's work:
> >
> > Downloaded the root CA cert and the chain cert from IPS to
> > /etc/ssl/certs/ and changed their extensions from .crt to .pem. I
> > then ran c_rehash with no arguments.
> >
> > I then downloaded the most recent version of mod_auth_cas (0.9.6)
> > and edited my mod_auth_cas config file to read:
> >
> > LoadModule auth_cas_module modules/mod_auth_cas.so
> > <IfModule mod_auth_cas.c>
> >   CASVersion 2
> >   CASDebug On
> >
> >   # Validate the authenticity of the login.goshen.edu SSL
> >   # cert by checking its chain of authority from the root CA.
> >   CASCertificatePath /etc/ssl/certs
> >   CASValidateServer On
> >   CASValidateDepth 9
> >
> >   CASLoginURL https://login.goshen.edu/cas/login
> >   CASValidateURL https://login.goshen.edu/cas/serviceValidate
> >   CASTimeout 7200
> >   CASIdleTimeout 7200
> > </IfModule>
> >
> > > Also, could you supply a bit more info for troubleshooting:
> > > What OS and platform?
> >
> > Gentoo Linux, x86 on Xen virtual host.
> >
> > > What version of Apache?
> >
> > 2.0.58-r2
> >
> > > And could you try to set "CASValidateServer off", just to make
> > > sure things work without validation?
> >
> > I had previously, and that was working just fine.
> >
> > > Hopefully Phil (the mod_auth_cas author) can comment on how well
> > > chain certs are handled -- though, I don't think that is something
> > > we've tested yet.
> >
> > He did. Between the two of you, you folks really helped me out.
> > Thanks for all your help.
> >
> > --
> > Paul Ortman
> >
> > PGP Key: 55602C81
> > --
> > _______________________________________________
> > Yale CAS mailing list
> > [email protected]
> > http://tp.its.yale.edu/mailman/listinfo/cas
> --
> Matthew J. Smith <[EMAIL PROTECTED]>
> University of Connecticut UITS
>

--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
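The verification step Matt recommends (confirming that c_rehash really produced a hash link for your CA before pointing CASCertificatePath at the directory), written out as an added example that is not part of this thread: a POSIX shell function that finds the link by the certificate's subject hash and confirms it resolves to the right certificate by fingerprint, not by file name. It assumes the openssl command line tool is on PATH; the function name and the .pem-extension warning are my own additions.

```shell
#!/bin/sh
# check_ca_hash_link DIR CERT
#   0 = some DIR/<subject_hash>.N entry resolves to a cert with CERT's fingerprint
#   1 = no such link (run c_rehash DIR and check again)
#   2 = usage error or openssl could not read CERT
check_ca_hash_link() {
  dir=$1
  cert=$2
  if [ ! -d "$dir" ] || [ ! -f "$cert" ]; then
    echo "usage: check_ca_hash_link DIR CERT" >&2
    return 2
  fi

  # Older c_rehash only picks up files ending in .pem (see Matt's note above).
  case "$cert" in
    *.pem) ;;
    *) echo "note: $cert does not end in .pem; older c_rehash will skip it" >&2 ;;
  esac

  # OpenSSL looks the CA up by subject-name hash, never by file name.
  hash=$(openssl x509 -noout -subject_hash -in "$cert") || return 2
  want=$(openssl x509 -noout -fingerprint -sha1 -in "$cert") || return 2

  # c_rehash numbers hash collisions .0, .1, ...; inspect every candidate and
  # compare fingerprints, so a link pointing at a different CA with the same
  # subject is not mistaken for ours.
  for link in "$dir/$hash".[0-9]*; do
    [ -e "$link" ] || continue   # glob matched nothing
    have=$(openssl x509 -noout -fingerprint -sha1 -in "$link" 2>/dev/null) || continue
    if [ "$have" = "$want" ]; then
      echo "ok: $link -> $(readlink "$link" 2>/dev/null || echo "$link") matches $cert"
      return 0
    fi
  done
  echo "missing: no $hash.N entry in $dir resolves to $cert; run: c_rehash $dir" >&2
  return 1
}

# Stand-alone use: sh check_ca_hash_link.sh /etc/ssl/certs /etc/ssl/certs/uconnCA.pem
if [ $# -eq 2 ]; then
  check_ca_hash_link "$1" "$2"
fi
```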
