You might set up your certificate file with Apache and see if a plain HTTPS request works? I agree with Matt above that you should check permissions too.
David

On 10/22/08, lobatt <[EMAIL PROTECTED]> wrote:
> Thank you for your time.
>
> I checked my configuration; there is no space, it must be a typo. I
> replaced my domain name for security reasons.
> Below is my real configuration:
> #******************************CAS client integration**************
> LoadModule auth_cas_module modules/mod_auth_cas.so
> CASCookiePath /tmp/cas/
> CASloginURL https://sp.permis.pku.edu.cn/cas/login
> CASValidateURL https://sp.permis.pku.edu.cn/cas/serviceValidate
> CASCertificatePath /home/ncpku/common/httpd-2.0.59/conf/sp.permis.pku.edu.cn.crt
> <Location "/casprotect/">
> AuthType CAS
> Require valid-user
> </Location>
> #*******************************************************************
>
> I turned the debug level of Apache to DEBUG and modified my
> log4j.properties as below:
> log4j.logger.org.jasig.cas.web.flow=DEBUG
> log4j.logger.org.jasig.cas.authentication=DEBUG
> log4j.logger.org.jasig.cas.web.flow.TicketGrantingTicketCheckAction=DEBUG
> log4j.logger.org.jasig.cas.services.DefaultServiceRegistry=DEBUG
> log4j.logger.org.jasig.cas.services=DEBUG
>
> and here is my log:
> httpd error_log:
> [Wed Oct 22 14:25:19 2008] [error] [client 162.105.67.102] MOD_AUTH_CAS: Could not perform SSL handshake with sp.permis.pku.edu.cn (check CASCertificatePath), referer: https://sp.permis.pku.edu.cn/cas/login?service=https%3a%2f%2fsp.permis.pku.edu.cn%2fcasprotect%2f
>
> cas.log: (also in attachment)
> 2008-10-22 14:25:10,088 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action 'InitialFlowSetupAction' beginning execution
> 2008-10-22 14:25:10,091 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - Setting path for cookies to: /cas
> 2008-10-22 14:25:10,099 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Placing service in FlowScope: https://sp.permis.pku.edu.cn/casprotect/
> 2008-10-22 14:25:10,100 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action 'InitialFlowSetupAction' completed execution; result is 'success'
> 2008-10-22 14:25:10,132 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
> 2008-10-22 14:25:10,135 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Executing setupForm
> 2008-10-22 14:25:10,136 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form object with name 'credentials'
> 2008-10-22 14:25:10,136 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new instance of form object class [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials]
> 2008-10-22 14:25:10,137 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form object of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow with name 'credentials'
> 2008-10-22 14:25:10,137 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form errors for object with name 'credentials'
> 2008-10-22 14:25:10,148 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - No property editor registrar set, no custom editors to register
> 2008-10-22 14:25:10,152 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form errors instance in scope Flash
> 2008-10-22 14:25:10,153 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
> 2008-10-22 14:25:10,153 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
> 2008-10-22 14:25:10,153 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
> 2008-10-22 14:25:18,436 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
> 2008-10-22 14:25:18,437 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Executing bind
> 2008-10-22 14:25:18,437 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow
> 2008-10-22 14:25:18,437 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - No property editor registrar set, no custom editors to register
> 2008-10-22 14:25:18,442 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Binding allowed request parameters in map['lt' -> '_c3E31A0C0-C329-DA8A-DDD2-9DB286EBDE0E_k20927939-E9B9-269E-9619-CE6C38036F87', 'service' -> 'https://sp.permis.pku.edu.cn/casprotect/', '_eventId' -> 'submit', 'password' -> '12345', 'submit' -> '??????', 'username' -> 'roey'] to form object with name 'credentials', pre-bind formObject toString = [username: null]
> 2008-10-22 14:25:18,443 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - (Any field is allowed)
> 2008-10-22 14:25:18,447 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Binding completed for form object with name 'credentials', post-bind formObject toString = [username: roey]
> 2008-10-22 14:25:18,448 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - There are [0] errors, details: []
> 2008-10-22 14:25:18,448 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Executing validation
> 2008-10-22 14:25:18,448 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Invoking validator [EMAIL PROTECTED]
> 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Validation completed for form object
> 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - There are [0] errors, details: []
> 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form errors instance in scope Flash
> 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
> 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
> 2008-10-22 14:25:18,452 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow
> 2008-10-22 14:25:19,270 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: roey]
> 2008-10-22 14:25:19,271 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - Attempting to resolve a principal...
> 2008-10-22 14:25:19,271 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - Creating SimplePrincipal for [roey]
> 2008-10-22 14:25:19,283 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
> 2008-10-22 14:25:19,283 DEBUG [org.jasig.cas.web.flow.SendTicketGrantingTicketAction] - Action 'SendTicketGrantingTicketAction' beginning execution
> 2008-10-22 14:25:19,284 DEBUG [org.jasig.cas.web.flow.SendTicketGrantingTicketAction] - Action 'SendTicketGrantingTicketAction' completed execution; result is 'success'
> 2008-10-22 14:25:19,284 DEBUG [org.jasig.cas.web.flow.GenerateServiceTicketAction] - Action 'GenerateServiceTicketAction' beginning execution
> 2008-10-22 14:25:19,286 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-ZDZ5aL4YpjVdRxWJenD3-cas] for service [https://sp.permis.pku.edu.cn/casprotect/] for user [roey]
> 2008-10-22 14:25:19,287 DEBUG [org.jasig.cas.web.flow.GenerateServiceTicketAction] - Action 'GenerateServiceTicketAction' completed execution; result is 'success'
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Matthew J.
> Sent: October 21, 2008 20:27
> To: Yale CAS mailing list
> Subject: Re: MOD_AUTH_CAS: Could not perform SSL handshake
>
> Perhaps it is simply the copy & paste into the email, but I notice a few
> spaces in the paths of your config. Could you verify that those are not
> in your real configuration?
>
> Is mydomain.crt the signing CA for your CAS server's certificate?
>
> Is mydomain.crt readable by the user the Apache daemon is running as?
>
> Could you enable CAS debugging and Apache debugging, and send the extra
> debugging information here?
>
> -Matt
>
> lobatt wrote:
> > Dear list:
> >
> > I have deployed a testing CAS server to protect an httpd Location. I
> > can log in to the CAS server successfully, but after being
> > automatically redirected to the protected location, it always returns
> > a 401 error page to me.
> >
> > I checked my log:
> >
> > In http log:
> >
> > - - [21/Oct/2008:14:07:40 +0800] "GET /casprotect/?ticket=ST-24-L3WtJybA9GIJNa4ASyYJ-cas HTTP/1.1" 401 564
> >
> > In cas log:
> >
> > 2008-10-21 14:07:40,151 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-24-L3WtJybA9GIJNa4ASyYJ-cas] for service [https://sp.permis.pku.edu.cn/casprotect/] for user [Roey]
> >
> > 2008-10-21 14:22:08,272 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - Starting cleaning of expired tickets from ticket registry at [Tue Oct 21 14:22:08 CST 2008]
> >
> > my mod_auth_cas configuration:
> >
> > LoadModule auth_cas_module modules/mod_auth_cas.so
> > CASCookiePath /tmp/cas/
> > CASloginURL https://mydomain /cas/login
> > CASValidateURL https:// mydomain /cas/serviceValidate
> > CASCertificatePath /home/ncpku/common/httpd-2.0.59/conf/ mydomain.crt
> > <Location "/casprotect/">
> > AuthType CAS
> > Require valid-user
> > </Location>
> >
> > I checked my CertificatePath, and I am sure that is right.
> >
> > Is there any other possibility?
> >
> > Best regards,
> >
> > Li Cheng
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Yale CAS mailing list
> > [email protected]
> > http://tp.its.yale.edu/mailman/listinfo/cas
>
> --
> Matthew J. Smith
> University of Connecticut ITS
> [EMAIL PROTECTED]
> PGP KeyID: 0xE9C5244E
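
The checks suggested in this thread (is the CASCertificatePath file readable by the Apache user, and is it the signing CA for the CAS server's certificate), as an added shell example that is not part of the original messages. The function names and return codes are illustrative, and the `apache` account in the usage comment is an assumption; the path and host are the ones quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and return codes are
# illustrative.

# check_ca_file FILE [USER]
#   0 = regular file, readable, holds at least one PEM certificate
#   1 = missing, 2 = not readable, 3 = no PEM certificate block
# With USER set, readability is tested as that account through sudo. That
# test also fails when a parent directory (here one under /home) is not
# searchable by the user httpd runs as.
check_ca_file() {
    file=$1
    user=${2:-}
    [ -f "$file" ] || return 1
    if [ -n "$user" ]; then
        sudo -n -u "$user" test -r "$file" || return 2
    else
        [ -r "$file" ] || return 2
    fi
    grep -q -- '-----BEGIN CERTIFICATE-----' "$file" || return 3
    return 0
}

# check_handshake HOST PORT FILE
#   0 only if the chain the server presents verifies against FILE.
#   A file that is not the signing CA yields a non-zero verify code.
check_handshake() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
        </dev/null 2>&1 | grep -q 'Verify return code: 0 (ok)'
}

# Usage with the values quoted in the thread (the "apache" user is assumed):
#   f=/home/ncpku/common/httpd-2.0.59/conf/sp.permis.pku.edu.cn.crt
#   check_ca_file "$f" apache || echo "file check failed: $?"
#   check_handshake sp.permis.pku.edu.cn 443 "$f" || echo "chain does not verify"
```

If `check_ca_file` passes as root but fails for the daemon account, the problem is permissions; if it passes and `check_handshake` fails, the file is not the CA that signed the server's certificate.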
