Andrew:

You are correct. I was quick to respond and wasn't paying attention. Sorry.

David

On 10/22/08, Andrew Ralph Feller, afelle1 <[EMAIL PROTECTED]> wrote:
> Hrmmmm, the CASCertificatePath should point to the SSL certificate of the
> CAS server you are trying to communicate with and not the SSL certificate of
> the machine, correct? Can you confirm the SSL certificate used is that of
> the CAS server or the application being protected?
>
> If you have openssl and the client installed on a machine, the following
> command will request the certificate being used by the machine:
>
> openssl s_client -showcerts -connect "example.com:443" > example.crt
>
> In the file, the top certificate should be the one owned by the server. I
> usually just get rid of everything else and use that.
>
> HTH,
> A-
>
> On 10/22/08 7:25 AM, "David Whitehurst" <[EMAIL PROTECTED]> wrote:
>
> > You might set up your certificate file with Apache and see if a plain HTTPS
> > request works? I agree with Matt above that you should check permissions
> > too.
> >
> > David
> >
> > On 10/22/08, lobatt <[EMAIL PROTECTED]> wrote:
> > > Thank you for your time.
> > >
> > > I checked my configuration; there is no space, it must be a typo. I
> > > replaced my domain name for security reasons.
> > >
> > > Below is my real configuration:
> > >
> > > #******************************CAS client integration**************
> > > LoadModule auth_cas_module modules/mod_auth_cas.so
> > > CASCookiePath /tmp/cas/
> > > CASloginURL https://sp.permis.pku.edu.cn/cas/login
> > > CASValidateURL https://sp.permis.pku.edu.cn/cas/serviceValidate
> > > CASCertificatePath /home/ncpku/common/httpd-2.0.59/conf/sp.permis.pku.edu.cn.crt
> > > <Location "/casprotect/">
> > > AuthType CAS
> > > Require valid-user
> > > </Location>
> > > #*******************************************************************
> > >
> > > I turned the debug level of Apache to DEBUG and modified my
> > > log4j.properties as below:
> > >
> > > log4j.logger.org.jasig.cas.web.flow=DEBUG
> > > log4j.logger.org.jasig.cas.authentication=DEBUG
> > > log4j.logger.org.jasig.cas.web.flow.TicketGrantingTicketCheckAction=DEBUG
> > > log4j.logger.org.jasig.cas.services.DefaultServiceRegistry=DEBUG
> > > log4j.logger.org.jasig.cas.services=DEBUG
> > >
> > > and here is my log:
> > >
> > > httpd error_log:
> > > [Wed Oct 22 14:25:19 2008] [error] [client 162.105.67.102] MOD_AUTH_CAS: Could not perform SSL handshake with sp.permis.pku.edu.cn (check CASCertificatePath), referer: https://sp.permis.pku.edu.cn/cas/login?service=https%3a%2f%2fsp.permis.pku.edu.cn%2fcasprotect%2f
> > >
> > > cas.log: (also in attachment)
> > > 2008-10-22 14:25:10,088 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action 'InitialFlowSetupAction' beginning execution
> > > 2008-10-22 14:25:10,091 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - Setting path for cookies to: /cas
> > > 2008-10-22 14:25:10,099 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Placing service in FlowScope: https://sp.permis.pku.edu.cn/casprotect/
> > > 2008-10-22 14:25:10,100 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action 'InitialFlowSetupAction' completed execution; result is 'success'
> > > 2008-10-22 14:25:10,132 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
> > > 2008-10-22 14:25:10,135 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Executing setupForm
> > > 2008-10-22 14:25:10,136 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form object with name 'credentials'
> > > 2008-10-22 14:25:10,136 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new instance of form object class [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials]
> > > 2008-10-22 14:25:10,137 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form object of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow with name 'credentials'
> > > 2008-10-22 14:25:10,137 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form errors for object with name 'credentials'
> > > 2008-10-22 14:25:10,148 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - No property editor registrar set, no custom editors to register
> > > 2008-10-22 14:25:10,152 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form errors instance in scope Flash
> > > 2008-10-22 14:25:10,153 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
> > > 2008-10-22 14:25:10,153 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
> > > 2008-10-22 14:25:10,153 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
> > > 2008-10-22 14:25:18,436 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
> > > 2008-10-22 14:25:18,437 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Executing bind
> > > 2008-10-22 14:25:18,437 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow
> > > 2008-10-22 14:25:18,437 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - No property editor registrar set, no custom editors to register
> > > 2008-10-22 14:25:18,442 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Binding allowed request parameters in map['lt' -> '_c3E31A0C0-C329-DA8A-DDD2-9DB286EBDE0E_k20927939-E9B9-269E-9619-CE6C38036F87', 'service' -> 'https://sp.permis.pku.edu.cn/casprotect/', '_eventId' -> 'submit', 'password' -> '12345', 'submit' -> '??????', 'username' -> 'roey'] to form object with name 'credentials', pre-bind formObject toString = [username: null]
> > > 2008-10-22 14:25:18,443 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - (Any field is allowed)
> > > 2008-10-22 14:25:18,447 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Binding completed for form object with name 'credentials', post-bind formObject toString = [username: roey]
> > > 2008-10-22 14:25:18,448 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - There are [0] errors, details: []
> > > 2008-10-22 14:25:18,448 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Executing validation
> > > 2008-10-22 14:25:18,448 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Invoking validator [EMAIL PROTECTED]
> > > 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Validation completed for form object
> > > 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - There are [0] errors, details: []
> > > 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form errors instance in scope Flash
> > > 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
> > > 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
> > > 2008-10-22 14:25:18,452 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow
> > > 2008-10-22 14:25:19,270 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: roey]
> > > 2008-10-22 14:25:19,271 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - Attempting to resolve a principal...
> > > 2008-10-22 14:25:19,271 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - Creating SimplePrincipal for [roey]
> > > 2008-10-22 14:25:19,283 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
> > > 2008-10-22 14:25:19,283 DEBUG [org.jasig.cas.web.flow.SendTicketGrantingTicketAction] - Action 'SendTicketGrantingTicketAction' beginning execution
> > > 2008-10-22 14:25:19,284 DEBUG [org.jasig.cas.web.flow.SendTicketGrantingTicketAction] - Action 'SendTicketGrantingTicketAction' completed execution; result is 'success'
> > > 2008-10-22 14:25:19,284 DEBUG [org.jasig.cas.web.flow.GenerateServiceTicketAction] - Action 'GenerateServiceTicketAction' beginning execution
> > > 2008-10-22 14:25:19,286 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-ZDZ5aL4YpjVdRxWJenD3-cas] for service [https://sp.permis.pku.edu.cn/casprotect/] for user [roey]
> > > 2008-10-22 14:25:19,287 DEBUG [org.jasig.cas.web.flow.GenerateServiceTicketAction] - Action 'GenerateServiceTicketAction' completed execution; result is 'success'
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Smith, Matthew J.
> > > Sent: October 21, 2008 20:27
> > > To: Yale CAS mailing list
> > > Subject: Re: MOD_AUTH_CAS: Could not perform SSL handshake
> > >
> > > Perhaps it is simply the copy & paste into the email, but I notice a few
> > > spaces in the paths of your config. Could you verify that those are not in
> > > your real configuration?
> > >
> > > Is mydomain.crt the signing CA for your CAS server's certificate?
> > >
> > > Is mydomain.crt readable by the user the Apache daemon is running as?
> > >
> > > Could you enable CAS debugging and Apache debugging, and send the extra
> > > debugging information here?
> > >
> > > -Matt
> > >
> > > lobatt wrote:
> > > > Dear list:
> > > >
> > > > I have deployed a testing CAS server to protect a httpd Location. I can
> > > > log in to the CAS server successfully, but after being automatically
> > > > redirected to the protected location, it always returns a 401 error page
> > > > to me.
> > > >
> > > > I checked my log:
> > > >
> > > > In http log:
> > > > - - [21/Oct/2008:14:07:40 +0800] "GET /casprotect/?ticket=ST-24-L3WtJybA9GIJNa4ASyYJ-cas HTTP/1.1" 401 564
> > > >
> > > > In cas log:
> > > > 2008-10-21 14:07:40,151 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-24-L3WtJybA9GIJNa4ASyYJ-cas] for service [https://sp.permis.pku.edu.cn/casprotect/] for user [Roey]
> > > > 2008-10-21 14:22:08,272 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - Starting cleaning of expired tickets from ticket registry at [Tue Oct 21 14:22:08 CST 2008]
> > > >
> > > > my mod_auth_cas configuration:
> > > >
> > > > LoadModule auth_cas_module modules/mod_auth_cas.so
> > > > CASCookiePath /tmp/cas/
> > > > CASloginURL https://mydomain /cas/login
> > > > CASValidateURL https:// mydomain /cas/serviceValidate
> > > > CASCertificatePath /home/ncpku/common/httpd-2.0.59/conf/ mydomain.crt
> > > > <Location "/casprotect/">
> > > > AuthType CAS
> > > > Require valid-user
> > > > </Location>
> > > >
> > > > I checked my CertificatePath, and I am sure that is right.
> > > >
> > > > Is there any other possibility?
> > > >
> > > > Best regards,
> > > > Li Cheng
> > > >
> > > > _______________________________________________
> > > > Yale CAS mailing list
> > > > [email protected]
> > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > >
> > > --
> > > Matthew J. Smith
> > > University of Connecticut ITS
> > > [EMAIL PROTECTED]
> > > PGP KeyID: 0xE9C5244E
>
> --
> Andrew R. Feller, Analyst
> Information Technology Services
> 200 Fred Frey Building
> Louisiana State University
> Baton Rouge, LA 70803
> (225) 578-3737 (Office)
> (225) 578-6400 (Fax)
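
Matt's two questions in the thread (is the file the signing CA for the CAS server's certificate, and can the Apache user read it) can be checked offline with openssl. The script below is an added example, not part of the thread or of mod_auth_cas; it uses `openssl verify -CAfile` as a stand-in for the module's own validation (an assumption), and the function names, "Demo CA" and "cas.example.test" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Verdicts printed by check_trust_file:
#   unreadable - the current user cannot read the file
#   not-pem    - the file does not parse as a PEM certificate
#   untrusted  - the file does not verify the server certificate as a trust anchor
#   ok         - the file verifies the server certificate
# usage: check_trust_file <candidate CASCertificatePath file> <server cert>
check_trust_file() {
  [ -r "$1" ] || { echo unreadable; return 1; }
  openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo not-pem; return 1; }
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo untrusted; return 1; }
  echo ok
}

# Constructed throwaway PKI for the demo: a CA and a server certificate it signs.
# usage: make_demo_pki <existing directory>
make_demo_pki() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
  openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=cas.example.test" -keyout "$1/server.key" \
    -out "$1/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/server.crt" 2>/dev/null
}

# Demo run: the CA file verifies the server certificate; the CA-signed
# server certificate on its own does not.
demo=$(mktemp -d) && make_demo_pki "$demo"
echo "CA file:     $(check_trust_file "$demo/ca.crt" "$demo/server.crt")"
echo "server cert: $(check_trust_file "$demo/server.crt" "$demo/server.crt")"
rm -rf "$demo"
```

Against a real deployment, pass the CASCertificatePath file and the top certificate saved by the `openssl s_client -showcerts` command quoted above, running as the account the Apache daemon runs as.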
