CONNECTED(00000003)
depth=0 /C=CN/ST=Beijing/L=Beijing/O=PERMIS, Peking Univ./OU=Computer Center/CN=sp.permis.pku.edu.cn/[EMAIL PROTECTED]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=CN/ST=Beijing/L=Beijing/O=PERMIS, Peking Univ./OU=Computer Center/CN=sp.permis.pku.edu.cn/[EMAIL PROTECTED]
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=CN/ST=Beijing/L=Beijing/O=PERMIS, Peking Univ./OU=Computer Center/CN=sp.permis.pku.edu.cn/[EMAIL PROTECTED]
verify error:num=21:unable to verify the first certificate
verify return:1
I am totally dumb about certificates. The certificate I am using was a testing certificate generated and signed using openssl, is that ok? I have been using this certificate with the Shibboleth SP and it looks fine.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Smith, Matthew J.
Sent: 23 October 2008 20:34
To: Yale CAS mailing list
Subject: Re: Re: Re: MOD_AUTH_CAS: Could not perform SSL handshake

Running on the same server should be fine. Can you try the following from your server (all one line):

openssl s_client -connect localhost:443 -CAfile /home/ncpku/common/httpd-2.0.59/conf/sp.permis.pku.edu.cn.crt

From that output, please send us the final "Verify return code".

Thanks,
-Matt

lobatt wrote:
> Thank you Andrew, sorry I didn't make it clear earlier, I deployed my CAS Server and mod_auth_cas on the same server, is that a problem?
>
> And I am using Apache and jk to proxy requests to the CAS server, is there any specific configuration I need to apply?
>
> Best Regards,
>
> Li Cheng
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andrew Ralph Feller, afelle1
> Sent: 22 October 2008 20:41
> To: Yale CAS mailing list
> Subject: Re: Re: MOD_AUTH_CAS: Could not perform SSL handshake
>
> Hrmmmm, the CASCertificatePath should point to the SSL certificate of the CAS server you are trying to communicate with and not the SSL certificate of the machine, correct? Can you confirm the SSL certificate used is that of the CAS server or the application being protected?
>
> If you have openssl and the client installed on a machine, the following command will request the certificate being used by the machine:
>
> openssl s_client -showcerts -connect "example.com:443" > example.crt
>
> In the file, the top certificate should be the one owned by the server. I usually just get rid of everything else and use that.
>
> HTH,
> A-
>
> On 10/22/08 7:25 AM, "David Whitehurst" <[EMAIL PROTECTED]> wrote:
>
>> You might set up your certificate file with Apache and see if a plain HTTPS request works? I agree with Matt above that you should check permissions too.
>>
>> David
>>
>> On 10/22/08, lobatt <[EMAIL PROTECTED]> wrote:
>>
>>> Thank you for your time.
>>>
>>> I checked my configuration, there is no space; it must be a typo, I replaced my domain name for security reasons.
>>> Below is my real configuration:
>>>
>>> #******************************CAS client integration**************
>>> LoadModule auth_cas_module modules/mod_auth_cas.so
>>> CASCookiePath /tmp/cas/
>>> CASloginURL https://sp.permis.pku.edu.cn/cas/login
>>> CASValidateURL https://sp.permis.pku.edu.cn/cas/serviceValidate
>>> CASCertificatePath /home/ncpku/common/httpd-2.0.59/conf/sp.permis.pku.edu.cn.crt
>>> <Location "/casprotect/">
>>> AuthType CAS
>>> Require valid-user
>>> </Location>
>>> #*******************************************************************
>>>
>>> I turned the debug level of Apache to DEBUG and modified my log4j.properties as below:
>>>
>>> log4j.logger.org.jasig.cas.web.flow=DEBUG
>>> log4j.logger.org.jasig.cas.authentication=DEBUG
>>> log4j.logger.org.jasig.cas.web.flow.TicketGrantingTicketCheckAction=DEBUG
>>> log4j.logger.org.jasig.cas.services.DefaultServiceRegistry=DEBUG
>>> log4j.logger.org.jasig.cas.services=DEBUG
>>>
>>> and here is my log:
>>>
>>> httpd error_log:
>>> [Wed Oct 22 14:25:19 2008] [error] [client 162.105.67.102] MOD_AUTH_CAS: Could not perform SSL handshake with sp.permis.pku.edu.cn (check CASCertificatePath), referer: https://sp.permis.pku.edu.cn/cas/login?service=https%3a%2f%2fsp.permis.pku.edu.cn%2fcasprotect%2f
>>>
>>> cas.log: (also in attachment)
>>> 2008-10-22 14:25:10,088 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action 'InitialFlowSetupAction' beginning execution
>>> 2008-10-22 14:25:10,091 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - Setting path for cookies to: /cas
>>> 2008-10-22 14:25:10,099 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Placing service in FlowScope: https://sp.permis.pku.edu.cn/casprotect/
>>> 2008-10-22 14:25:10,100 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action 'InitialFlowSetupAction' completed execution; result is 'success'
>>> 2008-10-22 14:25:10,132 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
>>> 2008-10-22 14:25:10,135 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Executing setupForm
>>> 2008-10-22 14:25:10,136 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form object with name 'credentials'
>>> 2008-10-22 14:25:10,136 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new instance of form object class [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials]
>>> 2008-10-22 14:25:10,137 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form object of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow with name 'credentials'
>>> 2008-10-22 14:25:10,137 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form errors for object with name 'credentials'
>>> 2008-10-22 14:25:10,148 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - No property editor registrar set, no custom editors to register
>>> 2008-10-22 14:25:10,152 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form errors instance in scope Flash
>>> 2008-10-22 14:25:10,153 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
>>> 2008-10-22 14:25:10,153 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
>>> 2008-10-22 14:25:10,153 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
>>> 2008-10-22 14:25:18,436 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
>>> 2008-10-22 14:25:18,437 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Executing bind
>>> 2008-10-22 14:25:18,437 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow
>>> 2008-10-22 14:25:18,437 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - No property editor registrar set, no custom editors to register
>>> 2008-10-22 14:25:18,442 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Binding allowed request parameters in map['lt' -> '_c3E31A0C0-C329-DA8A-DDD2-9DB286EBDE0E_k20927939-E9B9-269E-9619-CE6C38036F87', 'service' -> 'https://sp.permis.pku.edu.cn/casprotect/', '_eventId' -> 'submit', 'password' -> '12345', 'submit' -> '??????', 'username' -> 'roey'] to form object with name 'credentials', pre-bind formObject toString = [username: null]
>>> 2008-10-22 14:25:18,443 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - (Any field is allowed)
>>> 2008-10-22 14:25:18,447 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Binding completed for form object with name 'credentials', post-bind formObject toString = [username: roey]
>>> 2008-10-22 14:25:18,448 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - There are [0] errors, details: []
>>> 2008-10-22 14:25:18,448 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Executing validation
>>> 2008-10-22 14:25:18,448 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Invoking validator [EMAIL PROTECTED]
>>> 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Validation completed for form object
>>> 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - There are [0] errors, details: []
>>> 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form errors instance in scope Flash
>>> 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
>>> 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
>>> 2008-10-22 14:25:18,452 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow
>>> 2008-10-22 14:25:19,270 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: roey]
>>> 2008-10-22 14:25:19,271 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - Attempting to resolve a principal...
>>> 2008-10-22 14:25:19,271 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - Creating SimplePrincipal for [roey]
>>> 2008-10-22 14:25:19,283 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
>>> 2008-10-22 14:25:19,283 DEBUG [org.jasig.cas.web.flow.SendTicketGrantingTicketAction] - Action 'SendTicketGrantingTicketAction' beginning execution
>>> 2008-10-22 14:25:19,284 DEBUG [org.jasig.cas.web.flow.SendTicketGrantingTicketAction] - Action 'SendTicketGrantingTicketAction' completed execution; result is 'success'
>>> 2008-10-22 14:25:19,284 DEBUG [org.jasig.cas.web.flow.GenerateServiceTicketAction] - Action 'GenerateServiceTicketAction' beginning execution
>>> 2008-10-22 14:25:19,286 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-ZDZ5aL4YpjVdRxWJenD3-cas] for service [https://sp.permis.pku.edu.cn/casprotect/] for user [roey]
>>> 2008-10-22 14:25:19,287 DEBUG [org.jasig.cas.web.flow.GenerateServiceTicketAction] - Action 'GenerateServiceTicketAction' completed execution; result is 'success'
>>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Smith, Matthew J.
>>> Sent: 21 October 2008 20:27
>>> To: Yale CAS mailing list
>>> Subject: Re: MOD_AUTH_CAS: Could not perform SSL handshake
>>>
>>> Perhaps it is simply the copy & paste into the email, but I notice a few spaces in the paths of your config. Could you verify that those are not in your real configuration?
>>>
>>> Is mydomain.crt the signing CA for your CAS server's certificate?
>>>
>>> Is mydomain.crt readable by the user the Apache daemon is running as?
>>>
>>> Could you enable CAS debugging and Apache debugging, and send the extra debugging information here?
>>>
>>> -Matt
>>>
>>> lobatt wrote:
>>>> Dear list:
>>>>
>>>> I have deployed a testing CAS server to protect an httpd Location. I can log in to the CAS server successfully, but after being automatically redirected to the protected location, it always returns a 401 error page to me.
>>>>
>>>> I checked my log:
>>>>
>>>> In http log:
>>>> - - [21/Oct/2008:14:07:40 +0800] "GET /casprotect/?ticket=ST-24-L3WtJybA9GIJNa4ASyYJ-cas HTTP/1.1" 401 564
>>>>
>>>> In cas log:
>>>> 2008-10-21 14:07:40,151 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-24-L3WtJybA9GIJNa4ASyYJ-cas] for service [https://sp.permis.pku.edu.cn/casprotect/] for user [Roey]
>>>> 2008-10-21 14:22:08,272 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - Starting cleaning of expired tickets from ticket registry at [Tue Oct 21 14:22:08 CST 2008]
>>>>
>>>> my mod_auth_cas configuration:
>>>>
>>>> LoadModule auth_cas_module modules/mod_auth_cas.so
>>>> CASCookiePath /tmp/cas/
>>>> CASloginURL https://mydomain /cas/login
>>>> CASValidateURL https:// mydomain /cas/serviceValidate
>>>> CASCertificatePath /home/ncpku/common/httpd-2.0.59/conf/ mydomain.crt
>>>> <Location "/casprotect/">
>>>> AuthType CAS
>>>> Require valid-user
>>>> </Location>
>>>>
>>>> I checked my CertificatePath, and I am sure that is right.
>>>> Is there any other possibility?
>>>>
>>>> Best regards,
>>>> Li Cheng
>>>>
>>>> _______________________________________________
>>>> Yale CAS mailing list
>>>> [email protected]
>>>> http://tp.its.yale.edu/mailman/listinfo/cas

--
Matthew J. Smith
University of Connecticut ITS
[EMAIL PROTECTED]
PGP KeyID: 0xE9C5244E
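The thread turns on what the file named by CASCertificatePath must contain, and `verify error:num=20` is what OpenSSL reports when that file holds the server's own leaf certificate rather than the CA that issued it (s_client reports the same number on its "Verify return code" line). The script below is an added example, not from the thread or from mod_auth_cas: it generates throwaway certificates under placeholder names and shows which trust file makes `openssl verify` succeed.

```bash
#!/bin/sh
# Added example, not from the thread: reproduces the "verify error:num=20"
# seen above with throwaway certificates and shows that CASCertificatePath
# must name the certificate that *issued* the CAS server's certificate.
# Requires the openssl CLI; the CA name and hostname below are placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the throwaway CA is a real CA (CA:TRUE), independent of
# whatever the system openssl.cnf contains.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Self-signed CA, then a server certificate signed by it.
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
openssl req -new -config "$WORK/ca.cnf" -subj "/CN=cas.example.invalid" \
  -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/srv.crt" >/dev/null 2>&1

# verify_with CAFILE CERT: prints the X509 verify error number, 0 meaning OK.
# 20 is "unable to get local issuer certificate", the first error in the
# s_client output above. The output is parsed instead of the exit status
# because old openssl releases exited 0 even when verification failed.
verify_with() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
  code=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  echo "${code:-0}"
}

# Leaf cert used as the trust file (what the thread suspects): error 20.
echo "leaf as CAfile : $(verify_with "$WORK/srv.crt" "$WORK/srv.crt")"
# Issuing CA as the trust file: OK.
echo "CA as CAfile   : $(verify_with "$WORK/ca.crt" "$WORK/srv.crt")"
# A self-signed cert is its own issuer, so pointing at it also verifies,
# which is why a purely self-signed test certificate can pass this check.
echo "self-signed    : $(verify_with "$WORK/ca.crt" "$WORK/ca.crt")"
```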
