Good afternoon.
We have a new development server hosting dev versions of our MiTools site.
All is working except for the cosign integration. Any assistance would be
greatly appreciated.
We are getting the 503 Service Temporarily Unavailable message after
authenticating with weblogin. We have followed the cosign documentation
for UM as well as the general docs on weblogin.org. Attached is a text
file containing our VirtualHost entry that is configured with Cosign.
Whether we point there or at production, we get the same results.
Differences between production and this config:
- site name is mitools-dev instead of mitools
- IPs are different
- certs are self-signed instead of GeoTrust certs
Here is what we are seeing:
In the error log (mitools-ssl-error_log), we see:
[Thu Aug 16 14:39:50 2012] [error] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[Thu Aug 16 14:39:50 2012] [error] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[Thu Aug 16 14:39:50 2012] [error] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[Thu Aug 16 14:39:50 2012] [error] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[Thu Aug 16 14:39:50 2012] [error] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[Thu Aug 16 14:39:50 2012] [error] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[Thu Aug 16 14:39:50 2012] [error] mod_cosign: cosign_cookie_valid: Unable to connect to any Cosign server.
In our browser, after authentication from weblogin or weblogin-test, we see:
- 503 Service Temporarily Unavailable error
- URL in browser address bar:
  * https://mitools-dev.dent.umich.edu/cosign/valid/?cosign-mitools-dev.dent.umich.edu=ax5iep+IPRQCnE4dc1YcfTdwsV7oceGO6a+FJSN5VfTeALP344oxftO-yIiJrBg7wYEtAsboBjds4CcHbNEbO6DmuiyvLzNuAUa9LriR2Y3dXzj4bnuvy9G-DpIh&https://mitools-dev.dent.umich.edu/
  * https://mitools-dev.dent.umich.edu/cosign/valid/?cosign-mitools-dev.dent.umich.edu=U10jam-8ApjjZXs0gNUNMo1xPAGCYiqvU7cl2sDu3A2nWw4F9-hTjJd2zPF2dT4SlWyh1o9hZTF04xEI1Mpvf6HUqMANCsrK618i5wpjJhGbWDsUibkfmo5THawu&https://mitools-dev.dent.umich.edu/
A listing of the cosign-ca-dir shows the following:
[root@molar httpd]# ls -l cosign-ca-dir/
total 48
lrwxrwxrwx 1 root root 13 Aug 15 17:15 3c58f906.0 -> extCAroot.pem
lrwxrwxrwx 1 root root 16 Aug 15 17:15 4b841d5f.0 -> intermediate.pem
lrwxrwxrwx 1 root root 14 Aug 15 17:15 84df5188.0 -> incommonCA.pem
-rw-r--r-- 1 root root 1521 Apr 16 12:11 extCAroot.pem
lrwxrwxrwx 1 root root 11 Aug 15 17:15 fa84f4ea.0 -> umwebCA.pem
-rw-r--r-- 1 root root 1712 Aug 15 17:14 incommonCA.pem
-rw-r--r-- 1 root root 2664 Jun 14 09:18 intermediate.pem
-rw-r--r-- 1 root root 1927 Aug 7 09:08 umwebCA.pem
Thanks,
Shawn Rahl
Unix Administrator
Dental Informatics, School of Dentistry
University of Michigan
sr...@umich.edu
<VirtualHost ${mitools}:443>
    # Ensure that expected ways to get at the mitools document root
    # are redirected to the mitools virtual host to avoid browser
    # security warnings
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^tripledub [OR]
    RewriteCond %{HTTP_HOST} ^intranet [OR]
    RewriteCond %{HTTP_HOST} ^${hname}
    #RewriteRule /(.*) https://${mit_nm}.dent.umich.edu/$1 [R]
    RewriteRule /(.*) https://mitools-dev.dent.umich.edu/$1 [R]

    DocumentRoot /usr/local/apache/mitools
    #ServerName ${mit_nm}.dent.umich.edu
    ServerName mitools-dev.dent.umich.edu
    DirectoryIndex index.php index.html index.htm
    ErrorLog logs/mitools-ssl-error_log
    CustomLog logs/mitools-ssl-access_log common

    SSLEngine On
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile certs/current/mitools-dev.dent.umich.edu.crt
    SSLCertificateKeyFile certs/current/mitools-dev.dent.umich.edu.key
    SSLCertificateChainFile certs/current/intermediate.crt

    <Location />
        SSLRequireSSL On
        SSLVerifyClient none
        #SSLVerifyClient optional
        SSLVerifyDepth 1
        SSLOptions +StdEnvVars +StrictRequire
    </Location>

    CosignProtected on
    #CosignHostname weblogin-test.itcs.umich.edu
    CosignHostname weblogin.umich.edu
    CosignFilterDB /usr/local/apache/cosign/filterdb
    CosignProxyDB /usr/local/apache/cosign/proxy
    CosignValidReference https://mitools-dev\.dent\.umich\.edu/.*
    #CosignValidationErrorRedirect http://weblogin-test.itcs.umich.edu/cosign/validation_error.html
    CosignValidationErrorRedirect http://weblogin.umich.edu/cosign/validation_error.html
    #CosignRedirect https://weblogin-test.itcs.umich.edu/
    CosignRedirect https://weblogin.umich.edu/
    #CosignPostErrorRedirect https://weblogin-test.itcs.umich.edu/post_error.html
    CosignPostErrorRedirect https://weblogin.umich.edu/post_error.html
    #CosignService ${mit_nm}.dent.umich.edu
    CosignService mitools-dev.dent.umich.edu
    #CosignService ${mit_nm}.dent
    #CosignService mitools-dev.dent
    # CosignCrypto <key> <cert> <CA directory used to verify the cosign server>
    CosignCrypto /etc/httpd/certs/current/mitools-dev.dent.umich.edu.key /etc/httpd/certs/current/mitools-dev-cosign.crt /etc/httpd/cosign-ca-dir

    <Location /cosign/valid>
        SetHandler cosign
        CosignProtected Off
        Allow from all
        Satisfy any
    </Location>
</VirtualHost>
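The "certificate verify failed" in snet_starttls comes from mod_cosign, acting as a TLS client, failing to chain the cosign server's certificate to a CA in the directory given as the third CosignCrypto argument. OpenSSL only finds a CA in such a directory through a symlink named after the certificate's subject hash, and that hash changed in OpenSSL 1.0.0. The script below is an added diagnostic, not part of the original post or of cosign; it checks that every CA file in the directory has a hash link matching the installed OpenSSL and, optionally, that a saved copy of the cosign server's certificate verifies against it. The function names, the directory argument and the server certificate file are assumptions.

```shell
#!/bin/sh
# Sanity-check an OpenSSL CApath directory such as the cosign-ca-dir passed as
# the third argument of CosignCrypto. mod_cosign verifies the cosign server's
# certificate against this directory, and OpenSSL finds a CA there only through
# a symlink named <subject_hash>.N. The hash algorithm changed in OpenSSL 1.0.0,
# so links created by an older c_rehash can silently stop matching.
# check_capath and rehash_capath are names constructed for this example.

# check_capath DIR [SERVER_CERT_PEM]: print one line per problem, return 0 if clean.
check_capath() {
    dir=$1; server_cert=$2; rc=0
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        # subject hash as computed by the OpenSSL build that is actually installed
        hash=$(openssl x509 -noout -subject_hash -in "$pem" 2>/dev/null) \
            || { echo "unreadable certificate: $pem"; rc=1; continue; }
        found=0
        for link in "$dir/$hash".[0-9]*; do
            [ -e "$link" ] || continue
            [ "$(readlink -f "$link")" = "$(readlink -f "$pem")" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "no current hash link for $pem (expected $hash.N)"; rc=1
        fi
    done
    # Optional: does a saved copy of the peer's certificate chain to these CAs?
    if [ -n "$server_cert" ] && ! openssl verify -CApath "$dir" "$server_cert" >/dev/null 2>&1; then
        echo "$server_cert does not verify against $dir"; rc=1
    fi
    return $rc
}

# rehash_capath DIR: create the missing <subject_hash>.N links (what c_rehash does).
rehash_capath() {
    dir=$1
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$pem" 2>/dev/null) || continue
        n=0
        while [ -e "$dir/$hash.$n" ]; do
            # a link for this very file already exists: nothing to do
            [ "$(readlink -f "$dir/$hash.$n")" = "$(readlink -f "$pem")" ] && continue 2
            n=$((n + 1))
        done
        ln -s "$(basename "$pem")" "$dir/$hash.$n"
    done
}
```

Run it as `check_capath /etc/httpd/cosign-ca-dir` with the Apache user's OpenSSL on PATH; a clean directory with a CA that still does not sign the cosign server's certificate points at a missing CA file rather than at stale links.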
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss