Is the PTR record for the IP the same as the A record's hostname? I 
can't think of how that would affect this (it certainly would affect 
Kerberos, but that's not at play here). But you're looking for a 
hostname problem which makes me wonder.



On 07/19/2016 09:51 AM, Andrew Miller wrote:
> I’ve run that command a few times and I don’t see any ssl connection errors 
> in the output.
>
>> On Jul 19, 2016, at 6:18 AM, Jorj Bauer <j...@temple.edu> wrote:
>>
>> In that case, what's the output of
>>
>> openssl s_client -connect cosign-test.example.com:6663 -cert /etc/apache/certs/cosign-test.cert -key /etc/apache/certs/cosign-test.key -CApath /var/cosign/certs/CA -showcerts -state -debug -crlf -starttls smtp
>>
>> ... with appropriate paths and hostnames, of course. :)
>>
>>
>>
>> On 7/18/16 9:03 PM, Andrew Miller wrote:
>>> No, SHA-256.
>>>
>>> --Andrew
>>>
>>>> On Jul 18, 2016, at 8:53 PM, Jorj Bauer <j...@temple.edu> wrote:
>>>>
>>>> I would guess it's that your server cert is SHA/1, and El Capitan refuses 
>>>> to let you use it.
>>>>
>>>> -- Jorj
>>>>
>>>> Sent from my iPhone
>>>>
>>>> On Jul 18, 2016, at 11:12, Andrew Miller <ajmil...@engr.psu.edu> wrote:
>>>>
>>>>> I had mod_cosign working fine with Mac OS X Yosemite Server, but after 
>>>>> upgrade to El Capitan I’m seeing ssl errors with certificate validation. 
>>>>> The certs are all valid because they worked under the previous OS.
>>>>>
>>>>>
>>>>> Initially I saw these five error messages:
>>>>> [Sun Jul 17 16:35:32.090667 2016] [:error] [pid 13173] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>> [Sun Jul 17 16:35:32.111515 2016] [:error] [pid 13173] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>> [Sun Jul 17 16:35:32.133292 2016] [:error] [pid 13173] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>> [Sun Jul 17 16:35:32.152370 2016] [:error] [pid 13173] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>> [Sun Jul 17 16:35:32.152474 2016] [:error] [pid 13173] mod_cosign: cosign_cookie_valid: Unable to connect to any Cosign server.
>>>>>
>>>>>
>>>>> After adding my CosignHostName server to my /etc/hosts file there are 
>>>>> only two error messages:
>>>>>
>>>>> [Sun Jul 17 16:37:44.480698 2016] [:error] [pid 13264] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>> [Sun Jul 17 16:37:44.480810 2016] [:error] [pid 13264] mod_cosign: cosign_cookie_valid: Unable to connect to any Cosign server.
>>>>>
>>>>> It seems like maybe some security feature in El Capitan is blocking 
>>>>> Cosign from doing DNS lookups. I cannot determine what other name is 
>>>>> being looked up by Cosign. I tried adding all the server names that might 
>>>>> appear in any of my certificates to no avail.
>>>>>
>>>>> Any ideas of how to fix this?
>>>>>
>>>>> --Andrew
>>>>>
>>>>> ===================================================
>>>>> Andrew J. Miller
>>>>> Programmer/Analyst
>>>>> Department of Engineering Science & Mechanics
>>>>> Pennsylvania State University
>>>>> 212 Earth and Engineering Sciences Building
>>>>> University Park, PA 16802
>>>>> ===================================================
>>>>>
>>>>> _______________________________________________
>>>>> Cosign-discuss mailing list
>>>>> Cosign-discuss@lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/cosign-discuss
>>>
>>
>
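
Added example, not part of the original thread: a small Python check for the question asked at the top of this message, whether each address the Cosign hostname resolves to has a PTR record pointing back at the same name. The function names, the sample addresses and the name weblogin-2.example.com are constructed for illustration; cosign-test.example.com is the placeholder hostname used in the thread.

```python
import socket
import sys

def normalize(name):
    """Lower-case and strip the trailing dot so DNS names compare equal."""
    return name.rstrip(".").lower()

def compare_records(hostname, forward_ips, ptr_names):
    """Compare A answers for hostname with the PTR names of each address.

    ptr_names maps ip -> list of names from the reverse lookup ([] if none).
    Returns [(ip, verdict, names)], verdict in match / mismatch / no-ptr.
    """
    want = normalize(hostname)
    findings = []
    for ip in forward_ips:
        names = [normalize(n) for n in ptr_names.get(ip, [])]
        if not names:
            verdict = "no-ptr"
        elif want in names:
            verdict = "match"
        else:
            verdict = "mismatch"
        findings.append((ip, verdict, names))
    return findings

def lookup(hostname):
    """Live IPv4 lookups through the system resolver (/etc/hosts entries count)."""
    _, _, ips = socket.gethostbyname_ex(hostname)
    ptr = {}
    for ip in ips:
        try:
            name, aliases, _ = socket.gethostbyaddr(ip)
            ptr[ip] = [name] + aliases
        except (socket.herror, socket.gaierror):
            ptr[ip] = []  # no PTR record, or reverse zone unreachable
    return ips, ptr

# Constructed sample answers (documentation address range), not from the thread.
SAMPLE_IPS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
SAMPLE_PTR = {
    "192.0.2.10": ["Cosign-Test.example.com."],
    "192.0.2.11": ["weblogin-2.example.com"],
}

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else None
    ips, ptr = lookup(host) if host else (SAMPLE_IPS, SAMPLE_PTR)
    for ip, verdict, names in compare_records(host or "cosign-test.example.com", ips, ptr):
        print(f"{ip:15} {verdict:8} {', '.join(names) or '-'}")
```

Run with the CosignHostName value as the only argument to query the live resolver; with no argument it prints the verdicts for the constructed sample.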
