Phil Pishioneri helped me with an alternative configuration for the 
CosignCrypto directive that avoids the use of hashes, so we got my server 
working with cosign. He can share the details. 

We did not determine the cause of my original problem, but I was able to remove 
the entries in my /etc/hosts file and cosign still works.

Thanks to all for your helpful suggestions.

—Andrew

> On Jul 19, 2016, at 9:52 AM, Jorj Bauer <j...@temple.edu> wrote:
> 
> Is the PTR record for the IP the same as the A record's hostname? I can't 
> think of how that would affect this (it certainly would affect Kerberos, but 
> that's not at play here). But you're looking for a hostname problem which 
> makes me wonder.
> 
> 
> 
> On 07/19/2016 09:51 AM, Andrew Miller wrote:
>> I’ve run that command a few times and I don’t see any ssl connection errors 
>> in the output.
>> 
>>> On Jul 19, 2016, at 6:18 AM, Jorj Bauer <j...@temple.edu> wrote:
>>> 
>>> In that case, what's the output of
>>> 
>>> openssl s_client -connect cosign-test.example.com:6663 -cert 
>>> /etc/apache/certs/cosign-test.cert -key /etc/apache/certs/cosign-test.key 
>>> -CApath /var/cosign/certs/CA -showcerts -state -debug -crlf -starttls smtp
>>> 
>>> ... with appropriate paths and hostnames, of course. :)
>>> 
>>> 
>>> 
>>> On 7/18/16 9:03 PM, Andrew Miller wrote:
>>>> No, SHA-256.
>>>> 
>>>> --Andrew
>>>> 
>>>>> On Jul 18, 2016, at 8:53 PM, Jorj Bauer <j...@temple.edu> wrote:
>>>>> 
>>>>> I would guess it's that your server cert is SHA-1, and El Capitan refuses 
>>>>> to let you use it.
>>>>> 
>>>>> -- Jorj
>>>>> 
>>>>> Sent from my iPhone
>>>>> 
>>>>> On Jul 18, 2016, at 11:12, Andrew Miller <ajmil...@engr.psu.edu> wrote:
>>>>> 
>>>>>> I had mod_cosign working fine with Mac OS X Yosemite Server, but after 
>>>>>> upgrade to El Capitan I’m seeing ssl errors with certificate validation. 
>>>>>> The certs are all valid because they worked under the previous OS.
>>>>>> 
>>>>>> 
>>>>>> Initially I saw these five error messages:
>>>>>> [Sun Jul 17 16:35:32.090667 2016] [:error] [pid 13173] mod_cosign: 
>>>>>> snet_starttls: error:14090086:SSL 
>>>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>>> [Sun Jul 17 16:35:32.111515 2016] [:error] [pid 13173] mod_cosign: 
>>>>>> snet_starttls: error:14090086:SSL 
>>>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>>> [Sun Jul 17 16:35:32.133292 2016] [:error] [pid 13173] mod_cosign: 
>>>>>> snet_starttls: error:14090086:SSL 
>>>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>>> [Sun Jul 17 16:35:32.152370 2016] [:error] [pid 13173] mod_cosign: 
>>>>>> snet_starttls: error:14090086:SSL 
>>>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>>> [Sun Jul 17 16:35:32.152474 2016] [:error] [pid 13173] mod_cosign: 
>>>>>> cosign_cookie_valid: Unable to connect to any Cosign server.
>>>>>> 
>>>>>> 
>>>>>> After adding my CosignHostName server to my /etc/hosts file there are 
>>>>>> only two error messages:
>>>>>> 
>>>>>> [Sun Jul 17 16:37:44.480698 2016] [:error] [pid 13264] mod_cosign: 
>>>>>> snet_starttls: error:14090086:SSL 
>>>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>>> [Sun Jul 17 16:37:44.480810 2016] [:error] [pid 13264] mod_cosign: 
>>>>>> cosign_cookie_valid: Unable to connect to any Cosign server.
>>>>>> 
>>>>>> It seems like maybe some security feature in El Capitan is blocking 
>>>>>> Cosign from doing DNS lookups. I cannot determine what other name is 
>>>>>> being looked up by Cosign. I tried adding all the server names that 
>>>>>> might appear in any of my certificates to no avail.
>>>>>> 
>>>>>> Any ideas of how to fix this?
>>>>>> 
>>>>>> --Andrew
>>>>>> 
>>>>>> ===================================================
>>>>>> Andrew J. Miller
>>>>>> Programmer/Analyst
>>>>>> Department of Engineering Science & Mechanics
>>>>>> Pennsylvania State University
>>>>>> 212 Earth and Engineering Sciences Building
>>>>>> University Park, PA 16802
>>>>>> ===================================================
>>>>>> 
>>>>>> _______________________________________________
>>>>>> Cosign-discuss mailing list
>>>>>> Cosign-discuss@lists.sourceforge.net
>>>>>> https://lists.sourceforge.net/lists/listinfo/cosign-discuss
>>>> 
>>> 
>> 
> 
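The error_log lines quoted in this thread can be triaged mechanically. The script below is an added example, not code from the cosign project or from anyone in this thread: it parses mod_cosign error lines, unpacks the OpenSSL 1.x packed error code (`error:LLFFFRRR`, library / function / reason in hex; the constants ERR_LIB_SSL = 20 and SSL_R_CERTIFICATE_VERIFY_FAILED = 134 are the OpenSSL 1.0.x header values), and counts, per Apache worker pid, how many `snet_starttls` verify failures precede a `cosign_cookie_valid: Unable to connect to any Cosign server`. The sample log is reconstructed from the excerpts above, unwrapped to one line each; reading that count as "number of CosignHostName addresses tried" is my assumption, not something the thread states.

```python
"""Triage helper for mod_cosign TLS errors in an Apache error_log.

Added example; not part of the cosign project. Sample lines are
reconstructed from the thread's log excerpts (unwrapped to one line each).
"""
import re
from collections import defaultdict

# Apache error_log line as emitted by mod_cosign (shape taken from the thread).
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[:error\] \[pid (?P<pid>\d+)\] mod_cosign: "
    r"(?P<func>\w+): (?P<msg>.*)$"
)
# OpenSSL 1.x packed error code "error:LLFFFRRR" (hex):
# LL = library (8 bits), FFF = function (12 bits), RRR = reason (12 bits).
OSSL_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<fn>[^:]*):(?P<reason_text>.*)"
)

ERR_LIB_SSL = 20                       # 0x14, OpenSSL 1.0.x err.h
SSL_R_CERTIFICATE_VERIFY_FAILED = 134  # 0x086, OpenSSL 1.0.x ssl.h

# Constructed sample: the thread's two excerpts, one log record per line.
SAMPLE_LOG = [
    "[Sun Jul 17 16:35:32.090667 2016] [:error] [pid 13173] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
    "[Sun Jul 17 16:35:32.111515 2016] [:error] [pid 13173] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
    "[Sun Jul 17 16:35:32.133292 2016] [:error] [pid 13173] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
    "[Sun Jul 17 16:35:32.152370 2016] [:error] [pid 13173] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
    "[Sun Jul 17 16:35:32.152474 2016] [:error] [pid 13173] mod_cosign: cosign_cookie_valid: Unable to connect to any Cosign server.",
    "[Sun Jul 17 16:37:44.480698 2016] [:error] [pid 13264] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
    "[Sun Jul 17 16:37:44.480810 2016] [:error] [pid 13264] mod_cosign: cosign_cookie_valid: Unable to connect to any Cosign server.",
]

HINTS = {
    "tls_verify_failed": (
        "peer certificate did not verify against the CA directory mod_cosign "
        "uses: check the chain and CA path, the hostname in the cert, and whether "
        "the client-side OpenSSL still accepts the cert's signature algorithm"
    ),
    "no_server_reachable": (
        "every resolved CosignHostName address failed; the verify failures logged "
        "just before this by the same pid show how many were tried (assumption)"
    ),
}


def decode_openssl_code(code_hex):
    """Split a packed OpenSSL 1.x error code into its three numeric fields."""
    code = int(code_hex, 16)
    return {
        "library": code >> 24,
        "function": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
    }


def parse_line(line):
    """Return a dict for a mod_cosign error line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    o = OSSL_RE.search(rec["msg"])
    if o:
        rec["openssl"] = dict(o.groupdict(), **decode_openssl_code(o.group("code")))
    return rec


def classify(rec):
    """Label a parsed record by the failure it represents."""
    o = rec.get("openssl")
    if (o and o["library"] == ERR_LIB_SSL
            and o["reason"] == SSL_R_CERTIFICATE_VERIFY_FAILED):
        return "tls_verify_failed"
    if rec["func"] == "cosign_cookie_valid" and "Unable to connect" in rec["msg"]:
        return "no_server_reachable"
    return "other"


def summarize(lines):
    """Per worker pid: verify failures seen, and whether mod_cosign gave up."""
    per_pid = defaultdict(lambda: {"verify_failures": 0, "gave_up": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label == "tls_verify_failed":
            per_pid[rec["pid"]]["verify_failures"] += 1
        elif label == "no_server_reachable":
            per_pid[rec["pid"]]["gave_up"] = True
    return dict(per_pid)


if __name__ == "__main__":
    for pid, s in summarize(SAMPLE_LOG).items():
        print(pid, s)
    for label, hint in HINTS.items():
        print(label, "->", hint)
```

Run against a real error_log with `summarize(open(path))`; the decoded `function` field (144 here, SSL3_GET_SERVER_CERTIFICATE) confirms the failure is the client rejecting the server's certificate chain rather than a handshake or connection-level problem, which is the same conclusion the `openssl s_client -showcerts -state` check in the thread is meant to reach.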


