SSL cert errors using mod_auth_cas
Paul Ortman
portman at goshen.edu
Wed Aug 1 12:15:16 EDT 2007
I'm attempting to get mod_auth_cas working as a CAS client and can't
seem to get it to trust my CAS server (login.goshen.edu). In the
Apache error log I get:

    MOD_AUTH_CAS: Could not perform SSL handshake with
    login.goshen.edu (check CASCertificatePath), referer:
    http://wiki.goshen.edu/twiki/bin/view/lib/WebHome

So I check my CASCertificatePath in my apache conf file:

    LoadModule auth_cas_module modules/mod_auth_cas.so
    <IfModule mod_auth_cas.c>
        CASVersion 2
        CASDebug On
        CASCertificatePath /etc/apache2/ssl/trusted_keys
        CASValidateServer on
        CASLoginURL https://login.goshen.edu/cas/login
        CASValidateURL https://login.goshen.edu/cas/serviceValidate
        CASTimeout 7200
        CASIdleTimeout 7200
    </IfModule>

And then I check the contents of CASCertificatePath in the
filesystem of the mod_auth_cas machine:

    # ls -l /etc/apache2/ssl/trusted_keys
    -rw-r--r-- 1 root root 2140 Jun 9 2002 IPSCACLASEA1.crt
    -rw-r--r-- 1 root root 1001 Jun 9 2002 IPSServidores.crt

Seems sane, right? There's the root cert (IPSServidores.crt) and
the necessary chain cert (IPSCACLASEA1.crt) for my CAS server. I'm
currently using an SSL cert (free for *.edu domains) from ipsca.com.
So now I try to figure out how I could test just a plain SSL
connection, and come up with this, testing from the same machine I
have mod_auth_cas installed on:

    # echo | openssl s_client -CApath /etc/apache2/ssl/trusted_keys -connect login.goshen.edu:443 2>&1 > /dev/null
    depth=2 /C=ES/ST=BARCELONA/L=BARCELONA/O=IPS Seguridad CA/OU=Certificaciones/CN=IPS SERVIDORES/emailAddress=ips at mail.ips.es
    verify return:1
    depth=1 /C=ES/ST=Barcelona/L=Barcelona/O=IPS Certification Authority s.l./O=general at ipsca.com C.I.F. B-B62210695/OU=ipsCA CLASEA1 Certification Authority/CN=ipsCA CLASEA1 Certification Authority/emailAddress=general at ipsca.com
    verify return:1
    depth=0 /C=US/ST=IN/L=Goshen/O=Goshen College/OU=ITS/CN=login.goshen.edu
    verify return:1
    DONE

Again, I think things look like they should work, but perhaps I'm still
missing something. I've got to admit I don't feel like any sort of
expert on what certs and their types need to go where. Any clues?
--
Paul Ortman
PGP Key: 55602C81
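
An added check, not part of the original message and not mod_auth_cas code: OpenSSL finds CAs in a CApath-style directory by file names of the form <subject-hash>.N (normally symlinks created by c_rehash), and the listing above shows only the two .crt names. Assuming mod_auth_cas hands CASCertificatePath to OpenSSL as such a directory, the hypothetical check_capath function below reports which certificates in a directory have no hash-named entry.

```shell
#!/bin/sh
# Added example (check_capath is a hypothetical helper, not a mod_auth_cas tool).
# Prints one line per certificate file in DIR and returns non-zero if any
# certificate lacks a <subject-hash>.N entry holding the same certificate.

check_capath() {
    dir=$1
    missing=0
    for cert in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$cert" ] || continue            # glob matched nothing
        # Subject-name hash that OpenSSL uses as the lookup file name.
        hash=$(openssl x509 -noout -hash -in "$cert" 2>/dev/null) || {
            echo "SKIP    $cert (not a PEM certificate)"
            continue
        }
        fp=$(openssl x509 -noout -fingerprint -in "$cert")
        found=no
        # Hash collisions are numbered .0, .1, ...; accept any entry that
        # contains the same certificate (compared by fingerprint).
        for link in "$dir/$hash".[0-9]*; do
            [ -f "$link" ] || continue
            if [ "$(openssl x509 -noout -fingerprint -in "$link" 2>/dev/null)" = "$fp" ]; then
                found=yes
                break
            fi
        done
        if [ "$found" = yes ]; then
            echo "OK      $cert -> ${link##*/}"
        else
            echo "MISSING $cert (expected $hash.0)"
            missing=1
        fi
    done
    return "$missing"
}
```

Called as `check_capath /etc/apache2/ssl/trusted_keys`, it prints a MISSING line for every certificate that a directory lookup could not find; running c_rehash on the directory creates those entries.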