SSL cert errors using mod_auth_cas

Smith, Matt matt.smith at uconn.edu
Wed Aug 1 13:24:21 EDT 2007


Try running this:

 c_rehash /etc/apache2/ssl/trusted_keys

This should create two hash symlinks in that directory.  These hash
symlinks are used by the openssl libs to locate the proper certs.

HTH,
-Matt

On Wed, 2007-08-01 at 12:15 -0400, Paul Ortman wrote:
> 
> I'm attempting to get mod_auth_cas working as a CAS client and can't
> seem to get it to trust my CAS server (login.goshen.edu).  In the
> Apache error log I get:
> 
>   MOD_AUTH_CAS: Could not perform SSL handshake with
>   login.goshen.edu (check CASCertificatePath), referer:
>   http://wiki.goshen.edu/twiki/bin/view/lib/WebHome
> 
> So I check my CASCertificatePath in my apache conf file:
> 
>   LoadModule auth_cas_module    modules/mod_auth_cas.so
>   <IfModule mod_auth_cas.c>
>      CASVersion 2
>      CASDebug On
>      CASCertificatePath /etc/apache2/ssl/trusted_keys
>      CASValidateServer on
>      CASLoginURL https://login.goshen.edu/cas/login
>      CASValidateURL https://login.goshen.edu/cas/serviceValidate
>      CASTimeout 7200
>      CASIdleTimeout 7200
>   </IfModule>
> 
> And then I check the contents of CASCertificatePath in the
> filesystem of the mod_auth_cas machine:
> 
>   # ls -l /etc/apache2/ssl/trusted_keys
>   -rw-r--r-- 1 root root 2140 Jun  9  2002 IPSCACLASEA1.crt
>   -rw-r--r-- 1 root root 1001 Jun  9  2002 IPSServidores.crt
> 
> Seems sane, right?  There's the root cert (IPSServidores.crt) and
> the necessary chain cert (IPSCACLASEA1.crt) for my CAS server.  I'm
> currently using an SSL cert (free for *.edu domains) from ipsca.com.
> 
> So now I try to figure out how I could test just a plain SSL
> connection, and come up with this, testing from the same machine I
> have mod_auth_cas installed on:
> 
>   # echo | openssl s_client -CApath /etc/apache2/ssl/trusted_keys -connect login.goshen.edu:443 2>&1 > /dev/null
>   depth=2 /C=ES/ST=BARCELONA/L=BARCELONA/O=IPS Seguridad CA/OU=Certificaciones/CN=IPS SERVIDORES/emailAddress=ips at mail.ips.es
>   verify return:1
>   depth=1 /C=ES/ST=Barcelona/L=Barcelona/O=IPS Certification Authority s.l./O=general at ipsca.com C.I.F.  B-B62210695/OU=ipsCA CLASEA1 Certification Authority/CN=ipsCA CLASEA1 Certification Authority/emailAddress=general at ipsca.com
>   verify return:1
>   depth=0 /C=US/ST=IN/L=Goshen/O=Goshen College/OU=ITS/CN=login.goshen.edu
>   verify return:1
>   DONE
> 
> Again, I think things look like they should work, but perhaps I'm still
> missing something.  I've got to admit I don't feel like any sort of
> expert on what certs and their types need to go where. Any clues?
> 
> -- 
> Paul Ortman
> 
> PGP Key: 55602C81
-- 
Matthew J. Smith <matt.smith at uconn.edu>
University of Connecticut UITS
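As an added illustration (not code from either poster), the script below does what c_rehash does for a CASCertificatePath directory: it names each PEM cert by its subject hash so OpenSSL's -CApath lookup (and so mod_auth_cas) can find it, then checks that a leaf cert chains to the directory. Function names and the demo directory argument are this example's own; `openssl x509 -hash` gives the hash your OpenSSL build uses (`-subject_hash_old` gives the pre-1.0 MD5 form).

```shell
#!/bin/sh
# Added example: rebuild OpenSSL hash symlinks for a CApath-style directory
# and verify a chain against it. Mirrors c_rehash / "openssl rehash".
set -eu

# rehash_dir DIR: drop stale hash links, then create <subject_hash>.N -> cert
rehash_dir() {
    dir=$1
    for link in "$dir"/*.[0-9]*; do
        if [ -L "$link" ]; then rm -f "$link"; fi
    done
    for cert in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        hash=$(openssl x509 -hash -noout -in "$cert")
        # several certs may share a subject hash; OpenSSL tries .0, .1, ... in turn
        n=0
        while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$cert")" "$dir/$hash.$n"
    done
}

# count_links DIR: how many hash symlinks exist (0 means CApath lookup cannot work)
count_links() {
    n=0
    for link in "$1"/*.[0-9]*; do
        if [ -L "$link" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# verify_chain DIR LEAF: exit 0 only if OpenSSL builds a trusted chain for LEAF
verify_chain() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Usage: ./rehash.sh /etc/apache2/ssl/trusted_keys [leaf.crt]
if [ $# -gt 0 ]; then
    rehash_dir "$1"
    echo "hash links in $1: $(count_links "$1")"
    if [ $# -gt 1 ]; then
        verify_chain "$1" "$2" && echo "chain OK" || echo "chain NOT trusted"
    fi
fi
```

Run it against the same directory you pass to -CApath; a zero link count is exactly the situation the reply above describes.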