SSL cert errors using mod_auth_cas
Paul Ortman
portman at goshen.edu
Thu Aug 2 10:25:39 EDT 2007
Smith, Matt wrote:
> Did c_rehash properly create the hash symlinks in that directory?
It didn't seem to do anything:
# c_rehash /etc/apache2/ssl/trusted_keys/
Doing /etc/apache2/ssl/trusted_keys/
#
There was no output, at least not like when just calling c_rehash
w/o arguments.
> Generally, I put my CA certs in OpenSSL's default CA directory
> (usually /etc/ssl/certs), with a "pem" extension, and run c_rehash
> with no parameters. Then, for good measure, I restart apache.
> But, I have never done this with a chain cert.
This is what I did in the end to get things to work, based on your
suggestions and Phillip's work:
I downloaded the root CA cert and the chain cert from IPS to
/etc/ssl/certs/ and changed their extensions from .crt to .pem. I
then ran c_rehash with no arguments.
I then downloaded the most recent version of mod_auth_cas (0.9.6)
and edited my mod_auth_cas config file to read:
LoadModule auth_cas_module modules/mod_auth_cas.so
<IfModule mod_auth_cas.c>
CASVersion 2
CASDebug On

# Validate the authenticity of the login.goshen.edu SSL
# cert by checking its chain of authority from the root CA.
CASCertificatePath /etc/ssl/certs
CASValidateServer On
CASValidateDepth 9

CASLoginURL https://login.goshen.edu/cas/login
CASValidateURL https://login.goshen.edu/cas/serviceValidate
CASTimeout 7200
CASIdleTimeout 7200
</IfModule>
> Also, could you supply a bit more info for troubleshooting:
> What OS and platform?
Gentoo Linux, x86 on Xen virtual host.
> What version of Apache?
2.0.58-r2
> And could you try to set "CASValidateServer off", just to make
> sure things work without validation?
I had previously, and that was working just fine.
> Hopefully Phil (the mod_auth_cas author) can comment on how well
> chain certs are handled -- though, I don't think that is something
> we've tested yet.
He did. Between the two of you, you folks really helped me out.
Thanks for all your help.
--
Paul Ortman
PGP Key: 55602C81