SSL cert errors using mod_auth_cas
Smith, Matt
matt.smith at uconn.edu
Thu Aug 2 11:54:23 EDT 2007
Just a note for the list -- when dealing with CA certificates that need
to be accessed by OpenSSL libraries (such as mod_ssl or mod_auth_cas),
correct use of OpenSSL's c_rehash is important. c_rehash creates
symlinks in the same directory as the certificates like this:
uconnCA.pem
3a43781c.0 -> uconnCA.pem
But, from my stumblings, OpenSSL seems a bit picky. First, until very
recent versions of c_rehash, the certificate files must end with a "pem"
extension for c_rehash to find and link them properly. Second, if the
certificates are not in OpenSSL's default CA directory
(generally /etc/ssl/certs), then a magic combination of environment
variables, configuration directives, and command line parameters is
necessary.
My advice: put all CA certs in /etc/ssl/certs (or as appropriate for
your distro), make sure they are all named with a "pem" extension, run
c_rehash, check the directory to make sure a new hash symlink has been
created for your CA, then use that directory in all relevant
configuration directives (such as CASCertificatePath).
HTH anybody else with certificate-inspired migraines,
-Matt
On Thu, 2007-08-02 at 10:25 -0400, Paul Ortman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Smith, Matt wrote:
> > Did c_rehash properly create the hash symlinks in that directory?
>
> It didn't seem to do anything:
>
> # c_rehash /etc/apache2/ssl/trusted_keys/
> Doing /etc/apache2/ssl/trusted_keys/
> #
>
> There was no output, at least not like when just calling c_rehash
> w/o arguments.
>
> > Generally, I put my CA certs in OpenSSL's default CA directory
> > (usually /etc/ssl/certs), with a "pem" extension, and run c_rehash
> > with no parameters. Then, for good measure, I restart apache.
> > But, I have never done this with a chain cert.
>
> This is what I did in the end to get things to work based on your
> suggestions and Phillip's work:
>
> I downloaded the root CA cert and the chain cert from IPS to
> /etc/ssl/certs/ and changed their extensions from .crt to .pem. I
> then ran c_rehash with no arguments.
>
> I then downloaded the most recent version of mod_auth_cas (0.9.6)
> and edited my mod_auth_cas config file to read:
>
> LoadModule auth_cas_module modules/mod_auth_cas.so
> <IfModule mod_auth_cas.c>
> CASVersion 2
> CASDebug On
>
> # Validate the authenticity of the login.goshen.edu SSL
> # cert by checking its chain of authority from the root CA.
> CASCertificatePath /etc/ssl/certs
> CASValidateServer On
> CASValidateDepth 9
>
> CASLoginURL https://login.goshen.edu/cas/login
> CASValidateURL https://login.goshen.edu/cas/serviceValidate
> CASTimeout 7200
> CASIdleTimeout 7200
> </IfModule>
>
> > Also, could you supply a bit more info for troubleshooting:
> > What OS and platform?
>
> Gentoo Linux, x86 on Xen virtual host.
>
> > What version of Apache?
>
> 2.0.58-r2
>
> > And could you try to set "CASValidateServer off", just to make
> > sure things work without validation?
>
> I had previously, and that was working just fine.
>
> > Hopefully Phil (this mod_auth_cas author) can comment on how well
> > chain certs are handled -- though, I don't think that is something
> > we've tested yet.
>
> He did. Between the two of you, you folks really helped me out.
> Thanks for all your help.
>
> - --
> Paul Ortman
>
> PGP Key: 55602C81
> - --
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFGseljfw8KGlVgLIERAk5lAJ90LqLtdCJmXe2JbhsAJQk0SgzGTACfagkX
> zcp3GjYqLBLQObLl+gtpilo=
> =V7pk
> -----END PGP SIGNATURE-----
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
--
Matthew J. Smith <matt.smith at uconn.edu>
University of Connecticut UITS
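An added example, not part of the thread and not code from the mod_auth_cas project: a small POSIX shell re-implementation of what c_rehash does, followed by an end-to-end check that the resulting directory satisfies OpenSSL's -CApath lookup (the lookup mod_ssl, and mod_auth_cas via libcurl, perform for CASCertificatePath). It reproduces the failure Paul hit: a CA stored with a .crt extension gets no hash link and the leaf certificate fails to verify; after the rename to .pem and a rehash, verification succeeds. It assumes only the openssl command-line tool; the file names uconnCA.crt/uconnCA.pem, the CN login.example.test and the throwaway CA are constructed for the demo. It goes slightly beyond the post in one respect: the c_rehash script shipped from OpenSSL 1.0.0 on creates two links per certificate, the SHA-1-based -subject_hash and the MD5-based -subject_hash_old that pre-1.0.0 releases (the ones in use in 2007) look up, so a directory hashed with an old c_rehash must be rehashed after an upgrade.

```shell
#!/bin/sh
# Added example, not code from the thread or from mod_auth_cas.
# Requires the openssl CLI; everything else is generated locally.
set -eu

# Link every *.pem file in $1 as "<subject_hash>.<n>", the layout the post
# shows (3a43781c.0 -> uconnCA.pem). Like the old c_rehash script this
# deliberately ignores other extensions (.crt, .cer): that is the pitfall
# the thread describes. Both link styles are created, as the c_rehash
# script from OpenSSL 1.0.0 on does (SHA-1-based and legacy MD5-based).
rehash_dir() {
    dir=$1
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        name=$(basename "$cert")
        for flag in -subject_hash -subject_hash_old; do
            h=$(openssl x509 -noout "$flag" -in "$cert" 2>/dev/null) || continue
            n=0
            # c_rehash bumps the suffix when two distinct CAs share a hash,
            # but reuses an existing link that already points at this file.
            while [ -e "$dir/$h.$n" ]; do
                [ "$(readlink "$dir/$h.$n")" = "$name" ] && break
                n=$((n + 1))
            done
            [ -e "$dir/$h.$n" ] || ln -s "$name" "$dir/$h.$n"
        done
    done
}

# Count the hash symlinks in $1; 0 is the "c_rehash did nothing" symptom.
count_links() {
    n=0
    for f in "$1"/[0-9a-f]*.[0-9]*; do
        [ -L "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Verify certificate $2 against the hashed directory $1. (openssl verify
# also consults the system default store, which cannot know the
# throwaway CA built below, so the outcome depends on $1 alone.)
verify_with_capath() {
    if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Build a throwaway CA (saved as uconnCA.crt, the wrong extension) and a
# leaf certificate signed by it. $1 is a scratch directory. A private
# req config is used so the result does not depend on the system's
# openssl.cnf.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir/certs"
    cat > "$dir/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = Demo Root CA (constructed)
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/certs/uconnCA.crt" >/dev/null 2>&1
    openssl req -new -config "$dir/req.cnf" -subj "/CN=login.example.test" \
        -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/certs/uconnCA.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.pem" >/dev/null 2>&1
}

# Walk through the thread's failure and fix. Prints
# "<verify before> <links before> <verify after> <links after>",
# i.e. "fail 0 ok N" with N = 1 or 2 depending on the openssl build.
demo() {
    work=$(mktemp -d)
    make_demo_pki "$work"
    capath=$work/certs
    rehash_dir "$capath"                              # .crt is skipped: no links
    before="$(verify_with_capath "$capath" "$work/leaf.pem") $(count_links "$capath")"
    mv "$capath/uconnCA.crt" "$capath/uconnCA.pem"   # the rename from the thread
    rehash_dir "$capath"
    rehash_dir "$capath"                              # second run adds no duplicates
    after="$(verify_with_capath "$capath" "$work/leaf.pem") $(count_links "$capath")"
    rm -rf "$work"
    echo "$before $after"
}

demo
```

The same check works on a real directory: `ls -l /etc/ssl/certs | grep '^l'` after running c_rehash should show a `<hash>.0` link for your CA, and `openssl verify -CApath /etc/ssl/certs server.pem` should print OK before you point CASCertificatePath at it.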