SSL cert errors using mod_auth_cas
Scott Battaglia
scott.battaglia at gmail.com
Thu Aug 2 12:16:59 EDT 2007
Matt (or anyone else),
Any chance we can get some of this useful information included in the wiki
with the mod_auth_cas documentation?
Thanks
-Scott
On 8/2/07, Smith, Matt <matt.smith at uconn.edu> wrote:
>
> Just a note for the list -- when dealing with CA certificates that need
> to be accessed by OpenSSL libraries (such as mod_ssl or mod_auth_cas),
> correct use of OpenSSL's c_rehash is important. c_rehash creates
> symlinks in the same directory as the certificates like this:
>
> uconnCA.pem
> 3a43781c.0 -> uconnCA.pem
>
> But, from my stumblings, OpenSSL seems a bit picky. First, until very
> recent versions of c_rehash, the certificate files must end with a "pem"
> extension for c_rehash to find and link them properly. Second, if the
> certificates are not in OpenSSL's default CA directory
> (generally /etc/ssl/certs), then a magic combination of environment
> variables, configuration directives, and command line parameters is
> necessary.
>
> My advice: put all CA certs in /etc/ssl/certs (or as appropriate for
> your distro), make sure they are all named with a "pem" extension, run
> c_rehash, check the directory to make sure a new hash symlink has been
> created for your CA, then use that directory in all relevant
> configuration directives (such as CASCertificatePath).
>
>
> HTH anybody else with certificate-inspired migraines,
> -Matt
>
> On Thu, 2007-08-02 at 10:25 -0400, Paul Ortman wrote:
> > Smith, Matt wrote:
> > > Did c_rehash properly create the hash symlinks in that directory?
> >
> > It didn't seem to do anything:
> >
> > # c_rehash /etc/apache2/ssl/trusted_keys/
> > Doing /etc/apache2/ssl/trusted_keys/
> > #
> >
> > There was no output, at least not like when just calling c_rehash
> > w/o arguments.
> >
> > > Generally, I put my CA certs in OpenSSL's default CA directory
> > > (usually /etc/ssl/certs), with a "pem" extension, and run c_rehash
> > > with no parameters. Then, for good measure, I restart apache.
> > > But, I have never done this with a chain cert.
> >
> > This is what I did in the end to get things to work based on your
> > suggestions and Phillip's work:
> >
> > Downloaded the root CA cert and the chain cert from IPS to
> > /etc/ssl/certs/ and changed their extensions from .crt to .pem. I
> > then ran c_rehash with no arguments.
> >
> > I then downloaded the most recent version of mod_auth_cas (0.9.6)
> > and edited my mod_auth_cas config file to read:
> >
> > LoadModule auth_cas_module modules/mod_auth_cas.so
> > <IfModule mod_auth_cas.c>
> >   CASVersion 2
> >   CASDebug On
> >
> >   # Validate the authenticity of the login.goshen.edu SSL
> >   # cert by checking its chain of authority from the root CA.
> >   CASCertificatePath /etc/ssl/certs
> >   CASValidateServer On
> >   CASValidateDepth 9
> >
> >   CASLoginURL https://login.goshen.edu/cas/login
> >   CASValidateURL https://login.goshen.edu/cas/serviceValidate
> >   CASTimeout 7200
> >   CASIdleTimeout 7200
> > </IfModule>
> >
> > > Also, could you supply a bit more info for troubleshooting:
> > > What OS and platform?
> >
> > Gentoo Linux, x86 on Xen virtual host.
> >
> > > What version of Apache?
> >
> > 2.0.58-r2
> >
> > > And could you try to set "CASValidateServer off", just to make
> > > sure things work without validation?
> >
> > I had previously, and that was working just fine.
> >
> > > Hopefully Phil (the mod_auth_cas author) can comment on how well
> > > chain certs are handled -- though, I don't think that is something
> > > we've tested yet.
> >
> > He did. Between the two of you, you folks really helped me out.
> > Thanks for all your help.
> >
> > --
> > Paul Ortman
> >
> > PGP Key: 55602C81
> > --
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> --
> Matthew J. Smith <matt.smith at uconn.edu>
> University of Connecticut UITS
>
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
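The procedure Matt describes (certificate named *.pem in the CA directory, run c_rehash, confirm the hash symlink appeared, then point CASCertificatePath at that directory) as an added, runnable example. This is not code from the thread or from mod_auth_cas: it builds a throwaway self-signed CA as constructed test data, uses a small shell reimplementation of what c_rehash does (link `<subject-hash>.N -> file`) so it does not depend on the perl script being installed, and checks the result the same way the library does, with `openssl verify -CApath`, which looks certificates up by hash only. The temporary directory under `$WORK`, the file name `exampleCA.pem` and the CA subject are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from mod_auth_cas: build a
# throwaway CA (constructed test data), install it into a CA directory the
# way Matt describes, reproduce what c_rehash does for that directory, and
# check the result the way OpenSSL's hashed-directory lookup (used by mod_ssl
# and mod_auth_cas's CASCertificatePath) sees it. $WORK, the file name and
# the CA subject are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CADIR="$WORK/certs"     # stands in for /etc/ssl/certs / CASCertificatePath

# make_ca DIR FILE: self-signed test CA written to DIR/FILE (FILE ends in .pem)
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$1/$2" >/dev/null 2>&1
}

# rehash_dir DIR: what c_rehash does, minus the perl: for each *.pem, link
# <subject-hash>.<n> -> file, taking the first free <n> and skipping files
# that are already linked, so running it twice is harmless.
rehash_dir() {
  dir="$1"
  for cert in "$dir"/*.pem; do
    [ -f "$cert" ] || continue
    name=$(basename "$cert")
    hash=$(openssl x509 -in "$cert" -noout -subject_hash)
    n=0
    while [ -e "$dir/$hash.$n" ]; do
      [ "$(readlink "$dir/$hash.$n")" = "$name" ] && continue 2
      n=$((n + 1))
    done
    ln -s "$name" "$dir/$hash.$n"
    echo "$hash.$n -> $name"
  done
}

# has_hash_link DIR CERT: the by-hand check Matt recommends after c_rehash:
# is there a <hash>.N symlink in DIR that points at this certificate?
has_hash_link() {
  dir="$1"; cert="$2"
  hash=$(openssl x509 -in "$cert" -noout -subject_hash)
  for link in "$dir/$hash".[0-9]*; do
    [ -L "$link" ] && [ "$(readlink "$link")" = "$(basename "$cert")" ] && return 0
  done
  return 1
}

# trusted_by_capath DIR CERT: lookup by hash only, exactly as the library
# does; a certificate sitting in DIR without its hash link is invisible here.
trusted_by_capath() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# --- end-to-end run of the procedure from the thread ---
make_ca "$CADIR" exampleCA.pem

if trusted_by_capath "$CADIR" "$CADIR/exampleCA.pem"; then
  echo "unexpected: trusted before rehash"
else
  echo "before rehash: file is in the directory but not found by hash"
fi

rehash_dir "$CADIR"

if has_hash_link "$CADIR" "$CADIR/exampleCA.pem" \
   && trusted_by_capath "$CADIR" "$CADIR/exampleCA.pem"; then
  echo "after rehash: hash link present and CApath lookup succeeds"
fi
ls -l "$CADIR"
```

One caveat when following the thread's advice today: OpenSSL 1.0.0 changed the subject-hash algorithm, so links created by the 0.9.8-era c_rehash used in this thread are not found by newer libraries and vice versa. `openssl x509 -noout -subject_hash_old` prints the old value, and the c_rehash shipped with 1.0.0 and later creates links for both styles; if a directory "looks rehashed" but validation still fails, compare the link names against both hashes before digging into mod_auth_cas.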