Hi Ray, I've tried what you recommended before, but I still get the same error. After I checked the error log in the apache2 log, I found this error message:

[client 127.0.0.1:51490] MOD_AUTH_CAS: curl_easy_perform() failed (SSL certificate problem: self signed certificate)

I think this is because I use the self-signed keystore and certificate using "./gradlew createKeystore" in the cas-server files. Can I use the self-signed certificate, or turn off the self-signed certificate checker on Apache?

Thanks,
Irvan

On Thursday, 07 January 2021 at 04.31.07 UTC+7 Ray Bon wrote:

> Irvan,
>
> The embedded container properties might be for tomcat.
> You may have to add the cert to the java keystore, usually in
> <JAVA_HOME>/jre/lib/security/cacerts.
>
> Ray
>
> On Wed, 2021-01-06 at 12:06 -0800, irvan suryadi wrote:
>
> Notice: This message was sent from outside the University of Victoria
> email system. Please be cautious with links and sensitive information.
>
> Hello Ray,
>
> I have done several experiments based on your suggestions. Previously, I'd
> like to answer about cas.example.org and localhost. Yes, it is true that
> they are the same domain on IP (127.0.0.1).
>
> I have added the certificate to "auth_cas.conf" using the command
> "CasCertificatePath", but the problem is still the same.
>
> Is there anything I missed?
>
> Thanks,
> Irvan
>
> auth_cas.conf :
>
> <Directory "/var/www/html/secured-by-cas">
>   <IfModule mod_auth_cas.c>
>     AuthType CAS
>     CASAuthNHeader On
>   </IfModule>
>   Require valid-user
> </Directory>
>
> <IfModule mod_auth_cas.c>
>   CASLoginUrl https://cas.example.org:8443/cas/login
>   CASValidateUrl https://cas.example.org:8443/cas/serviceValidate
>   CASCookiePath /var/cache/apache2/mod_auth_cas/
>   CASSSOEnabled On
>   CASDebug On
>   LogLevel Debug
>   CASCertificatePath /etc/cas/cas.crt
> </IfModule>
>
> -------------------------
>
> Based on your directions here is what my apache server "access.log" looks
> like when I try to run cas:
> ::1 - - [07/Jan/2021:02:20:30 +0700] "GET /secured-by-cas HTTP/1.1" 302 668 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
> ::1 - - [07/Jan/2021:02:21:22 +0700] "-" 408 0 "-" "-"
> ::1 - - [07/Jan/2021:02:30:41 +0700] "GET /secured-by-cas HTTP/1.1" 302 668 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
> ::1 - - [07/Jan/2021:02:38:18 +0700] "GET /secured-by-cas HTTP/1.1" 302 668 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
> ::1 - - [07/Jan/2021:02:39:10 +0700] "-" 408 0 "-" "-"
> 127.0.0.1 - - [07/Jan/2021:02:41:54 +0700] "GET /secured-by-cas?ticket=ST-1-sZOsx9-Yf4rt4RwvMt6cJnYsNs-Irvan HTTP/1.1" 401 682 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
> 127.0.0.1 - - [07/Jan/2021:02:41:54 +0700] "GET /favicon.ico HTTP/1.1" 404 493 "http://cas.example.org/secured-by-cas?ticket=ST-1-sZOsx9-Yf4rt4RwvMt6cJnYsNs-Irvan" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
>
> ------------------------
> Here's the log from my apache server:
>
> =============================================================
> WHO: audit: unknown
> WHAT: [event = success, timestamp = Thu Jan 07 02:41:48 WIB 2021, source = RankedMultifactorAuthenticationProviderWebflowEventResolver]
> ACTION: AUTHENTICATION_EVENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Thu Jan 07 02:41:48 WIB 2021
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
> =============================================================
>
> 2021-01-07 02:41:53,860 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated principal [irvan] with attributes [{}] via credentials [[UsernamePasswordCredential (username = irvan, source = null, customFields = {})]].>
> 2021-01-07 02:41:53,878 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: irvan
> WHAT: Supplied credentials: [UsernamePasswordCredential (username = irvan, source = null, customFields = {})]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Thu Jan 07 02:41:53 WIB 2021
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
> =============================================================
>
> 2021-01-07 02:41:53,898 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: irvan
> WHAT: [result = Service Access Granted, service = http://cas.example.org/secured-by-cas,principal=SimplePrincipal (id = irvan, attributes = {}), requiredAttributes = {}]
> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Thu Jan 07 02:41:53 WIB 2021
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
> =============================================================
>
> 2021-01-07 02:41:53,979 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: irvan
> WHAT: [result = Service Access Granted, service = http://cas.example.org/secured-by-cas,principal=SimplePrincipal (id = irvan, attributes = {}), requiredAttributes = {}]
> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Thu Jan 07 02:41:53 WIB 2021
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
> =============================================================
>
> 2021-01-07 02:41:54,031 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: irvan
> WHAT: TGT-1-*****xRhS4ALrTY-Irvan
> ACTION: TICKET_GRANTING_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Thu Jan 07 02:41:54 WIB 2021
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
> =============================================================
>
> 2021-01-07 02:41:54,092 INFO
>
> On Wednesday, 06 January 2021 at 04.08.31 UTC+7 Ray Bon wrote:
>
> Irvan,
>
> In your cas config you use cas.example.org but in your auth_cas.conf you
> have localhost.
> Are they on the same host?
>
> Check your cas client / apache logs.
>
> Make sure apache knows about the cas certificate.
>
> Ray
>
> On Tue, 2021-01-05 at 11:47 -0800, irvan suryadi wrote:
>
> Hi Everyone,
>
> I am currently trying to create a client application for my cas server
> using Apache2 on Ubuntu 20.04 LTS.
>
> But at this time I encountered an obstacle. After successfully logging in
> using SSO CAS, the following problem arises:
>
> //
> Unauthorized
>
> This server could not verify that you are authorized to access the
> document requested. Either you supplied the wrong credentials (e.g., bad
> password), or your browser doesn't understand how to supply the credentials
> required.
>
> Apache/2.4.41 (Ubuntu) Server at cas.example.org Port 80
> //
>
> Is there a cas configuration that I missed?
>
> Here is the configuration I have made on my server. I hope this helps make
> it easier to answer this question.
>
> -----------------------------------------------------------
>
> Service Registry Files
> (/etc/cas/services/ApacheSecuredByCAS-1609235681.json) :
>
> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId":"^http://cas.example.org/secured-by-cas",
>   "name" : "Apache",
>   "id" : 1609235681,
>   "evaluationOrder" : 1,
>   "authenticationPolicy" : {
>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
>     "requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "Radius" ]]
>   }
> }
>
> -------------------
> cas.properties (/etc/cas/config) :
>
> cas.server.name=https://cas.example.org:8443
> cas.server.prefix=${cas.server.name}/cas
>
> logging.config=file:/etc/cas/config/log4j2.xml
>
> cas.service-registry.json.location=file:/etc/cas/services
>
> cas.authn.accept.users=
> #cas.authn.accept.enabled=
> server.port = 8443
>
> #cas.adminPagesSecurity.ip=127\.0\.0\.1
>
> # SSL
> server.ssl.enabled=true
>
> server.ssl.keyStore=file:/etc/cas/thekeystore
> server.ssl.keyStorePassword=changeit
> server.ssl.keyPassword=changeit
>
> # AUTHENTICATION PROPERTIES
> #cas.authn.radius.server.nasIpAddress=192.168.1.2
> #EAP_MSCHAPv2
> cas.authn.radius.name=Radius
> cas.authn.radius.server.protocol=PAP
>
> cas.authn.radius.server.retries=1
> cas.authn.radius.client.authenticationPort=1812
> cas.authn.radius.client.sharedSecret=casserver
> cas.authn.radius.client.inetAddress=192.168.56.2
> cas.authn.radius.client.accountingPort=1813
>
> # TICKETING PROPERTIES
> # Enable the backing map to be cacheable
> cas.ticket.registry.in-memory.cache=true
>
> cas.ticket.registry.in-memory.load-factor=1
> cas.ticket.registry.in-memory.concurrency=20
> cas.ticket.registry.in-memory.initial-capacity=1000
>
> ---------------
> Dependencies (build.gradle) :
> dependencies {
>     // Other CAS dependencies/modules may be listed here...
>     implementation "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"
>     implementation "org.apereo.cas:cas-server-support-radius:${project.'cas.version'}"
> }
>
> ---------
>
> APACHE2 CONFIG (/etc/apache2) (I'm not using httpd)
>
> auth_cas.conf :
> <IfModule mod_auth_cas.c>
>   CASLoginUrl https://localhost:8443/cas/login
>   CASValidateUrl https://localhost:8443/cas/serviceValidate
>   CASCookiePath /var/cache/apache2/mod_auth_cas/
>   CASSSOEnabled On
>   CASDebug On
>   logLevel Debug
> </IfModule>
>
> /etc/apache2/sites-enabled/000-default.conf :
> <VirtualHost *:80>
>   # The ServerName directive sets the request scheme, hostname and port that
>   # the server uses to identify itself. This is used when creating
>   # redirection URLs. In the context of virtual hosts, the ServerName
>   # specifies what hostname must appear in the request's Host: header to
>   # match this virtual host. For the default virtual host (this file) this
>   # value is not decisive as it is used as a last resort host regardless.
>   # However, you must set it for any further virtual host explicitly.
>   ServerName cas.example.org
>   ServerAdmin webmaster@localhost
>   DocumentRoot /var/www/html
>
>   # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
>   # error, crit, alert, emerg.
>   # It is also possible to configure the loglevel for particular
>   # modules, e.g.
>   # LogLevel info ssl:warn
>
>   ErrorLog ${APACHE_LOG_DIR}/error.log
>   CustomLog ${APACHE_LOG_DIR}/access.log combined
>   # For most configuration files from conf-available/, which are
>   # enabled or disabled at a global level, it is possible to
>   # include a line for only one particular virtual host. For example the
>   # following line enables the CGI configuration for this host only
>   # after it has been globally disabled with "a2disconf".
>   #Include conf-available/serve-cgi-bin.conf
>   <location /secured-by-cas> // I've changed this to <Directory "/var/www/html/secured-by-cas"> but it's still the same.
>     <IfModule mod_auth_cas.c>
>       AuthType CAS
>       CASAuthNHeader On
>     </IfModule>
>     Require valid-user
>
>   </location>
> </VirtualHost>
>
> # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
>
> ------------------------------------
>
> I hope you guys understand this email, I'm not that good at English, guys.
>
> Thank you,
> Irvan
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
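
Added example, not part of the original thread: the "self signed certificate" message quoted above is what a verifying TLS client reports when the server certificate does not chain to a trust anchor it was given. The script below reproduces that check offline with a constructed throwaway certificate; the function names and temporary paths are assumptions, and the CN `cas.example.org` is chosen for illustration, not read from the poster's keystore.

```sh
#!/bin/sh
# Added example: every certificate here is a constructed throwaway.

# Create a self-signed certificate whose CN is the given hostname.
make_selfsigned() {   # $1 = hostname, $2 = output directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$2/cas.key" -out "$2/cas.crt" >/dev/null 2>&1
}

# Verify a server certificate as a TLS client would: it must chain to a
# trust anchor and match the hostname used in the URL.
# $1 = server cert, $2 = hostname from the URL, $3 = CA file ("" = system store)
check_cert() {
  if [ -n "$3" ]; then
    openssl verify -verify_hostname "$2" -CAfile "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -verify_hostname "$2" "$1" >/dev/null 2>&1
  fi && echo ok || echo fail
}

demo() {
  d=$(mktemp -d)
  make_selfsigned cas.example.org "$d" || { echo "openssl req failed"; return 1; }
  # 1. No trust anchor supplied: the self-signed failure seen in the thread.
  echo "system store, cas.example.org: $(check_cert "$d/cas.crt" cas.example.org "")"
  # 2. The certificate itself supplied as the trust anchor.
  echo "own CA file,  cas.example.org: $(check_cert "$d/cas.crt" cas.example.org "$d/cas.crt")"
  # 3. Trusted, but the URL host is localhost while the cert names cas.example.org.
  echo "own CA file,  localhost:       $(check_cert "$d/cas.crt" localhost "$d/cas.crt")"
  rm -rf "$d"
}

demo
```

Against a live server the same two conditions can be checked with `openssl s_client -connect cas.example.org:8443 -CAfile /etc/cas/cas.crt -verify_hostname cas.example.org`, using the host, port and certificate path given in the thread.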