Irvan,

It looks like mod_auth_cas is unable to find the cert at that location 
(/etc/ssl/certs), or it is not an x509 cert, or it is not readable.

Ray

On Mon, 2021-01-11 at 12:08 -0800, irvan suryadi wrote:


Notice: This message was sent from outside the University of Victoria email 
system. Please be cautious with links and sensitive information.

Ray,

I have done your recommendation above; I think a little more might work.

Now I find the following error message:
MOD_AUTH_CAS: curl_easy_perform() failed (error setting certificate verify 
locations:\n  CAfile: /etc/ssl/certs/cas.cer\n  CApath: /etc/ssl/certs).

What can I do? (I have imported cas.cer into cacerts in the JVM .../security/cacerts.)

Thanks,
Irvan

On Tuesday, 12 January 2021 at 02:24:08 UTC+7, Ray Bon wrote:
Irvan,

Try moving the certificate from /etc/cas/ to the system cert store, somewhere 
like /etc/ssl/certs/, so that the host curl can find it. (And update the 
mod_auth_cas config to point there.)

Ray

On Mon, 2021-01-11 at 11:09 -0800, irvan suryadi wrote:

Hi Ray,

I've tried what you recommended before, but I still get the same error. After 
checking the apache2 error log,

I find this error message:
[client 127.0.0.1:51490] MOD_AUTH_CAS: curl_easy_perform() failed (SSL certificate problem: self signed certificate)

I think this is because I use the self-signed keystore and certificate created 
with "./gradlew createKeystore" in the cas-server files.

Can I use the self-signed certificate, or turn off the self-signed certificate 
check in Apache?

Thanks,
Irvan
On Thursday, 7 January 2021 at 04:31:07 UTC+7, Ray Bon wrote:
Irvan,

The embedded container properties might be for tomcat.
You may have to add the cert to the java keystore, usually in  
<JAVA_HOME>/jre/lib/security/cacerts.

Ray

On Wed, 2021-01-06 at 12:06 -0800, irvan suryadi wrote:

Hello Ray,

I have done several experiments based on your suggestions. First, I'd like to 
answer about cas.example.org and localhost. Yes, it is true that they are the 
same domain on IP 127.0.0.1.

I have added the certificate to "auth_cas.conf" using the "CASCertificatePath" 
directive, but the problem is still the same.

Is there anything I missed?

Thanks,
Irvan

auth_cas.conf :

<Directory "/var/www/html/secured-by-cas">
<IfModule mod_auth_cas.c>
AuthType CAS
CASAuthNHeader On
</IfModule>
Require valid-user
</Directory>

<IfModule mod_auth_cas.c>
CASLoginUrl https://cas.example.org:8443/cas/login
CASValidateUrl https://cas.example.org:8443/cas/serviceValidate
CASCookiePath /var/cache/apache2/mod_auth_cas/
CASSSOEnabled On
CASDebug On
LogLevel Debug
CASCertificatePath /etc/cas/cas.crt
</IfModule>

-------------------------

Based on your directions here is what my apache server "access.log" looks like 
when I try to run CAS:
::1 - - [07/Jan/2021:02:20:30 +0700] "GET /secured-by-cas HTTP/1.1" 302 668 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
::1 - - [07/Jan/2021:02:21:22 +0700] "-" 408 0 "-" "-"
::1 - - [07/Jan/2021:02:30:41 +0700] "GET /secured-by-cas HTTP/1.1" 302 668 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
::1 - - [07/Jan/2021:02:38:18 +0700] "GET /secured-by-cas HTTP/1.1" 302 668 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
::1 - - [07/Jan/2021:02:39:10 +0700] "-" 408 0 "-" "-"
127.0.0.1 - - [07/Jan/2021:02:41:54 +0700] "GET /secured-by-cas?ticket=ST-1-sZOsx9-Yf4rt4RwvMt6cJnYsNs-Irvan HTTP/1.1" 401 682 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
127.0.0.1 - - [07/Jan/2021:02:41:54 +0700] "GET /favicon.ico HTTP/1.1" 404 493 "http://cas.example.org/secured-by-cas?ticket=ST-1-sZOsx9-Yf4rt4RwvMt6cJnYsNs-Irvan" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"

------------------------
Here's the log from my apache server:

============================================================
WHO: audit:unknown
WHAT: [event=success, timestamp=Thu Jan 07 02:41:48 WIB 2021, source=RankedMultifactorAuthenticationProviderWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Thu Jan 07 02:41:48 WIB 2021
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
============================================================

>
2021-01-07 02:41:53,860 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated principal [irvan] with attributes [{}] via credentials [[UsernamePasswordCredential(username=irvan, source=null, customFields={})]].>
2021-01-07 02:41:53,878 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
============================================================
WHO: irvan
WHAT: Supplied credentials: [UsernamePasswordCredential(username=irvan, source=null, customFields={})]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Thu Jan 07 02:41:53 WIB 2021
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
============================================================

>
2021-01-07 02:41:53,898 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
============================================================
WHO: irvan
WHAT: [result=Service Access Granted, service=http://cas.example.org/secured-by-cas, principal=SimplePrincipal(id=irvan, attributes={}), requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Thu Jan 07 02:41:53 WIB 2021
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
============================================================

>
2021-01-07 02:41:53,979 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
============================================================
WHO: irvan
WHAT: [result=Service Access Granted, service=http://cas.example.org/secured-by-cas, principal=SimplePrincipal(id=irvan, attributes={}), requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Thu Jan 07 02:41:53 WIB 2021
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
============================================================

>
2021-01-07 02:41:54,031 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
============================================================
WHO: irvan
WHAT: TGT-1-*****xRhS4ALrTY-Irvan
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Thu Jan 07 02:41:54 WIB 2021
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
============================================================

>
2021-01-07 02:41:54,092 INFO

On Wednesday, 6 January 2021 at 04:08:31 UTC+7, Ray Bon wrote:
Irvan,

In your cas config you use cas.example.org but in your auth_cas.conf you have 
localhost.
Are they on the same host?

Check your cas client / apache logs.

Make sure apache knows about the cas certificate.

Ray

On Tue, 2021-01-05 at 11:47 -0800, irvan suryadi wrote:

Hi Everyone,

I am currently trying to create a client application for my CAS server using 
Apache2 on Ubuntu 20.04 LTS.

But at this time I have encountered an obstacle. After successfully logging in 
using CAS SSO, the following problem arises:

//
Unauthorized

This server could not verify that you are authorized to access the document 
requested. Either you supplied the wrong credentials (e.g., bad password), or 
your browser doesn't understand how to supply the credentials required.

Apache/2.4.41 (Ubuntu) Server at cas.example.org Port 80
//

Is there a cas configuration that I missed?

Here is the configuration I have made on my server. I hope this helps make it 
easier to answer this question.

-----------------------------------------------------------

Service Registry Files (/etc/cas/services/ApacheSecuredByCAS-1609235681.json) :

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^http://cas.example.org/secured-by-cas",
  "name" : "Apache",
  "id" : 1609235681,
  "evaluationOrder" : 1,
  "authenticationPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
    "requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "Radius" ]]
  }
}

-------------------
cas.properties (/etc/cas/config) :

cas.server.name=https://cas.example.org:8443
cas.server.prefix=${cas.server.name}/cas

logging.config=file:/etc/cas/config/log4j2.xml

cas.service-registry.json.location=file:/etc/cas/services

cas.authn.accept.users=
#cas.authn.accept.enabled=
server.port = 8443

#cas.adminPagesSecurity.ip=127\.0\.0\.1

# SSL
server.ssl.enabled=true

server.ssl.keyStore=file:/etc/cas/thekeystore
server.ssl.keyStorePassword=changeit
server.ssl.keyPassword=changeit

# AUTHENTICATION PROPERTIES
#cas.authn.radius.server.nasIpAddress=192.168.1.2
#EAP_MSCHAPv2
cas.authn.radius.name=Radius
cas.authn.radius.server.protocol=PAP

cas.authn.radius.server.retries=1
cas.authn.radius.client.authenticationPort=1812
cas.authn.radius.client.sharedSecret=casserver
cas.authn.radius.client.inetAddress=192.168.56.2
cas.authn.radius.client.accountingPort=1813

# TICKETING PROPERTIES
# Enable the backing map to be cacheable
cas.ticket.registry.in-memory.cache=true

cas.ticket.registry.in-memory.load-factor=1
cas.ticket.registry.in-memory.concurrency=20
cas.ticket.registry.in-memory.initial-capacity=1000

---------------
Dependencies (build.gradle) :
dependencies {
    // Other CAS dependencies/modules may be listed here...
    implementation "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"
    implementation "org.apereo.cas:cas-server-support-radius:${project.'cas.version'}"
}

---------

APACHE2 CONFIG (/etc/apache2) (I'm not using httpd)

auth_cas.conf :
<IfModule mod_auth_cas.c>
CASLoginUrl https://localhost:8443/cas/login
CASValidateUrl https://localhost:8443/cas/serviceValidate
CASCookiePath /var/cache/apache2/mod_auth_cas/
CASSSOEnabled On
CASDebug On
LogLevel Debug
</IfModule>

/etc/apache2/sites-enabled/000-default.conf :
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName cas.example.org
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
# LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
<Location /secured-by-cas>
# I've changed this to <Directory "/var/www/html/secured-by-cas"> but it is still the same.
<IfModule mod_auth_cas.c>
AuthType CAS
CASAuthNHeader On
</IfModule>
Require valid-user

</Location>
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

------------------------------------

I hope you understand this email; my English is not that good.

Thank you,
Irvan

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.



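The three causes Ray gives at the top of the thread for curl's "error setting certificate verify locations" (the file is not at that path, it is not an X.509 certificate, or it is not readable) can be told apart offline before touching the Apache config again. The check below is an added example for this thread, not code from mod_auth_cas or Apereo CAS. It loads a candidate CASCertificatePath file through Python's ssl module, which goes through OpenSSL's PEM certificate loading, the same requirement curl's OpenSSL backend applies to a CAfile, so a file that fails here fails in mod_auth_cas too. It separates out one cause the thread does not name: a DER-encoded export, which is what "keytool -exportcert" writes unless -rfc is given, and which curl will not accept as a CAfile. It also checks whether a CApath directory actually contains the hashed links OpenSSL looks up, since a cas.crt simply copied into /etc/ssl/certs is not found that way. The paths in the usage section are the ones from the thread and are hypothetical on any other machine; the sample files used to exercise the function are constructed.

```python
"""Diagnose why curl (and therefore mod_auth_cas) rejects a CA file or CApath.

Added example for this thread, not code from mod_auth_cas or Apereo CAS.
Paths used in __main__ are the ones quoted in the thread; they are assumed.
"""
import os
import re
import ssl

# OpenSSL-style hashed CApath entries look like "a94d09e5.0": eight hex digits,
# a dot and a sequence number (what c_rehash / update-ca-certificates create).
# A file dropped into /etc/ssl/certs under its own name is never consulted via
# CApath unless such a link points at it.
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def diagnose_ca_file(path: str) -> str:
    """Classify a CASCertificatePath-style file the way curl would fail on it.

    Returns one of: "missing", "unreadable", "der-not-pem",
    "not-a-certificate", "ok".
    """
    if not os.path.isfile(path):
        return "missing"
    if not os.access(path, os.R_OK):
        # Caveat: running this as root hides a permission problem that the
        # unprivileged Apache worker (www-data on Ubuntu) will still hit.
        return "unreadable"
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return "unreadable"
    if b"-----BEGIN" not in data and data[:1] == b"\x30":
        # A leading 0x30 is an ASN.1 SEQUENCE tag: a DER-encoded certificate,
        # which is what "keytool -exportcert" emits without -rfc. curl's CAfile
        # must be PEM; convert with:
        #   openssl x509 -inform DER -in cas.cer -out cas.pem
        return "der-not-pem"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # OpenSSL's PEM certificate loading (SSL_CTX_load_verify_locations):
        # raises when no PEM certificate can be parsed out of the file.
        ctx.load_verify_locations(cafile=path)
    except (ssl.SSLError, OSError):
        return "not-a-certificate"
    return "ok"


def hashed_entries(capath: str) -> list:
    """Return the hash-named entries (e.g. 'a94d09e5.0') in a CApath directory.

    An empty list means OpenSSL/curl will find nothing there by CApath lookup,
    even though the certificate file itself may sit in the directory.
    """
    if not os.path.isdir(capath):
        return []
    return sorted(n for n in os.listdir(capath) if HASHED_NAME.match(n))


if __name__ == "__main__":
    # Usage against the paths quoted in the thread (assumed; adjust to taste).
    for p in ("/etc/ssl/certs/cas.cer", "/etc/cas/cas.crt"):
        print(p, "->", diagnose_ca_file(p))
    print("/etc/ssl/certs hashed entries:", len(hashed_entries("/etc/ssl/certs")))
```

Run it as the Apache user (for example with sudo -u www-data) so the readability result reflects the worker's privileges rather than root's. On Ubuntu 20.04 the ca-certificates mechanism for adding a private CA is to copy the PEM file to /usr/local/share/ca-certificates/cas.crt (the .crt extension is required) and run update-ca-certificates, which creates the hashed link in /etc/ssl/certs and appends the certificate to /etc/ssl/certs/ca-certificates.crt; CASCertificatePath can then point at either of those. Importing the certificate into the JVM's cacerts, as tried earlier in the thread, does not affect mod_auth_cas, because curl does not read Java keystores.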
-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f02dc02676c65f8721eb16d2b60508550683a9d9.camel%40uvic.ca.
