This advice, piled with a plethora of other pieces of evidence,
eventually resulted in the server admins looking into the issue.

Once they correctly installed the intermediate cert *AND* had the
correct alternate names in the cert, things started humming along perfectly.

Thanks very much!

Jeff

Marvin Addison wrote:
> Found the needle in the haystack:
> 
> chain [0] = [
> [
>  Version: V3
>  Subject: CN=*.uni.edu, OU=Information Technology Services -
> Information Systems, O=University of Northern Iowa, L=Cedar Falls,
> ST=Iowa, C=US
>  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
> 
>  Key:  SunPKCS11-Solaris RSA public key, 1024 bits (id 18375032, session 
> object)
>  modulus: 
> 150252834723561447967415045547110642718186254487638106274530683717502202186242739986401301532067909257705376376731702670798392352220276069305613608914222704280715074880254729626699122945560042771374711093102394381214967841639350759335294151180419448599809918344003825320472445869538730864301794080354316670753
>  public exponent: 65537
>  Validity: [From: Tue Jun 02 19:00:00 CDT 2009,
>               To: Fri Aug 06 18:59:59 CDT 2010]
>  Issuer: CN=DigiCert Global CA, OU=www.digicert.com, O=DigiCert Inc, C=US
>  SerialNumber: [    03e6c037 e13346ac 82383d90 45d19d35]
> 
> Certificate Extensions: 9
> [1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
> AuthorityInfoAccess [
>  [accessMethod: 1.3.6.1.5.5.7.48.1
>   accessLocation: URIName: http://ocsp.digicert.com, accessMethod:
> 1.3.6.1.5.5.7.48.2
>   accessLocation: URIName: 
> http://www.digicert.com/CACerts/DigiCertGlobalCA.crt]
> ]
> 
> [2]: ObjectId: 2.5.29.17 Criticality=false
> SubjectAlternativeName [
>  DNSName: accesstest.uni.edu
>  DNSName: zany.admin.uni.edu
>  DNSName: accessstage.uni.edu
>  DNSName: sage.admin.uni.edu
>  DNSName: uni.edu
>  DNSName: *.uni.edu
> ]
> 
> [3]: ObjectId: 2.5.29.35 Criticality=false
> AuthorityKeyIdentifier [
> KeyIdentifier [
> 0000: A7 C7 13 A0 7A 01 3C 9D   EF 82 48 82 48 D5 73 51  ....z.<...H.H.sQ
> 0010: B6 12 56 2A                                        ..V*
> ]
> 
> ]
> 
> [4]: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: 82 5E F6 7D C8 64 CA EE   C5 5E 5F 67 5F DC 18 15  .^...d...^_g_...
> 0010: 57 EC DB F1                                        W...
> ]
> ]
> 
> [5]: ObjectId: 2.5.29.32 Criticality=false
> CertificatePolicies [
>  [CertificatePolicyId: [2.16.840.1.114412.1.3.0.1]
> [PolicyQualifierInfo: [
>  qualifierID: 1.3.6.1.5.5.7.2.1
>  qualifier: 0000: 16 2E 68 74 74 70 3A 2F   2F 77 77 77 2E 64 69 67
> ..http://www.dig
> 0010: 69 63 65 72 74 2E 63 6F   6D 2F 73 73 6C 2D 63 70  icert.com/ssl-cp
> 0020: 73 2D 72 65 70 6F 73 69   74 6F 72 79 2E 68 74 6D  s-repository.htm
> 
> ], PolicyQualifierInfo: [
>  qualifierID: 1.3.6.1.5.5.7.2.2
> 
> ]]  ]
> ]
> 
> [6]: ObjectId: 2.5.29.19 Criticality=true
> BasicConstraints:[
>  CA:false
>  PathLen: undefined
> ]
> 
> [7]: ObjectId: 2.5.29.37 Criticality=false
> ExtendedKeyUsages [
>  serverAuth
>  clientAuth
> ]
> 
> [8]: ObjectId: 2.5.29.31 Criticality=false
> CRLDistributionPoints [
>  [DistributionPoint:
>     [URIName: http://crl3.digicert.com/DigiCertGlobalCA-2009g.crl]
> , DistributionPoint:
>     [URIName: http://crl4.digicert.com/DigiCertGlobalCA-2009g.crl]
> ]]
> 
> [9]: ObjectId: 2.5.29.15 Criticality=true
> KeyUsage [
>  DigitalSignature
>  Key_Encipherment
> ]
> 
> ]
>  Algorithm: [SHA1withRSA]
>  Signature:
> 
> ]
> 
> That's the cert chain immediately before the PKIX validation error.
> The chain appears truncated since in the previous SSL/TLS handshakes
> in the log, the full chain from *.uni.edu down to entrust is shown.
> Hopefully knowing you're not sending the full chain in some cases is
> enough of a hint to point you in the right direction.
> 
> M
> 


--
Jeff Chapin,
Assistant Systems/Applications Administrator
ITS-IS, University of Northern Iowa
Phone: 319-273-3162 Email: jeff.cha...@uni.edu
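Added example, not code from this thread or from CAS: it models the two conditions Jeff's fix needed, a chain that reaches a trusted anchor and a host name covered by the SAN list, using the subject, issuer and SAN names from Marvin's dump. The Entrust anchor's subject string is a constructed placeholder, and real verification stays the TLS library's job; this only isolates the two checks that failed here.

```python
# Added example, not from the thread: the two conditions the fix needed, a chain
# that reaches a trusted anchor and a host name covered by the SAN list, using the
# names from the quoted dump. The Entrust anchor subject is a placeholder.
from dataclasses import dataclass, field

@dataclass
class Cert:
    subject: str
    issuer: str
    sans: list = field(default_factory=list)
    ca: bool = False

def chain_gap(chain, trusted_subjects):
    """None if each issuer names the next subject and the chain ends at a trusted anchor."""
    if not chain:
        return "no certificate presented"
    for cur, nxt in zip(chain, chain[1:]):
        if cur.issuer != nxt.subject:
            return f"'{cur.subject}' issued by '{cur.issuer}', next cert is '{nxt.subject}'"
        if not nxt.ca:  # BasicConstraints CA:false cannot sign certificates
            return f"'{nxt.subject}' is not a CA certificate"
    last = chain[-1]
    if last.subject in trusted_subjects or last.issuer in trusted_subjects:
        return None
    return f"'{last.subject}' issued by untrusted '{last.issuer}': intermediate missing?"

def san_matches(pattern, host):
    """'*' covers exactly one leftmost label (RFC 6125): '*.uni.edu' != 'zany.admin.uni.edu'."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    pl, hl = p.split("."), h.split(".")
    return len(pl) == len(hl) and pl[1:] == hl[1:]

def host_covered(host, cert):
    return any(san_matches(s, host) for s in cert.sans)

# Constructed sample data from the subject, issuer and SAN lines of the dump.
LEAF = Cert("CN=*.uni.edu, O=University of Northern Iowa, C=US",
            "CN=DigiCert Global CA, O=DigiCert Inc, C=US",
            ["accesstest.uni.edu", "zany.admin.uni.edu", "accessstage.uni.edu",
             "sage.admin.uni.edu", "uni.edu", "*.uni.edu"])
INTERMEDIATE = Cert("CN=DigiCert Global CA, O=DigiCert Inc, C=US",
                    "CN=Entrust root (placeholder)", ca=True)
TRUST_STORE = {"CN=Entrust root (placeholder)"}

if __name__ == "__main__":
    print(chain_gap([LEAF], TRUST_STORE), "|", chain_gap([LEAF, INTERMEDIATE], TRUST_STORE))
    print({h: host_covered(h, LEAF) for h in ("accesstest.uni.edu", "new.admin.uni.edu")})
```

The leaf-only chain reproduces the "truncated chain" Marvin saw, and the wildcard rule shows why `zany.admin.uni.edu` and `uni.edu` needed their own SAN entries.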

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
