I am trying to configure cosign to authenticate against the UM cosign services. I have a cert signed by umwebCA, however it appears that I still am getting certificate problems!
The site that is connecting to cosign is on a private network, and requests are being proxied to it from another apache server. I have tried any of the troubleshooting suggestions that I could find, all of which are attached below, including the error messages I am seeing, and the relevant part of the virtual-host config.

Any help would be much appreciated.

Thanks,
Nathaniel

relevant apache virtualhost config:

    SSLEngine on
    SSLCertificateFile /var/www/etc/ssl/server.crt
    SSLCertificateKeyFile /var/www/etc/ssl/private/server.key
    CosignProtected On
    CosignHostname weblogin.umich.edu
    CosignRedirect https://weblogin.umich.edu/
    CosignPostErrorRedirect https://weblogin.umich.edu/post_error.html
    CosignService wirelessguest.umtri
    CosignCrypto /var/www/etc/ssl/private/wirelessguest.key /var/www/etc/ssl/wirelessguest.crt /var/www/etc/ssl/cosignCA
    CosignSiteEntry https://wirelessguest.umtri.umich.edu

apache error log:

    [Mon Apr 28 10:19:10 2008] [error] mod_cosign: snet_starttls: error: 14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    [Mon Apr 28 10:19:10 2008] [error] mod_cosign: snet_starttls: error: 14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    [Mon Apr 28 10:19:10 2008] [error] mod_cosign: snet_starttls: error: 14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    [Mon Apr 28 10:19:10 2008] [error] mod_cosign: snet_starttls: error: 14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    [Mon Apr 28 10:19:10 2008] [error] mod_cosign: cosign_cookie_valid: Unable to connect to any Cosign server.

    # ls -l var/cosign/
    total 4
    drwxr-xr-x 2 www daemon 512 Apr 23 15:45 filter

    # openssl verify -CApath etc/ssl/cosignCA -purpose sslclient etc/ssl/wirelessguest.crt
    etc/ssl/wirelessguest.crt: OK

    # openssl version
    OpenSSL 0.9.7j 04 May 2006

    # cat /dev/null | openssl s_client -connect weblogin.umich.edu:6663 -CApath etc/ssl/cosignCA -cert etc/ssl/wirelessguest.crt -key etc/ssl/private/wirelessguest.key -starttls smtp
    CONNECTED(00000004)
    depth=1 /C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/OU=ITCS/CN=UM Web CA/[EMAIL PROTECTED]
    verify return:1
    depth=0 /C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/OU=ITCS/CN=weblogin.umich.edu/[EMAIL PROTECTED]
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/OU=ITCS/CN=weblogin.umich.edu/[EMAIL PROTECTED]
       i:/C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/OU=ITCS/CN=UM Web CA/[EMAIL PROTECTED]
     1 s:/C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/OU=ITCS/CN=UM Web CA/[EMAIL PROTECTED]
       i:/C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/OU=ITCS/CN=UM Web CA/[EMAIL PROTECTED]
    ---
    Server certificate
    subject=/C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/OU=ITCS/CN=weblogin.umich.edu/[EMAIL PROTECTED]
    issuer=/C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/OU=ITCS/CN=UM Web CA/[EMAIL PROTECTED]
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1911 bytes and written 2558 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID: 6F05919474D0D6AE4F50CE2F2E7F59202BBF1AA96FB48CA4FA4369E01DA96F7E
        Session-ID-ctx:
        Master-Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        Key-Arg   : None
        Start Time: 1209392865
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    220 2 Collaborative Web Single Sign-On
    500 Command EHLO unregcognized
    DONE

-----
Nathaniel Madura
Engineer in Research
UMTRI - Biosciences
734-936-1109
[EMAIL PROTECTED]

_______________________________________________
Cosign-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
