On April 18, 2012 11:49 , "Taylor, Dion" <di...@umich.edu> wrote: > [error] mod_cosign: snet_starttls: error:14090086:SSL > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed > > When I visit the website in question, I'm able to authenticate to Cosign, but > then I'm taken to a "Service Temporarily Unavailable" page.
This error occurs when mod_cosign is unable to verify the certificate used by your institution's central weblogin servers. Make sure you have the root and any intermediate CA certificates installed for the CA that signed the certificate used by your central weblogin server. Also make sure you have a hash symlink for that certificate in the same directory. Under Red Hat Enterprise Linux, I usually install *all* certificates, including the server's SSL certificate and all CA certificates, in /etc/pki/tls/certs For example: [root@schrodingers certs]# ls -l total 1224 lrwxrwxrwx. 1 root root 27 Nov 10 12:48 081aa176.0 -> ecat-test.lsa.umich.edu.crt lrwxrwxrwx. 1 root root 13 Nov 10 12:48 381ce4dd.0 -> ca-bundle.crt lrwxrwxrwx. 1 root root 11 Mar 20 03:40 5cc1e784.0 -> umwebCA.pem lrwxrwxrwx. 1 root root 20 Nov 10 12:48 9ef5f911.0 -> InCommonServerCA.crt lrwxrwxrwx. 1 root root 30 Nov 10 12:48 a9e4b937.0 -> schrodingers.lsa.umich.edu.crt -rw-r--r--. 1 root root 571442 Apr 7 2010 ca-bundle.crt -rw-r--r--. 1 root root 651075 Apr 7 2010 ca-bundle.trust.crt -rw-r--r--. 1 root root 2240 Nov 10 12:47 ecat-test.lsa.umich.edu.crt lrwxrwxrwx. 1 root root 13 Nov 10 12:48 ecfd737a.0 -> localhost.crt -rw-r--r--. 1 root root 1712 Nov 10 12:39 InCommonServerCA.crt -rw-------. 1 root root 1212 Oct 21 13:23 localhost.crt -rwxr-xr-x. 1 root root 610 Mar 19 12:28 make-dummy-cert -rw-r--r--. 1 root root 2242 Mar 19 12:28 Makefile -rw-r--r--. 1 root root 2244 Nov 10 12:47 schrodingers.lsa.umich.edu.crt -rw-r--r--. 1 root root 1334 Mar 19 10:56 umwebCA.pem [root@schrodingers certs]# The best way to create the hash symlinks is to run "c_rehash /path/to/directory/containing/certificates". The c_rehash script is distributed with the source code of OpenSSL, but it is not included in the RPM for OpenSSL for some (many?) versions of Red Hat Enterprise Linux. If you don't have c_rehash, an alternative that will work as long as you don't have any hash collisions is: cd /etc/pki/tls/certs for i in *.pem *.crt *.cert ; do ln -s $i `openssl x509 -hash -noout -in $i`.0 done I then use the following CosignCrypto directive: CosignCrypto /etc/pki/tls/private/ecat-test.lsa.umich.edu.key /etc/pki/tls/certs/ecat-test.lsa.umich.edu.crt /etc/pki/tls/certs At my institution, incidentally, the certificate used by my central weblogin servers is in the file umwebCA.pem in the directory listing above. You can verify things (both the correct diagnosis of the problem as well as potential fixes) by following the instructions for the FAQ "My certificate is verified, but I'm still getting vague and unhelpful SSL errors. What else can I do?" at http://webapps.itcs.umich.edu/cosign/index.php/Cosign_Wiki:CosignFAQ#Configuration I hope this helps. -- Mark Montague m...@catseye.org ------------------------------------------------------------------------------ Better than sec? Nothing is better than sec when it comes to monitoring Big Data applications. Try Boundary one-second resolution app monitoring today. Free. http://p.sf.net/sfu/Boundary-dev2dev _______________________________________________ Cosign-discuss mailing list Cosign-discuss@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/cosign-discuss
