On August 17, 2012 10:10, Shawn Rahl <sr...@umich.edu> wrote:
> [root@molar ~]# cat /dev/null | openssl s_client -connect 
> weblogin.umich.edu:6663 -CApath 
> /etc/httpd/cosign-ca-dir -cert 
> /etc/httpd/certs/current/mitools-dev.dent.umich.edu.crt -key 
> /etc/httpd/certs/current/mitools-dev.dent.umich.edu.key -starttls smtp 
> -showcerts
> CONNECTED(00000003)
> didn't found starttls in server response, try anyway...
> depth=1 /C=US/ST=Michigan/L=Ann Arbor/O=University of 
> Michigan/OU=ITCS/CN=UM Web CA/emailAddress=webmas...@umich.edu
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---

> Note, we do not have self-signed certificates being used at all, so I 
> am not sure where the return code 19 and message is coming from.

What is the output of "ls -la /etc/httpd/cosign-ca-dir" ?

Be sure you have the following in that directory (note that this will be 
different for people from other institutions):

lrwxrwxrwx. 1 root root     11 Jul 10 11:22 5cc1e784.0 -> umwebCA.pem
-rw-r--r--. 1 root root   1334 Mar 19 10:56 umwebCA.pem

Also make sure you have the correct CA root certificate:

[root@minos certs]# sha512sum umwebCA.pem
e8de2020db961a1d20ef17752945ebdfdc089ceeb9d9370d6cbbac29f3c65711994e5e54a03338d3d6b03b711faa197c229b9eb9832be982fa0cd3eb65a79a04  umwebCA.pem
[root@minos certs]#

The output you should see from the "openssl s_client -showcerts" command is:

[root@minos certs]# openssl s_client -connect weblogin.umich.edu:6663 
-cert /etc/pki/tls/certs/minos.lsa.umich.edu.crt -key 
/etc/pki/tls/private/minos.lsa.umich.edu.key -CApath /etc/pki/tls/certs 
-starttls smtp -showcerts
CONNECTED(00000003)
didn't found starttls in server response, try anyway...
depth=1 C = US, ST = Michigan, L = Ann Arbor, O = University of 
Michigan, OU = ITCS, CN = UM Web CA, emailAddress = webmas...@umich.edu
verify return:1
depth=0 C = US, ST = Michigan, L = Ann Arbor, O = University of 
Michigan, OU = ITCS, CN = weblogin.umich.edu, emailAddress = 
webmas...@umich.edu
verify return:1
---
Certificate chain
  0 s:/C=US/ST=Michigan/L=Ann Arbor/O=University of 
Michigan/OU=ITCS/CN=weblogin.umich.edu/emailAddress=webmas...@umich.edu
    i:/C=US/ST=Michigan/L=Ann Arbor/O=University of 
Michigan/OU=ITCS/CN=UM Web CA/emailAddress=webmas...@umich.edu
[...remainder of output omitted...]

--
   Mark Montague
   m...@catseye.org
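
The directory check described in the message above can be scripted. The following is an added example, not part of the original thread or of cosign: it confirms that every certificate in a -CApath directory has the <hash>.N link OpenSSL looks up. The function name check_capath and the assumption that CA files end in .pem (as in the listing above) are mine; the demo uses a constructed throwaway CA.

```shell
#!/bin/sh
# Added example, not from the original thread.
# check_capath DIR: verify that each *.pem certificate in an OpenSSL -CApath
# directory is reachable through the <subject-hash>.N name OpenSSL looks up.
# Returns 0 only if every certificate has a matching link.
check_capath() {
    dir=$1
    status=0
    count=0
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        count=$((count + 1))
        # Hash as computed by the local openssl binary. The algorithm changed
        # in OpenSSL 1.0.0, so a link name made by another version may differ.
        subj=$(openssl x509 -noout -hash -in "$pem") || { status=1; continue; }
        found=no
        for link in "$dir/$subj".[0-9]*; do
            [ -e "$link" ] || continue          # skips dangling links
            if cmp -s "$link" "$pem"; then found=yes; break; fi
        done
        if [ "$found" = yes ]; then
            echo "OK       $subj  $(basename "$pem")"
        else
            echo "MISSING  $subj.0 -> $(basename "$pem")"
            status=1
        fi
    done
    [ "$count" -gt 0 ] || { echo "no *.pem files in $dir"; return 1; }
    return $status
}

# Demo on a constructed directory with a throwaway self-signed CA
# (constructed sample, not the UM Web CA from the thread).
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$demo/ca.key" -out "$demo/testCA.pem" 2>/dev/null
check_capath "$demo" || echo "-> hash link missing, as expected"
ln -s testCA.pem "$demo/$(openssl x509 -noout -hash -in "$demo/testCA.pem").0"
check_capath "$demo" && echo "-> CApath directory is usable"
rm -rf "$demo"
```

Run it against the directory passed to -CApath on the machine that reports the verify error, so the hash is computed by the same OpenSSL build that does the lookup.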

