On November 4, 2013 at 19:43, Brian Arthur <brianpatrickart...@gmail.com> wrote:
I am trying to set up a Dev CoSign server (CentOS/Apache) by cloning an existing server (VMware) and am getting the following error in the Apache logs:

mod_cosign: connect_sn: cn=login.example.com & host=login-dev.example.com don't match!
mod_cosign: cosign_cookie_valid: Unable to connect to any Cosign server.

(example.com replacing real domain name).

I've updated Apache to reflect the new hostname (login-dev) but am more than a little lost when it comes to the cosign internals.

This is saying that mod_cosign on your web server is trying to connect to the central weblogin server, login-dev.example.com, in order to validate a cosign cookie, but that the certificate that the central weblogin server is presenting belongs to a different machine, login.example.com. Since mod_cosign cannot verify that it is talking to a legitimate central weblogin server rather than an imposter, mod_cosign returns an error.

To solve this problem, either rename your central weblogin server to be login.example.com (and change the configuration in both cosign.conf as well as for all cosign clients), or replace the certificate used by cosignd on the central weblogin server with a certificate that has the common name login-dev.example.com. Check your configuration in cosign.conf carefully, as there may be other discrepancies that you also have to resolve.

Note well: this is a problem with cosignd, not with Apache HTTP Server. It can be confusing because both the central weblogin server and other cosign-protected web servers will run Apache HTTP Server, and because Apache HTTP Server, cosignd, and mod_cosign each use certificates, which are often the same certificates (at least when looking only at a single host) but which do not have to be the same certificates (if you have a special need and know what you are doing).

Also note: you posted to cosign-discuss without joining the list (at least not with the email address you posted from). This causes your posts to be held for approval of a human moderator, as a spam protection measure. Also, if anyone just replies to the list instead of replying to all, you won't see their responses.

I hope this helps.

--
  Mark Montague
  m...@catseye.org
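
An added example, not part of the original message and not Cosign's own code: a shell check that reads the subject CN from a certificate file and compares it with the host name a client connects to, the same pair the log line reports. The function names and the throwaway self-signed certificate are constructed for illustration, and the comparison covers the CN only, as an assumption based on the log message.

```shell
#!/bin/sh
# Added example: compare a certificate's subject CN with the host name a
# client is configured to contact, the pair reported in the mod_cosign log.

# Print the subject commonName of a PEM certificate file.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# Succeed only if the certificate CN equals the host (case-insensitive).
cn_matches_host() {
    cn=$(cert_cn "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$cn" ] && [ "$cn" = "$host" ]
}

# Constructed sample: a throwaway self-signed certificate with the given CN,
# standing in for the certificate that came along with the cloned VM.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_cert "$tmp" login.example.com
for h in login.example.com login-dev.example.com; do
    if cn_matches_host "$tmp/cert.pem" "$h"; then
        echo "cn=$(cert_cn "$tmp/cert.pem") host=$h: match"
    else
        echo "cn=$(cert_cn "$tmp/cert.pem") host=$h: don't match"
    fi
done
```

To check a real server, pass `cn_matches_host` the certificate file that cosignd is configured to use and the host name the cosign clients are pointed at.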
