Thank you for the information. Can you direct me to any documentation on
how to replace the certificate used by cosignd to match my new common name?
I'm guessing this is located under /etc/cosign/certs as the first couple
lines of cosign.conf are:

set cosigncadir /etc/cosign/certs/ca/
set cosigncert /etc/cosign/certs/cgi.crt
set cosignkey /etc/cosign/certs/cgi.key
set cosigntmpldir /var/www/html/login-templates

cgi login-dev.example.com

Should I be looking here:
http://webapps.itcs.umich.edu/cosign/index.php/Cosign_Wiki:Test_install_HOWTO#Certificates_generation
but replace "cgi-1" with login-dev.example.com?

Thanks again,
Brian


On Tue, Nov 5, 2013 at 4:58 AM, Mark Montague <m...@catseye.org> wrote:

> On November 4, 2013 at 19:43, Brian Arthur
> <brianpatrickart...@gmail.com> wrote:
>
> I am trying to set up a Dev CoSign server (CentOS/Apache) by cloning an
> existing server (VMware) and am getting the following error in the Apache
> logs:
> mod_cosign: connect_sn: cn=login.example.com & host=login-dev.example.com don't match!
>  mod_cosign: cosign_cookie_valid: Unable to connect to any Cosign server.
>
>  (example.com replacing real domain name).
>
>  I've updated Apache to reflect the new hostname (login-dev) but am more
> than a little lost when it comes to the cosign internals.
>
>
> This is saying that mod_cosign on your web server is trying to connect to
> the central weblogin server, login-dev.example.com, in order to validate
> a cosign cookie, but that the certificate that the central weblogin server
> is presenting belongs to a different machine, login.example.com.  Since
> mod_cosign cannot verify that it is talking to a legitimate central
> weblogin server rather than an imposter, mod_cosign returns an error.
>
> To solve this problem, either rename your central weblogin server to be
> login.example.com (and change the configuration in both cosign.conf as
> well as for all cosign clients), or replace the certificate used by cosignd
> on the central weblogin server with a certificate that has the common name
> login-dev.example.com.  Check your configuration in cosign.conf
> carefully, as there may be other discrepancies that you also have to
> resolve.
>
> Note well:  this is a problem with cosignd, not with Apache HTTP Server.
> It can be confusing because both the central weblogin server and other
> cosign-protected web servers will run Apache HTTP Server, and because
> Apache HTTP Server, cosignd, and mod_cosign each use certificates, which
> are often the same certificates (at least when looking only at a single
> host) but which do not have to be the same certificates (if you have a
> special need and know what you are doing).
>
> Also note:  you posted to cosign-discuss without joining the list (at
> least not with the email address you posted from).  This causes your posts
> to be held for approval of a human moderator, as a spam protection
> measure.  Also, if anyone just replies to the list instead of replying to
> all, you won't see their responses.
>
> I hope this helps.
>
> --
>   Mark Montague
>   m...@catseye.org
>
>
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
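
The comparison behind the error discussed in this thread, as an added example (not part of the original messages and not Cosign's own code): it reads a certificate's common name with openssl and checks it against the host name clients are configured to contact. The function names and the throwaway demo certificate are constructed for illustration, and nothing here assumes which certificate file cosignd actually loads.

```shell
#!/bin/sh
# Added example: pre-flight check for "cn=... & host=... don't match!".

# cert_cn FILE: print the subject commonName of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# check_cn FILE HOST: return 0 if the CN equals HOST, 1 on mismatch,
# 2 if no CN could be read. The comparison ignores case (assumption:
# DNS names are case-insensitive; not taken from mod_cosign's source).
check_cn() {
    cn=$(cert_cn "$1")
    if [ -z "$cn" ]; then
        echo "ERROR: no commonName readable from $1"
        return 2
    fi
    have=$(printf '%s' "$cn" | tr '[:upper:]' '[:lower:]')
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    if [ "$have" = "$want" ]; then
        echo "OK: cn=$cn matches host=$2"
    else
        echo "MISMATCH: cn=$cn & host=$2"
        return 1
    fi
}

# make_demo_cert DIR CN: constructed, throwaway self-signed certificate.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/demo.key" -out "$1/demo.crt" >/dev/null 2>&1
}

# Demo: a cloned server still carries the original host's certificate.
demo() {
    dir=$(mktemp -d) || return 2
    make_demo_cert "$dir" login.example.com
    check_cn "$dir/demo.crt" login-dev.example.com || true  # mismatch
    check_cn "$dir/demo.crt" login.example.com              # match
    rm -rf "$dir"
}
demo
```

Running `check_cn` against the certificate file before restarting the daemon shows whether the new certificate carries the intended name.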
