Re: [Cosign-discuss] cosign integration in development
On August 16, 2012 14:43, Shawn Rahl sr...@umich.edu wrote:
> We are getting the 503 Service Temporarily Unavailable message after authenticating with weblogin.
> [...]
> Differences between production and this config:
> - site name is mitools-dev instead of mitools
> - IPs are different
> - certs are self-signed instead of GeoTrust certs
>
> Here is what we are seeing:
>
> In the error log (mitools-ssl-error_log), we see:
>
>     [Thu Aug 16 14:39:50 2012] [error] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The above error suggests to me that mod_cosign is not able to verify the certificate that the central weblogin servers use to identify themselves. Run the command

    openssl s_client -connect weblogin.umich.edu:6663 -cert /etc/pki/tls/certs/minos.lsa.umich.edu.crt -key /etc/pki/tls/private/minos.lsa.umich.edu.key -CApath /etc/pki/tls/certs -starttls smtp -showcerts

in order to see what certificate your central weblogin servers use, and who signed it. Change weblogin.umich.edu above to be the name of your organization's central weblogin servers, and change the certificate filename, the key filename, and the CApath (path to the directory containing the certificate authority root and intermediate certificates and hashes) as appropriate for your web server.

In the output, you should see lines similar to the following:

    Server certificate
    subject=/C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/OU=ITCS/CN=weblogin.umich.edu/emailAddress=webmas...@umich.edu
    issuer=/C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/OU=ITCS/CN=UM Web CA/emailAddress=webmas...@umich.edu

In this case, the central weblogin server certificates have been signed by the certificate authority UM Web CA. Make sure you have the root certificate for this CA installed (from the information you included in your original message, you do have it installed).

ALSO make sure that you have created a hash for the certificate in the same directory -- from your original message, you seem to be missing this, and this is likely the cause of your problem; let us know if you need instructions on how to create / manage certificate hashes.

Finally, the central weblogin servers at most (all?) institutions won't accept self-signed certificates from client web servers. Find out what certificate authorities your institution's central weblogin servers trust, and get a certificate for use with cosign that is signed by one of these CAs. If you really want to, you can use a self-signed certificate for HTTPS, but you almost certainly will need a non-self-signed one for the mod_cosign CosignCrypto directive, even though this is a development server. Many institutions will provide a no-cost option for this (your institution happens to provide two no-cost options: the InCommon certificate service [commercially signed and widely trusted], and UM Web CA [locally signed]).

I hope this helps. If addressing these two things (creating a hash for the root CA certificate for the certificate used by your central weblogin servers, plus using a non-self-signed certificate in the CosignCrypto directive) do not get everything working, please let us know.

--
  Mark Montague
  m...@catseye.org

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
Re: [Cosign-discuss] cosign integration in development
I used c_rehash to generate the symlinks as documented in the Cosign implementation docs.

Info:

    [root@molar cosign-ca-dir]# sha512sum umwebCA.pem
    e8de2020db961a1d20ef17752945ebdfdc089ceeb9d9370d6cbbac29f3c65711994e5e54a03338d3d6b03b711faa197c229b9eb9832be982fa0cd3eb65a79a04  umwebCA.pem
    [root@molar cosign-ca-dir]# yum list authconfig
    Loaded plugins: rhnplugin, security
    Installed Packages
    authconfig.x86_64    5.3.21-7.el5    installed

I just removed them and used what you suggested, which generated as follows:

    [root@molar cosign-ca-dir]# rm -f *.0
    [root@molar cosign-ca-dir]# ls -la
    total 60
    drwxr-x---  3 apache apache 4096 Aug 17 10:40 .
    drwxr-xr-x 10 root   root   4096 Aug 14 14:33 ..
    drwx------  2 root   root   4096 Aug 17 07:44 archive
    -rw-------  1 root   root   1521 Aug 17 07:45 extCAroot.pem
    -rw-------  1 root   root   5379 Aug 17 07:43 incommonCA.pem
    -rw-------  1 root   root   3309 Aug 17 07:45 intermediate.pem
    -rw-r--r--  1 root   root   1334 Aug 17 08:52 umwebCA.pem
    [root@molar cosign-ca-dir]# cacertdir_rehash .
    unable to load certificate
    16755:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
    [root@molar cosign-ca-dir]# ls -la
    total 76
    drwxr-x---  3 apache apache 4096 Aug 17 10:40 .
    drwxr-xr-x 10 root   root   4096 Aug 14 14:33 ..
    lrwxrwxrwx  1 root   root     13 Aug 17 10:40 3c58f906.0 -> extCAroot.pem
    lrwxrwxrwx  1 root   root     11 Aug 17 10:40 4700e8dd.0 -> umwebCA.pem
    lrwxrwxrwx  1 root   root     14 Aug 17 10:40 84df5188.0 -> incommonCA.pem
    drwx------  2 root   root   4096 Aug 17 07:44 archive
    lrwxrwxrwx  1 root   root     16 Aug 17 10:40 b0de3e19.0 -> intermediate.pem
    -rw-------  1 root   root   1521 Aug 17 07:45 extCAroot.pem
    -rw-------  1 root   root   5379 Aug 17 07:43 incommonCA.pem
    -rw-------  1 root   root   3309 Aug 17 07:45 intermediate.pem
    -rw-r--r--  1 root   root   1334 Aug 17 08:52 umwebCA.pem

Also, it seems that the hash output for the umwebCA is not what you are saying it should be:

    [root@molar cosign-ca-dir]# openssl x509 -hash -noout -in ./umwebCA.pem
    4700e8dd

Thanks,
Shawn Rahl
Unix Administrator
Dental Informatics, School of Dentistry
University of Michigan
sr...@umich.edu

On Fri, Aug 17, 2012 at 10:35 AM, Mark Montague m...@catseye.org wrote:
> On August 17, 2012 10:27, Shawn Rahl sr...@umich.edu wrote:
> > Output
> >
> >     [root@molar cosign-ca-dir]# ls -la /etc/httpd/cosign-ca-dir
> >     [...]
> >     lrwxrwxrwx 1 root root   11 Aug 17 07:51 fa84f4ea.0 -> umwebCA.pem
> >     [...]
> >     -rw-r--r-- 1 root root 1334 Aug 17 08:52 umwebCA.pem
> >     [root@molar cosign-ca-dir]# sha512sum umwebCA.pem
> >     e8de2020db961a1d20ef17752945ebdfdc089ceeb9d9370d6cbbac29f3c65711994e5e54a03338d3d6b03b711faa197c229b9eb9832be982fa0cd3eb65a79a04  umwebCA.pem
>
> Be sure you have the following in that directory (note that this will be different for people from other institutions):
>
>     lrwxrwxrwx. 1 root root   11 Jul 10 11:22 5cc1e784.0 -> umwebCA.pem
>     -rw-r--r--. 1 root root 1334 Mar 19 10:56 umwebCA.pem
>
> Also make sure you have the correct CA root certificate:
>
>     [root@minos certs]# sha512sum umwebCA.pem
>     e8de2020db961a1d20ef17752945ebdfdc089ceeb9d9370d6cbbac29f3c65711994e5e54a03338d3d6b03b711faa197c229b9eb9832be982fa0cd3eb65a79a04  umwebCA.pem
>     [root@minos certs]#
>
> If you have the wrong hash -- as you seem to -- mod_cosign will not be able to find the CA root certificate for UM Web CA.
>
> How did you generate the hash symlink? If this is a Red Hat Enterprise Linux box, make sure you have the authconfig RPM installed, then run:
>
>     cd /etc/httpd/cosign-ca-dir ; /usr/sbin/cacertdir_rehash .
>
> Or, if you have the c_rehash script from the OpenSSL source code distribution, run:
>
>     cd /etc/httpd/cosign-ca-dir ; c_rehash .
>
> Also, you should be able to see the same output for:
>
>     [root@minos certs]# openssl x509 -hash -noout -in ./umwebCA.pem
>     5cc1e784
>     [root@minos certs]#
>
> Short form: fixing the hash symlink should solve the problem.
>
> --
>   Mark Montague
>   m...@catseye.org
Re: [Cosign-discuss] cosign integration in development
On 8/17/12 10:49 AM, Shawn Rahl wrote:
> Also, it seems that the hash output for the umwebCA is not what you are saying it should be:
>
>     [root@molar cosign-ca-dir]# openssl x509 -hash -noout -in ./umwebCA.pem
>     4700e8dd

Starting with version 1 of openssl, it uses a different algorithm to compute the hash. You can get the old and new values from it:

    pgp$ /opt/local/bin/openssl x509 -subject_hash -subject_hash_old -noout -in umwebCA.pem
    5cc1e784
    4700e8dd

-Phil
Re: [Cosign-discuss] cosign integration in development
    [root@molar cosign-ca-dir]# curl -O http://www.umich.edu/~umweb/umwebCA.pem
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 1334 100 13340 0 20540 0 --:--:-- --:--:-- --:--:-- 0
    [root@molar cosign-ca-dir]# ls -la
    total 60
    drwxr-x---  3 apache apache 4096 Aug 17 11:04 .
    drwxr-xr-x 10 root   root   4096 Aug 14 14:33 ..
    drwx------  2 root   root   4096 Aug 17 07:44 archive
    -rw-------  1 root   root   1521 Aug 17 07:45 extCAroot.pem
    -rw-------  1 root   root   5379 Aug 17 07:43 incommonCA.pem
    -rw-------  1 root   root   3309 Aug 17 07:45 intermediate.pem
    -rw-r--r--  1 root   root   1334 Aug 17 11:04 umwebCA.pem
    [root@molar cosign-ca-dir]# openssl x509 -hash -noout -in ./umwebCA.pem
    4700e8dd

Shawn Rahl
Unix Administrator
Dental Informatics, School of Dentistry
University of Michigan
sr...@umich.edu

On Fri, Aug 17, 2012 at 11:02 AM, Mark Montague m...@catseye.org wrote:
> On August 17, 2012 10:49, Shawn Rahl sr...@umich.edu wrote:
> >     [root@molar cosign-ca-dir]# ls -la
> >     total 76
> >     drwxr-x---  3 apache apache 4096 Aug 17 10:40 .
> >     drwxr-xr-x 10 root   root   4096 Aug 14 14:33 ..
> >     lrwxrwxrwx  1 root   root     13 Aug 17 10:40 3c58f906.0 -> extCAroot.pem
> >     lrwxrwxrwx  1 root   root     11 Aug 17 10:40 4700e8dd.0 -> umwebCA.pem
> >     lrwxrwxrwx  1 root   root     14 Aug 17 10:40 84df5188.0 -> incommonCA.pem
> >     drwx------  2 root   root   4096 Aug 17 07:44 archive
> >     lrwxrwxrwx  1 root   root     16 Aug 17 10:40 b0de3e19.0 -> intermediate.pem
> >     -rw-------  1 root   root   1521 Aug 17 07:45 extCAroot.pem
> >     -rw-------  1 root   root   5379 Aug 17 07:43 incommonCA.pem
> >     -rw-------  1 root   root   3309 Aug 17 07:45 intermediate.pem
> >     -rw-r--r--  1 root   root   1334 Aug 17 08:52 umwebCA.pem
> >
> > Also, it seems that the hash output for the umwebCA is not what you are saying it should be:
> >
> >     [root@molar cosign-ca-dir]# openssl x509 -hash -noout -in ./umwebCA.pem
> >     4700e8dd
>
> This is very strange, especially since the SHA-512 hash of your umwebCA.pem file matches mine. I recommend getting a new copy and checking.
>
> I just did this on my MacOS X laptop and the results match what I have on my RHEL6 web server:
>
>     $ curl -O http://www.umich.edu/~umweb/umwebCA.pem
>       % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                      Dload  Upload   Total   Spent    Left  Speed
>     100 1334 100 13340 0 19974 0 --:--:-- --:--:-- --:--:-- 21868
>     $ openssl x509 -hash -noout -in ./umwebCA.pem
>     5cc1e784
>     $
>
> Once you get this, recreate the hash symlink by running c_rehash again. If you don't get a link named 5cc1e784.0, then something is still amiss and we'll have to look at this further.
>
> --
>   Mark Montague
>   m...@catseye.org
Re: [Cosign-discuss] cosign integration in development
On August 17, 2012 11:00, Phil Pishioneri p...@psu.edu wrote:
> Starting with version 1 of openssl, it uses a different algorithm to compute the hash. You can get the old and new values from it:
>
>     pgp$ /opt/local/bin/openssl x509 -subject_hash -subject_hash_old -noout -in umwebCA.pem
>     5cc1e784
>     4700e8dd

D'oh! Thanks, Phil, I think you've hit the nail on the head. I had no idea that OpenSSL had changed their hash algorithm.

Shawn, what version of the OpenSSL libraries are your installations of mod_cosign and mod_ssl linked against? And is this from the same version of OpenSSL that the openssl executable is from?

    [root@minos certs]# ldd /usr/lib64/httpd/modules/mod_cosign.so | grep ssl
            libssl.so.10 => /usr/lib64/libssl.so.10 (0x7f7910dd4000)
    [root@minos certs]# ldd /usr/lib64/httpd/modules/mod_ssl.so | grep ssl
            libssl.so.10 => /usr/lib64/libssl.so.10 (0x7f6e0e383000)
    [root@minos certs]# rpm -q -f /usr/lib64/libssl.so.10
    openssl-1.0.0-20.el6_2.5.x86_64
    [root@minos certs]# openssl version
    OpenSSL 1.0.0-fips 29 Mar 2010
    [root@minos certs]#

If all three use the same OpenSSL version and you still have a problem, then the hash symlink is not the problem and we'll have to look elsewhere. On the other hand, if you are using one version of OpenSSL for either mod_cosign or mod_ssl and a different version of OpenSSL for the openssl executable, then the problem is definitely the hash symlink and you should probably use the same version of OpenSSL from the command line that you're using to compile mod_cosign.

--
  Mark Montague
  m...@catseye.org
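Phil's point is the crux of the thread: OpenSSL before 1.0 and OpenSSL 1.0 derive the `<hash>.0` link name from the CA's subject with different algorithms, so a CApath rehashed with one version is invisible to a mod_cosign linked against the other. The Python below is an added example, not code from the thread, from OpenSSL or from cosign; it reimplements both schemes (old: MD5 over the name's DER as encoded; new: SHA-1 over OpenSSL 1.0's canonical encoding) on a constructed DN so the difference is visible. It assumes PrintableString attributes and leaves out the real certificate's emailAddress, so it will not reproduce the thread's 5cc1e784 / 4700e8dd values.

```python
import hashlib

def der(tag, body):
    """DER TLV: tag byte, definite length, body."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def oid(dotted):
    """DER OBJECT IDENTIFIER from dotted notation (2.5.4.3 is CN)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >= 0x80:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return der(0x06, bytes(out))

def name_der(rdns, canon):
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }.
    canon=False: values as PrintableString (assumed cert encoding), full SEQUENCE.
    canon=True: OpenSSL 1.0 canonical form: ASCII lower-cased, whitespace
    collapsed, values re-tagged UTF8String, outer SEQUENCE header dropped."""
    sets = b""
    for o, v in rdns:
        tag = 0x13
        if canon:
            v, tag = " ".join(v.split()).lower(), 0x0C
        sets += der(0x31, der(0x30, oid(o) + der(tag, v.encode())))
    return sets if canon else der(0x30, sets)

def fold(digest):
    """OpenSSL takes the digest's first 4 bytes, little-endian, as the hash."""
    return "%08x" % int.from_bytes(digest[:4], "little")

def subject_hash_old(rdns):
    """Pre-1.0 scheme (-subject_hash_old): MD5 over the name's DER as encoded."""
    return fold(hashlib.md5(name_der(rdns, False)).digest())

def subject_hash(rdns):
    """1.0 scheme (-subject_hash): SHA-1 over the canonical encoding."""
    return fold(hashlib.sha1(name_der(rdns, True)).digest())

def symlink_names(rdns):
    """The <hash>.0 link names a rehash would create under each scheme."""
    return {"old": subject_hash_old(rdns) + ".0", "new": subject_hash(rdns) + ".0"}

# Constructed subject modelled on the issuer DN quoted in the thread; the real
# certificate's emailAddress attribute and string types are not on the page.
UM_WEB_CA = [("2.5.4.6", "US"), ("2.5.4.8", "Michigan"), ("2.5.4.7", "Ann Arbor"),
             ("2.5.4.10", "University of Michigan"), ("2.5.4.11", "ITCS"), ("2.5.4.3", "UM Web CA")]
```

Because the 1.0 scheme hashes a case-folded, whitespace-collapsed UTF8String form, two CAs whose subjects differ only in case get the same link name under 1.0 but different ones under the old scheme, which is why a directory needs rehashing with the same OpenSSL that mod_cosign loads.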
Re: [Cosign-discuss] cosign integration in development
make sure the certificates listed on the CosignCrypto line are valid and the common name of the certificate matches your FQDN. I believe that self-signed certs won't work for authing with cosign. 503 is the error that cosign gives across the board when something goes wrong.

-Ross

On Thu, Aug 16, 2012 at 2:43 PM, Shawn Rahl sr...@umich.edu wrote:
> Good afternoon. We have a new development server hosting dev versions of our MiTools site. All is working except for the cosign integration. Any assistance would be greatly appreciated.
>
> We are getting the 503 Service Temporarily Unavailable message after authenticating with weblogin. We have followed the cosign documentation for UM as well as the general docs on weblogin.org. Attached is a text file containing our VirtualHost entry that is configured with Cosign. Whether we point there or at production, we get the same results.
>
> Differences between production and this config:
> - site name is mitools-dev instead of mitools
> - IPs are different
> - certs are self-signed instead of GeoTrust certs
>
> Here is what we are seeing:
>
> In the error log (mitools-ssl-error_log), we see:
>
>     [Thu Aug 16 14:39:50 2012] [error] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>     [Thu Aug 16 14:39:50 2012] [error] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>     [Thu Aug 16 14:39:50 2012] [error] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>     [Thu Aug 16 14:39:50 2012] [error] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>     [Thu Aug 16 14:39:50 2012] [error] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>     [Thu Aug 16 14:39:50 2012] [error] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>     [Thu Aug 16 14:39:50 2012] [error] mod_cosign: cosign_cookie_valid: Unable to connect to any Cosign server.
>
> In our browser, after authentication from weblogin or weblogin-test, we see:
> - 503 Service Temporarily Unavailable error
> - URL in browser address bar: https://mitools-dev.dent.umich.edu/cosign/valid/?cosign-mitools-dev.dent.umich.edu=U10jam-8ApjjZXs0gNUNMo1xPAGCYiqvU7cl2sDu3A2nWw4F9-hTjJd2zPF2dT4SlWyh1o9hZTF04xEI1Mpvf6HUqMANCsrK618i5wpjJhGbWDsUibkfmo5THawuhttps://mitools-dev.dent.umich.edu/
>
> listing of the cosign-ca-dir shows the following:
>
>     [root@molar httpd]# ls -l cosign-ca-dir/
>     total 48
>     lrwxrwxrwx 1 root root   13 Aug 15 17:15 3c58f906.0 -> extCAroot.pem
>     lrwxrwxrwx 1 root root   16 Aug 15 17:15 4b841d5f.0 -> intermediate.pem
>     lrwxrwxrwx 1 root root   14 Aug 15 17:15 84df5188.0 -> incommonCA.pem
>     -rw-r--r-- 1 root root 1521 Apr 16 12:11 extCAroot.pem
>     lrwxrwxrwx 1 root root   11 Aug 15 17:15 fa84f4ea.0 -> umwebCA.pem
>     -rw-r--r-- 1 root root 1712 Aug 15 17:14 incommonCA.pem
>     -rw-r--r-- 1 root root 2664 Jun 14 09:18 intermediate.pem
>     -rw-r--r-- 1 root root 1927 Aug  7 09:08 umwebCA.pem
>
> Thanks,
> Shawn Rahl
> Unix Administrator
> Dental Informatics, School of Dentistry
> University of Michigan
> sr...@umich.edu