Re: [Cosign-discuss] cosign integration in development

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I used c_rehash to generate the symlinks as documented in the Cosign
implementation docs.

Info....

------------------------------------------------------------
------------------------------------------------------------
---------------------------------------------
[root@molar cosign-ca-dir]# sha512sum umwebCA.pem
e8de2020db961a1d20ef17752945ebdfdc089ceeb9d9370d6cbbac29f3c65711994e5e54a03338d3d6b03b711faa197c229b9eb9832be982fa0cd3eb65a79a04
 umwebCA.pem

[root@molar cosign-ca-dir]# yum list authconfig
Loaded plugins: rhnplugin, security
Installed Packages
authconfig.x86_64                                              5.3.21-7.el5
                                             installed
------------------------------------------------------------
------------------------------------------------------------
---------------------------------------------

I just removed them and used what you suggested, which generated as follows:
------------------------------------------------------------
------------------------------------------------------------
---------------------------------------------

[root@molar cosign-ca-dir]# rm -f *.0
[root@molar cosign-ca-dir]# ls -la
total 60
drwxr-x---  3 apache apache 4096 Aug 17 10:40 .
drwxr-xr-x 10 root   root   4096 Aug 14 14:33 ..
drwx------  2 root   root   4096 Aug 17 07:44 archive
-rw-------  1 root   root   1521 Aug 17 07:45 extCAroot.pem
-rw-------  1 root   root   5379 Aug 17 07:43 incommonCA.pem
-rw-------  1 root   root   3309 Aug 17 07:45 intermediate.pem
-rw-r--r--  1 root   root   1334 Aug 17 08:52 umwebCA.pem
[root@molar cosign-ca-dir]# cacertdir_rehash .
unable to load certificate
16755:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

[root@molar cosign-ca-dir]# ls -la
total 76
drwxr-x---  3 apache apache 4096 Aug 17 10:40 .
drwxr-xr-x 10 root   root   4096 Aug 14 14:33 ..
lrwxrwxrwx  1 root   root     13 Aug 17 10:40 3c58f906.0 -> extCAroot.pem
lrwxrwxrwx  1 root   root     11 Aug 17 10:40 4700e8dd.0 -> umwebCA.pem
lrwxrwxrwx  1 root   root     14 Aug 17 10:40 84df5188.0 -> incommonCA.pem
drwx------  2 root   root   4096 Aug 17 07:44 archive
lrwxrwxrwx  1 root   root     16 Aug 17 10:40 b0de3e19.0 -> intermediate.pem
-rw-------  1 root   root   1521 Aug 17 07:45 extCAroot.pem
-rw-------  1 root   root   5379 Aug 17 07:43 incommonCA.pem
-rw-------  1 root   root   3309 Aug 17 07:45 intermediate.pem
-rw-r--r--  1 root   root   1334 Aug 17 08:52 umwebCA.pem

------------------------------------------------------------
------------------------------------------------------------
---------------------------------------------

Also, it seems that the hash output for the umwebCA is not what you are
saying it should be:

[root@molar cosign-ca-dir]# openssl x509 -hash -noout -in ./umwebCA.pem
4700e8dd

Thanks,
Shawn Rahl
Unix Administrator

Dental Informatics, School of Dentistry

University of Michigan

sr...@um...

On Fri, Aug 17, 2012 at 10:35 AM, Mark Montague <ma...@ca...> wrote:

> On August 17, 2012 10:27 , Shawn Rahl <sr...@um...> wrote:
>
>> Output....
>>
>> [root@molar cosign-ca-dir]# ls -la /etc/httpd/cosign-ca-dir
>> [...]
>>
>> lrwxrwxrwx  1 root   root     11 Aug 17 07:51 fa84f4ea.0 -> umwebCA.pem
>> [...]
>>
>> -rw-r--r--  1 root   root   1334 Aug 17 08:52 umwebCA.pem
>> [root@molar cosign-ca-dir]# sha512sum umwebCA.pem
>> e8de2020db961a1d20ef17752945eb**dfdc089ceeb9d9370d6cbbac29f3c6**
>> 5711994e5e54a03338d3d6b03b711f**aa197c229b9eb9832be982fa0cd3eb**65a79a04
>>  umwebCA.pem
>>
>>     Be sure you have the following in that directory (note that this
>>     will be different for people from other institutions):
>>
>>     lrwxrwxrwx. 1 root root     11 Jul 10 11:22 5cc1e784.0 -> umwebCA.pem
>>     -rw-r--r--. 1 root root   1334 Mar 19 10:56 umwebCA.pem
>>
>>     Also make sure you have the correct CA root certificate:
>>
>>     [root@minos certs]# sha512sum umwebCA.pem
>>     e8de2020db961a1d20ef17752945eb**dfdc089ceeb9d9370d6cbbac29f3c6**
>> 5711994e5e54a03338d3d6b03b711f**aa197c229b9eb9832be982fa0cd3eb**65a79a04
>>      umwebCA.pem
>>     [root@minos certs]#
>>
>>
> If you have the wrong hash -- as you seem to -- mod_cosign will not be
> able to find the CA root certificate for UM Web CA.
>
> How did you generate the hash symlink?
>
> If this is a Red Hat Enterprise Linux box, make sure you have the
> authconfig RPM installed, then run:
>
> cd /etc/httpd/cosign-ca-dir ; /usr/sbin/cacertdir_rehash .
>
> Or, if you have the c_rehash script from the OpenSSL source code
> distribution, run:
>
> cd /etc/httpd/cosign-ca-dir ; c_rehash .
>
> Also, you should be able to see the same output for:
>
> [root@minos certs]# openssl x509 -hash -noout -in ./umwebCA.pem
> 5cc1e784
> [root@minos certs]#
>
> Short form:  fixing the hash symlink should solve the problem.
>
> --
>   Mark Montague
>   ma...@ca...
>
>

Re: [Cosign-discuss] cosign integration in development

Open Source Web Single Sign-On

Re: [Cosign-discuss] cosign integration in development