From: Nathaniel M. <nm...@um...> - 2008-05-02 18:28:43

I have figured out this error, it was tied to mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

My Apache is running in a chroot'd environment, and didn't have the ability to perform name resolution. I created an /etc/resolv.conf file and I was able to get right on!

-Nathaniel

On Apr 28, 2008, at 11:16 AM, Nathaniel Madura wrote:

> I am trying to configure cosign to authenticate against the UM cosign services. I have a cert signed by umwebCA, however it appears that I still am getting certificate problems!
>
> The site that is connecting to cosign is on a private network, and requests are being proxied to it from another apache server.
>
> I have tried any of the troubleshooting suggestions that I could find, all of which are attached below, including the error messages I am seeing, and the relevant part of the virtual-host config.
>
> Any help would be much appreciated.
>
> Thanks,
> Nathaniel
>
>
> relevant apache virtualhost config:
> SSLEngine on
> SSLCertificateFile /var/www/etc/ssl/server.crt
> SSLCertificateKeyFile /var/www/etc/ssl/private/server.key
> CosignProtected On
> CosignHostname weblogin.umich.edu
> CosignRedirect https://weblogin.umich.edu/
> CosignPostErrorRedirect https://weblogin.umich.edu/post_error.html
> CosignService wirelessguest.umtri
> CosignCrypto /var/www/etc/ssl/private/wirelessguest.key /var/www/etc/ssl/wirelessguest.crt /var/www/etc/ssl/cosignCA
> CosignSiteEntry https://wirelessguest.umtri.umich.edu
>
> apache error log:
> [Mon Apr 28 10:19:10 2008] [error] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> [Mon Apr 28 10:19:10 2008] [error] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> [Mon Apr 28 10:19:10 2008] [error] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> [Mon Apr 28 10:19:10 2008] [error] mod_cosign: snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> [Mon Apr 28 10:19:10 2008] [error] mod_cosign: cosign_cookie_valid: Unable to connect to any Cosign server.
>
> # ls -l var/cosign/
> total 4
> drwxr-xr-x 2 www daemon 512 Apr 23 15:45 filter
>
> # openssl verify -CApath etc/ssl/cosignCA -purpose sslclient etc/ssl/wirelessguest.crt
> etc/ssl/wirelessguest.crt: OK
>
> # openssl version
> OpenSSL 0.9.7j 04 May 2006
>
> # cat /dev/null | openssl s_client -connect weblogin.umich.edu:6663 -CApath etc/ssl/cosignCA -cert etc/ssl/wirelessguest.crt -key etc/ssl/private/wirelessguest.key -starttls smtp
> CONNECTED(00000004)
> depth=1 /C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/OU=ITCS/CN=UM Web CA/emailAddress=webmaster@xxxxxxxx
> verify return:1
> depth=0 /C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/OU=ITCS/CN=weblogin.umich.edu/emailAddress=webmaster@xxxxxxxx
> verify return:1
> ---
> Certificate chain
>  0 s:/C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/OU=ITCS/CN=weblogin.umich.edu/emailAddress=webmaster@xxxxxxxx
>    i:/C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/OU=ITCS/CN=UM Web CA/emailAddress=webmaster@xxxxxxxx
>  1 s:/C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/OU=ITCS/CN=UM Web CA/emailAddress=webmaster@xxxxxxxx
>    i:/C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/OU=ITCS/CN=UM Web CA/emailAddress=webmaster@xxxxxxxx
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIICszCCAhwCAgDzMA0GCSqGSIb3DQEBBAUAMIGcMQswCQYDVQQGEwJVUzERMA8G
> A1UECBMITWljaGlnYW4xEjAQBgNVBAcTCUFubiBBcmJvcjEfMB0GA1UEChMWVW5p
> dmVyc2l0eSBvZiBNaWNoaWdhbjENMAsGA1UECxMESVRDUzESMBAGA1UEAxMJVU0g
> V2ViIENBMSIwIAYJKoZIhvcNAQkBFhN3ZWJtYXN0ZXJAdW1pY2guZWR1MB4XDTAz
> MTAxMjAxMTEzMloXDTA4MTAxMDAxMTEzMlowgaUxCzAJBgNVBAYTAlVTMREwDwYD
> VQQIEwhNaWNoaWdhbjESMBAGA1UEBxMJQW5uIEFyYm9yMR8wHQYDVQQKExZVbml2
> ZXJzaXR5IG9mIE1pY2hpZ2FuMQ0wCwYDVQQLEwRJVENTMRswGQYDVQQDExJ3ZWJs
> b2dpbi51bWljaC5lZHUxIjAgBgkqhkiG9w0BCQEWE3dlYm1hc3RlckB1bWljaC5l
> ZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOB9xDh+7N+mL1zO3KzycVej
> 0yhR1fLP+B/qLgZjq4daOoCMhmOuEIkYWmglUuttmcdF9/eWU6699q7GHOZcdgf+
> cSzsZnC2pVLgB4gsWiGVZ96epDiOCT3Gp4yg2I/C8hd0UMnXiv9ZqOg/naxvy5Vw
> jEX5Jqn65C17E9lbv+xHAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAWuMF8HDzso1Q
> G/o2i+QqwwBfa7kR6P4gb0So1UldS/yk1lRlJ0bir7S37BxlkVEkRtAhjPs/vljE
> 08nDD5lfwMPBipXrA/dPpLihsoW5vJ40RQ/KitSSw85mHR9rYW+EAHbvFleZMGox
> ipHSLviNHjjylkJ4A6foEfszqaXUdlE=
> -----END CERTIFICATE-----
> subject=/C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/OU=ITCS/CN=weblogin.umich.edu/emailAddress=webmaster@xxxxxxxx
> issuer=/C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/OU=ITCS/CN=UM Web CA/emailAddress=webmaster@xxxxxxxx
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1911 bytes and written 2558 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 1024 bit
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID: 6F05919474D0D6AE4F50CE2F2E7F59202BBF1AA96FB48CA4FA4369E01DA96F7E
>     Session-ID-ctx:
>     Master-Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>     Key-Arg   : None
>     Start Time: 1209392865
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> 220 2 Collaborative Web Single Sign-On
> 500 Command EHLO unregcognized
> DONE
>
>
>
> -----
> Nathaniel Madura
> Engineer in Research
> UMTRI - Biosciences
> 734-936-1109
> nm...@um...
> -----

-----
Nathaniel Madura
Engineer in Research
UMTRI - Biosciences
734-936-1109
nm...@um...
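The root cause in this thread is that the same s_client probe that verifies fine from the host shell fails inside the Apache chroot, because the chroot has no resolver configuration. The script below is an added example, not code from the thread or from the cosign project: it runs the pre-flight checks a chroot'd mod_cosign install needs (a usable /etc/resolv.conf inside the chroot, a CA directory that c_rehash has populated with hashed links) and reuses the thread's own s_client invocation, keying on the "Verify return code" line instead of eyeballing the output. The chroot path /var/www and the etc/ssl/cosignCA layout are assumptions taken from the posted config; the `probe_cosign` function needs network access and is not exercised by the constructed sample at the bottom.

```shell
#!/bin/sh
# Added example (not from the original thread or the cosign project).
# Pre-flight checks for a chroot'd Apache that must reach a cosign server
# over TLS with client-certificate authentication.
# Assumptions: CHROOT is the Apache chroot root (/var/www in the thread) and
# the CA directory inside it is etc/ssl/cosignCA, as in the posted config.

CHROOT="${CHROOT:-/var/www}"

# check_chroot_resolver DIR: succeed only if DIR/etc/resolv.conf exists and
# names at least one nameserver. Without it, OpenSSL running inside the
# chroot cannot resolve the CosignHostname at all, and mod_cosign reports
# the failure as "certificate verify failed" rather than a lookup error.
check_chroot_resolver() {
    f="$1/etc/resolv.conf"
    [ -r "$f" ] || { echo "missing $f"; return 1; }
    grep -q '^nameserver[[:space:]]' "$f" || { echo "no nameserver in $f"; return 1; }
    return 0
}

# check_capath DIR: succeed only if DIR holds at least one hashed CA link
# (<hash>.0), which is what -CApath and the CosignCrypto CA directory
# look up; a directory with only a .pem/.crt in it will not verify.
check_capath() {
    for f in "$1"/*.0; do
        [ -e "$f" ] && return 0
    done
    echo "no hashed CA certs in $1 (run c_rehash there)"
    return 1
}

# verify_code TEXT: print the numeric "Verify return code" from captured
# s_client output (0 means the chain verified; anything else is the
# OpenSSL X509 verify error number).
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Verify return code: \([0-9]*\).*/\1/p'
}

# probe_cosign HOST CAPATH CERT KEY: the same probe the thread used, run
# non-interactively. Returns 0 only when chain verification succeeded.
# Not run by the sample below because it needs the network.
probe_cosign() {
    out=$(openssl s_client -connect "$1:6663" -CApath "$2" \
          -cert "$3" -key "$4" -starttls smtp </dev/null 2>/dev/null) || out=""
    [ "$(verify_code "$out")" = "0" ]
}

# Constructed sample of s_client output (an abridged stand-in for the
# thread's transcript) so verify_code can be demonstrated offline.
SAMPLE_SCLIENT_OUTPUT='CONNECTED(00000004)
    Start Time: 1209392865
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
220 2 Collaborative Web Single Sign-On'

echo "sample verify code: $(verify_code "$SAMPLE_SCLIENT_OUTPUT")"
```

To use it against a real install, run `check_chroot_resolver "$CHROOT"`, `check_capath "$CHROOT/etc/ssl/cosignCA"` and then `probe_cosign weblogin.umich.edu "$CHROOT/etc/ssl/cosignCA" "$CHROOT/etc/ssl/wirelessguest.crt" "$CHROOT/etc/ssl/private/wirelessguest.key"` from the host; the resolver check is the one that separates "the certificate is wrong" from "the chroot cannot look the server up", which is what this thread turned out to be.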