cosign-discuss at umich.edu
general discussion of cosign development and deployment

Hi Johanna

I seem to have made some progress. I tried setting the cosign directives above the directory settings as such:

CosignHostname judsonhp.judsoncollege.edu
CosignRedirect https://judsonhp.judsoncollege.edu/
CosignPostErrorRedirect https://judsonhp.judsoncollege.edu/post_error.html
CosignService cosign
CosignCrypto /opt/apache/cosign/CA/ca.key /opt/apache/cosign/CA/ca.crt /opt/apache/cosign/CA
CosignProtected On

<Directory /opt/apache/cosign/html>
CosignProtected Off
Options ExecCGI Indexes
AllowOverride All
AuthType Basic
AuthName "Faculty Access"
AuthLDAPURL ldap://judsonhp.judsoncollege.edu:1389/cn=basic,cn=camSignons,cn=Judson,cn=Authentication Data,o=Cognos,c=CA?cn?
......

this seems to have helped, as I am not getting the errors about CosignHostname, etc. Also, I am getting redirected to the error page. But....the error page tells me it is unable to communicate with the cosign server. In the syslog I have this:

Nov 19 17:02:58 judsonhp cosignd[8797]: f_starttls: snet_starttls: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Nov 19 17:02:58 judsonhp cosignd[769]: child 8797 died on signal 13
syslog.log: END

in the apache error_log this:

choose another connection: 533 CHECK: cookie not in db!
choose another connection: 533 CHECK: cookie not in db!
snet_starttls: error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
cosign_choose_conn: no connection to servers.
/basicosign.cgi: login failed

Which is encouraging, anyway. I have a self-signed cert.

I have run the verify test (OK) and this one as cosign and the web user:

cat /dev/null | /usr/local/ssl/bin/openssl s_client -connect judsonhp.judsoncollege.edu:6663 -CApath /opt/apache/cosign/CA -cert /opt/apache/cosign/CA/ca.crt -key /opt/apache/cosign/CA/ca.key -starttls smtp

result of above

depth=1 /C=US/ST=Illinois/L=Elgin/O=Judson College/OU=Tech Services/CN=Judson College CA/emailAddress=jgoldrick@xxxxxxxxxxxxxxxxx
verify return:1
depth=0 /C=US/ST=Illinois/L=Elgin/O=Judson College/OU=Tech Services/CN=judsonhp.judsoncollege.edu/emailAddress=jgoldrick@xxxxxxxxxxxxxxxxx
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=Illinois/L=Elgin/O=Judson College/OU=Tech Services/CN=judsonhp.judsoncollege.edu/emailAddress=jgoldrick@xxxxxxxxxxxxxxxxx
   i:/C=US/ST=Illinois/L=Elgin/O=Judson College/OU=Tech Services/CN=Judson College CA/emailAddress=jgoldrick@xxxxxxxxxxxxxxxxx
 1 s:/C=US/ST=Illinois/L=Elgin/O=Judson College/OU=Tech Services/CN=Judson College CA/emailAddress=jgoldrick@xxxxxxxxxxxxxxxxx
   i:/C=US/ST=Illinois/L=Elgin/O=Judson College/OU=Tech Services/CN=Judson College CA/emailAddress=jgoldrick@xxxxxxxxxxxxxxxxx
---
Server certificate
subject=/C=US/ST=Illinois/L=Elgin/O=Judson College/OU=Tech Services/CN=judsonhp.judsoncollege.edu/emailAddress=jgoldrick@xxxxxxxxxxxxxxxxx
issuer=/C=US/ST=Illinois/L=Elgin/O=Judson College/OU=Tech Services/CN=Judson College CA/emailAddress=jgoldrick@xxxxxxxxxxxxxxxxx
---
No client certificate CA names sent
---
SSL handshake has read 1941 bytes and written 1372 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol : TLSv1
    Cipher : AES256-SHA
    Session-ID: 96C6EBD413CD6D2CC5C2E8E4C1C57696C46E9325C50C40A8601BAD6380F7A8F9
    Session-ID-ctx:
    Master-Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Key-Arg : None
    Start Time: 1100906293
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
---
220 COokie SIGNer ready
DONE

Any ideas would be appreciated.

thanks

jim

-----Original Message-----
From: johanna bromberg craig [mailto:canna@xxxxxxxxx]
Sent: Friday, November 12, 2004 11:28 AM
To: Goldrick, Jim
Cc: Cosign Discussion
Subject: Re: file not found error

Hey Jim,

couple of things to try:

1) make sure the CosignHostname and all that come before the first "CosignProtected On", line number wise.

2) for this dir:

<Directory /opt/apache/cosign/html/services>
CosignProtected On
Options ExecCGI
AllowOverride None
order allow,deny
allow from all
</Directory>

you just want cosignprotected on, i think, unless you're running a cgi. you don't need the allowoverrides and the order bits, i believe.

3) also, i'm not sure about this line:

Alias /weblogin/ /opt/apache/cosign/html/

to make things easier, we put basiccosign.cgi as a DirectoryIndex, like you have, and put it in docroot, so that https://judsonhp.judsoncollege.edu/ would just work.

4) also, it might be easier at first to cosign protect a separate directory or location altogether ( not one that is under docroot like that ) like a user home dir, so that we don't have to deal with the nested complexity until we get the authentication part working. :)

5) When you turn off cosign, your basic auth bit works, right? :)

Keep us posted :)

-J

On Nov 12, 2004, at 11:45 AM, Goldrick, Jim wrote:

>
> error_log
>
> here is my vhost, which I have tried to set up similar to yours for now.
>
> <VirtualHost judsonhp.judsoncollege.edu:443>
> ServerName judsonhp.judsoncollege.edu
> DocumentRoot /opt/apache/cosign/html
> AddHandler cgi-script .cgi
> DirectoryIndex basiccosign.cgi index.html index.php index.htm index.shtml
> Alias /images/ /opt/apache/images/
> SSLEngine on
> SSLCertificateFile /opt/apache/etc/ssl.crt/server.crt
> SSLCertificateKeyFile /opt/apache/etc/ssl.key/server.key
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
>
> <Directory /opt/apache/cosign/html>
> CosignProtected Off
> Options ExecCGI
> AllowOverride None
> AuthType Basic
> AuthName "Faculty Access"
> AuthLDAPURL ldap://judsonhp.judsoncollege.edu:1389/cn=basic,cn=camSignons,cn=Judson,cn=Authentication Data,o=Cognos,c=CA?cn?
> require valid-user
> order allow,deny
> allow from all
> </Directory>
>
> <Directory /opt/apache/cosign/html/services>
> CosignProtected On
> Options ExecCGI
> AllowOverride None
> order allow,deny
> allow from all
> </Directory>
>
> Alias /weblogin/ /opt/apache/cosign/html/
> CosignProtected On
> CosignHostname judsonhp.judsoncollege.edu
> CosignRedirect https://judsonhp.judsoncollege.edu/weblogin/
> CosignPostErrorRedirect https://judsonhp.judsoncollege.edu/weblogin/post_error.html
> CosignService cosign
> CosignCrypto /opt/apache/cosign/CA/ca.key /opt/apache/cosign/CA/ca.crt /opt/apache/cosign/CA
> </VirtualHost>
>
> I was also getting an unknown ca error for awhile, but it went away, I believe, when I changed the perms on the CA directory to 777. Either that or I have somehow taken a step backwards and I will hit that error again. Please note I am using the basic auth. Also, I do not have a cgi-ssl directory.
>
> Any input would be most appreciated!
>
> thanks
>
> jim
>
> -----Original Message-----
> From: johanna bromberg craig [mailto:canna@xxxxxxxxx]
> Sent: Monday, November 08, 2004 2:49 PM
> To: Goldrick, Jim
> Subject: Re: file not found error
>
> this is with basicauth, right? Here's what i believe to be a working conf :)
> On the port 80 ( 8080, in my case ) we have merely:
>
> CosignProtected Off
>
> on the :443 ( :8443 we have )
>
> <VirtualHost _default_:8443>
>
> DocumentRoot /usr/local/projects/cosign/html/
> ScriptAlias /cosign-bin/ /usr/local/projects/cosign/cgi-ssl/
> AddHandler cgi-script .cgi
> ErrorDocument 404 https://beothuk.web.itd.umich.edu:8443/
> DirectoryIndex basiccosign.cgi index.html index.php index.htm index.shtml
>
> <Directory /usr/local/projects/cosign/html/>
> Options ExecCGI
> AuthUserFile /usr/local/users/canna/.htpasswd
> AuthName "Demasduit's Dream"
> AllowOverride All
> AuthType Basic
> CosignProtected Off
> </Directory>
>
> CosignHostname weblogin.umich.edu
> CosignRedirect https://weblogin.umich.edu/
> CosignPostErrorRedirect http://www.umich.edu/~canna
> CosignService jojo
> CosignCrypto /usr/local/etc/apache/certs/beothuk.key /usr/local/etc/apache/certs/beothuk.cert /usr/local/etc/apache/certs
>
> CosignProtected On
>
> something like that.
>
> maybe you can send cosign@xxxxxxxxx your httpd.conf and we can check it out
>
> -J
>
> On Nov 4, 2004, at 6:10 PM, Goldrick, Jim wrote:
>
>> I'm still getting the same errors. One thing, I never get prompted for any type of authentication. Can someone send me an example of their http.conf/access.conf file that pertains to Cosign (Directory's and Virtual hosts)? It seems like a configuration problem, but I sure can't find it.
>>
>> thanks!
>>
>> jim
>>
>> -----Original Message-----
>> From: Goldrick, Jim
>> Sent: Wednesday, November 03, 2004 5:18 PM
>> To: 'cosign-discuss@xxxxxxxxx'
>> Subject: file not found error
>>
>> Hi,
>>
>> Since this is a different issue, I thought I would open a new post.
>> When trying to connect to https://judsonhp.judsoncollege.edu:444/index.html, which is my doc root that I have set for cosign, the browser hangs and I get this in my syslog:
>>
>> Nov 3 16:59:06 judsonhp cosignd[9620]: connect: 10.100.0.142
>> Nov 3 16:59:06 judsonhp cosignd[9620]: service_to_login: cosign-cosign=4tWOHyU+IzH9Usx+QfgsVwOCrtO0EHsPFjtUaKPx80TdhemR2ld8yA9rcsX4IDUU15s1sztTyvMOfv50Es7-ML-ZIY3j1OLCC8SdKdq+7FZJoqRh8wgMjtXC43v9: No such file or directory
>> Nov 3 16:59:06 judsonhp cosignd[9612]: service_to_login: cosign-cosign=+0QwqH3jF8DFbplXVjr3gNKIMaDsU0B+W2ArWpBZPGGtnzOKYX0CjuE88QtIoDgsIp6b1lVJJ47o6ZQcGABBt-CYkpAa-F2EAzejAGJnFicEg11BCz0ifSxK7q8g: No such file or directory
>> Nov 3 16:59:07 judsonhp cosignd[9613]: service_to_login: cosign-cosign=DGzMJLgevfaJBAtWQdLx+Yo7QkI6KWF9aFueZ3s1jwXo9Usdk6nkYLfBAaoeUP+eSVgsSnJxLriwYU7owBnKAm4nxIi3Bs8JwgwAznkK2ZPB-r1P1g6NmOF+uwdh: No such file or directory
>> syslog.log: END
>>
>> and this in my apache error_log (I assume because the file is not found):
>>
>> choose another connection: 533 CHECK: cookie not in db!
>> choose another connection: 533 CHECK: cookie not in db!
>> choose another connection: 533 CHECK: cookie not in db!
>> choose another connection: 533 CHECK: cookie not in db!
>> choose another connection: 533 CHECK: cookie not in db!
>> choose another connection: 533 CHECK: cookie not in db!
>> choose another connection: 533 CHECK: cookie not in db!
>>
>> What file is the error referring to? I have the html and templates directories setup in /opt/apache/cosign. Where should the basicosign.cgi be? In the web root? Here is my Virtual host:
>>
>> <VirtualHost judsonhp.judsoncollege.edu:444>
>> ServerName judsonhp.judsonocollege.edu
>> DocumentRoot /opt/apache/carsi-test/share/htdocs/
>> ScriptAlias /cgi-bin/ /opt/apache/carsi-test/share/cgi-bin/
>> Alias /images/ /opt/apache/images/
>> SSLEngine on
>> SSLCertificateFile /opt/apache/xxx/xxxxxx/xxxxxx.xxx
>> SSLCertificateKeyFile /opt/apache/xxx/xxxxxxx/xxxxx.xxxx
>> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
>> downgrade-1.0 force-response-1.0
>>
>> CosignProtected On
>> CosignHostname acadinfo.judsoncollege.edu
>> CosignRedirect /weblogin/
>> CosignPostErrorRedirect /weblogin/post_error.html
>> CosignService cosign
>> CosignCrypto /opt/apache/xxxxxx/xxxxxxx/cakey /opt/apache/xxxxxx/xxxxxx/ca /opt/apache/xxxxxxxx/xxxxxxxx
>>
>> </VirtualHost>
>>
>> Here is the doc root directory:
>>
>> #this is so the cosign login will run from / of DocRoot
>> <Directory /opt/apache/carsi-test/share/htdocs>
>> DirectoryIndex basiccosign.cgi index.html
>> AddHandler cgi-script .cgi
>> AllowOverride None
>> Options FollowSymLinks ExecCGI
>> order deny,allow
>> allow from all
>> AuthType Basic
>> AuthName "Faculty Access"
>> AuthLDAPURL ldap://judsonhp.judsoncollege.edu:1389/cn=basic,cn=camSignons,cn=Judson,cn=Authentication Data,o=Cognos,c=CA?cn?
>> require valid-user
>> <Files *.css>
>> order allow,deny
>> allow from all
>> </Files>
>> <Files *.js>
>> order allow,deny
>> allow from all
>> </Files>
>>
>> So I am not quite sure what to do. The acadinfo.judsoncollege.edu hostname is just a virtual ip for the judsonhp host. If I remove the cosign settings in the virtual host, I can get to the index.html after authenticating.
>>
>> FYI, I am using a self-signed cert.
>>
>> thanks much!
>>
>> Jim Goldrick
>> Judson College
>> 573-335-7074
>> jgoldrick@xxxxxxxxxxxxxxxxx
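
The ordering advice in the thread above (all Cosign setup directives before the first "CosignProtected On", line number wise) and the CA directory set to 777 can both be checked mechanically. This is an added example, not part of the original messages or of the cosign project's code: the function names and the condensed sample configurations are constructed here, and the line-order rule is taken from the reply, not from the module's own parser.

```python
import os
import stat

# Directives that tell the filter how to reach the weblogin server.
SETUP = ("cosignhostname", "cosignredirect", "cosignposterrorredirect",
         "cosignservice", "cosigncrypto")

# Constructed samples, condensed from the two configurations in the thread.
CRYPTO = "CosignCrypto /opt/apache/cosign/CA/ca.key /opt/apache/cosign/CA/ca.crt /opt/apache/cosign/CA"
BEFORE = f"""<Directory /opt/apache/cosign/html/services>
CosignProtected On
</Directory>
CosignProtected On
CosignHostname judsonhp.judsoncollege.edu
CosignRedirect https://judsonhp.judsoncollege.edu/weblogin/
CosignService cosign
{CRYPTO}
"""
AFTER = f"""CosignHostname judsonhp.judsoncollege.edu
CosignRedirect https://judsonhp.judsoncollege.edu/
CosignService cosign
{CRYPTO}
CosignProtected On
"""

def lint_cosign_conf(conf_text):
    """Return (findings, key_path) for one httpd.conf fragment."""
    findings, first_on, key_path = [], None, None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith(("#", "<")):
            continue  # blank line, comment or section tag
        name = words[0].lower()
        if name == "cosignprotected" and words[1:] and words[1].lower() == "on":
            first_on = first_on or no  # remember only the first one
        elif name in SETUP:
            if name == "cosigncrypto" and len(words) > 1:
                key_path = words[1]  # first argument is the private key
            if first_on:
                findings.append((no, f"{words[0]} follows 'CosignProtected On' (line {first_on})"))
    return findings, key_path

def loose_modes(key_path):
    """Key file others can access; its directory if others can write to it."""
    checks = ((key_path, 0o007), (os.path.dirname(key_path) or ".", 0o002))
    return [p for p, bits in checks if stat.S_IMODE(os.stat(p).st_mode) & bits]

if __name__ == "__main__":
    print(lint_cosign_conf(BEFORE)[0], lint_cosign_conf(AFTER)[0])
```

Pass the key path returned by `lint_cosign_conf` to `loose_modes` on the web server itself; an empty list means the key is not exposed to other local users and its directory is not world-writable.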