OAuth redirection doesn't recognize certificate


Florent Thomas

Jan 7, 2018, 7:35:59 PM
to CAS Community
Hello everyone,

Happy new year.

I have an issue with proxying that I haven't been able to find a solution to.

I'm running the latest 5.2 Gradle overlay and have an Apache reverse proxy in front of the CAS instance.

WAN <==> FRONT (HTTPS) <==> CAS (AJP)

The SSL is provided by Let's Encrypt. I made a keystore, added the cert into the keystore and then added it into my CAS server.
(Thanks to https://maximilian-boehm.com/en-gb/blog/create-a-java-keystore-jks-from-let-s-encrypt-certificates-1884000/ and https://apereo.github.io/cas/developer/Build-Process.html#configure-ssl)

I added the certificate into the global keystore with success and checked that the cert is in both the global keystore and the one used by CAS. Both know my domain.
The /etc/hosts of my CAS instance has the domain associated with its IP.

Here is my conf:
#server.port=8080
cas.server.name: https://domain.tld
cas.server.prefix: https://domain.tld/cas

# Service declarations
cas.serviceRegistry.initFromJson=true
cas.serviceRegistry.config.location=file:/etc/cas/config

# LDAP Authentication Source

logging.config: file:/etc/cas/config/log4j2.xml

# Proxy part working with AJP reverse proxy:
# Activate the options for secure connections
# https://discuss.pivotal.io/hc/en-us/articles/202650798--Archived-How-can-Tomcat-redirect-to-a-secure-connection-when-behind-a-reverse-proxy-web-server-1037406-
cas.server.ajp.secure=true
cas.server.ajp.enabled=true
#cas.server.ajp.proxyPort=443
cas.server.ajp.protocol=AJP/1.3
cas.server.ajp.asyncTimeout=5000
cas.server.ajp.scheme=https
cas.server.ajp.maxPostSize=20971520
cas.server.ajp.port=8080
cas.server.ajp.enableLookups=false
cas.server.ajp.redirectPort=443
cas.server.ajp.allowTrace=true
cas.server.ajp.attributes.attributeName=attributeValue

# SSL
server.ssl.enabled=true

#https://apereo.github.io/cas/developer/Build-Process.html#configure-ssl
#https://github.com/apereo/cas-gradle-overlay-template#deployment
server.ssl.keyStore=file:/etc/cas/cas-auth.jks
server.ssl.keyStorePassword=11111
server.ssl.keyPassword=11111

With this conf, I succeed in using the web login directly, but I also need to use OAuth, and during the callback I get a
java.security.cert.CertificateException: No name matching
And it's really weird because all the keystores are matching my domain.tld.

Any advice / help would be appreciated.

regards



Ray Bon

Jan 8, 2018, 3:16:05 PM
to cas-...@apereo.org
Florent,

Have you added the certificate to your apache FRONT?

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Florent Thomas

Jan 8, 2018, 4:07:03 PM
to cas-...@apereo.org
Hi Ray, many thanks for your answer.
Actually, the front is the place where the certificate has been defined.
Let's Encrypt only knows my front, and I created the Java keystore on the front and then transferred everything to the other machine, CAS.
Is it a bad way to proceed?

regards


Ray Bon

Jan 8, 2018, 5:04:21 PM
to cas-...@apereo.org
If CAS is running on another machine, import the certificate there.
Make sure the java that is starting tomcat is the same as the java that is using the keytool.

Ray

Florent Thomas

Jan 14, 2018, 4:12:56 PM
to CAS Community
Hi Ray,

I redid many tests and still have the issue. To be sure, I made an Ansible script to generate my certs, etc.
I'm really struggling with the way to debug this.

In summary, here is what I've done:
* Copied all the certs from the front, which is the owner of domain.tld in the DNS registry, into the CAS VM
* In CAS, set domain.tld in my /etc/hosts file, associated with both 127.0.0.1 and the IP
* Generated a keystore with the SAN:dns option
* Converted the keystore into PKCS12
* Used parts 2 and 3 from https://maximilian-boehm.com/en-gb/blog/create-a-java-keystore-jks-from-let-s-encrypt-certificates-1884000/ to import the domain.tld Let's Encrypt cert into the CAS keystore
* Checked that the alias domain.tld is correctly in the keystore => Ok
* Exported the cert from the keystore following the https://apereo.github.io/cas/developer/Build-Process.html#configure-ssl instructions
* Checked that the alias domain.tld is present in the cacerts => Ok
* Running CAS => Ok
* Logging into CAS => Ok
* Trying to log in using the OAuth2 protocol => the redirection causes
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching 

Please be advised that with the latest JDK 8, some keytool options have to be run with -J-Duser.language=en to force the language.

Any advice or guidance will be appreciated.

regards

Florent Thomas

Jan 14, 2018, 4:54:07 PM
to CAS Community
Hi Ray,

Finally, the option was to not set /etc/hosts!
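As an added illustration (not code from this thread, from CAS or from the JDK), the following Python model reproduces the hostname check that raises the "No name matching" exception discussed above: the name verified is always the host of the URL CAS fetches for its own callback (the host of cas.server.name), while an /etc/hosts entry only decides which listener, and therefore which certificate, answers that connection. The Cert class, the sample certificates and the label rules are constructed for this example.

```python
"""Model of the hostname check behind Java's CertificateException
'No name matching <host> found'. Hypothetical illustration, not CAS/JDK code.
Rules (RFC 6125 style, as the JDK applies them): a DNS host is matched
against subjectAltName dNSName entries, an IP literal against iPAddress
entries, and the subject CN is used only when no dNSName is present.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Cert:
    """Identity fields of a leaf certificate (constructed sample data)."""
    cn: Optional[str] = None
    dns_names: List[str] = field(default_factory=list)
    ip_addrs: List[str] = field(default_factory=list)

def _dns_match(pattern: str, host: str) -> bool:
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    pl, hl = p.split("."), h.split(".")
    # Only a whole leftmost label may be a wildcard, and it matches exactly
    # one label: "*.domain.tld" covers "sso.domain.tld" but not "domain.tld".
    if pl[0] != "*" or len(pl) < 3 or len(pl) != len(hl):
        return False
    return pl[1:] == hl[1:]

def match_hostname(host: str, cert: Cert) -> bool:
    """True when the name Java checks is carried by the certificate."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:  # IP literal: only iPAddress SANs count, no CN fallback
        return any(ipaddress.ip_address(a) == ip for a in cert.ip_addrs)
    if cert.dns_names:  # any dNSName present: the CN is ignored entirely
        return any(_dns_match(p, host) for p in cert.dns_names)
    return cert.cn is not None and _dns_match(cert.cn, host)

def callback_outcome(url_host: str, cert: Cert) -> str:
    """Outcome of the OAuth callback fetch for the certificate it was served.
    With /etc/hosts pointing domain.tld at 127.0.0.1 the fetch reaches the
    local listener, but url_host (from cas.server.name) is still what is checked."""
    if match_hostname(url_host, cert):
        return "ok"
    return "No name matching " + url_host + " found"
```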