[cas-user] Shib/CAS integration - Shib CAS Client Error - No subject alternative DNS name matching <servername> found.


Brad Rippe

Oct 30, 2013, 12:57:29 PM
to cas-...@lists.jasig.org
Here's my error:

java.security.cert.CertificateException: No subject alternative DNS name matching <servername> found.
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <servername> found.
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.7.0_45]
        ...more...
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching <servername> found.
        at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:191) ~[na:1.7.0_45]
        at sun.security.util.HostnameChecker.match(HostnameChecker.java:93) ~[na:1.7.0_45]
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:347) ~[na:1.7.0_45]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:203) ~[na:1.7.0_45]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126) ~[na:1.7.0_45]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323) ~[na:1.7.0_45]

I understand that this is due to the cert CN not matching the host name. 

My situation is the following: we are trying to load balance on two CAS servers: cas1 and cas2. We have an ssl cert signed for the virtual host, <whatever>.domain.edu, which is placed on each of our cas servers. When Shib redirects to CAS, <whatever>.domain.edu, I get the login page and submit it, then I go back to Shib and get an error. In the shib logs is the above stacktrace. I've checked the cas.properties on each server and all looks good (set to the virtual host). I'm running CAS 3.4.12 and CAS client 3.2.1.
 
Any recommendations around this issue? Thanks!

Brad Rippe
IT Project Leader
North Orange County Community College District
(714) 808-4872
bri...@nocccd.edu
-- 
You are currently subscribed to cas-...@lists.jasig.org as: jasig-cas-user...@googlegroups.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

Marvin S. Addison

Oct 30, 2013, 1:28:11 PM
to cas-...@lists.jasig.org
> My situation is the following: we are trying to load balance on two CAS
> servers: cas1 and cas2. We have an ssl cert signed for the virtual host,
> <whatever>.domain.edu, which is placed on each of
> our cas servers.

I'm a little unclear on your setup; presumably you're following
https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration. In that
case you should note that connections from your CAS client (Shib in this
case) are back channel calls. You MUST configure the CAS client such
that the virtual host is the target of ticket validation attempts.
You'll also need to ensure that you're using a suitable HA ticket
registry since these connections are sourced differently and may hit a
different host from what the user hit with the browser.

If you continue to have trouble, perform an SSL trace [1] and note the
CN of the presented certificate. That should help indicate the source of
your configuration problem.

M

[1]
https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide
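The stack trace in the original question and the advice above both turn on one detail of how the JDK 7 client checks a server certificate: when the certificate carries dNSName entries in subjectAltName, only those entries are compared with the host the client connected to, and the subject CN is consulted only when the certificate has no dNSName at all. The message "No subject alternative DNS name matching ... found" is the first branch; a CN-only certificate that fails gives "No name matching ... found" instead. The following Python script is an added illustration written for this thread, not code from CAS, Shibboleth or the JDK; it takes a certificate in the dict layout that Python's ssl.SSLSocket.getpeercert() returns, applies the same two-stage rule with the same single-label wildcard semantics, and is run against three constructed sample certificates (the host names and names in them are made up).

```python
"""Hostname verification the way the JDK 7 HostnameChecker does it.

Added illustration for the thread above; not code from CAS, Shibboleth or
the JDK. It takes a certificate in the dict form Python's
ssl.SSLSocket.getpeercert() returns and applies the same two-stage rule:
dNSName SAN entries win, and the subject CN is only consulted when the
certificate has no dNSName SAN at all.
"""


class CertificateError(Exception):
    """Stands in for java.security.cert.CertificateException here."""


def _dns_name_matches(template: str, hostname: str) -> bool:
    """Case-insensitive match of one certificate name against a host name.

    A wildcard is honoured only as the whole leftmost label ("*.domain.edu")
    and matches exactly one label, so "*.domain.edu" covers
    "cas1.domain.edu" but neither "domain.edu" nor "a.b.domain.edu".
    """
    template = template.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in template:
        return template == hostname
    head, sep, tail = template.partition(".")
    if head != "*" or not sep or "*" in tail:
        return False  # wildcard not alone in the leftmost label
    host_head, host_sep, host_tail = hostname.partition(".")
    return bool(host_head and host_sep and host_tail == tail)


def check_identity(hostname: str, cert: dict) -> str:
    """Return the certificate name that matched, or raise CertificateError."""
    san_dns = [value for kind, value in cert.get("subjectAltName", ())
               if kind.upper() == "DNS"]
    if san_dns:
        # dNSName entries exist: the CN is never looked at from here on.
        for name in san_dns:
            if _dns_name_matches(name, hostname):
                return name
        raise CertificateError(
            f"No subject alternative DNS name matching {hostname} found.")
    # Legacy fallback: no dNSName SAN present, so compare the subject CN.
    cn_values = [value for rdn in cert.get("subject", ())
                 for key, value in rdn if key == "commonName"]
    for cn in cn_values:
        if _dns_name_matches(cn, hostname):
            return cn
    raise CertificateError(f"No name matching {hostname} found.")


def explain(hostname: str, cert: dict) -> str:
    """One-line verdict suitable for a log message; never raises."""
    try:
        return f"OK: {hostname} matched {check_identity(hostname, cert)}"
    except CertificateError as exc:
        return f"FAIL: {exc}"


# Constructed sample certificates in getpeercert() layout (made-up names).
# SAN lists the virtual host plus a wildcard; the CN names one real node.
VHOST_CERT = {
    "subject": ((("commonName", "cas1.domain.edu"),),),
    "subjectAltName": (("DNS", "cas.domain.edu"), ("DNS", "*.domain.edu")),
}
# Only dNSName is the virtual host: a matching CN does not rescue it.
SAN_ONLY_CERT = {
    "subject": ((("commonName", "cas1.domain.edu"),),),
    "subjectAltName": (("DNS", "cas.domain.edu"),),
}
# Old-style certificate with no SAN extension at all, so the CN is used.
CN_ONLY_CERT = {
    "subject": ((("commonName", "cas1.domain.edu"),),),
}

if __name__ == "__main__":
    for host, cert in [("cas.domain.edu", VHOST_CERT),
                       ("cas1.domain.edu", SAN_ONLY_CERT),
                       ("cas1.domain.edu", CN_ONLY_CERT)]:
        print(explain(host, cert))
```

The SAN_ONLY_CERT case reproduces the situation the error describes: the client validated the ticket against a node name (or was handed a node's certificate) while the only dNSName on the certificate is the virtual host, and the matching CN does not help. Comparing the name the client actually connects to for ticket validation with the dNSName entries seen in an SSL trace is the check to make.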