SimpleSAML_Error_Error: UNHANDLEDEXCEPTION


Andro Nacu

Dec 14, 2017, 4:29:31 PM
to simple...@googlegroups.com

Hello,

I hope someone can help me with this error. I've run into this before and usually just updating the certFingerprint (saml20--idp-remote.php) and PUBLIC_KEY_PEM (CertificatesMock.php) would fix it. This time it didn't. We have to renew our certificates this year and our ping federation group only supports providing the new certificate.

I updated the new certFingerprint and public_key_pem they provided and got this error. And this is all I recall doing the last time we got it working.


This is still new to me. Any ideas? Or anything I could be missing? Thanks!


Unhandled exception

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
0 F:\LTDComm\simplesamlphp-1.13.2\www\module.php:179 (N/A)
Caused by: SimpleSAML_Error_Exception: Unable to find a certificate matching the configured fingerprint. Candidates: '890193161b16fe653bcc54893d9dcff7479db802'; certFingerprint: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'.
Backtrace:
5 F:\LTDComm\simplesamlphp-1.13.2\modules\saml\lib\Message.php:125 (sspmod_saml_Message::findCertificate)
4 F:\LTDComm\simplesamlphp-1.13.2\modules\saml\lib\Message.php:174 (sspmod_saml_Message::checkSign)
3 F:\LTDComm\simplesamlphp-1.13.2\modules\saml\lib\Message.php:545 (sspmod_saml_Message::processAssertion)
2 F:\LTDComm\simplesamlphp-1.13.2\modules\saml\lib\Message.php:517 (sspmod_saml_Message::processResponse)
1 F:\LTDComm\simplesamlphp-1.13.2\modules\saml\www\sp\saml2-acs.php:96 (require)
0 F:\LTDComm\simplesamlphp-1.13.2\www\module.php:134 (N/A)


Here is my saml20-idp-remote configuration:


<?php
/**
 * SAML 2.0 remote IdP metadata for simpleSAMLphp.
 *
 * Remember to remove the IdPs you don't use from this file.
 *
 * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote
 */

$metadata['https://saml-preprod.domain.com'] = array(
    'name' => array(
        'en' => 'Domain PingFederate - preprod',
    ),
    'certFingerprint'      => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
);

Peter Schober

Dec 15, 2017, 4:27:00 AM
to simple...@googlegroups.com
* Andro Nacu <drd...@gmail.com> [2017-12-14 22:29]:
> I hope someone can help me with this error. I've run into this
> before and usually just updating the certFingerprint
> (saml20--idp-remote.php) and PUBLIC_KEY_PEM (CertificatesMock.php)
> would fix it.

There's no reason to mess with fingerprints ("certFingerprint").
Instead use "certificate" to reference the file with the IDP's cert in
it (or "certData" with the contents of the IDP's cert in it):
https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote#section_1

I don't know what any of the rest means, as "PUBLIC_KEY_PEM" (or
"public_key_pem" as you write further below) are not valid
SimpleSAMLphp configuration directives, and "CertificatesMock.php" is
not something distributed by SimpleSAMLphp.

> And this is all I recall doing the last time we got it working.
> This is still new to me. Any ideas? Or anything I could be missing? Thanks!

If in doubt start with the documentation, e.g.:
https://simplesamlphp.org/docs/stable/simplesamlphp-sp
https://simplesamlphp.org/docs/stable/saml:keyrollover

-peter

Jaime Perez Crespo

Dec 15, 2017, 4:44:24 AM
to SimpleSAMLphp
Hi Andro,

On 14 Dec 2017, at 22:29 PM, Andro Nacu <drd...@gmail.com> wrote:
> Hello,
>
> I hope someone can help me with this error. I've run into this before and usually just updating the certFingerprint (saml20--idp-remote.php) and PUBLIC_KEY_PEM (CertificatesMock.php) would fix it.

You don’t need to touch the CertificatesMock.php file. That’s an automated test and it’s definitely not intended to be modified. Why did you end up modifying it?

> This time it didn't. We have to renew our certificates this year and our ping federation group only supports providing the new certificate.
>
> I updated the new certFingerprint and public_key_pem they provided and got this error. And this is all I recall doing the last time we got it working.

You shouldn’t use the “certFingerprint” configuration option either. It’s deprecated and will go away in the future. Instead, just put the pem you are provided with in the “certs” directory and set the “certificate” configuration option to point to that file.


Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
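
The error in the first message compares the configured certFingerprint with a "Candidates" value taken from the signed response. The following is an added example, not part of the thread or of SimpleSAMLphp: a check that the PEM handed over by the IdP operators is the certificate that signed the response, before referencing it through "certificate". It assumes the fingerprint is the SHA-1 hex digest of the DER-encoded certificate, as the 40-hex-digit candidate suggests; all function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed sample: placeholder bytes wrapped as PEM, not a real X.509 certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    # Remove line breaks and reject anything that is not valid base64.
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def fingerprint(pem: str) -> str:
    """Lowercase SHA-1 hex digest of the DER certificate (assumed scheme)."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest()

def normalize(fp: str) -> str:
    """Drop colons and whitespace and lowercase, so 'AB:CD' equals 'abcd'."""
    return re.sub(r"[:\s]", "", fp).lower()

def diagnose(pem: str, configured: str, candidates: list) -> str:
    """Say which side of the failed comparison is out of date."""
    have = fingerprint(pem)
    cands = {normalize(c) for c in candidates}
    if normalize(configured) in cands:
        return "match: configured fingerprint equals the signing certificate"
    if have in cands:
        return "stale config: the PEM matches the response, the configured value does not"
    return "wrong certificate: the PEM is not the one that signed the response"

if __name__ == "__main__":
    # Candidate list as it would be copied from the error message (constructed here).
    candidate = fingerprint(SAMPLE_PEM)
    print(diagnose(SAMPLE_PEM, "00" * 20, [candidate]))
```

A "wrong certificate" result means the IdP is signing with a different certificate than the one supplied, which no change on the SP side will fix.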
