Multiple different test sites?


Jelmer

May 31, 2018, 4:16:52 AM
to eID Middleware
What's the difference between http://www.test.eid.belgium.be and https://iamapps.belgium.be/tma/ ?

My setup works with the `iamapps` domain but not the `test.eid` domain. (Safari 11.1 on macOS 10.13.4) Error I'm getting with the test.eid domain: "Server did not accept the certificate." AFAIK the correct certificate is being sent.
Chrome doesn't work at all, but I guess that's still related to this bug: https://github.com/Fedict/eid-mw/issues/55

I can log in to government websites like https://eservices.minfin.fgov.be/ but not into other services like https://my.azjanportaels.be/patientportal-login-azjp/ (also complains there is no certificate found, even though I selected the correct one and used my pin to read it from the eID).

Is this a problem on my side or the server side?


Frederik Vernelen

May 31, 2018, 4:20:55 AM
to eid...@googlegroups.com
Hello Jelmer,

https://iamapps.belgium.be/tma/ is our current official test site, which does an authentication that is equivalent to a real authentication on the FAS (Federal Authentication Server).

http://www.test.eid.belgium.be is our former test site, it does not do any OCSP check, and it is currently meant for internal use only. 
(it has different settings, and might as well be missing (the most recent) intermediate certificates in its trust list, therefore rejecting your authentication certificate).

As you can log on to government websites (using the FAS) your problem is server side.

The server problem might be that Safari on macOS 10.13 is not sending the entire certificate chain, but only your leaf certificate,
where most browsers send the entire chain.
If they build the certificate chain on the server, or e.g. they add the intermediate certificates (citizen and foreigner CAs to be found at https://certs.eid.belgium.be) to their trusted certificates list,
the server should be able to verify your authentication certificate.

Wkr,
 Frederik
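
The three situations in the reply above (leaf only against a root-only trust list, leaf only against a trust list that includes the intermediate CA, and a client that sends the chain) can be reproduced offline with the openssl CLI. This is an added example, not part of the original thread: the PKI, names and files are constructed, and `server_accepts` is a hypothetical stand-in for a server's client-certificate check.

```shell
#!/bin/sh
# Constructed PKI: Demo Root -> Demo Citizen CA -> client authentication cert.
# Every name and file here is made up; needs the openssl CLI (1.1.1 or later).

issue() {  # $1=dir $2=name $3=CN $4=issuer name $5=extension section
  openssl req -new -newkey rsa:2048 -nodes -config "$1/cfg" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -set_serial 1 -days 2 -extfile "$1/cfg" -extensions "$5" \
    -out "$1/$2.pem" 2>/dev/null
}

build_pki() {  # $1 = empty working directory
  cat > "$1/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config "$1/cfg" -extensions ca \
    -subj "/CN=Demo Root" -days 2 -keyout "$1/root.key" -out "$1/root.pem" \
    2>/dev/null &&
  issue "$1" int "Demo Citizen CA" root ca &&
  issue "$1" leaf "Demo Citizen (Authentication)" int leaf &&
  cat "$1/root.pem" "$1/int.pem" > "$1/root+int.pem"
}

# Hypothetical server-side check.
# $1 = trust store, $2 = client leaf, $3 = chain sent by the client (optional)
server_accepts() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

report() { if server_accepts "$@"; then echo accept; else echo reject; fi; }
d=$(mktemp -d) && build_pki "$d"
echo "leaf only, trust = root:          $(report "$d/root.pem" "$d/leaf.pem")"
echo "leaf only, trust = root + int CA: $(report "$d/root+int.pem" "$d/leaf.pem")"
echo "leaf + chain, trust = root:       $(report "$d/root.pem" "$d/leaf.pem" "$d/int.pem")"
```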


Jelmer

May 31, 2018, 10:36:29 AM
to eID Middleware
Thanks for the explanation Frederik, this clarifies things. 
Might be an idea to make the old test site inaccessible from outside, since there's still a good amount of guides linking to it. It could confuse users with a working setup. (like me)

 Best,
Jelmer


Frederik Vernelen

Jun 1, 2018, 4:00:14 AM
to eid...@googlegroups.com
Hello Jelmer,

Thanks for your idea,
it is indeed already planned to move the old test server, and have the old URL redirect towards the tma test site.

Wkr,
 Frederik
