[Shib-Users] Problem with Tomcat SSL Certificate


Ravi Verma

Oct 23, 2010, 11:48:13 AM
to shibbole...@internet2.edu
Dear Friends,

After several days of trying to resolve this, I have come to you for your help.

2010-10-23 08:34:36 ERROR Shibboleth.AttributeResolver.Query [19]: exception during SAML query to https://idp.telecommand.com:8443/idp/profile/SAML2/SOAP/AttributeQuery: CURLSOAPTransport failed while contacting SOAP endpoint (https://idp.telecommand.com:8443/idp/profile/SAML2/SOAP/AttributeQuery): SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2010-10-23 08:34:36 ERROR Shibboleth.AttributeResolver.Query [19]: unable to obtain a SAML response from attribute authority

I have checked that https://idp.telecommand.com:8443/ is available. Of course, I am using a self-signed certificate for https://idp.telecommand.com:8443/. I guess I have to let the SP know of the Tomcat certificate. I am not able to figure out from the documentation in which file I should put the certificate. Do I need to put it in the idp-metadata.xml? If I do, what is the format?

I appreciate your help.

--
Ravi Verma
Telecommand Software and Services
5401 Wesley Road
Rocklin, CA 95765
Phone:9167053261
Fax:9169142008
www.telecommand.com

Tom Scavo

Oct 23, 2010, 11:52:48 AM
to shibbole...@internet2.edu
On Sat, Oct 23, 2010 at 10:48 AM, Ravi Verma <ravi....@telecommand.com> wrote:
>
> 2010-10-23 08:34:36 ERROR Shibboleth.AttributeResolver.Query [19]: exception
> during SAML query to
> https://idp.telecommand.com:8443/idp/profile/SAML2/SOAP/AttributeQuery:
> CURLSOAPTransport failed while contacting SOAP endpoint
> (https://idp.telecommand.com:8443/idp/profile/SAML2/SOAP/AttributeQuery):
> SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
> 2010-10-23 08:34:36 ERROR Shibboleth.AttributeResolver.Query [19]: unable to
> obtain a SAML response from attribute authority

Just do a google search for

shibboleth "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"

The first link will guide you to shib wiki where this issue is diagnosed.

Tom

Chad La Joie

Oct 23, 2010, 11:56:26 AM
to shibbole...@internet2.edu
The SP gets information about the IdP from the metadata loaded by the
SP. So wherever the SP is getting its metadata, you need to make sure
that source has the correct information (including certificate) for your
IdP.

> www.telecommand.com <http://www.telecommand.com>

--
Chad La Joie
http://itumi.biz
trusted identities, delivered

Ravi Verma

Oct 23, 2010, 12:01:42 PM
to shibbole...@internet2.edu
Thank you Chad,

That is my question. I have the idp-metadata.xml loaded in the SP. The idp-metadata.xml has the IdP key. The SP is able to recognize my IdP instance and forward the requests to the IdP.

My question is: Where do I put the certificate that I have generated for Tomcat SSL? Of course, I am guessing that the SP is complaining because it does not recognize the Tomcat certificate.

Right now, idp-metadata.xml has the idp.crt but not Tomcat cert.

I appreciate your help.

Regards.
--
Ravi Verma
Chief Executive Officer

Peter Schober

Oct 25, 2010, 7:42:39 AM
to shibbole...@internet2.edu
* Ravi Verma <ravi....@telecommand.com> [2010-10-23 18:02]:

> Right now, idp-metadata.xml has the idp.crt but not Tomcat cert.

The error you sent was specific to an attribute query on port
8443. For this port there is no "Tomcat cert", there is only the
IdP's.
While there probably also is an SSL cert for HTTPS on port 443 (which
could be called "Tomcat cert" if Tomcat handles HTTPS in your
deployment, I suppose) which is not covered in the Shibboleth
documentation, this has nothing to do with the error at hand.

If you install from the official documentation there is nothing extra
(i.e., outside of the documentation) you need to do. If you don't
follow the documentation, you seem to know better and it's then up to
you how to deal with this.
If the instructions are unclear, please point out which part
specifically is unclear.
By default the IdP creates the necessary certificates and also puts
the correct cert inside metadata/idp-metadata.xml.
The documentation has specific instructions on how to prepare your
container. For Apache Tomcat this is
https://spaces.internet2.edu/display/SHIB2/IdPApacheTomcatPrepare
-peter
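Chad's and Peter's replies both come down to the same check: on the attribute-query port the certificate the SP must see is the IdP's own, i.e. the one published in the IdP's metadata, not whatever the servlet container uses for port 443. The script below is an added diagnostic, not code from this thread or from the Shibboleth project. It pulls every ds:X509Certificate out of the md:KeyDescriptor elements of a metadata file and compares them, byte for byte, with the leaf certificate an endpoint actually serves, so you can tell whether the SOAP endpoint is presenting the metadata cert or a stray container certificate. The entityID, hostnames and the "DER" blobs in the embedded sample metadata are constructed stand-ins (they are not real certificates); the live-check mode at the bottom takes a metadata path, host and port on the command line.

```python
import base64
import hashlib
import socket
import ssl
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def certs_from_metadata(xml_text, use=None):
    """Return [(use, der_bytes), ...] for every ds:X509Certificate inside an
    md:KeyDescriptor.  `use` narrows to "signing" or "encryption"; a
    KeyDescriptor without a use attribute applies to both and is always kept."""
    root = ET.fromstring(xml_text)
    found = []
    for kd in root.iter("{%s}KeyDescriptor" % MD_NS):
        kd_use = kd.get("use")
        if use is not None and kd_use not in (None, use):
            continue
        for cert in kd.iter("{%s}X509Certificate" % DS_NS):
            # Metadata wraps the base64 across lines; strip all whitespace first.
            b64 = "".join((cert.text or "").split())
            found.append((kd_use, base64.b64decode(b64)))
    return found


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate as a hex string."""
    return hashlib.sha256(der).hexdigest()


def fetch_presented_cert(host, port, timeout=10):
    """Return the DER leaf certificate an endpoint presents.  Verification is
    switched off deliberately: we are diagnosing a verify failure, so a chain
    check would just reproduce the error instead of showing what was served."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def diagnose(metadata_certs, presented_der):
    """Compare what the endpoint served with what the metadata promises."""
    matching_uses = [use or "signing+encryption"
                     for use, der in metadata_certs if der == presented_der]
    return {
        "presented_sha256": fingerprint(presented_der),
        "metadata_sha256": [fingerprint(der) for _, der in metadata_certs],
        "matches_metadata": bool(matching_uses),
        "matching_uses": matching_uses,
    }


# Constructed sample input: opaque stand-ins for DER, not real certificates.
IDP_SIGNING_DER = b"constructed-stand-in-for-the-IdP-signing-certificate-DER"
IDP_ENC_DER = b"constructed-stand-in-for-the-IdP-encryption-certificate-DER"
TOMCAT_DER = b"constructed-stand-in-for-a-self-signed-Tomcat-certificate"


def _wrap_b64(der):
    text = base64.b64encode(der).decode()
    return "\n".join(text[i:i + 64] for i in range(0, len(text), 64))


SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:AttributeAuthorityDescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
%s
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
%s
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>
""" % (MD_NS, DS_NS, _wrap_b64(IDP_SIGNING_DER), _wrap_b64(IDP_ENC_DER))


if __name__ == "__main__":
    certs = certs_from_metadata(SAMPLE_METADATA)
    print("offline, IdP cert served:   ", diagnose(certs, IDP_SIGNING_DER))
    print("offline, Tomcat cert served:", diagnose(certs, TOMCAT_DER))
    if len(sys.argv) == 4:  # live check: script.py idp-metadata.xml host port
        with open(sys.argv[1], encoding="utf-8") as fh:
            live = certs_from_metadata(fh.read())
        print(diagnose(live, fetch_presented_cert(sys.argv[2], int(sys.argv[3]))))
```

If the live check reports `matches_metadata: False` against the 8443 endpoint, the container is serving something other than the certificate the SP has been told to trust, which is exactly the situation Peter describes; fix the container's TLS configuration for that port (the IdPApacheTomcatPrepare page linked above) rather than adding the container cert to the SP. One caveat on the comparison: the SP's explicit-key trust is a key comparison, so a re-issued certificate carrying the same public key would still be accepted even though this byte-level check reports a mismatch; treat a mismatch as a strong hint, and compare public keys if you have recently rolled certificates.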
