I am trying to access the https://[my domain]/Shibboleth.sso/Metadata to test my set up and the Shibboleth prints out to the browser the following error message:
Metadata Request Failed
The logs print out the following error messages:
2011-05-04 08:49:33 ERROR XMLTooling.libcurl.InputStream : error while fetching https:// [my domain]/idp-metadata.xml: (59) Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
2011-05-04 08:49:33 ERROR XMLTooling.ParserPool : fatal error on line 0, column 0, message: internal error in NetAccessor
2011-05-04 08:49:33 ERROR OpenSAML.MetadataProvider.XML : error while loading resource (https:// [my domain]/idp-metadata.xml): XML error(s) during parsing, check log for specifics
2011-05-04 08:49:33 WARN OpenSAML.MetadataProvider.XML : adjusted reload interval to 0 seconds
2011-05-04 08:49:33 CRIT Shibboleth.Application : error initializing MetadataProvider: XML error(s) during parsing, check log for specifics
I did a search on the forums and net and the only thing that comes back is one forum post/response that suggests that 8443 is not open. I have configured 8443 to be open on Tomcat.
Any suggestions?
Thanks,
Tommty
And I just found this one->
http://marc.info/?l=shibboleth-users&m=125138606601444&w=2
But there is no firewall blocking it.
>I am trying to access the
>https://[my domain]/Shibboleth.sso/Metadata
><https://[my%20domain]/Shibboleth.sso/Metadata> to test my set up and the
>Shibboleth prints out to the browser the following error message:
>Metadata Request Failed
>The logs print out the following error messages:
>2011-05-04 08:49:33 ERROR XMLTooling.libcurl.InputStream : error while
>fetching https:// [my domain]/idp-metadata.xml: (59) Unknown cipher in
>list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
That isn't why. That's unrelated and is probably because you're using Red
Hat 6 and ignored the big warning message about having to use a different
libcurl that's on the RPM documentation page.
-- Scott
What happened to simply loading the metadata from the filesystem
(which has been pointed out to you now several times)?
-peter
-- Scott
-----Original Message-----
From: shibboleth-u...@internet2.edu [mailto:shibboleth-u...@internet2.edu] On Behalf Of Peter Schober
Sent: Wednesday, May 04, 2011 10:08 AM
To: shibbole...@internet2.edu
This message contains Devin Group confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
It's been somewhat unclear to me whether installing shibboleth pulls in
the replacement for libcurl, but based on the message, you probably don't
have it. It's easy enough to tell, just look and see which package is
installed.
-- Scott
-----Original Message-----
From: shibboleth-u...@internet2.edu [mailto:shibboleth-u...@internet2.edu] On Behalf Of Cantor, Scott E.
Sent: Wednesday, May 04, 2011 10:32 AM
To: shibbole...@internet2.edu
Subject: Re: [Shib-Users] ERROR XMLTooling.libcurl.InputStream : error while fetching metadata.xml Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
-- Scott
So if we installed Shibboleth on Red Hat 6 and have not upgraded Red Hat and still don't have the correct libcurl package where do we get it and what version?
Thanks.
That isn't a package name, it's a library soname.
> But I don't see a "correct libcurl package version" mentioned on the
>docs page to compare it against.
libcurl-openssl or some such.
-- Scott
$ rpm -qa libcurl-openssl
Redhat's package is called libcurl, the one provided by Scott/by the
Shibboleth project (linked against openssl) is called libcurl,
-peter
Fsck. "the one provided by Scott/by the Shibboleth project is called
libcurl-openssl", of course.
-peter
But when I log directly onto the server and perform a
curl -k https://localhost/Shibboleth.sso/Status
I still get
curl: (35) error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
When I look in /var/log/shibboleth/shibd.log I see
2011-05-04 12:49:00 ERROR XMLTooling.libcurl.InputStream : error while fetching https://[my domain]/idp/idp-metadata.xml: (22) SSL: certificate subject name 'localhost.localdomain' does not match target host name '[my domain]'
2011-05-04 12:49:00 ERROR XMLTooling.ParserPool : fatal error on line 0, column 0, message: internal error in NetAccessor
2011-05-04 12:49:00 ERROR OpenSAML.MetadataProvider.XML : error while loading resource (https://[my domain]/idp/idp-metadata.xml): XML error(s) during parsing, check log for specifics
2011-05-04 12:49:00 WARN OpenSAML.MetadataProvider.XML : adjusted reload interval to 0 seconds
2011-05-04 12:49:00 CRIT Shibboleth.Application : error initializing MetadataProvider: XML error(s) during parsing, check log for specifics
-----Original Message-----
From: shibboleth-u...@internet2.edu [mailto:shibboleth-u...@internet2.edu] On Behalf Of Peter Schober
Sent: Wednesday, May 04, 2011 10:51 AM
To: shibbole...@internet2.edu
Subject: Re: [Shib-Users] ERROR XMLTooling.libcurl.InputStream : error while fetching metadata.xml Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
On 5/4/11 12:53 PM, Tommy Peterson wrote:
> 2011-05-04 12:49:00 ERROR XMLTooling.libcurl.InputStream : error while fetching https://[my domain]/idp/idp-metadata.xml: (22) SSL: certificate subject name 'localhost.localdomain' does not match target host name '[my domain]'
> 2011-05-04 12:49:00 ERROR XMLTooling.ParserPool : fatal error on line 0, column 0, message: internal error in NetAccessor
> 2011-05-04 12:49:00 ERROR OpenSAML.MetadataProvider.XML : error while loading resource (https://[my domain]/idp/idp-metadata.xml): XML error(s) during parsing, check log for specifics
>
I'd just venture a guess that your IdP is using a cert with DN
"localhost.localdomain", and is failing the SP's curl check against the
domain name when it attempts to load the metadata from the URL at the
IdP. This is just a basic SSL/TLS config issue on your IdP.
Well, that has nothing to do with the SP (or the log error). You're
talking to Apache with curl.
Also, curl itself is in a different package that might not have been
overridden (curl-openssl, not libcurl-openssl). The SP doesn't use curl,
only libcurl. If you intend to use curl, then you'd best use the one that
matches.
-- Scott
-----Original Message-----
From: shibboleth-u...@internet2.edu [mailto:shibboleth-u...@internet2.edu] On Behalf Of Brent Putman
Sent: Wednesday, May 04, 2011 1:11 PM
To: shibbole...@internet2.edu
Subject: Re: [Shib-Users] ERROR XMLTooling.libcurl.InputStream : error while fetching metadata.xml Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
>But I'm using -k with curl which ignores the SSL stuff.
It ignores the certificate. Since that isn't the error...
> I mean if you browse a page like that you can accept the exception and
>move on in to the page. -k does that for you at the command line unless
>I'm missing something.
You can ignore what I said, but the fact remains that it has nothing to do
with the SP in any case. An SSL connection between curl and Apache does
not involve the SP, period.
I told you what would probably fix it. And Brent told you how to fix the
other problem.
-- Scott
Looking around the internet I see the following when I search and look for libcurl (and most use curl/libcurl interchangeably)
<?php
// PHP's curl extension wraps libcurl; this is the kind of snippet web searches turn up
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.zend.com/");
curl_setopt($ch, CURLOPT_HEADER, 0);
if (curl_exec($ch) === false) {
    echo "curl error: " . curl_error($ch) . "\n";
}
curl_close($ch);
-----Original Message-----
From: shibboleth-u...@internet2.edu [mailto:shibboleth-u...@internet2.edu] On Behalf Of Cantor, Scott E.
Sent: Wednesday, May 04, 2011 1:14 PM
To: shibbole...@internet2.edu
Subject: Re: [Shib-Users] ERROR XMLTooling.libcurl.InputStream : error while fetching metadata.xml Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
-- Scott
-----Original Message-----
From: shibboleth-u...@internet2.edu [mailto:shibboleth-u...@internet2.edu] On Behalf Of Cantor, Scott E.
Sent: Wednesday, May 04, 2011 1:48 PM
To: shibbole...@internet2.edu
Subject: Re: [Shib-Users] ERROR XMLTooling.libcurl.InputStream : error while fetching metadata.xml Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
-- Scott
On 5/4/11 1:41 PM, Tommy Peterson wrote:
> But I'm using -k with curl which ignores the SSL stuff. I mean if you browse a page like that you can accept the exception and move on in to the page. -k does that for you at the command line unless I'm missing something.
>
Right, I don't know if the SP has an option for libcurl to "ignore bad
certs" in the HTTP metadata provider. (It does have a transport options
thing for libcurl when used as a SOAP client). I don't see anything in
the docs about it.
Actually, the docs here (which I believe are applicable to the HTTP
metadata provider):
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPReloadableXMLFile
say for the url attribute: "The native SP does not verify the transport
(e.g. the SP does not verify the X.509 certificate presented by the
remote server when HTTPS is the transport".
Since it seems to not like the hostname, perhaps the above merely means
that it doesn't do certificate path validation to a trust anchor, not
that it doesn't do host name validation. If that's not correct, I'm
sure Scott will correct me.
How about the rebuilt package supplied alongside the libcurl-openssl
package?
-- Scott
On 5/4/11 1:56 PM, Brent Putman wrote:
>
> On 5/4/11 1:41 PM, Tommy Peterson wrote:
>> But I'm using -k with curl which ignores the SSL stuff. I mean if you browse a page like that you can accept the exception and move on in to the page. -k does that for you at the command line unless I'm missing something.
>>
> Right, I don't know if the SP has an option for libcurl to "ignore bad
> certs" in the HTTP metadata provider. (It does have a transport options
> thing for libcurl when used as a SOAP client). I don't see anything in
> the docs about it.
>
> Actually, the docs here (which I believe are applicable to the HTTP
> metadata provider):
>
> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPReloadableXMLFile
>
Sorry, I didn't read down the page far enough. As of 2.2, it apparently
does take the TransportOptions element. See the CURLOPT_SSL_VERIFYHOST
option for what I think you need.
Or you could just generate a new self-signed cert for your IdP with the
correct name.
Anyway, since everyone seems to think this is just an insignificant matter at this stage (we will be getting an SSL cert [commercial version] when/if we use this in production) what do I do now that the Idp and SP are set up with no other errors than these libcurl ones?
I put an html page in a directory on apache and put an .htaccess file in that same directory as the html file. I tried to browse it from my Windows machine. I could browse it all right but it should be flagged and ask for a log in if I have this set up correctly. I am just looking for a test that this is indeed set up correctly before I start trying to make it work with our real applications to produce Single sign on between them.
The .htaccess simply says the following:
AuthType Shibboleth
ShibRequestSetting requireSession 1
Require valid-user
ShibRedirectToSSL 8443
Where else should I look besides going back over the documentation for the umpteenth time, bugging you and the rest of the people on this user forum, looking at the same logs over and over and over, and searching the internet?
Thanks.
-----Original Message-----
From: shibboleth-u...@internet2.edu [mailto:shibboleth-u...@internet2.edu] On Behalf Of Cantor, Scott E.
Sent: Wednesday, May 04, 2011 1:57 PM
To: shibbole...@internet2.edu
Subject: Re: [Shib-Users] ERROR XMLTooling.libcurl.InputStream : error while fetching metadata.xml Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
-- Scott
-----Original Message-----
From: shibboleth-u...@internet2.edu [mailto:shibboleth-u...@internet2.edu] On Behalf Of Brent Putman
Sent: Wednesday, May 04, 2011 2:04 PM
To: shibbole...@internet2.edu
Subject: Re: [Shib-Users] ERROR XMLTooling.libcurl.InputStream : error while fetching metadata.xml Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
And the only errors in the shibd log are :
2011-05-04 14:11:15 ERROR XMLTooling.libcurl.InputStream : error while fetching https://[my domain]/idp/idp-metadata.xml: (22) SSL: certificate subject name 'localhost.localdomain' does not match target host name 'rt-hvcp1-test.hvcp.local'
2011-05-04 14:11:15 ERROR XMLTooling.ParserPool : fatal error on line 0, column 0, message: internal error in NetAccessor
2011-05-04 14:11:15 ERROR OpenSAML.MetadataProvider.XML : error while loading resource (https://[my domain]//idp/idp-metadata.xml): XML error(s) during parsing, check log for specifics
2011-05-04 14:11:15 WARN OpenSAML.MetadataProvider.XML : adjusted reload interval to 0 seconds
2011-05-04 14:11:15 CRIT Shibboleth.Application : error initializing MetadataProvider: XML error(s) during parsing, check log for specifics
Are the last 3 unrelated to the first? The idp/idp-metadata.xml was generated for me. I didn't touch it.
--Tommy
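The two shibd.log excerpts in this thread (the (59) cipher-list failure in the first post and the (22) name-mismatch failure just above) follow one pattern: a single libcurl error, then ParserPool, MetadataProvider and Application lines that only restate it further up the stack. The following Python script is an added example, not code from the thread or from the Shibboleth project. It parses constructed log lines modelled on those excerpts (placeholder host names) and groups each failed fetch with its follow-on lines, mapping the libcurl code to the cause the replies identified. Grouping by shared timestamp is this example's own heuristic, not SP behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the shibd.log excerpts quoted in this thread
# (host names are placeholders, not the poster's real ones).
SAMPLE_LOG = """\
2011-05-04 08:49:33 ERROR XMLTooling.libcurl.InputStream : error while fetching https://idp.example.org/idp-metadata.xml: (59) Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
2011-05-04 08:49:33 ERROR XMLTooling.ParserPool : fatal error on line 0, column 0, message: internal error in NetAccessor
2011-05-04 08:49:33 ERROR OpenSAML.MetadataProvider.XML : error while loading resource (https://idp.example.org/idp-metadata.xml): XML error(s) during parsing, check log for specifics
2011-05-04 08:49:33 WARN OpenSAML.MetadataProvider.XML : adjusted reload interval to 0 seconds
2011-05-04 08:49:33 CRIT Shibboleth.Application : error initializing MetadataProvider: XML error(s) during parsing, check log for specifics
2011-05-04 14:11:15 ERROR XMLTooling.libcurl.InputStream : error while fetching https://idp.example.org/idp/idp-metadata.xml: (22) SSL: certificate subject name 'localhost.localdomain' does not match target host name 'idp.example.org'
2011-05-04 14:11:15 ERROR XMLTooling.ParserPool : fatal error on line 0, column 0, message: internal error in NetAccessor
2011-05-04 14:11:15 CRIT Shibboleth.Application : error initializing MetadataProvider: XML error(s) during parsing, check log for specifics
"""

# shibd.log layout: "<date> <time> <LEVEL> <category> : <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+) (?P<cat>\S+) : (?P<msg>.*)$"
)
FETCH_RE = re.compile(r"error while fetching (?P<url>\S+): \((?P<code>\d+)\) (?P<detail>.*)")
NAME_RE = re.compile(
    r"certificate subject name '(?P<cert>[^']*)' does not match target host name '(?P<host>[^']*)'"
)

# libcurl result codes seen in this thread, mapped to the root causes the replies identified.
CAUSES: Dict[int, str] = {
    59: "libcurl does not understand the OpenSSL cipher string: the SP is loading the "
        "distribution's libcurl instead of the Shibboleth project's libcurl-openssl package",
    22: "TLS host name check failed: the IdP certificate's name does not match the URL; "
        "give the IdP a certificate with the right name or load the metadata from a local file",
}

# Categories that only restate a fetch failure further up the stack.
CASCADE = {"XMLTooling.ParserPool", "OpenSAML.MetadataProvider.XML", "Shibboleth.Application"}


@dataclass
class FetchFailure:
    timestamp: str
    url: str
    code: int
    detail: str
    cause: str
    name_mismatch: Optional[Tuple[str, str]] = None   # (certificate name, target host) for code 22
    cascade: List[str] = field(default_factory=list)   # categories of the follow-on lines


def triage(log_text: str) -> List[FetchFailure]:
    """Group shibd.log lines into one record per failed metadata fetch.

    Heuristic (this example's assumption): parser, provider and application lines that
    carry the same timestamp as the preceding libcurl failure are consequences of it,
    not separate problems.
    """
    failures: List[FetchFailure] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, cat, msg = m.group("ts"), m.group("cat"), m.group("msg")
        if cat == "XMLTooling.libcurl.InputStream":
            f = FETCH_RE.search(msg)
            if f is None:
                continue
            code = int(f.group("code"))
            n = NAME_RE.search(f.group("detail"))
            failures.append(FetchFailure(
                ts, f.group("url"), code, f.group("detail"),
                CAUSES.get(code, "unclassified libcurl error %d" % code),
                (n.group("cert"), n.group("host")) if n else None,
            ))
        elif failures and cat in CASCADE and failures[-1].timestamp == ts:
            failures[-1].cascade.append(cat)
    return failures


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%s curl(%d) %s\n  cause: %s\n  %d follow-on lines: %s"
              % (f.timestamp, f.code, f.url, f.cause, len(f.cascade), ", ".join(f.cascade)))
```

Run against a real log the script answers the question asked above directly: the CRIT "error initializing MetadataProvider" line is the same incident as the libcurl line that precedes it, so fixing the fetch (or switching to a local file) clears all of them at once.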
On 5/4/11 2:06 PM, Tommy Peterson wrote:
> I need syntax. I don't know how else to do it unless I use wget or curl commands.
>
> Anyway, since everyone seems to think this is just an insignificant matter at this stage (we will be getting an SSL cert [commercial version] when/if we use this in production)
The issue of the SP being unable to load the IdP's metadata is not
insignificant. If the SP doesn't have the IdP's metadata, it will not
work, pure and simple. You can either:
1) use the metadata provider with the TransportOption that I mentioned
previously to ignore the hostname validation against the cert. There is
a syntax example at the top of the wiki page for it.
2) just get a cert with the right name for the IdP. It doesn't have to
be a commercial cert, it just needs to have the right name. A
self-signed cert generated with a single openssl command will suffice.
3) just copy the IdP's metadata file to the SP's filesystem and
reference it as a local file, rather than trying to pull it from an
https URL.
I think #3 is what has been suggested several times, and is probably the
easiest option, so I'm not sure why you don't want to do that.
--Brent
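To make concrete what Brent's messages distinguish (certificate path validation to a trust anchor versus host name verification) and why a 'localhost.localdomain' certificate fails for the IdP URL, here is an added Python example, not code from the thread, from Shibboleth or from libcurl. It implements name matching the way a TLS client applies it (case-insensitive exact match or a leftmost-label wildcard, subjectAltName dNSNames first, the subject CN only as fallback) and models CURLOPT_SSL_VERIFYHOST=0 as the name check switched off. Function names and sample host names are this example's own.

```python
from typing import Iterable, List, Sequence, Tuple


def _wildcard_covers(pattern: str, host: str) -> bool:
    """'*.example.org' style pattern: '*' must be the whole leftmost label and stands for
    exactly one label, so it covers idp.example.org but not example.org or a.b.example.org."""
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def hostname_matches(host: str, presented: Iterable[str]) -> bool:
    """RFC 6125 style matching as libcurl applies it with CURLOPT_SSL_VERIFYHOST=2."""
    host = host.rstrip(".").lower()
    for name in presented:
        name = name.rstrip(".").lower()
        if name == host or _wildcard_covers(name, host):
            return True
    return False


def certificate_names(subject_cn: str, san_dns: Sequence[str] = ()) -> List[str]:
    """Names a verifier checks: subjectAltName dNSNames when present; the subject CN only
    as a fallback when the certificate carries no dNSName entries."""
    return list(san_dns) if san_dns else [subject_cn]


def check_metadata_source(url_host: str, subject_cn: str, san_dns: Sequence[str] = (),
                          verify_host: bool = True) -> Tuple[bool, str]:
    """Report whether a metadata fetch from https://<url_host>/... passes the name check.

    verify_host=False models CURLOPT_SSL_VERIFYHOST=0 (the TransportOption route): the
    connection is still encrypted, but any certificate name is accepted, so the SP can no
    longer tell the real IdP host from another server presenting some certificate.
    """
    names = certificate_names(subject_cn, san_dns)
    if not verify_host:
        return True, "host name verification disabled; accepted %r for %r" % (names, url_host)
    if hostname_matches(url_host, names):
        return True, "certificate name(s) %r cover target host %r" % (names, url_host)
    # Same wording libcurl uses in the shibd.log lines quoted in this thread
    return False, ("certificate subject name %r does not match target host name %r"
                   % (names[0], url_host))


if __name__ == "__main__":
    # Constructed cases modelled on the thread: a default 'localhost.localdomain' cert on the IdP
    print(check_metadata_source("idp.example.org", "localhost.localdomain"))
    print(check_metadata_source("idp.example.org", "idp.example.org"))
    print(check_metadata_source("idp.example.org", "localhost.localdomain", verify_host=False))
```

With the check switched off the fetch succeeds, but only because the SP stops asking who it is talking to; a certificate with the correct name (option 2 above) or a local copy of the metadata (option 3) fixes the same error without giving that up.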
You posted something indicating that you used commands that enable the
module for the root of the site with no actual active requirement for a
login anywhere.
Not requiring a session is not going to prevent you from getting to the
page. The documentation has extensive material on protecting content in
different ways and the initial Apache example has explicit commands for
protecting /secure as a simple starting point.
And Brent covered the main thing that's going to fail as soon as you try
it.
-- Scott
But I guess I failed to mention in all this back and forth that I did change the shibboleth2.xml to load it from a file. I didn't change it to load it from the SP directory like you suggested below in no 3. I configured it to load it from the Idp directory on the server. But since you said to copy it in the sp shibboleth directory and call it from there I changed the metadataprovider xml in the shibboleth2.xml file, restarted shibd and apache and I can still get to the .html file I have protected. I cannot get to the status page as it says "Access denied" in the browser (when I browse this page-> https://[my domain]/Shibboleth.sso/Status)
And I see the same errors in the log
-----Original Message-----
From: shibboleth-u...@internet2.edu [mailto:shibboleth-u...@internet2.edu] On Behalf Of Brent Putman
Sent: Wednesday, May 04, 2011 2:19 PM
To: shibbole...@internet2.edu
Subject: Re: [Shib-Users] ERROR XMLTooling.libcurl.InputStream : error while fetching metadata.xml Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
--Brent
-----Original Message-----
From: shibboleth-u...@internet2.edu [mailto:shibboleth-u...@internet2.edu] On Behalf Of Cantor, Scott E.
Sent: Wednesday, May 04, 2011 2:34 PM
To: shibbole...@internet2.edu
Subject: Re: [Shib-Users] ERROR XMLTooling.libcurl.InputStream : error while fetching metadata.xml Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
-- Scott
You could search for "protect" and "content" as a starting point. Or
"require session". The wiki has a search engine.
> I mean you literally said "You posted something . . . " . Am I supposed
>to guess what this something is? I don't understand your response to my
>post.
I suppose you are. I'll just stop annoying you.
-- Scott
>I'm a little confused. Scott said the SSL cert never came into play. So
>that is why I am temporarily ignoring it . . . to get to the base
>solution. I can regenerate one easily. I am just trying to be judicious
>with the rest of my patience with this install.
No, I didn't. You complained about a curl error that's between you and
Apache, nothing to do with the SP, and that said nothing about a
certificate problem. I simply said you were wrong about the cause and the
-k helping, and explained how to fix it. You then demanded I feed you
every last command involved to maintain your packages, and since I'm not
about to do that, I dropped it.
You also in parallel included an unrelated log message about fetching
metadata that Brent explained. That is entirely about the certificate, as
the log message said.
>But I guess I failed to mention in all this back and forth that I did
>change the shibboleth2.xml to load it from a file.
You didn't, not if you're still getting that log message.
> I didn't change it to load it from the SP directory like you suggested
>below in no 3. I configured it to load it from the Idp directory on the
>server.
I don't really see how unless you mean they're sharing filesystem mounts.
> But since you said to copy it in the sp shibboleth directory and call it
>from there I changed the metadataprovider xml in the shibboleth2.xml
>file, restarted shibd and apache and I can still get to the .html file I
>have protected.
If you do this:
<Location />
AuthType shibboleth
require shibboleth
</Location>
That's what should happen. You aren't requiring a session, ergo, no
session is created. That's called "passive" or lazy protection.
See NativeSPProtectContent and the Apache configuration material in the
wiki.
> I cannot get to the status page as it says "Access denied" in the
>browser (when I browse this page-> https://[my
>domain]/Shibboleth.sso/Status)
Edit the acl property on the handler or you could use localhost.
-- Scott
On 5/4/11 2:35 PM, Tommy Peterson wrote:
> I'm a little confused. Scott said the SSL cert never came into play. So that is why I am temporarily ignoring it . . . to get to the base solution. I can regenerate one easily. I am just trying to be judicious with the rest of my patience with this install.
>
> But I guess I failed to mention in all this back and forth that I did change the shibboleth2.xml to load it from a file. I didn't change it to load it from the SP directory like you suggested below in no 3.
I didn't suggest that, actually, I said "copy the IdP's metadata file to
the SP's filesystem". That means what it means, i.e. copy to the
filesystem of the host where the SP is installed. That doesn't
necessarily mean copy it to /etc/shibboleth, although that is one
logical place for it and is what a lot of people do, at least for
testing purposes.
> I configured it to load it from the Idp directory on the server.
As Scott also said, I don't know what this means. Either you are
referencing it as a local file, or you are referencing it as a remote
file, via an http URL. The errors you've posted (which again will be
fatal to the operation of the SP) indicate you were trying to load
remotely via an https. Switching to load a local file will avoid those
errors.
> But since you said to copy it in the sp shibboleth directory and call it from there I changed the metadataprovider xml in the shibboleth2.xml file, restarted shibd and apache and I can still get to the .html file I have protected. I cannot get to the status page as it says "Access denied" in the browser (when I browse this page-> https://[my domain]/Shibboleth.sso/Status)
Then perhaps you did get it loaded successfully from the local file.
The logs should tell you one way or the other. As Scott said, the
access denied on the status page is the expected behavior if you haven't
the ACL entry on the status handler to allow calling it from somewhere
other than 127.0.0.1.
> And I see the same errors in the log
>
Well, if you still see the same error about the IdP's certificate, then
you didn't effectively change it. Either something didn't get
restarted, or you have the metadata provider listed twice or something.
Doublecheck the config in shibboleth2.xml.
-----Original Message-----
From: shibboleth-u...@internet2.edu [mailto:shibboleth-u...@internet2.edu] On Behalf Of Cantor, Scott E.
Sent: Wednesday, May 04, 2011 3:13 PM
To: shibbole...@internet2.edu
Subject: Re: [Shib-Users] ERROR XMLTooling.libcurl.InputStream : error while fetching metadata.xml Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
On 5/4/11 2:35 PM, "Tommy Peterson" <Tommy.P...@xpandcorp.com> wrote:
>I'm a little confused. Scott said the SSL cert never came into play. So
>that is why I am temporarily ignoring it . . . to get to the base
>solution. I can regenerate one easily. I am just trying to be judicious
>with the rest of my patience with this install.
>No, I didn't. You complained about a curl error that's between you and
>Apache, nothing to do with the SP, and that said nothing about a
>certificate problem. I simply said you were wrong about the cause and the
>-k helping, and explained how to fix it. You then demanded I feed you
>every last command involved to maintain your packages, and since I'm not
>about to do that, I dropped it.
Kinda irrelevant at this point to speak to although I haven't ever "complained" or "demanded" anything while speaking to you or anyone else on here.
>You also in parallel included an unrelated log message about fetching
>metadata that Brent explained. That is entirely about the certificate, as
>the log message said.
>But I guess I failed to mention in all this back and forth that I did
>change the shibboleth2.xml to load it from a file.
>You didn't, not if you're still getting that log message.
I'm not getting an SSL or libcurl or metadataprovider error message any longer.
> I didn't change it to load it from the SP directory like you suggested
>below in no 3. I configured it to load it from the Idp directory on the
>server.
>I don't really see how unless you mean they're sharing filesystem mounts.
Of course they are.
> But since you said to copy it in the sp shibboleth directory and call it
>from there I changed the metadataprovider xml in the shibboleth2.xml
>file, restarted shibd and apache and I can still get to the .html file I
>have protected.
>If you do this:
><Location />
>AuthType shibboleth
>require shibboleth
></Location>
>That's what should happen. You aren't requiring a session, ergo, no
>session is created. That's called "passive" or lazy protection.
>See NativeSPProtectContent and the Apache configuration material in the
>wiki.
I looked at it before and again now. As I said I have an .htaccess file in the directory of the .html file requiring a session:
AuthType Shibboleth
ShibRequestSetting requireSession 1
Require valid-user
ShibRedirectToSSL 8443
And I tried
AuthType Shibboleth
ShibRequestSetting requireSession 1
Require shibboleth
ShibRedirectToSSL 8443
And I tried
<Location /secure>
AuthType shibboleth
Require shibboleth
</Location>
And when I browsed the http://[my domain]/secure I got the following message:
shibsp::ListenerException
The system encountered an error at Wed May 4 16:06:17 2011
To report this problem, please contact the site administrator at root@localhost.
Please include the following message in any email:
shibsp::ListenerException at (http://[my domain]/secure)
Cannot connect to shibd process, a site adminstrator should be notified.
Then I tried
<Location /secure>
AuthType shibboleth
ShibRequestSetting requireSession 1
# require valid-user
require shibboleth
</Location>
Same result
I even tried doing that to the entire server . . . same result on my html page.
> I cannot get to the status page as it says "Access denied" in the
>browser (when I browse this page-> https://[my
>domain]/Shibboleth.sso/Status)
>Edit the acl property on the handler or you could use localhost.
Using localhost gets us back to the curl discussion that I never found a solution around. Also there is no acl property on the handler that I can see.
-- Scott
Nothing there points to or suggests, to me, to use the following for a local reference to a file for the SP metadataprovider:
<MetadataProvider type="XML" file="idp-metadata.xml" />
Which I stumbled across in the shibboleth2.xml.dist as an example
And lastly this page-> https://www.switch.ch/aai/docs/shibboleth/SWITCH/2.4/sp/deployment/solaris-source.html
helped me regenerate the SSL certs since they were at last mention still an urgent issue to resolving the current problems I am having getting this set up, namely with this line:
cd /etc/shibboleth/
sudo sh $SHIB_HOME/etc/shibboleth/keygen.sh -h sp.example.org -y 3 -e https://sp.example.org/shibboleth
> From: shibboleth-u...@internet2.edu [mailto:shibboleth-users-
> req...@internet2.edu] On Behalf Of Tommy Peterson
>
> Cannot connect to shibd process, a site adminstrator should be notified.
>
>
Is shibd running?
Don't forget 'shibd -t' is your friend...
2011-05-04 16:33:40 ERROR OpenSSL : error code: 33558541 in bss_file.c, line 355
2011-05-04 16:33:40 ERROR OpenSSL : error data: fopen('/etc/shibboleth/sp-key.pem','r')
2011-05-04 16:33:40 ERROR OpenSSL : error code: 537346050 in bss_file.c, line 357
2011-05-04 16:33:40 CRIT Shibboleth.Application : error building CredentialResolver: Unable to load private key from file (/etc/shibboleth/sp-key.pem).
overall configuration is loadable, check console for non-fatal problems
-----Original Message-----
From: shibboleth-u...@internet2.edu [mailto:shibboleth-u...@internet2.edu] On Behalf Of Caskey, Paul
Sent: Wednesday, May 04, 2011 4:32 PM
To: shibbole...@internet2.edu
And trying
https://[my domain]/secure
I get the shibsp::ListenerException Cannot connect to shibd process, a site adminstrator should be notified.
Message again
I even tried http://[my domain]/secure and got the same thing.
I know Scott said something about modifying the ACL on the handler but again I don't see one.
For status handler, look for something like this in shibboleth2.xml (from a slightly older version of the SP):
<Handler type="Status" Location="/Status" acl="127.0.0.1 172.19.70.70 172.19.70.74"/>
> -----Original Message-----
> From: shibboleth-u...@internet2.edu [mailto:shibboleth-users-
> req...@internet2.edu] On Behalf Of Tommy Peterson
> Sent: Wednesday, May 04, 2011 4:00 PM
> To: shibbole...@internet2.edu
> Subject: RE: [Shib-Users] ERROR XMLTooling.libcurl.InputStream : error while
> fetching metadata.xml Unknown cipher in list:
> ALL:!aNULL:!LOW:!EXPORT:!SSLv2
>
Please notify the sender immediately by e-mail if you have received this e-mail in error and delete this e-mail from your system. E-mail transmissions cannot be guaranteed secure, error-free and information could be intercepted, corrupted, lost, destroyed, arrive late, incomplete, or contain viruses. The sender therefore does not accept liability for errors or omissions in the contents of this message which may arise as result of transmission. If verification is required please request hard-copy version.
> -----Original Message-----
> From: shibboleth-u...@internet2.edu [mailto:shibboleth-users-
> req...@internet2.edu] On Behalf Of Tommy Peterson
> Sent: Wednesday, May 04, 2011 4:23 PM
> To: shibbole...@internet2.edu
> Subject: RE: [Shib-Users] ERROR XMLTooling.libcurl.InputStream : error while
> fetching metadata.xml Unknown cipher in list:
> ALL:!aNULL:!LOW:!EXPORT:!SSLv2
>
Yeah I got the SSL errors to go away and the metadataprovider. The problem was this page-> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataProvider
Nothing there points to or suggests, to me, to use the following for a local reference to a file for the SP metadataprovider:
<MetadataProvider type="XML" file="idp-metadata.xml" />
Which I stumbled across in the shibboleth2.xml.dist as an example
The XML "portion" is a reloadable resource, which means that the XML content can be supplied inline, in a local file, or a remote file, and can be monitored for changes and reloaded on the fly.
Attributes
Inherits attributes supported by reloadable resources.
I lost track of whether you were still getting the "Cannot connect to
shibd process" error, but if you are:
In short, if you have SELinux running in "enforcing" mode, you need to
install the appropriate policy to allow httpd to connect to the shibd
Unix domain socket
--Brent
Any *.dist file has nothing to do with the running system.
I've long since lost track of what you're doing, so if you have a problem,
you probably ought to start a new thread that explicitly addresses it. If
/Status still won't work, then you need to explain what it's doing when
you access that. A 403 means the ACL is wrong. I don't know what more
anybody can say about that.
With respect to curl, I will repeat that you can't just install
libcurl-openssl and expect Red Hat's curl to work. There's a curl-openssl
package with the compatible utility to pair with the changed library. The
SP doesn't care about that, but if you do, then you can fix it.
-- Scott
That hasn't come up in a while, but suffice to say you'd have to turn off
SELinux or know a lot about it, but that one change probably won't fix it.
-- Scott
Well, I'm actually speaking from recent personal experience. I've just
in the past week been standing up a new SP, and in our sysadmin group's
Linux VM environment they like to run in enforcing mode by default. I
could probably turn it off, and they wouldn't scream too much - but I
wanted to see if I could get it working with enforcing, as a challenge.
So far the only thing I've had to change was install the socket policy
for httpd. I imagine various files need to have the right filesystem
labels for httpd to read them, etc, but the default install seems to
have done the right thing as far as labeling them. It's RHEL 5.x and I
installed the 2.4.2 x86_64 RPM's straight from the SUSE repository.
Everything is working so far, at least.
I have not attempted to figure out how to install policies to run shibd
in "managed" mode or whatever it's called. For that case, I'm sure
there's a lot of other process and filesystem labeling that needs to get
done.
On 5/4/11 7:48 PM, Brent Putman wrote:
>
> I have not attempted to figure out how to install policies to run shibd
> in "managed" mode or whatever it's called. For that case, I'm sure
> there's a lot of other process and filesystem labeling that needs to get
> done.
Actually, I take that back. I thought shibd was running unconfined, but
it's actually running with a confined context (I think).
ps -efZ | grep shibd
user_u:system_r:initrc_t root 3551 1 0 17:30 ?
00:00:00 /usr/sbin/shibd -p /var/run/shibboleth/shibd.pid -f -w 30
And everything is working so far. I must just be really that good. :-)
I cannot access the https://mydomain/Shibboleth.sso/Status page as it says access denied
I cannot access the https://mydomain/secure as I get a Shibboleth listener problem.
Bob showed me the shibd -t and suggested like Scott to change the ACL attribute value on the Handler element inside the shibboleth2.xml file. I changed it to the localhost ip address (which was there by default at 127 . . . . ) and added my server's ip address. I restarted the services and still get the same messages in the browser when trying to load the page.
So does SELinux have anything to do with this? Or is this something else? I am at a loss at this point.
________________________________________
From: shibboleth-u...@internet2.edu [shibboleth-u...@internet2.edu] On Behalf Of Brent Putman [put...@georgetown.edu]
Sent: Wednesday, May 04, 2011 5:42 PM
To: shibbole...@internet2.edu
Subject: Re: [Shib-Users] ERROR XMLTooling.libcurl.InputStream : error while fetching metadata.xml Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
--Brent
This message contains Devin Group confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
________________________________________
From: shibboleth-u...@internet2.edu [shibboleth-u...@internet2.edu] On Behalf Of Tommy Peterson [Tommy.P...@xpandcorp.com]
Sent: Wednesday, May 04, 2011 7:58 PM
To: shibbole...@internet2.edu
Subject: RE: [Shib-Users] ERROR XMLTooling.libcurl.InputStream : error while fetching metadata.xml Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
Anyway a moot point now.
________________________________________
From: shibboleth-u...@internet2.edu [shibboleth-u...@internet2.edu] On Behalf Of Brent Putman [put...@georgetown.edu]
Sent: Wednesday, May 04, 2011 5:39 PM
To: shibbole...@internet2.edu
Subject: Re: [Shib-Users] ERROR XMLTooling.libcurl.InputStream : error while fetching metadata.xml Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
On 5/4/11 4:28 PM, Tommy Peterson wrote:
Yeah I got the SSL errors to go away and the metadataprovider. The problem was this page-> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataProvider
Nothing there points to or suggests, to me, to use the following for a local reference to a file for the SP metadataprovider:
<MetadataProvider type="XML" file="idp-metadata.xml" />
Which I stumbled across in the shibboleth2.xml.dist as an example
Well, the wiki page does say:
The XML "portion" is a reloadable resource<https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPReloadableXMLFile>, which means that the XML content can be supplied inline, in a local file, or a remote file, and can be monitored for changes and reloaded on the fly.
and
Attributes
Inherits attributes supported by reloadable resources<https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPReloadableXMLFile>.
And then the page linked to as "reloadable resources" does document the use of the 'file' attribute.
On 5/4/11 7:58 PM, Tommy Peterson wrote:
>
> Bob showed me the shibd -t and suggested like Scott to change the ACL attribute value on the Handler element inside the shibboleth2.xml file. I changed it to the localhost ip address (which was there by default at 127 . . . . ) and added my server's ip address.
No, you should add the IP addresses of the browser(s) from which you
will access the Status handler. The idea there is IP address
restrictions over which clients can access that endpoint.
>
> So does SELinux have anything to do with this? Or is this something else? I am at a loss at this point.
>
The /Status issue almost certainly is the ACL, if you haven't added your
browser's IP address.
The listener error: assuming shibd is actually running (ps -ef | grep
shibd) then it might be SELinux. Check /etc/selinux/config. If it says
SELINUX=enforcing, then it's turned on and it is most likely the
problem. Check /var/log/audit/audit.log, that's where SELinux logs its
stuff. You would see entries there related to httpd and the socket. If
that is the case, you must either install the policy from the wiki I
referenced, or else turn off SELinux (set SELINUX=permissive or
=disabled and reboot). Those are instructions for RHEL 5.x, if you're
running RHEL 6 you'll have to doublecheck that the files and logs are in
the same places, etc. I don't have one of those systems to check.
Also, SELinux has traditionally been in a state of flux, so the
requirements there might be different in RHEL 6.
If it's not SELinux, it might be something else, like permissions on the
socket file or something.
--Brent
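The two checks Brent describes (SELinux mode in /etc/selinux/config, AVC denials for httpd against the shibd socket in /var/log/audit/audit.log) as a small added shell diagnostic; this is example code, not from the thread or the Shibboleth project, it assumes the RHEL 5.x file locations he names, and the audit lines and socket path it runs over are constructed samples.

```shell
#!/bin/sh
# Added diagnostic for the "Cannot connect to shibd process" case discussed
# above (example code, not from the thread or the Shibboleth project). It
# assumes RHEL 5.x paths: /etc/selinux/config for the mode and
# /var/log/audit/audit.log for AVC denials; the socket path in the sample
# audit lines below is hypothetical.

# Print the configured SELinux mode (enforcing|permissive|disabled).
selinux_mode() {
  sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "${1:-/etc/selinux/config}" | head -n 1
}

# Count AVC denials where httpd was refused access to the shibd socket.
count_httpd_socket_denials() {
  grep -c 'avc: *denied .*comm="httpd".*shibd\.sock' \
    "${1:-/var/log/audit/audit.log}" || true
}

# Exit 0 when SELinux is enforcing AND httpd was denied the socket, i.e. the
# listener error is most likely SELinux; exit 1 otherwise.
diagnose() {
  mode=$(selinux_mode "$1")
  denials=$(count_httpd_socket_denials "$2")
  echo "SELinux mode: ${mode:-unknown}, httpd->shibd socket denials: $denials"
  [ "$mode" = "enforcing" ] && [ "$denials" -gt 0 ]
}

# Constructed sample files standing in for the real ones, so this runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/config" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
cat > "$SAMPLE_DIR/audit.log" <<'EOF'
type=AVC msg=audit(1304550000.101:40): avc:  denied  { connectto } for  pid=2201 comm="httpd" path="/var/run/shibboleth/shibd.sock" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1304550000.102:41): avc:  granted  { read } for  pid=2201 comm="httpd" path="/etc/shibboleth/shibboleth2.xml" scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1304550000.103:42): avc:  denied  { connectto } for  pid=2202 comm="httpd" path="/var/run/shibboleth/shibd.sock" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
EOF

# Run against the samples; on a real host call diagnose with no arguments
# substituted, i.e. diagnose /etc/selinux/config /var/log/audit/audit.log.
diagnose "$SAMPLE_DIR/config" "$SAMPLE_DIR/audit.log" \
  && echo "Install the httpd socket policy or set SELINUX=permissive and reboot."
```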
However, if that is the IP address of the browser, then I guess from a production standpoint (if I ever get there) what should it be? Is this because it is the shibboleth status? That it is locked down to the server's localhost--the one it is running on for the developer/owner? If so then I guess x-windows would be necessary for all of this troubleshooting stuff then since I can't use curl..
________________________________________
From: shibboleth-u...@internet2.edu [shibboleth-u...@internet2.edu] On Behalf Of Brent Putman [put...@georgetown.edu]
Sent: Wednesday, May 04, 2011 8:18 PM
To: shibbole...@internet2.edu
Subject: Re: [Shib-Users] ERROR XMLTooling.libcurl.InputStream : error while fetching metadata.xml Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
On 5/4/11 7:58 PM, Tommy Peterson wrote:
--Brent
Please stop. It hurts. All of it.
There is no need for the status handler, except maybe for the first 3
seconds of all the 5 min it may take someone to `yum install
shibboleth` and change two parameters in shibboleth2.xml to have a
fully configured production SP.
There also is no need to permanently enable access to the status
handler, since all it does is say "ok" (I think, can't recall ever
using it). How often and from how many machines do you think you'll
need to access a page that says "ok"?
Finally, if you still want to access it, by all means use lynx, links,
elinks, w3m or any other console-based HTTP user agent (avoid curl for
now) from that very system (i.e., by accessing localhost) and get
that page that just says "ok". Phew.
The SSL error was weird but caused by so many layers of you either not
following the docs (RHEL6 overriding libcurl/curl packages) or
misinterpreting them in wildly original ways or not taking advice from
the people on this list, it's hard to keep track. E.g. Why would you
generate an SSL cert with "localhost" in the X.509 subject in the
first place -- what on earth would that ever accomplish? And why keep
the list busy with this issue when you could have simply generated a
new one with a single openssl command (as others have pointed out)?
And all that only to fetch metadata via HTTPS when there is no trust
derived from the transport (as the docs explain on several occasions),
especially with a "localhost" cert, and several people have explained
that loading it via HTTP from localhost is completely pointless anyway
(once it dawned this cannot be meant for a real deployment).
When "of course" the IdP and the SP share a filesystem...
Also, why would you need to generate the key pair for the SP (based on
SWITCH's docs for a source install on Sun Solaris) when the installer
generates a copy that's perfectly fine -- whatever you think the
reason is, it's wrong.
If this weren't the single most fascinating error generating trip (How
many more? What else could possibly go wrong? I'm afraid I'll miss out
on any further episodes) I've ever seen for something as demanding
as installing a Shib SP from binary packages on a supported platform,
one would have to think the software this project produces is utterly
unusable crap. Luckily this is not the case.
-peter
And, I *seem to recall* that you can't have a leading or terminating space in the IP ACL. So, if I am correct, this would fail " 127.0.0.1 1.2.3.4" as would this "127.0.0.1 1.2.3.4 ".
HTH...
> -----Original Message-----
> From: shibboleth-u...@internet2.edu [mailto:shibboleth-users-
> req...@internet2.edu] On Behalf Of Tommy Peterson
> Sent: Wednesday, May 04, 2011 7:56 PM
> To: shibbole...@internet2.edu
> Subject: RE: [Shib-Users] ERROR XMLTooling.libcurl.InputStream : error while
> fetching metadata.xml Unknown cipher in list:
> ALL:!aNULL:!LOW:!EXPORT:!SSLv2
>
> OK Thanks. I will check on this tomorrow.
>
> However, if that is the IP address of the browser, then I guess from a
> production standpoint (if I ever get there) what should it be? Is this because
> it is the shibboleth status? That it is locked down to the server's localhost--
> the one it is running on for the developer/owner? If so then I guess x-
> windows would be necessary for all of this troubleshooting stuff then since I
> can't use curl..
> ________________________________________
> From: shibboleth-u...@internet2.edu [shibboleth-users-
> req...@internet2.edu] On Behalf Of Brent Putman
That would be a bug, but I don't think it's the case.
-- Scott
That would depend what you intend to use it for. If you use it to monitor,
then it could be your monitoring host(s).
>If so then i guess x-windows would be necessary for all of this
>troubleshooting stuff then since I can't use curl..
Sigh.
$ yum install curl-openssl
-- Scott
Yep, false alarm, I just tested it. My apologies. Must've been remembering something else.
Of course I realized after sending (mind the time portion of the date
header of my mail) that the SP's status handler shows a lot more info,
-- which nevertheless I never had any use for. I confused this with
the IdP's old status handler.
-peter
-----Original Message-----
From: shibboleth-u...@internet2.edu [mailto:shibboleth-u...@internet2.edu] On Behalf Of Brent Putman
Sent: Wednesday, May 04, 2011 8:18 PM
To: shibbole...@internet2.edu
Subject: Re: [Shib-Users] ERROR XMLTooling.libcurl.InputStream : error while fetching metadata.xml Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
--Brent
-----Original Message-----
From: shibboleth-u...@internet2.edu [mailto:shibboleth-u...@internet2.edu] On Behalf Of Peter Schober
Sent: Wednesday, May 04, 2011 10:09 PM
To: shibbole...@internet2.edu
Subject: Re: [Shib-Users] ERROR XMLTooling.libcurl.InputStream : error while fetching metadata.xml Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
-----Original Message-----
From: shibboleth-u...@internet2.edu [mailto:shibboleth-u...@internet2.edu] On Behalf Of Cantor, Scott E.
Sent: Thursday, May 05, 2011 10:18 AM
To: shibbole...@internet2.edu
Subject: Re: [Shib-Users] ERROR XMLTooling.libcurl.InputStream : error while fetching metadata.xml Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
-----Original Message-----
From: shibboleth-u...@internet2.edu [mailto:shibboleth-u...@internet2.edu] On Behalf Of Peter Schober
Sent: Thursday, May 05, 2011 10:38 AM
To: shibbole...@internet2.edu
Subject: Re: [Shib-Users] ERROR XMLTooling.libcurl.InputStream : error while fetching metadata.xml Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
>No need for sighing. Openssl was installed . .. that was covered
>yesterday. Curl failed until the selinux was disabled. Something to note
>for the next person who happens along and you are trying to help.
I will. I thought we had a very explicit warning about SELinux, but I
don't see it, so it needs to be added.
However, I have never heard of it causing SSL issues between curl and
Apache, so to be honest, I don't buy it.
-- Scott
But once it was disabled by the sys admin everything freed up and started working. The error went away. Even the php was able to be configured with that Apache because before it kept crashing Apache. Etc etc etc. The SELinux warning is in there. I read it myself and asked him what it was . . . two days ago . . . thinking that might be a problem.
Perhaps something else was done. I have no idea. I was out sick yesterday. And I just know what I am told by you and him.
-----Original Message-----
From: shibboleth-u...@internet2.edu [mailto:shibboleth-u...@internet2.edu] On Behalf Of Cantor, Scott E.
Sent: Friday, May 06, 2011 10:02 AM
To: shibbole...@internet2.edu
Subject: Re: [Shib-Users] ERROR XMLTooling.libcurl.InputStream : error while fetching metadata.xml Unknown cipher in list: ALL:!aNULL:!LOW:!EXPORT:!SSLv2
-- Scott
My last one wasn't supposed to help you address any specific problem,
I just needed to express my opinion that:
a. your experience so far is in no way representative for the
typical deployment of a Shib SP, quite the opposite.
b. most or all of the problems so far have very little relation to the
Shibboleth software itself, but deployment decisions on your side
(metadata exchange, certificates, hostnames, use of SELinux) or are
consequences of RHEL's decision to prefer nss over openssl.
To take one constructive item from this last error: You could file a
bug against the Shib SP packaging so that the RPM tests the return
code of selinuxenabled(1) and injects the necessary policy to allow
the shibd to work. (I don't use SELinux so can't help here.)
-peter
An RFE is fine, but it's likely to stay open unless the overall demand for
SELinux changes. To say there's not consensus on its viability at this
point is an understatement. Originally it was also unstable in terms of
extending policies, so nobody's work was staying viable and we decided to
table it unless things changed. Maybe it finally stopped evolving.
My recollection about the material on it in the wiki dates back to the old
SP, so I copied over the important information and added a warning to the
Linux page.
If there are SELinux fans that want to contribute patches and policies,
that's welcome.
-- Scott
I know it fixes the shibd communication error. What it doesn't fix is the
one in the subject line, nor do I think it fixes any connection issue to
Apache from a command line tool. But installing the curl override package
I repeatedly referenced probably does.
I'm just responding for the benefit of the list archive.
>Even the php was able to be configured with that Apache because before it
>kept crashing Apache. Etc etc etc. The SELinux warning is in there. I
>read it myself and asked him what it was . . . two days ago . . .
>thinking that might be a problem.
I have no doubt that SELinux broke hundreds of things involved in your
testing. That's why people rarely use it, none of the packages people use
care to support it well and Red Hat is playing whack a mole trying to
maintain it.
-- Scott