We installed the Shibboleth SP 2.4.3-2-2 from the openSUSE Build Service on SLES 11 SP1 for VMware under VMware 4.1.
When shibd is started by the init script an error message is dropped (see bottom).
When I start the daemon as root (also using the init script) everything works fine.
I tried to start the daemon via the cron service at boot; same result as starting via the init process: socket error.
If more information is needed, please write and I will deliver.
Thanks
Lutz
2011-09-20 13:21:54 INFO Shibboleth.Application : building MetadataProvider of type Chaining...
2011-09-20 13:21:54 INFO OpenSAML.Metadata.Chaining : building MetadataProvider of type XML
2011-09-20 13:21:54 INFO OpenSAML.Metadata : building MetadataFilter of type RequireValidUntil
2011-09-20 13:21:54 INFO OpenSAML.Metadata : building MetadataFilter of type Signature
2011-09-20 13:21:54 INFO XMLTooling.SecurityHelper : loading certificate(s) from file (/etc/shibboleth/dfn-aai.pem)
2011-09-20 13:21:54 INFO OpenSAML.Metadata : building MetadataFilter of type Whitelist
2011-09-20 13:21:54 DEBUG OpenSAML.MetadataProvider.XML : using remote resource (https://www.aai.dfn.de/fileadmin/metadata/DFN-AAI-Test-metadata.xml)
2011-09-20 13:21:54 DEBUG OpenSAML.MetadataProvider.XML : backup remote resource to (/etc/shibboleth/DFN-AAI-Test-metadata.xml)
2011-09-20 13:21:54 DEBUG OpenSAML.MetadataProvider.XML : loaded initial cache tag (If-None-Match: "5c0de-3273a6-4ad5d63657580")
2011-09-20 13:21:54 DEBUG OpenSAML.MetadataProvider.XML : will reload remote resource at most every 7200 seconds
2011-09-20 13:21:54 DEBUG OpenSAML.MetadataProvider.XML : loading configuration from external resource...
2011-09-20 13:21:54 INFO Shibboleth.SecurityPolicyProvider.XML : reload thread started...running when signaled
2011-09-20 13:21:54 INFO XMLTooling.StorageService : cleanup thread started...running every 900 seconds
2011-09-20 13:22:04 ERROR XMLTooling.ParserPool : fatal error on line 0, column 0, message: An exception occurred! Type:NetAccessorException, Message:Could not connect to the socket for URL 'https://www.aai.dfn.de/fileadmin/metadata/DFN-AAI-Test-metadata.xml'
2011-09-20 13:22:04 ERROR OpenSAML.MetadataProvider.XML : error while loading resource (https://www.aai.dfn.de/fileadmin/metadata/DFN-AAI-Test-metadata.xml): XML error(s) during parsing, check log for specifics
2011-09-20 13:22:04 WARN OpenSAML.MetadataProvider.XML : adjusted reload interval to 600 seconds
2011-09-20 13:22:04 INFO OpenSAML.MetadataProvider.XML : using local backup of remote resource
AFTER MANUAL START
2011-09-20 13:41:59 INFO Shibboleth.Application : building MetadataProvider of type Chaining...
2011-09-20 13:41:59 INFO OpenSAML.Metadata.Chaining : building MetadataProvider of type XML
2011-09-20 13:41:59 INFO OpenSAML.Metadata : building MetadataFilter of type RequireValidUntil
2011-09-20 13:41:59 INFO OpenSAML.Metadata : building MetadataFilter of type Signature
2011-09-20 13:41:59 INFO XMLTooling.SecurityHelper : loading certificate(s) from file (/etc/shibboleth/dfn-aai.pem)
2011-09-20 13:41:59 INFO OpenSAML.Metadata : building MetadataFilter of type Whitelist
2011-09-20 13:41:59 DEBUG OpenSAML.MetadataProvider.XML : using remote resource (https://www.aai.dfn.de/fileadmin/metadata/DFN-AAI-Test-metadata.xml)
2011-09-20 13:41:59 DEBUG OpenSAML.MetadataProvider.XML : backup remote resource to (/etc/shibboleth/DFN-AAI-Test-metadata.xml)
2011-09-20 13:41:59 DEBUG OpenSAML.MetadataProvider.XML : loaded initial cache tag (If-None-Match: "5c0de-3273a6-4ad5d63657580")
2011-09-20 13:41:59 DEBUG OpenSAML.MetadataProvider.XML : will reload remote resource at most every 7200 seconds
2011-09-20 13:41:59 DEBUG OpenSAML.MetadataProvider.XML : loading configuration from external resource...
2011-09-20 13:41:59 INFO Shibboleth.SecurityPolicyProvider.XML : reload thread started...running when signaled
2011-09-20 13:41:59 INFO XMLTooling.StorageService : cleanup thread started...running every 900 seconds
2011-09-20 13:41:59 INFO OpenSAML.MetadataProvider.XML : remote resource (https://www.aai.dfn.de/fileadmin/metadata/DFN-AAI-Test-metadata.xml) unchanged, adjusted reload interval to 7200 seconds
2011-09-20 13:41:59 INFO OpenSAML.MetadataProvider.XML : using local backup of remote resource
2011-09-20 13:42:00 INFO OpenSAML.MetadataProvider.XML : loaded XML resource (/etc/shibboleth/DFN-AAI-Test-metadata.xml)
2011-09-20 13:42:00 INFO OpenSAML.Metadata : applying metadata filter (RequireValidUntil)
2011-09-20 13:42:00 INFO OpenSAML.Metadata : applying metadata filter (Signature)
Lutz Zellober
Universität Hamburg
Regionales Rechenzentrum
SEAIT - IT-Services
Schlüterstr. 64
20146 Hamburg
Tel.: +49 (0)40 42838 - 4119
Fax: +49 (0)40 42838 - 7159
E-Mail: lutz.z...@verw.uni-hamburg.de
--------------------------------------------------------
And if all others accepted the lie which the Party imposed - if all records told the same tale - then the lie passed into history and became truth.
George Orwell, 1984
> 2011-09-20 13:22:04 ERROR XMLTooling.ParserPool : fatal error on
> line 0, column 0, message: An exception occurred!
> Type:NetAccessorException, Message:Could not connect to the socket
> for URL
> 'https://www.aai.dfn.de/fileadmin/metadata/DFN-AAI-Test-metadata.xml'
> When I start the daemon as root (also using the init script)
> everything works fine.
Do you need to go through a proxy to reach the DFN metadata from your
machine (and does root already have its environment set up to use a
proxy)? Try this for example:
$ curl -O https://www.aai.dfn.de/fileadmin/metadata/DFN-AAI-Test-metadata.xml
vs.
$ NO_PROXY="*" curl -O https://www.aai.dfn.de/fileadmin/metadata/DFN-AAI-Test-metadata.xml
Or, if you don't have the curl binary installed but have wget, try:
$ wget https://www.aai.dfn.de/fileadmin/metadata/DFN-AAI-Test-metadata.xml
vs.
$ wget --no-proxy https://www.aai.dfn.de/fileadmin/metadata/DFN-AAI-Test-metadata.xml
If you've set up root's environment to use a proxy this would also be
inherited by child processes, such as when starting shibd manually.
If that's indeed the case here's the documentation for the Shib SP:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPTransportOption
-peter
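The comparison Peter suggests, as an added diagnostic script that is not part of his message: it counts the proxy variables visible in the shell you are typing in, counts them again in a clean environment (which is what a daemon started by init or cron inherits instead of root's login profile), and then fetches the metadata once through the environment's proxy and once with the proxy disabled. It assumes curl is installed; the metadata URL is the one from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): show why a daemon started by init
# behaves differently from one started from root's login shell, and run
# the with-proxy / without-proxy fetch comparison from one script.
# Assumes curl is installed; the metadata URL is the one from the thread.

METADATA_URL="https://www.aai.dfn.de/fileadmin/metadata/DFN-AAI-Test-metadata.xml"
PROXY_VARS="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY no_proxy NO_PROXY"

# Print name=value for every proxy variable set in the calling shell.
list_proxy_vars() {
    for v in $PROXY_VARS; do
        eval "val=\${$v}"
        [ -n "$val" ] && echo "$v=$val"
    done
    return 0
}

# Number of proxy variables visible in the calling shell (root's profile).
count_proxy_vars() {
    n=0
    for v in $PROXY_VARS; do
        eval "val=\${$v}"
        [ -n "$val" ] && n=$((n + 1))
    done
    echo "$n"
}

# Number of proxy variables visible in a clean environment, which is what
# a daemon started by init or cron sees: nothing from root's login profile.
# The variable names are passed as positional parameters to the child shell.
count_proxy_vars_clean() {
    env -i /bin/sh -c '
        n=0
        for v in "$@"; do
            eval "val=\${$v}"
            [ -n "$val" ] && n=$((n + 1))
        done
        echo "$n"' sh $PROXY_VARS
}

# Fetch the URL once through whatever proxy the environment names and once
# with the proxy disabled; reports which of the two can reach the host.
compare_fetch() {
    url="${1:-$METADATA_URL}"
    if curl -sSf -o /dev/null "$url"; then
        echo "with environment proxy: ok"
    else
        echo "with environment proxy: FAILED"
    fi
    if NO_PROXY='*' curl -sSf -o /dev/null "$url"; then
        echo "proxy disabled (NO_PROXY=*): ok"
    else
        echo "proxy disabled (NO_PROXY=*): FAILED"
    fi
}

# Full report; run it as root from the shell you normally start shibd from.
report() {
    echo "proxy variables in this shell:         $(count_proxy_vars)"
    list_proxy_vars | sed 's/^/  /'
    echo "proxy variables in a clean (init) env: $(count_proxy_vars_clean)"
    compare_fetch "$METADATA_URL"
}

# Only act when invoked as "sh proxycheck.sh run", so the functions can
# also be sourced into an interactive shell without side effects.
if [ "${1:-}" = "run" ]; then
    report
fi
```

If the first count is non-zero and the clean count is zero, the proxy settings live in root's profile only, and shibd started by init will never see them; that is exactly the case the `TransportOption` documentation linked above is for.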
It seems that you are right. But ..
Yes, we have to use a proxy.
Curl and wget couldn't download the file without the proxy; a manual start of the daemon also fails when the proxy is removed from the env.
But adding the curl TransportOption to the shibboleth.xml file doesn't work.
Same error as before.
We switched from an older Shibboleth installation. My old configuration included the TransportOption but I forgot about it.
Our old installation worked fine. Now that we have changed the Shibboleth SP version and operating system, we get this error.
Any further ideas?
Thanks
Lutz
-----Original Message-----
From: users-...@shibboleth.net [mailto:users-...@shibboleth.net] On behalf of Peter Schober
Sent: Wednesday, 21 September 2011 11:39
To: us...@shibboleth.net
Subject: Re: SP Socket error on daemon start at boot
What is the config snippet you're using, exactly?
Also, for Shib 2.x there is no file "shibboleth.xml" used by default
so unless you specifically point to it with shibd's -c option you're
possibly editing the wrong file. (But maybe that was just a typo in
your email, no way for me to know.)
Maybe turn on DEBUG logging and check whether shibd.log contains
anything to that regard.
Thanks a lot for your help.
Naturally the file is named shibboleth2.xml.
I added the following string at the end
.
.
.
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
<TransportOption provider="CURL" option="10004">172.20.250.250:8080</TransportOption>
</SPConfig>
I also enabled log4j.category.XMLTooling.libcurl=DEBUG.
The log entries aren't really valuable, are they?
I dumped the network traffic and I could see that the proxy isn't used.
2011-09-21 13:58:19 DEBUG OpenSAML.MetadataProvider.XML : using remote resource (https://www.aai.dfn.de/fileadmin/metadata/DFN-AAI-Test-metadata.xml)
2011-09-21 13:58:19 DEBUG OpenSAML.MetadataProvider.XML : backup remote resource to (/etc/shibboleth/DFN-AAI-Test-metadata.xml)
2011-09-21 13:58:19 DEBUG OpenSAML.MetadataProvider.XML : loaded initial cache tag (If-None-Match: "5c0ec-32a9b6-4ad6fd4341200")
2011-09-21 13:58:19 DEBUG OpenSAML.MetadataProvider.XML : will reload remote resource at most every 7200 seconds
2011-09-21 13:58:19 DEBUG OpenSAML.MetadataProvider.XML : loading configuration from external resource...
2011-09-21 13:58:19 DEBUG XMLTooling.libcurl.InputStream : libcurl trying to fetch https://www.aai.dfn.de/fileadmin/metadata/DFN-AAI-Test-metadata.xml
2011-09-21 13:58:19 INFO Shibboleth.SecurityPolicyProvider.XML : reload thread started...running when signaled
2011-09-21 13:58:19 INFO XMLTooling.StorageService : cleanup thread started...running every 900 seconds
2011-09-21 13:58:29 DEBUG XMLTooling.libcurl.InputStream : msg 1, 28 from curl
2011-09-21 13:58:29 ERROR XMLTooling.ParserPool : fatal error on line 0, column 0, message: An exception occurred! Type:NetAccessorException, Message:Could not connect to the socket for URL 'https://www.aai.dfn.de/fileadmin/metadata/DFN-AAI-Test-metadata.xml'
2011-09-21 13:58:29 ERROR OpenSAML.MetadataProvider.XML : error while loading resource (https://www.aai.dfn.de/fileadmin/metadata/DFN-AAI-Test-metadata.xml): XML error(s) during parsing, check log for specifics
2011-09-21 13:58:29 WARN OpenSAML.MetadataProvider.XML : adjusted reload interval to 600 seconds
Lutz
-----Original Message-----
From: users-...@shibboleth.net [mailto:users-...@shibboleth.net] On behalf of Peter Schober
Sent: Wednesday, 21 September 2011 14:45
To: us...@shibboleth.net
Subject: Re: SP Socket error on daemon start at boot
* Zellober, Lutz <Lutz.Z...@verw.uni-hamburg.de> [2011-09-21 13:41]:
You sure? ;)
> I added the following string at the end
>
> <TransportOption provider="CURL" option="10004">172.20.250.250:8080</TransportOption>
>
> </SPConfig>
That looks OK, so possibly it's an issue of the libcurl you're using?
You'll need to wait until Scott wakes up (EDT being 6 hours behind),
I guess.
What a day :-[
Our libcurl version: libcurl/7.19.0 OpenSSL/0.9.8h zlib/1.2.3 libidn/1.10 protocols: tftp ftp telnet dict ldap http file https ftps
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
Lutz
-----Original Message-----
From: users-...@shibboleth.net [mailto:users-...@shibboleth.net] On behalf of Peter Schober
Sent: Wednesday, 21 September 2011 15:12
To: us...@shibboleth.net
Subject: Re: SP Socket error on daemon start at boot
* Zellober, Lutz <Lutz.Z...@verw.uni-hamburg.de> [2011-09-21 15:04]:
That has no effect on metadata access, you'd have to put the element
inside the MetadataProvider itself.
-- Scott
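The placement Scott describes, as an added example that is not the thread's own shibboleth2.xml: the TransportOption goes inside the MetadataProvider of type XML that performs the fetch, not at the end of SPConfig. The chain and filter sequence mirror the log lines earlier in the thread; the attribute names (uri, backingFilePath, reloadInterval, maxValidityInterval, certificate) are the SP 2.x ones; the URL, backup file name, signing certificate and proxy address come from the thread; the 28-day maxValidityInterval and the whitelisted entityID are placeholders.

```xml
<!-- Added example, not the thread's shibboleth2.xml: a MetadataProvider
     chain matching the log lines in the thread, with the libcurl proxy
     option inside the XML provider that actually performs the fetch. -->
<MetadataProvider type="Chaining">
    <MetadataProvider type="XML"
            uri="https://www.aai.dfn.de/fileadmin/metadata/DFN-AAI-Test-metadata.xml"
            backingFilePath="DFN-AAI-Test-metadata.xml"
            reloadInterval="7200">

        <!-- Same filters the log shows being built, in the same order.
             28 days (2419200 s) is a placeholder validity window. -->
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
        <MetadataFilter type="Signature" certificate="dfn-aai.pem"/>
        <MetadataFilter type="Whitelist">
            <!-- placeholder entityID -->
            <Include>https://idp.example.org/idp/shibboleth</Include>
        </MetadataFilter>

        <!-- CURLOPT_PROXY (option 10004): proxy used for this provider's
             HTTPS fetch. It must sit inside the provider; as a child of
             SPConfig it does not apply to metadata access. The address is
             the one from the thread. -->
        <TransportOption provider="CURL" option="10004">172.20.250.250:8080</TransportOption>
    </MetadataProvider>
</MetadataProvider>
```

After the change, the XMLTooling.libcurl DEBUG category already enabled in the thread is the quickest check: a capture of the traffic should now show the connection going to 172.20.250.250:8080 rather than directly to www.aai.dfn.de.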
It works.
Thanks a lot.
Lutz
-----Original Message-----
From: users-...@shibboleth.net [mailto:users-...@shibboleth.net] On behalf of Cantor, Scott
Sent: Wednesday, 21 September 2011 16:05
To: us...@shibboleth.net
Subject: Re: SP Socket error on daemon start at boot
On 9/21/11 9:11 AM, "Peter Schober" <peter....@univie.ac.at> wrote: