SimpleSAMLphp CAS Unhandled exception


rhemandaddy
Apr 19, 2017, 5:01:22 AM
to SimpleSAMLphp
Hi everyone.
I am a new SimpleSAMLphp user and I am trying to use it with my existing CAS server.
My CAS server is working and I use it for other apps.

After installing SimpleSAMLphp I tried "Test configured authentication sources". But after a successful login on my CAS server the following error is sent back.

Unhandled exception


If you report this error, please also report this tracking number which makes it possible to locate your session in the logs available to the system administrator:  63247c9209

Debug information


Backtrace:
0 /var/simplesamlphp/www/module.php:180 (N/A)

Caused by: SimpleSAML_Error_Exception: Error fetching 'https://esfam-cas.auf.org:8443/validate?ticket=ST-6-YgWCZa7ZQHuXWkbpuEgi-esfam-cas.auf.org&service=https%3A%2F%2Fesfam-saml.auf.org%2Fsimplesaml%2Fmodule.php%2Fcas%2Flinkback.php%3FstateID%3D_0ca5d73cd29c180d1a5204d77258138636ee10fe00%253Ahttps%253A%252F%252Fesfam-saml.auf.org%252Fsimplesaml%252Fmodule.php%252Fcore%252Fas_login.php%253FAuthId%253Dauf-cas%2526ReturnTo%253Dhttps%25253A%25252F%25252Fesfam-saml.auf.org%25252Fsimplesaml%25252Fmodule.php%25252Fcore%25252Fauthenticate.php%25253Fas%25253Dauf-cas': file_get_contents(https://esfam-cas.auf.org:8443/validate?ticket=ST-6-YgWCZa7ZQHuXWkbpuEgi-esfam-cas.auf.org&service=https%3A%2F%2Fesfam-saml.auf.org%2Fsimplesaml%2Fmodule.php%2Fcas%2Flinkback.php%3FstateID%3D_0ca5d73cd29c180d1a5204d77258138636ee10fe00%253Ahttps%253A%252F%252Fesfam-saml.auf.org%252Fsimplesaml%252Fmodule.php%252Fcore%252Fas_login.php%253FAuthId%253Dauf-cas%2526ReturnTo%253Dhttps%25253A%25252F%25252Fesfam-saml.auf.org%25252Fsimplesaml%25252Fmodule.php%25252Fcore%25252Fauthenticate.php%25253Fas%25253Dauf-cas): failed to open stream: operation failed

Backtrace:
5 /var/simplesamlphp/lib/SimpleSAML/Utils/HTTP.php:407 (SimpleSAML\Utils\HTTP::fetch)
4 /var/simplesamlphp/modules/cas/lib/Auth/Source/CAS.php:96 (sspmod_cas_Auth_Source_CAS::casValidate)
3 /var/simplesamlphp/modules/cas/lib/Auth/Source/CAS.php:156 (sspmod_cas_Auth_Source_CAS::casValidation)
2 /var/simplesamlphp/modules/cas/lib/Auth/Source/CAS.php:178 (sspmod_cas_Auth_Source_CAS::finalStep)
1 /var/simplesamlphp/modules/cas/www/linkback.php:26 (require)
0 /var/simplesamlphp/www/module.php:137 (N/A)

I don't know what's wrong. Please, could someone help me?

Peter Schober
Apr 19, 2017, 9:07:44 AM
to SimpleSAMLphp
* 'rhemandaddy' via SimpleSAMLphp <simple...@googlegroups.com> [2017-04-19 11:01]:
> Caused by: SimpleSAML_Error_Exception: Error fetching
> 'https://esfam-cas.auf.org:8443/validate?ticket=...: failed to open
> stream: operation failed

Now I know exactly nothing about CAS but the above seems to be pretty
clear to me? Make sure your whatever needs to talk to that resource
can reach it.
Does your webserver listen on port 443 for HTTPS, and also on port
8443? If so, why?
-peter

rhemandaddy
Apr 19, 2017, 2:44:31 PM
to SimpleSAMLphp
In my Apache log, I have the following error:

SimpleSAML_Error_Exception: Error 2 - file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed, referer: https://esfam-saml.auf.org/simplesaml/module.php/core/authenticate.php

Jaime Perez Crespo
Apr 20, 2017, 3:25:08 AM
to SimpleSAMLphp
Hi,

On 19 Apr 2017, at 20:44 PM, 'rhemandaddy' via SimpleSAMLphp <simple...@googlegroups.com> wrote:
> In my Apache log, I have the following error:
>
> SimpleSAML_Error_Exception: Error 2 - file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed, referer: https://esfam-saml.auf.org/simplesaml/module.php/core/authenticate.php

I think the error is pretty much self-explanatory: “certificate verify failed”.

Is it possible to connect via TLS/SSL to your server from the machine where you have SimpleSAMLphp? Are you using a self-signed certificate on the server?

In any case, this has nothing to do with SimpleSAMLphp, I’m afraid...

--
Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

rheman puewe
Apr 20, 2017, 7:02:21 AM
to simple...@googlegroups.com
Yes, I am using a self-signed certificate on my server.


rhemandaddy
Apr 20, 2017, 7:04:57 AM
to SimpleSAMLphp
Yes, I am using a self-signed certificate and I think that the problem is coming from the self-signed certificate. But I don't know what to do.

Best regards

Peter Schober
Apr 20, 2017, 7:48:41 AM
to SimpleSAMLphp
* 'rhemandaddy' via SimpleSAMLphp <simple...@googlegroups.com> [2017-04-20 13:05]:
> Yes, I am using a self-signed certificate and I think that the problem is
> coming from the self-signed certificate. But I don't know what to do.

You didn't answer my question why you have port tcp/443 open on that
server, plus also tcp/8443. Is that a requirement from CAS?

As to avoiding self-signed certificates: Try https://letsencrypt.org/
The alternative is making sure every HTTPS client that needs to
interact with your server has a copy of the self-signed certificate in
its trust store. Since I don't know the CAS protocol flows I can't
advise on how to do that.
-peter

rheman puewe
Apr 20, 2017, 8:19:49 AM
to simple...@googlegroups.com
I am working with two virtual machines. The first one hosts the CAS server on port 8443 and the second one hosts SimpleSAMLphp on port 443.
The problem is that SimpleSAMLphp cannot verify the certificate on the CAS server; that's why certificate verify failed. Moreover, I cannot use https://letsencrypt.org/ because it requires a valid domain name and I am working on a local domain name.

rheman puewe
Apr 20, 2017, 8:32:52 AM
to simple...@googlegroups.com
Sorry, I forgot to tell you that on the virtual machine hosting SimpleSAMLphp we also have several Java apps running on port 8443.

Peter Schober
Apr 20, 2017, 9:19:51 AM
to simple...@googlegroups.com
* 'rheman puewe' via SimpleSAMLphp <simple...@googlegroups.com> [2017-04-20 14:19]:
> I am working with two virtual machines. The first one hosts the CAS server on
> port 8443 and the second one hosts SimpleSAMLphp on port 443.
> The problem is that SimpleSAMLphp cannot verify the certificate on the CAS server;
> that's why certificate verify failed. Moreover, I cannot use
> https://letsencrypt.org/ because it requires a valid domain name and I am
> working on a local domain name.

OK, your task is then to configure PHP's use of SSL so that it can
trust the self-signed TLS certificate on port 8443 from your CAS
server. Cf. http://php.net/manual/en/context.ssl.php

Or maybe the CAS client that you're using within SimpleSAMLphp has
options for TLS trust, I don't know. Check its documentation, or
failing that, the code.

-peter

Jaime Perez Crespo
Apr 20, 2017, 11:51:04 AM
to simple...@googlegroups.com
Hi,

On 20 Apr 2017, at 14:19 PM, 'rheman puewe' via SimpleSAMLphp <simple...@googlegroups.com> wrote:
> I am working with two virtual machines. The first one hosts the CAS server on port 8443 and the second one hosts SimpleSAMLphp on port 443.

Are you using Docker, so that you have the ports mapped to localhost?

If not, why don’t you just use 443 in both?

> The problem is that SimpleSAMLphp cannot verify the certificate on the CAS server; that's why certificate verify failed.

No, SimpleSAMLphp doesn’t verify anything and has nothing to do here. The error you are getting is coming from OpenSSL, as it should be, since certificate validation is its responsibility. You can tell OpenSSL to not verify a certificate, but then you can’t trust that you are talking to who you think you are talking. Obviously, SimpleSAMLphp doesn’t allow that.

> Moreover, I cannot use https://letsencrypt.org/ because it requires a valid domain name and I am working on a local domain name.

When you move out of your local domain, the problem will disappear as then you can have a certificate. For now, you can either use plain HTTP or add the certificate of your CAS server to the trusted certificates in the SimpleSAMLphp machine. In any case, both are unrelated to SSP.
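The route both Peter (PHP's SSL stream context) and Jaime (add the CAS certificate to the trusted certificates on the SimpleSAMLphp machine) point at is to trust that one specific self-signed certificate while leaving verification switched on. The script below is an added example written for this thread; it is not code from the original posts, from SimpleSAMLphp or from its CAS module. It assumes the CAS server's certificate has been copied in PEM form to /etc/ssl/certs/esfam-cas.pem on the SimpleSAMLphp host (an assumed path), PHP 7.1 or later, and a CAS 1.0 /validate endpoint like the one in the URL from the first post.

```php
<?php
// Added example, not SimpleSAMLphp or CAS module code: validate a CAS
// service ticket over HTTPS while trusting exactly one self-signed server
// certificate, instead of switching certificate verification off.
//
// Assumptions (not from the original thread):
//   - the CAS server's certificate is at /etc/ssl/certs/esfam-cas.pem
//     on the SimpleSAMLphp host, copied there out-of-band
//   - PHP >= 7.1 (nullable return types)

declare(strict_types=1);

/**
 * Build an SSL stream context that accepts only the certificate(s) in
 * $caFile. For a self-signed certificate, $caFile is that certificate
 * itself: OpenSSL treats a trusted self-signed certificate as its own
 * anchor, so verification succeeds for it and fails for any other cert.
 */
function cas_tls_context(string $caFile, string $expectedHost)
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }
    return stream_context_create([
        'ssl' => [
            'verify_peer'       => true,   // keep on: this is the whole point
            'verify_peer_name'  => true,   // certificate must match the host
            'allow_self_signed' => false,  // true would accept ANY self-signed cert
            'cafile'            => $caFile,
            'peer_name'         => $expectedHost,
        ],
    ]);
    // What NOT to do, even though it also makes the error disappear:
    //   'ssl' => ['verify_peer' => false, 'verify_peer_name' => false]
    // Anyone on the network path could then answer as the CAS server and
    // return "yes\nadmin\n" for a ticket it never issued.
}

/**
 * CAS 1.0 validation: GET /validate?ticket=...&service=... and parse the
 * plain-text reply, which is "yes\n<user>\n" on success and "no\n\n"
 * otherwise. Returns the username or null when the ticket is rejected.
 * $service must be byte-for-byte the URL the browser was sent to CAS with.
 */
function cas_validate(string $casBase, string $service, string $ticket, $ctx): ?string
{
    $url = rtrim($casBase, '/') . '/validate?'
         . http_build_query(['ticket' => $ticket, 'service' => $service]);

    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        // Surface the OpenSSL reason ("certificate verify failed", ...)
        // instead of the bare "operation failed" seen in the thread.
        $err = error_get_last();
        throw new RuntimeException('CAS validation fetch failed: '
            . ($err['message'] ?? 'unknown error'));
    }

    $lines = explode("\n", $body);
    if (($lines[0] ?? '') === 'yes' && isset($lines[1]) && $lines[1] !== '') {
        return $lines[1];
    }
    return null;
}

// Usage; the ticket value is a placeholder, not a real one.
$ctx  = cas_tls_context('/etc/ssl/certs/esfam-cas.pem', 'esfam-cas.auf.org');
$user = cas_validate(
    'https://esfam-cas.auf.org:8443',
    'https://esfam-saml.auf.org/simplesaml/module.php/cas/linkback.php',
    'ST-placeholder',
    $ctx
);
echo $user === null ? "ticket rejected\n" : "authenticated as $user\n";
```

Two practical notes. First, copy the PEM file from the CAS server itself (or compare its fingerprint with `openssl x509 -in esfam-cas.pem -noout -fingerprint -sha256` on both sides) rather than scraping it off the wire, since a certificate fetched over the very connection you cannot yet verify proves nothing. Second, the backtrace in the first post shows the module calling file_get_contents() through SimpleSAML\Utils\HTTP::fetch, so a per-call context like the one above is not something you can inject from config.php; the same effect is obtained by pointing PHP's openssl.cafile ini directive at the file, or by adding the certificate to the OS trust store that OpenSSL consults, which is what Jaime's suggestion amounts to.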

Peter Schober
Apr 20, 2017, 12:26:59 PM
to simple...@googlegroups.com
* Jaime Perez Crespo <jaime...@uninett.no> [2017-04-20 17:51]:
> Are you using Docker, so that you have the ports mapped to localhost?
>
> If not, why don’t you just use 443 in both?

Seems 8443 is where the OP runs some Java web server,
and 443 is the webserver running PHP.

With httpd and Tomcat you could of course tunnel requests to Java
through AJP and make both available on 443 only (assuming
non-overlapping REQUEST_URIs can be established).
-peter

rhemandaddy
Apr 21, 2017, 6:59:14 AM
to SimpleSAMLphp, peter....@univie.ac.at
Thanks a lot for your help. The test is working now. I just imported my Apache self-signed certificate into my Java keystore.

Peter Schober
Apr 21, 2017, 7:04:01 AM
to SimpleSAMLphp
* 'rhemandaddy' via SimpleSAMLphp <simple...@googlegroups.com> [2017-04-21 12:59]:
> Thanks a lot for your help. The test is working now. I just imported
> my Apache self-signed certificate into my Java keystore.

I thought it was SimpleSAMLphp's CAS module having issues with the TLS
certificate on your Java server (on port 8443)? Then it would have
been PHP and OpenSSL you'd need to convince to trust the Java server,
not the other way around. Obviously I misunderstood your issue.
Glad you still got it to work.
-peter

rhemandaddy
Apr 21, 2017, 7:10:44 AM
to SimpleSAMLphp, peter....@univie.ac.at
Hi.

Now I have another problem. After a successful login, I am not redirected, and when I look in my Apache log, I have the following entries.

There is already a PHP session with the same name as SimpleSAMLphp's session, or the 'session.phpsession.cookiename' configuration option is not set.

Jaime Perez Crespo
Apr 21, 2017, 8:07:29 AM
to SimpleSAMLphp
On 21 Apr 2017, at 13:10 PM, 'rhemandaddy' via SimpleSAMLphp <simple...@googlegroups.com> wrote:
> Hi.
>
> Now I have another problem. After a successful login, I am not redirected, and when I look in my Apache log, I have the following entries.
>
> There is already a PHP session with the same name as SimpleSAMLphp's session, or the 'session.phpsession.cookiename' configuration option is not set.

Well, is “session.phpsession.cookiename” set?

If so, to what value?

rhemandaddy
Apr 21, 2017, 8:17:54 AM
to SimpleSAMLphp
I am using the default settings. Thus I have the following settings: 'store.type' => 'phpsession' and 'session.phpsession.cookiename' => null,

Jaime Perez Crespo
Apr 21, 2017, 8:52:10 AM
to simple...@googlegroups.com
On 21 Apr 2017, at 14:17 PM, 'rhemandaddy' via SimpleSAMLphp <simple...@googlegroups.com> wrote:
> I am using the default settings. Thus I have the following settings: 'store.type' => 'phpsession' and 'session.phpsession.cookiename' => null,

The defaults are sometimes there because we can't just assume things, or know every deployment beforehand. Therefore, you need to go through the configuration file and adapt the settings to your particular environment.

If you are also using PHP sessions in an application deployed alongside SimpleSAMLphp, both need to use different session names. Set 'session.phpsession.cookiename' to something meaningful (e.g. "SimpleSAML") and make sure your app uses named sessions.

Make sure to read the documentation:

https://simplesamlphp.org/docs/stable/simplesamlphp-sp#section_6
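What Jaime describes, the two sides of the fix next to each other, as an added example that is not SimpleSAMLphp's shipped config/config.php nor anything from the original posts: the SimpleSAMLphp setting that has to change, the matching bootstrap for the co-hosted application, and a check the application can run so a clash fails loudly instead of producing the silent "not redirected" symptom. The cookie names "SimpleSAML" and "MyAppSession" are assumed values.

```php
<?php
// Added example, not SimpleSAMLphp's own config file or code. Shows why the
// SimpleSAMLphp PHP session and a co-hosted application's PHP session must
// have different cookie names, and a guard the application can apply.

declare(strict_types=1);

/** Fragment of SimpleSAMLphp's config/config.php (assumed values). */
function simplesaml_session_config(): array
{
    return [
        'store.type' => 'phpsession',

        // Weak (the default from the thread): null means "use PHP's default
        // session name", which is the same name the co-hosted application
        // gets unless it sets one, so both share a single cookie and one
        // session overwrites the other.
        // 'session.phpsession.cookiename' => null,

        // Corrected: a cookie name no other application on this host uses.
        'session.phpsession.cookiename' => 'SimpleSAML',
    ];
}

/**
 * Bootstrap for the application living next to SimpleSAMLphp: start a named
 * session that cannot collide with SimpleSAMLphp's, and refuse to continue
 * if some earlier include already started a session under that name (the
 * situation behind the "There is already a PHP session with the same name"
 * log entry).
 */
function app_session_start(string $sspCookieName, string $appCookieName): void
{
    if ($sspCookieName === $appCookieName) {
        throw new LogicException(
            "Application and SimpleSAMLphp must not share session name '$appCookieName'"
        );
    }

    if (session_status() === PHP_SESSION_ACTIVE) {
        if (session_name() === $sspCookieName) {
            throw new LogicException(
                "A session named '$sspCookieName' is already active; "
                . "SimpleSAMLphp would not be able to start its own"
            );
        }
        return; // the application's own named session is already running
    }

    session_name($appCookieName);   // must be called before session_start()
    session_start();
}

$ssp = simplesaml_session_config();
app_session_start($ssp['session.phpsession.cookiename'], 'MyAppSession');
```

The guard only covers the PHP-session store; if you later move SimpleSAMLphp to another 'store.type' (for example a database or memcache), the cookie-name clash disappears for that side, but the application should still set its own session name so it never depends on PHP's default.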