"Could not validate signature" when using metadata refresh
75 views
Skip to first unread message
Lorenzo Milesi
Sep 30, 2021, 9:40:01 PM9/30/21
to simplesamlphp
Hi.
I'm using the metadata refresh module to update metadata from Nextcloud. I followed this [1] guide. Unfortunately I'm not able to verify the self signed cert, when I run the cron command with debug enabled I get:
Oct 01 03:00:37 simplesamlphp INFO [CL4c122338] cron [metarefresh]: Running cron in cron tag [daily]
Oct 01 03:00:37 simplesamlphp INFO [CL4c122338] cron [metarefresh]: Executing set [domain.it]
Oct 01 03:00:37 simplesamlphp DEBUG [CL4c122338] cron [metarefresh]: In set [domain.it] loading source [https://servizi.domain.it/nextcloud/apps/user_saml/saml/metadata]
Oct 01 03:00:37 simplesamlphp DEBUG [CL4c122338] Could not validate signature
Oct 01 03:00:37 simplesamlphp INFO [CL4c122338] Skipping "https://servizi.domain.it/nextcloud/apps/user_saml/saml/metadata" - could not verify signature using certificate.
The cert has been generated with:
openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out nextcloud.crt -keyout nextcloud.key
The cert alg is:
Signature Algorithm: sha256WithRSAEncryption
I then copied the content of the crt and key file into Nextcloud's "Service Provider Data" config. If I fetch NC metadata the embedded X509 cert matches the one created above.
Any hint on what I could have done wrong?
Thanks
[1] https://mihneac.com/saml/nextcloud_simplesamlphp
--
Lorenzo Milesi - lorenzo...@yetopen.com
CTO @ YetOpen Srl
YetOpen - https://www.yetopen.com/
Via Salerno 18 - 23900 Lecco - ITALY - | 4801 Glenwood Avenue - Suite 200 - Raleigh, NC 27612 - USA -
Tel +39 0341 220 205 - inf...@yetopen.com | Phone +1 919-817-8106 - inf...@yetopen.com
Think green - Non stampare questa e-mail se non necessario / Don't print this email unless necessary
-------- D.Lgs. 196/2003 e GDPR 679/2016 --------
Tutte le informazioni contenute in questo messaggio sono riservate ed a uso esclusivo del destinatario.
Tutte le informazioni ivi contenute, compresi eventuali allegati, sono da ritenere confidenziali e riservate secondo i termini
del vigente D.Lgs. 196/2003 in materia di privacy e del Regolamento europeo 679/2016 - GDPR - e quindi ne e' proibita l'utilizzazione ulteriore non autorizzata.
Nel caso in cui questo messaggio Le fosse pervenuto per errore, La invitiamo ad eliminarlo senza copiarlo, stamparlo, a non inoltrarlo a terzi e ad avvertirci non appena possibile.
Grazie.
Confidentiality notice: this email message including any attachment is for the sole use of the intended recipient and may contain confidential and privileged information;
pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 - GDPR - any unauthorized review, use, disclosure or distribution
is prohibited. If you are not the intended recepient please delete this message without copying, printing or forwarding it to others, and alert us as soon as possible.
Thank you.
I'm using the metadata refresh module to update metadata from Nextcloud. I followed this [1] guide. Unfortunately I'm not able to verify the self signed cert, when I run the cron command with debug enabled I get:
Oct 01 03:00:37 simplesamlphp INFO [CL4c122338] cron [metarefresh]: Running cron in cron tag [daily]
Oct 01 03:00:37 simplesamlphp INFO [CL4c122338] cron [metarefresh]: Executing set [domain.it]
Oct 01 03:00:37 simplesamlphp DEBUG [CL4c122338] cron [metarefresh]: In set [domain.it] loading source [https://servizi.domain.it/nextcloud/apps/user_saml/saml/metadata]
Oct 01 03:00:37 simplesamlphp DEBUG [CL4c122338] Could not validate signature
Oct 01 03:00:37 simplesamlphp INFO [CL4c122338] Skipping "https://servizi.domain.it/nextcloud/apps/user_saml/saml/metadata" - could not verify signature using certificate.
The cert has been generated with:
openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out nextcloud.crt -keyout nextcloud.key
The cert alg is:
Signature Algorithm: sha256WithRSAEncryption
I then copied the content of the crt and key file into Nextcloud's "Service Provider Data" config. If I fetch NC metadata the embedded X509 cert matches the one created above.
Any hint on what I could have done wrong?
Thanks
[1] https://mihneac.com/saml/nextcloud_simplesamlphp
--
Lorenzo Milesi - lorenzo...@yetopen.com
CTO @ YetOpen Srl
YetOpen - https://www.yetopen.com/
Via Salerno 18 - 23900 Lecco - ITALY - | 4801 Glenwood Avenue - Suite 200 - Raleigh, NC 27612 - USA -
Tel +39 0341 220 205 - inf...@yetopen.com | Phone +1 919-817-8106 - inf...@yetopen.com
Think green - Non stampare questa e-mail se non necessario / Don't print this email unless necessary
-------- D.Lgs. 196/2003 e GDPR 679/2016 --------
Tutte le informazioni contenute in questo messaggio sono riservate ed a uso esclusivo del destinatario.
Tutte le informazioni ivi contenute, compresi eventuali allegati, sono da ritenere confidenziali e riservate secondo i termini
del vigente D.Lgs. 196/2003 in materia di privacy e del Regolamento europeo 679/2016 - GDPR - e quindi ne e' proibita l'utilizzazione ulteriore non autorizzata.
Nel caso in cui questo messaggio Le fosse pervenuto per errore, La invitiamo ad eliminarlo senza copiarlo, stamparlo, a non inoltrarlo a terzi e ad avvertirci non appena possibile.
Grazie.
Confidentiality notice: this email message including any attachment is for the sole use of the intended recipient and may contain confidential and privileged information;
pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 - GDPR - any unauthorized review, use, disclosure or distribution
is prohibited. If you are not the intended recepient please delete this message without copying, printing or forwarding it to others, and alert us as soon as possible.
Thank you.
Peter Schober
Oct 1, 2021, 6:46:35 AM10/1/21
to simplesamlphp
* 'Lorenzo Milesi' via SimpleSAMLphp <simple...@googlegroups.com> [2021-10-01 03:40]:
The person having written this is in no position to give configuration
advice: There is no need to hack/patch SimpleSAMLphp or any of its
modules in order to download and verify signed SAML 2.0 Metadata.
I've stopped reading at that point and so should you.
The SimpleSAMLphp documentation covers how to set up metarefresh:
https://simplesamlphp.org/docs/stable/ -> "Automated Metadata
Management"
https://github.com/simplesamlphp/simplesamlphp-module-metarefresh/blob/master/docs/simplesamlphp-automated_metadata.md
(why ever that points to github and not a deployed copy of that on
https://simplesamlphp.org/docs/)
> Unfortunately I'm not able to verify the self signed cert, when I
> run the cron command with debug enabled I get:
If you hacked SimpleSAMLphp code then stop and go back to the original
code.
Once you've done that pay attention to what the message says (it's not
about "not able to verify the self signed cert", as you claim, it says
"could not validate/verify signature").
I.e., the certificate you have configured to validate the signature
doesn't match the private key that was used for signing it.
> I then copied the content of the crt and key file into Nextcloud's
> "Service Provider Data" config. If I fetch NC metadata the embedded
> X509 cert matches the one created above.
If Nextcloud correctly signed its SAML 2.0 Metadata (which not a topic
for this list, but you can verify this with several tools, including
xmlsec1, XmlSecTool or samlsign from the Shib SP package) then the
only likely error is that you did not configure the certificate of
that key pair in your metarefresh configuration.
That's all there is to it.
Self-signed, signature algorithm, letsencrypt: Non of that matters one bit.
-peter
> I'm using the metadata refresh module to update metadata from
> Nextcloud.
> I followed this [1] guide.
> [1] https://mihneac.com/saml/nextcloud_simplesamlphp
> Nextcloud.
> I followed this [1] guide.
The person having written this is in no position to give configuration
advice: There is no need to hack/patch SimpleSAMLphp or any of its
modules in order to download and verify signed SAML 2.0 Metadata.
I've stopped reading at that point and so should you.
The SimpleSAMLphp documentation covers how to set up metarefresh:
https://simplesamlphp.org/docs/stable/ -> "Automated Metadata
Management"
https://github.com/simplesamlphp/simplesamlphp-module-metarefresh/blob/master/docs/simplesamlphp-automated_metadata.md
(why ever that points to github and not a deployed copy of that on
https://simplesamlphp.org/docs/)
> Unfortunately I'm not able to verify the self signed cert, when I
> run the cron command with debug enabled I get:
code.
Once you've done that pay attention to what the message says (it's not
about "not able to verify the self signed cert", as you claim, it says
"could not validate/verify signature").
I.e., the certificate you have configured to validate the signature
doesn't match the private key that was used for signing it.
> I then copied the content of the crt and key file into Nextcloud's
> "Service Provider Data" config. If I fetch NC metadata the embedded
> X509 cert matches the one created above.
for this list, but you can verify this with several tools, including
xmlsec1, XmlSecTool or samlsign from the Shib SP package) then the
only likely error is that you did not configure the certificate of
that key pair in your metarefresh configuration.
That's all there is to it.
Self-signed, signature algorithm, letsencrypt: Non of that matters one bit.
-peter
Peter Schober
Oct 1, 2021, 7:18:31 AM10/1/21
to simplesamlphp
* Peter Schober <peter....@univie.ac.at> [2021-10-01 12:46]:
given context that the statement
"If using let's encrypt or self signed certificate on nextcloud"
referred to the certificate from the key pair used for securing SAML
protocol messages. (And I think you've made the same mistake, as you
were wondering about the correctness of the self-signed certificate
you created to let nextcloud sign its SAML Metadata.)
I now realise that the suggested code change was to enable HTTPS
connections from SimpleSAMLphp's metarefresh to a TLS-enabled web
server (hosting the SAML Metadata for Nextcloud) where the certificate
presented on that HTTPS connection is not trustworthy (i.e., self-signed).
It still makes no sense at all to disable TLS verification when using
letsencrypt certificates (the whole point of letsencrypt is that those
certificates are fully trusted as they come from an established
Certificate Authority present in all major trust stores) but I can see
how connecting to a TLS-enabled web server with an untrustworthy
certificate (i.e., self-signed) might have metarefresh fail.
Of course the proper way to enable that would be to file an issue (or
send a pull request with the suggested code changes) in the
SimpelSAMLphp issue tracker, instead of adding it to some random blog
post about nexcloud integration (when this isn't even about nexcloud).
So yeah, with the exception of the comment about letsencrypt that code
change may be necessary if you're using a self-signed certificate to
secure the HTTPS web server that is hosting SAML Metadata you're
trying to import using SimpleSAMLphp's metarefresh.
-peter
> The person having written this is in no position to give configuration
> advice: There is no need to hack/patch SimpleSAMLphp or any of its
> modules in order to download and verify signed SAML 2.0 Metadata.
I misunderstood the point of the suggested hack. I've assumed in the
> advice: There is no need to hack/patch SimpleSAMLphp or any of its
> modules in order to download and verify signed SAML 2.0 Metadata.
given context that the statement
"If using let's encrypt or self signed certificate on nextcloud"
referred to the certificate from the key pair used for securing SAML
protocol messages. (And I think you've made the same mistake, as you
were wondering about the correctness of the self-signed certificate
you created to let nextcloud sign its SAML Metadata.)
I now realise that the suggested code change was to enable HTTPS
connections from SimpleSAMLphp's metarefresh to a TLS-enabled web
server (hosting the SAML Metadata for Nextcloud) where the certificate
presented on that HTTPS connection is not trustworthy (i.e., self-signed).
It still makes no sense at all to disable TLS verification when using
letsencrypt certificates (the whole point of letsencrypt is that those
certificates are fully trusted as they come from an established
Certificate Authority present in all major trust stores) but I can see
how connecting to a TLS-enabled web server with an untrustworthy
certificate (i.e., self-signed) might have metarefresh fail.
Of course the proper way to enable that would be to file an issue (or
send a pull request with the suggested code changes) in the
SimpelSAMLphp issue tracker, instead of adding it to some random blog
post about nexcloud integration (when this isn't even about nexcloud).
So yeah, with the exception of the comment about letsencrypt that code
change may be necessary if you're using a self-signed certificate to
secure the HTTPS web server that is hosting SAML Metadata you're
trying to import using SimpleSAMLphp's metarefresh.
-peter
Lorenzo Milesi
Oct 1, 2021, 2:27:20 PM10/1/21
to simplesamlphp
> If Nextcloud correctly signed its SAML 2.0 Metadata (which not a topic
> for this list, but you can verify this with several tools, including
> xmlsec1, XmlSecTool or samlsign from the Shib SP package) then the
> only likely error is that you did not configure the certificate of
> that key pair in your metarefresh configuration.
I will file a PR for the ssl check disable option.
thanks
Reply all
Reply to author
Forward
0 new messages