apereo / mod_auth_cas

An Apache httpd module for integrating with Apereo CAS Server project.
https://www.apereo.org/projects/cas

self signed certificate not working #183

Closed veskoz closed 4 years ago

veskoz commented 4 years ago

Hello! I'm struggling to get mod_auth_cas working with https with a self-signed certificate; my environment is CentOS 7 on VirtualBox. What I did was create a folder /opt/certificates; in there I ran this:

Generate private key:
openssl genrsa -out cas.pem 2048

Generate CSR (in the "Common Name" I gave my server IPv4 address: 192.168.1.7):
openssl req -new -key cas.pem -out cas.csr

Generate self-signed cert:
openssl x509 -req -days 365 -in cas.csr -signkey cas.pem -out cas.crt

in: /etc/httpd/conf.d/auth_cas.conf

CASLoginURL https://192.168.1.7:8443/cas/login
CASValidateURL https://192.168.1.7:8443/cas/serviceValidate
CASCertificatePath /opt/certificates/

And it does not work; I always get:

MOD_AUTH_CAS: curl_easy_perform() failed (Issuer certificate is invalid.), referer: http://192.168.1.7/mod_auth_cas/index.php

If I stick with http it works. I really don't understand why it is failing... I've been trying to solve this problem for about 2 weeks. phpCAS is working like a charm with http and https; can you help me out please?

dhawes commented 4 years ago

Is your CAS server using the certificate you created in the first step?

Is that certificate in /opt/certificates linked to its hashed name? If not, use the path to the certificate with your CASCertificatePath directive.

Can you:

openssl s_client -connect 192.168.1.7:8443 -CAfile <self-signed-cert>
curl --cacert <self-signed-cert> https://192.168.1.7:8443

?

veskoz commented 4 years ago

Thank you for answering! I really don't know how to check the CAS server certificate. I can tell you what I did; in order to install CAS I ran:

./gradlew createKeystore (which creates /etc/cas/cas.cer and /etc/cas/thekeystore)
./gradlew copyCasConfiguration

Then I enabled https for Tomcat:

mkdir /opt/certificates
cd /opt/certificates

keytool -genkey -keyalg RSA -alias tomcat -keystore selfsigned.jks -validity 365 -keysize 2048
answered localhost to all questions

keytool -export -keystore selfsigned.jks -storepass changeme -alias tomcat -file selfsigned.cer

nano /opt/tomcat/latest/conf/server.xml

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="/opt/certificates/selfsigned.jks"
                         certificateKeyAlias="tomcat"
                         certificateKeystorePassword="changeme"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

So my /opt/certificates has:

-rw-r--r--. 1 root root 1159 Apr  3 10:32 cas.crt
-rw-r--r--. 1 root root  980 Apr  3 10:31 cas.csr
-rw-r--r--. 1 root root 1675 Apr  3 10:30 cas.pem
-rw-r--r--. 1 root root  895 Apr  2 11:59 selfsigned.cer (tomcat)
-rw-r--r--. 1 root root 2591 Apr  2 11:58 selfsigned.jks (tomcat)

If from the server I run:

[root@centostest ~]# openssl s_client -connect 192.168.1.7:8443 -CAfile /opt/certificates/cas.crt
CONNECTED(00000003)
depth=0 C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = localhost
verify return:1
---
Certificate chain
 0 s:/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=localhost
   i:/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=localhost
issuer=/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1379 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 95DA5330770F8336D73C53CB4D5F477B7742331A4C169F14FD79E4362E192ECE
    Session-ID-ctx: 
    Master-Key: 177C8BF5E592081E6E9D1F47C497F45EBF06213DAC729301EA0DB1843F2B98264AF4DEE9C1F162D450D5A74241F59B8C
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1586248468
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

[root@centostest ~]# curl --cacert /opt/certificates/cas.crt https://192.168.1.7:8443
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

dhawes commented 4 years ago

Can you add '-vv' to that last curl command and post the output?

curl -vv --cacert /opt/certificates/cas.crt https://localhost:8443

veskoz commented 4 years ago

Hi, yes sure:

[root@centostest ~]# curl -vv --cacert /opt/certificates/cas.crt https://localhost:8443
* About to connect() to localhost port 8443 (#0)
*   Trying ::1...
* Connected to localhost (::1) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /opt/certificates/cas.crt
  CApath: none
* Server certificate:
*   subject: CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Un...
*   start date: Apr 02 09:58:54 2020 GMT
*   expire date: Apr 02 09:58:54 2021 GMT
*   common name: localhost
*   issuer: CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Un...
* NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
* Issuer certificate is invalid.
* Closing connection 0
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

dhawes commented 4 years ago

Does your /opt/certificates/cas.crt contain:

-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----

and is the certificate used by what you have configured in CASLoginURL?

I'm confused at what certs you are using. You mention that you set the CN as an IP address, but your certificate is clearly using "localhost".

veskoz commented 4 years ago

Okay, so in order to avoid misunderstanding I deleted everything inside /opt/certificates except selfsigned.cer and selfsigned.jks, because they are used by Tomcat. I ran:

    Generate private key:
    openssl genrsa -out cas.pem 2048
    Generate CSR: 
    openssl req -new -key cas.pem -out cas.csr
    Generate Self Signed Cert
    openssl x509 -req -days 365 -in cas.csr -signkey cas.pem -out cas.crt

[root@centostest ~]# openssl s_client -connect 192.168.1.7:8443 -CAfile /opt/certificates/cas.crt
CONNECTED(00000003)
depth=0 C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = localhost
verify return:1
---
Certificate chain
 0 s:/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=localhost
   i:/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=localhost
issuer=/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1379 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 3919AE705088DD65AFF607B42122F2CC225135F90ABFADAC1BD7C23AF20DC8E7
    Session-ID-ctx: 
    Master-Key: B088C061C2BA2A28D17243C22C6ACE28943C6B814F559E99CE3C35A345DEB35231BE22D7DD8FF4CCA2C8991B51BA7720
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1586374251
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)

[root@centostest ~]# curl --cacert /opt/certificates/cas.crt https://192.168.1.7:8443
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

[root@centostest ~]# curl -vv --cacert /opt/certificates/cas.crt https://localhost:8443
* About to connect() to localhost port 8443 (#0)
*   Trying ::1...
* Connected to localhost (::1) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /opt/certificates/cas.crt
  CApath: none
* Server certificate:
*   subject: CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Un...
*   start date: Apr 02 09:58:54 2020 GMT
*   expire date: Apr 02 09:58:54 2021 GMT
*   common name: localhost
*   issuer: CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Un...
* NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
* Issuer certificate is invalid.
* Closing connection 0
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Which is strange because I answered the questions; in fact if I run:

[root@centostest certificates]# openssl x509 -text -noout -in /opt/certificates/cas.crt 
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            f1:47:d4:c2:77:08:41:d5
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=IT, ST=Italy, L=Padova, O=Company, OU=IT, CN=192.168.1.7
        Validity
            Not Before: Apr  8 19:13:11 2020 GMT
            Not After : Apr  8 19:13:11 2021 GMT
        Subject: C=IT, ST=Italy, L=Padova, O=Company, OU=IT, CN=192.168.1.7
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    (modulus hex dump omitted)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         (signature hex dump omitted)

This is my curl version:
[root@centostest certificates]# curl -V
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.44 zlib/1.2.7 libidn/1.28 libssh2/1.8.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets 

dhawes commented 4 years ago

It seems to me you are mixing up your certificates.

The first certificate is the one that is used by Tomcat, which I assume is your CAS server. This is the one we care about. I believe it is selfsigned.cer if I'm reading correctly.

The second is for your Apache that is running mod_auth_cas. That is what you are creating with your openssl commands.

Is that right?

If so, we only care about the first one for mod_auth_cas.

Point CASCertificatePath to the self-signed server certificate for your CAS server. Also, try curl and s_client with the same file to verify everything works.

veskoz commented 4 years ago

I guess you were right, i edited:

/etc/httpd/conf.d/auth_cas.conf
CASCookiePath /var/cache/httpd/mod_auth_cas/
CASLoginURL https://192.168.1.7:8443/cas/login
CASValidateURL https://192.168.1.7:8443/cas/serviceValidate
CASCertificatePath /opt/certificates/selfsigned.cer
LogLevel debug
CASDebug On

<Directory "/var/www/html/mod_auth_cas/secured-by-cas">
  AuthType CAS
  Require valid-user
</Directory>

Then I restarted httpd and even Tomcat; tried an incognito page, got redirected to my CAS server, fed it login and password, but still can't get authorized:

[Wed Apr 08 22:04:01.781785 2020] [authz_core:debug] [pid 1745] mod_authz_core.c(809): [client 192.168.1.14:56158] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: http://192.168.1.7/mod_auth_cas/index.php
[Wed Apr 08 22:04:01.781850 2020] [authz_core:debug] [pid 1745] mod_authz_core.c(809): [client 192.168.1.14:56158] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: http://192.168.1.7/mod_auth_cas/index.php
[Wed Apr 08 22:04:01.781885 2020] [:debug] [pid 1745] mod_auth_cas.c(2058): [client 192.168.1.14:56158] Entering cas_authenticate(), referer: http://192.168.1.7/mod_auth_cas/index.php
[Wed Apr 08 22:04:01.781908 2020] [:debug] [pid 1745] mod_auth_cas.c(580): [client 192.168.1.14:56158] CAS Service 'http%3a%2f%2f192.168.1.7%2fmod_auth_cas%2fsecured-by-cas%2findex.php', referer: http://192.168.1.7/mod_auth_cas/index.php
[Wed Apr 08 22:04:01.781913 2020] [:debug] [pid 1745] mod_auth_cas.c(528): [client 192.168.1.14:56158] entering getCASLoginURL(), referer: http://192.168.1.7/mod_auth_cas/index.php
[Wed Apr 08 22:04:01.781924 2020] [:debug] [pid 1745] mod_auth_cas.c(505): [client 192.168.1.14:56158] entering getCASGateway(), referer: http://192.168.1.7/mod_auth_cas/index.php
[Wed Apr 08 22:04:01.781928 2020] [:debug] [pid 1745] mod_auth_cas.c(595): [client 192.168.1.14:56158] entering redirectRequest(), referer: http://192.168.1.7/mod_auth_cas/index.php
[Wed Apr 08 22:04:01.781933 2020] [:debug] [pid 1745] mod_auth_cas.c(607): [client 192.168.1.14:56158] Adding outgoing header: Location: https://192.168.1.7:8443/cas/login?service=http%3a%2f%2f192.168.1.7%2fmod_auth_cas%2fsecured-by-cas%2findex.php, referer: http://192.168.1.7/mod_auth_cas/index.php
[Wed Apr 08 22:04:11.397086 2020] [authz_core:debug] [pid 1753] mod_authz_core.c(809): [client 192.168.1.14:56172] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Apr 08 22:04:11.397114 2020] [authz_core:debug] [pid 1753] mod_authz_core.c(809): [client 192.168.1.14:56172] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Apr 08 22:04:11.397133 2020] [:debug] [pid 1753] mod_auth_cas.c(2058): [client 192.168.1.14:56172] Entering cas_authenticate()
[Wed Apr 08 22:04:11.397143 2020] [:debug] [pid 1753] mod_auth_cas.c(652): [client 192.168.1.14:56172] Modified r->args (now '')
[Wed Apr 08 22:04:11.397172 2020] [:debug] [pid 1753] mod_auth_cas.c(1761): [client 192.168.1.14:56172] entering getResponseFromServer()
[Wed Apr 08 22:04:11.397226 2020] [:debug] [pid 1753] mod_auth_cas.c(580): [client 192.168.1.14:56172] CAS Service 'http%3a%2f%2f192.168.1.7%2fmod_auth_cas%2fsecured-by-cas%2findex.php'
[Wed Apr 08 22:04:11.480171 2020] [:debug] [pid 1753] mod_auth_cas.c(1830): [client 192.168.1.14:56172] MOD_AUTH_CAS: curl_easy_perform() failed ()
[Wed Apr 08 22:04:11.480213 2020] [:debug] [pid 1753] mod_auth_cas.c(1436): [client 192.168.1.14:56172] entering isValidCASTicket()

To be even surer that CAS wasn't the problem I set up a wildcard service like this (/etc/cas/services/testJsonFile-103935657744185.json):

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(http|https)://.*",
  "name" : "testJsonFile",
  "id" : 103935657744185,
  "evaluationOrder" : 10
}

These are curl & s_client:

[root@centostest certificates]# curl -vv --cacert /opt/certificates/selfsigned.crt https://localhost:8443
* About to connect() to localhost port 8443 (#0)
*   Trying ::1...
* Connected to localhost (::1) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Closing connection 0
curl: (77) Problem with the SSL CA cert (path? access rights?)
[root@centostest certificates]# openssl s_client -connect 192.168.1.7:8443 -CAfile /opt/certificates/selfsigned.cer 
CONNECTED(00000003)
depth=0 C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = localhost
verify return:1
---
Certificate chain
 0 s:/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=localhost
   i:/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=localhost
issuer=/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1379 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: C8D76966EDC390476AD7EF2FA3BEE81ACB4E16BBB54509851AA11E5DEFC3033D
    Session-ID-ctx: 
    Master-Key: 13B3CE82396EED396659B0128E85DE41969841600F81F1FAD6DB58D859DF8903D1F9B20376C099092F056047DD94AB79
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1586376650
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

Tried both:
CASCertificatePath /opt/certificates/selfsigned.cer
and
CASCertificatePath /opt/certificates/selfsigned.jks

Forgot to say that I really appreciate your help.

dhawes commented 4 years ago

Both curl and s_client seem to have issues with /opt/certificates/selfsigned.crt. What are the contents of that file? Is it a PEM encoded cert?

dhawes commented 4 years ago

I noticed that your localhost cert did not have the CA:TRUE constraint and that your curl is compiled against NSS. I installed CentOS7 to play with this setup a little.

If I use curl from packages that uses NSS and set up a server with a self-signed certificate with CA:FALSE, I get:

* NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)

If I use a certificate with CA:TRUE, curl works as expected.

If I use a curl compiled against OpenSSL, both self-signed certificates can be verified.

I recommend you try either:

  1. Generating a new certificate for your CAS server that has CA:TRUE set. This should work provided CentOS7 defaults:
     openssl req -newkey rsa:2048 -x509 -nodes -out cert.pem -keyout key.pem -days 365
  2. Using curl compiled against OpenSSL.

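
An added check script, not from the mod_auth_cas project or from anyone in this thread, for the two points the issue turned on: the file handed to CASCertificatePath has to be the certificate the CAS server actually presents, and an NSS-linked curl only accepts a self-signed anchor that carries basicConstraints CA:TRUE, while OpenSSL's own verifier accepts it either way. It builds its test certificates through an openssl config file rather than -addext so it also runs on CentOS 7's OpenSSL 1.0.2; the function names, temp paths and the CN/SAN sample values are assumptions.

```shell
#!/bin/sh
# Added example, not from mod_auth_cas or this thread: build self-signed
# certs the config-file way (CentOS 7's OpenSSL 1.0.2 has no -addext) and
# check the two things that decided the issue above.
# Assumed: function names, temp paths, and the CN/SAN sample values.

# make_selfsigned KEY CERT CAFLAG(TRUE|FALSE) CN SAN   e.g. SAN=IP:192.168.1.7
make_selfsigned() {
    cfg=$(mktemp)
    cat >"$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $4
[v3]
basicConstraints = critical,CA:$3
subjectAltName = $5
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1" -out "$2" -config "$cfg" >/dev/null 2>&1 || return 1
    rm -f "$cfg"
}

# Print the basicConstraints flag of a PEM cert: CA:TRUE, CA:FALSE or nothing.
cert_ca_flag() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -o 'CA:[A-Z]*' | head -n 1
}

# NSS (CentOS 7 curl, hence mod_auth_cas there) only accepts a CA:TRUE anchor.
nss_trust_anchor_ok() {
    [ "$(cert_ca_flag "$1")" = "CA:TRUE" ]
}

# OpenSSL's verifier: CAFILE CERT, e.g. a self-signed cert against itself.
openssl_verify_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of a PEM file (the CASCertificatePath candidate).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of what a live HOST:PORT presents, to compare with the file.
# Needs network, so the offline demo below does not call it.
server_cert_fingerprint() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Offline demo: a CA:TRUE cert for 192.168.1.7 and a CA:FALSE cert for
# localhost (the shape of the keytool/Tomcat cert seen in this thread).
demo() {
    d=$(mktemp -d)
    make_selfsigned "$d/good.key" "$d/good.crt" TRUE 192.168.1.7 IP:192.168.1.7
    make_selfsigned "$d/bad.key" "$d/bad.crt" FALSE localhost DNS:localhost
    for c in good bad; do
        printf '%s: %s nss_anchor=%s openssl_verify=%s fp=%s\n' "$c" \
            "$(cert_ca_flag "$d/$c.crt")" \
            "$(nss_trust_anchor_ok "$d/$c.crt" && echo yes || echo no)" \
            "$(openssl_verify_ok "$d/$c.crt" "$d/$c.crt" && echo ok || echo fail)" \
            "$(cert_fingerprint "$d/$c.crt")"
    done
    rm -rf "$d"
}

if [ "${1-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the CA:FALSE cert rejected as an NSS anchor but still verified by OpenSSL; in a real deployment compare `cert_fingerprint` of the CASCertificatePath file with `server_cert_fingerprint 192.168.1.7:8443` to confirm they are the same certificate.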
veskoz commented 4 years ago

Sorry for the late answer; I really, really appreciate your help! I used both your solutions and I can say it works :)

dhawes commented 4 years ago

Excellent, I'm glad it's working.