up2university / single-sign-on

Up2U federated authentication service

Unable to authenticate as a new user #38

Closed michzimny closed 6 years ago

michzimny commented 6 years ago

I have authenticated with a new Google account. It ended up with an error code in SSO: 9852040c57

Then, whenever I open either CERNBox or Moodle, I get the stack trace below.

It says that there is an SSL certificate problem: certificate has expired?

SAML2 exception: Responder: SimpleSAML_Error_Exception: GuzzleHttp\Exception\RequestException: cURL error 60: SSL certificate problem: certificate has expired (see http://curl.haxx.se/libcurl/c/libcurl-errors.html) in /var/simplesamlphp/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:187
Stack trace:
#0 /var/simplesamlphp/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(150): GuzzleHttp\Handler\CurlFactory::createRejection(Object(GuzzleHttp\Handler\EasyHandle), Array)
#1 /var/simplesamlphp/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(103): GuzzleHttp\Handler\CurlFactory::finishError(Object(GuzzleHttp\Handler\CurlHandler), Object(GuzzleHttp\Handler\EasyHandle), Object(GuzzleHttp\Handler\CurlFactory))
#2 /var/simplesamlphp/vendor/guzzlehttp/guzzle/src/Handler/CurlHandler.php(43): GuzzleHttp\Handler\CurlFactory::finish(Object(GuzzleHttp\Handler\CurlHandler), Object(GuzzleHttp\Handler\EasyHandle), Object(GuzzleHttp\Handler\CurlFactory))
#3 /var/simplesamlphp/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php(28): GuzzleHttp\Handler\CurlHandler->__invoke(Object(GuzzleHttp\Psr7\Request), Array)
#4 /var/simplesamlphp/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php(51): GuzzleHttp\Handler\Proxy::GuzzleHttp\Handler\{closure}(Object(GuzzleHttp\Psr7\Request), Array)
#5 /var/simplesamlphp/vendor/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php(66): GuzzleHttp\Handler\Proxy::GuzzleHttp\Handler\{closure}(Object(GuzzleHttp\Psr7\Request), Array)
#6 /var/simplesamlphp/vendor/guzzlehttp/guzzle/src/Middleware.php(30): GuzzleHttp\PrepareBodyMiddleware->__invoke(Object(GuzzleHttp\Psr7\Request), Array)
#7 /var/simplesamlphp/vendor/guzzlehttp/guzzle/src/RedirectMiddleware.php(70): GuzzleHttp\Middleware::GuzzleHttp\{closure}(Object(GuzzleHttp\Psr7\Request), Array)
#8 /var/simplesamlphp/vendor/guzzlehttp/guzzle/src/Middleware.php(59): GuzzleHttp\RedirectMiddleware->__invoke(Object(GuzzleHttp\Psr7\Request), Array)
#9 /var/simplesamlphp/vendor/guzzlehttp/guzzle/src/HandlerStack.php(67): GuzzleHttp\Middleware::GuzzleHttp\{closure}(Object(GuzzleHttp\Psr7\Request), Array)
#10 /var/simplesamlphp/vendor/guzzlehttp/guzzle/src/Client.php(277): GuzzleHttp\HandlerStack->__invoke(Object(GuzzleHttp\Psr7\Request), Array)
#11 /var/simplesamlphp/vendor/guzzlehttp/guzzle/src/Client.php(125): GuzzleHttp\Client->transfer(Object(GuzzleHttp\Psr7\Request), Array)
#12 /var/simplesamlphp/vendor/guzzlehttp/guzzle/src/Client.php(131): GuzzleHttp\Client->requestAsync('POST', Object(GuzzleHttp\Psr7\Uri), Array)
#13 /var/simplesamlphp/vendor/gwdg/midpoint-access/src/MidPointAccess.php(33): GuzzleHttp\Client->request('POST', 'createOrUpdateM...', Array)
#14 /var/simplesamlphp/modules/serviceaccount/lib/Auth/Process/ServiceAccount.php(234): MidPoint\MidPointAccess->create(Object(MidPoint\MidPointUser))
#15 /var/simplesamlphp/modules/serviceaccount/lib/Auth/Process/ServiceAccount.php(137): sspmod_serviceaccount_Auth_Process_ServiceAccount->createMidPointUser(Array, Array, Array, NULL, Array, NULL)
#16 /var/simplesamlphp/lib/SimpleSAML/Auth/ProcessingChain.php(195): sspmod_serviceaccount_Auth_Process_ServiceAccount->process(Array)
#17 /var/simplesamlphp/lib/SimpleSAML/IdP.php(331): SimpleSAML_Auth_ProcessingChain->processState(Array)
#18 /var/simplesamlphp/lib/SimpleSAML/IdP.php(417): SimpleSAML_IdP::postAuth(Array)
#19 /var/simplesamlphp/modules/saml/lib/IdP/SAML2.php(431): SimpleSAML_IdP->handleAuthenticationRequest(Array)
#20 /var/simplesamlphp/www/saml2/idp/SSOService.php(19): sspmod_saml_IdP_SAML2::receiveAuthnRequest(Object(SimpleSAML_IdP))
#21 {main}

michzimny commented 6 years ago

Checked with another new Google account. The same issue occurs.

foobarable commented 6 years ago

Yes, it's a Let's Encrypt certificate and we can't renew it currently because the idm server is in an internal network. We would have to switch to other certificates, I guess. Can you create some for idm.test.up2university.eu?
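The stack trace above shows where the failure sits: frames #13 to #15 are the IdP's own HTTPS POST from the serviceaccount authproc filter to the MidPoint IdM backend, so it is SimpleSAMLphp acting as a TLS client (via Guzzle/cURL) that rejects the IdM server's expired certificate, not the browser. The script below is an added example and not code from the up2university/single-sign-on repository: it performs the same verifying handshake an HTTPS client does, reports how many days a certificate has left, and, when verification fails, surfaces OpenSSL's verify code (10 is X509_V_ERR_CERT_HAS_EXPIRED, the condition cURL reports as error 60 "certificate has expired"). The host name idm.test.up2university.eu is taken from the thread; port 443 and the 14-day warning threshold are assumptions, as is the sample date used for `now`.

```python
"""TLS certificate expiry check, modelled on the cURL error 60 in this issue.

Added example, not part of the up2university/single-sign-on project.
Assumptions: the IdM host speaks HTTPS on port 443, and a certificate with
fewer than WARN_DAYS days left should already be flagged (Let's Encrypt
certificates live 90 days and are normally renewed well before expiry).
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, Optional, Tuple

WARN_DAYS = 14  # assumed threshold, not from the thread


def parse_not_after(not_after: str) -> datetime:
    """Convert the OpenSSL-style 'notAfter' string returned by
    SSLSocket.getpeercert() (e.g. 'May 15 00:00:00 2018 GMT') to a UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def classify(not_after: str, now: datetime) -> Tuple[str, int]:
    """Return (status, days_left); status is 'expired', 'warning' or 'ok'.
    days_left is negative once the certificate has expired."""
    expiry = parse_not_after(not_after)
    days_left = (expiry - now).days
    if expiry <= now:
        return "expired", days_left
    if expiry - now <= timedelta(days=WARN_DAYS):
        return "warning", days_left
    return "ok", days_left


def check_endpoint(host: str, port: int = 443, timeout: float = 5.0,
                   now: Optional[datetime] = None) -> Dict[str, Any]:
    """Connect as a verifying TLS client, the way cURL does with the default
    CA bundle, and report the certificate's remaining lifetime.

    ssl.create_default_context() verifies the chain and the host name, so an
    expired server certificate never reaches classify(): the handshake raises
    SSLCertVerificationError and we report OpenSSL's verdict instead, which is
    the same information hidden behind 'cURL error 60' in the SimpleSAMLphp trace.
    """
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                status, days = classify(tls.getpeercert()["notAfter"], now)
                return {"host": host, "status": status, "days_left": days}
    except ssl.SSLCertVerificationError as exc:
        # verify_code 10 == X509_V_ERR_CERT_HAS_EXPIRED ("certificate has expired")
        return {"host": host, "status": "verify_failed",
                "verify_code": exc.verify_code, "reason": exc.verify_message}
    except OSError as exc:  # DNS failure, refused connection, timeout, other TLS errors
        return {"host": host, "status": "error", "reason": str(exc)}


if __name__ == "__main__":
    # Live check against the host named in the thread (needs network access).
    print(check_endpoint("idm.test.up2university.eu"))
    # Offline illustration with constructed dates: a certificate that ran out
    # on 15 May 2018, evaluated on 1 June 2018.
    sample_now = datetime(2018, 6, 1, tzinfo=timezone.utc)
    print(classify("May 15 00:00:00 2018 GMT", sample_now))
```

Run it from cron against every internal HTTPS dependency the IdP calls during an authproc chain; a "warning" or "expired" result for the IdM host is exactly the condition that would otherwise first show up as a failed login for a brand-new user, because the MidPoint call only happens on the create-user path (frame #15 in the trace).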

michzimny commented 6 years ago
$ host idm.test.up2university.eu
idm.test.up2university.eu has address 134.76.18.20

@foobarable, the host behind that domain is on your side. I can ping it.

I would be able to generate a cert if I redirected the domain to a host at PSNC. Shall I do this? What will be broken by such an action?

foobarable commented 6 years ago

This is the old system, which is now our test instance. It's no longer in production. We currently work with /etc/hosts internally, so the switch would go smoothly. We should create a proper internal name and certificates and keep the test.up2university domain out of it.

michzimny commented 6 years ago

@foobarable, regarding our discussion 'outside', I assume you will solve the issue on your own.

michzimny commented 6 years ago

Solved, thanks.