up2university / single-sign-on

Up2U federated authentication service

Since yesterday CS clients fail to verify the IdP certificate #63

Open gtoffoli opened 4 years ago

gtoffoli commented 4 years ago

Hi, after several months of normal operation, suddenly (since yesterday afternoon) and simultaneously both CommonSpaces clients fail to do the handshake with the production instance of the IdP. This happens both when the IdP periodically interrogates the clients (every hour), and when a user tries to do the SSO login.

I assume that something has changed in the software or configuration of the IdP, since nothing has changed in the clients. Perhaps, should I too change something in the client configuration?

Anyway, I enclose below examples of the messages that my Django framework sends to me by email to notify the errors occurring. In the github issue tracker of a Python library I'm using I've found a related issue: https://github.com/IdentityPython/pysaml2/issues/513.

Thank you for any suggestion!

-----
Internal Server Error: /saml2/metadata/
ConnectionError at /saml2/metadata/
HTTPSConnectionPool(host='sso.up2university.eu', port=443): Max retries exceeded with url: /simplesaml/saml2/idp/metadata.php (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
Request URL: https://cs.up2university.eu/saml2/metadata/
Request URL: https://cs.test.up2university.eu/saml2/metadata/
-----
Internal Server Error: /saml2/login/
ConnectionError at /saml2/login/
HTTPSConnectionPool(host='sso.up2university.eu', port=443): Max retries exceeded with url: /simplesaml/saml2/idp/metadata.php (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
Request Method: GET
Request URL: https://cs.up2university.eu/saml2/login/?next=/en/oer/video-introduttivo/
-----
gtoffoli commented 4 years ago

Now, following the suggestion in https://github.com/IdentityPython/pysaml2/issues/513 , I have set the global parameter disable_ssl_certificate_validation in the configuration of the pysaml2 package (see https://searchcode.com/file/98508865/src/saml2/config.py).

As a result my django application no longer notifies me of system errors, but the user trying to do an SSO login gets a Metadata not found message on the screen; I enclose its text below.

Welcome
Metadata not found
Metadata not found
Unable to locate metadata for 'https://cs.up2university.eu/saml2/metadata/'
This is most likely a configuration problem on either the service provider or identity provider.
If you are an user who received this error after following a link on a site, you should report this error to the owner of that site.
If you are a developer who is deploying a single sign-on solution, you have a problem with the metadata configuration. Verify that metadata is configured correctly on both the identity provider and service provider.
If you report this error, please also report this tracking number which makes it possible to locate your session in the logs available to the system administrator:
3bdc05e44e
foobarable commented 4 years ago

Hi, the certificate expired so we implemented a certificate rollover last week. Let me check if everything is in order. Another reason could be that the rollover procedure, which needs 2 certificates active in the metadata at the same time, is not correctly implemented in the service provider. But let me check the IDP side first.
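
The "certificate verify failed" errors above are what an SP sees when the IdP's TLS certificate has expired, and disabling certificate validation in pysaml2 trades that symptom for an unauthenticated metadata fetch. The following is an added example, not code from this thread or from the Up2U project: a small monitoring check that reports how many days remain on a host's TLS certificate (using only the Python standard library), so an expiry can be caught before clients start failing. The host name is the one from the issue; the 14-day warning threshold is an assumption.

```python
import socket
import ssl
from datetime import datetime, timezone

# Warning threshold is an assumption chosen for this example.
DEFAULT_WARN_DAYS = 14


def days_until_expiry(cert, now=None):
    """Days left on a certificate given as the dict returned by
    SSLSocket.getpeercert(); negative means it has already expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])  # parses "Mon DD HH:MM:SS YYYY GMT"
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return (expires - now_ts) / 86400


def classify(remaining_days, warn_days=DEFAULT_WARN_DAYS):
    """Turn the remaining lifetime into a monitoring state."""
    if remaining_days < 0:
        return "expired"
    if remaining_days < warn_days:
        return "expiring"
    return "ok"


def check_tls_certificate(host, port=443, warn_days=DEFAULT_WARN_DAYS, timeout=5.0):
    """Connect with full chain and hostname verification (the same checks
    requests/pysaml2 perform) and report the leaf certificate's state.
    getpeercert() only returns a populated dict when verification is on."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    remaining = days_until_expiry(cert)
    return {"host": host, "notAfter": cert["notAfter"],
            "days_left": round(remaining, 1), "state": classify(remaining, warn_days)}


if __name__ == "__main__":
    # Network call; the IdP host from the issue report.
    print(check_tls_certificate("sso.up2university.eu"))
```

An "expired" or "expiring" result is the cue to roll the certificate on the IdP side (and, for SAML signing keys, to publish both old and new keys in the metadata during the rollover window) rather than to switch off validation in the SP.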

foobarable commented 4 years ago

@gtoffoli Do you still have your problems or do you have the new certificate in your SP now?

gtoffoli commented 4 years ago

@foobarable No problems. Now it seems that SSO authentication for CS is working again. I didn't have to make any changes. Thank you!