vdenotaris / spring-boot-security-saml-sample

SBS3 — A sample SAML 2.0 Service Provider built on Spring Boot.
https://sbs3.vdenotaris.com
Apache License 2.0

Error retrieving metadata from https://idp.ssocircle.com/idp-meta.xml - me too #29

Closed gbrost closed 7 years ago

gbrost commented 7 years ago

Hi,

The example should run out of the box, right? So I just check out and build with

maven clean install

and run it with

java -jar spring-boot-security-saml-sample-1.4.0.RELEASE.war

Is there anything else to do? I get the error below all of the time. Do I need to add some certificates to the keystore or configure a hostname? When I call the address https://idp.ssocircle.com/idp-meta.xml with my browser, I am fine.

Thanks for any help! Gerd


org.opensaml.saml2.metadata.provider.MetadataProviderException: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from https://idp.ssocircle.com/idp-meta.xml
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:267) ~[opensaml-2.6.1.jar!/:?]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.doInitialization(AbstractReloadingMetadataProvider.java:236) ~[opensaml-2.6.1.jar!/:?]
    at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.initialize(AbstractMetadataProvider.java:407) ~[opensaml-2.6.1.jar!/:?]
    at org.springframework.security.saml.metadata.ExtendedMetadataDelegate.initialize(ExtendedMetadataDelegate.java:167) ~[spring-security-saml2-core-1.0.2.RELEASE.jar!/:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager.initializeProvider(MetadataManager.java:412) ~[spring-security-saml2-core-1.0.2.RELEASE.jar!/:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager.refreshMetadata(MetadataManager.java:238) [spring-security-saml2-core-1.0.2.RELEASE.jar!/:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.CachingMetadataManager.refreshMetadata(CachingMetadataManager.java:86) [spring-security-saml2-core-1.0.2.RELEASE.jar!/:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager$RefreshTask.run(MetadataManager.java:1040) [spring-security-saml2-core-1.0.2.RELEASE.jar!/:1.0.2.RELEASE]
    at java.util.TimerThread.mainLoop(Timer.java:555) [?:1.8.0_121]
    at java.util.TimerThread.run(Timer.java:505) [?:1.8.0_121]
Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from https://idp.ssocircle.com/idp-meta.xml
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:274) ~[opensaml-2.6.1.jar!/:?]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) ~[opensaml-2.6.1.jar!/:?]
    ... 9 more
Caused by: javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null
    at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233) ~[openws-1.5.1.jar!/:?]
    at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:186) ~[openws-1.5.1.jar!/:?]
    at org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:97) ~[spring-security-saml2-core-1.0.2.RELEASE.jar!/:1.0.2.RELEASE]
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) ~[commons-httpclient-3.1.jar!/:?]
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) ~[commons-httpclient-3.1.jar!/:?]
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) ~[commons-httpclient-3.1.jar!/:?]
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) ~[commons-httpclient-3.1.jar!/:?]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar!/:?]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) ~[commons-httpclient-3.1.jar!/:?]
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:250) ~[opensaml-2.6.1.jar!/:?]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) ~[opensaml-2.6.1.jar!/:?]
    ... 9 more
schanzen commented 7 years ago

As the certificates from ssocircle are quite new (yesterday) and the keystore is static, I assume that this is to be expected. You probably need to either update the keystore or allow regular PKIX.

gbrost commented 7 years ago

Indeed, I added the CA cert of ssocircle to the keystore and it works. I will create a pull request.

MyGuschtl commented 7 years ago

Works like charm! Thank you!

tomwscott commented 7 years ago

The certificate has changed again and it looks like it will continue to change every 90 days. I've created another PR (#31) which updates the keystore but also includes a script for updating.

@gbrost - is this the same process you used to update the keystore? Is there anything I've missed?

schanzen commented 7 years ago

I suggest instead adding the "DST Root CA X3". Then all "Lets Encrypt" certs will work which seems reasonable. At least until the DST cert expires in 3-4 years.

BR

vipulfreightmate commented 6 years ago

Hi, I am also getting the same issue. I also updated the certificates in the keystore, but the issue is the same. Please help me.

kunudash commented 6 years ago

How can I get the CA cert of ssocircle?
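For the process gbrost and tomwscott describe above (importing the IdP's issuing CA into the sample's static JKS keystore) and for kunudash's question about how to obtain that CA certificate, here is an added shell example. It is not the script from PR #31 and not code from the SBS3 project; the keystore path, store password and alias are placeholders, and the constructed sample chain at the top only exists so the selection logic can be run offline. It pulls the chain the IdP currently serves, selects the topmost CA certificate the server sends (the leaf rotates every 90 days, so pinning it is what keeps breaking), prints its subject, issuer and expiry so you can decide whether to trust that intermediate or the root above it, and replaces the alias in the keystore.

```shell
#!/bin/sh
# Added example, not part of the SBS3 project or of PR #31.
# Refreshes the CA certificate that the sample's SAML keystore trusts for the
# IdP metadata endpoint. Values below are assumed placeholders.
IDP_HOST="${IDP_HOST:-idp.ssocircle.com}"
KEYSTORE="${KEYSTORE:-samlKeystore.jks}"   # assumed path, not the project's
STOREPASS="${STOREPASS:-CHANGE_ME}"        # placeholder, not the project's password
ALIAS="${ALIAS:-ssocircle-ca}"             # assumed alias

# Constructed sample chain (leaf first, issuer second) used for the offline demo.
SAMPLE_CHAIN='-----BEGIN CERTIFICATE-----
LEAF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ISSUER
-----END CERTIFICATE-----'

# Count PEM certificates in a bundle read from stdin (prints 0 for none).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Print the N-th PEM certificate (1-based) of a bundle read from stdin.
pem_cert_nth() {
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    '
}

# Print the last certificate of a bundle from stdin. TLS servers send the leaf
# first, so this is the CA closest to the root that the server chose to send
# (usually an intermediate; the root itself is often not on the wire).
pem_cert_last() {
    bundle=$(cat)
    count=$(printf '%s\n' "$bundle" | pem_cert_count)
    [ "$count" -gt 0 ] || return 1
    printf '%s\n' "$bundle" | pem_cert_nth "$count"
}

# Offline demo on the constructed chain: returns the certificate that would be imported.
demo_select_ca() {
    printf '%s\n' "$SAMPLE_CHAIN" | pem_cert_last
}

# Fetch the chain the IdP host serves right now (needs network access).
fetch_chain() {
    openssl s_client -connect "$IDP_HOST:443" -servername "$IDP_HOST" -showcerts \
        </dev/null 2>/dev/null
}

# Show subject, issuer and expiry of a PEM cert on stdin so the operator can
# confirm it is a CA (intermediate or root) and not the short-lived leaf.
describe_cert() {
    openssl x509 -noout -subject -issuer -enddate
}

# Replace ALIAS in the JKS keystore with the certificate in file $1.
import_ca() {
    keytool -delete -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        2>/dev/null || true
    keytool -importcert -noprompt -alias "$ALIAS" -file "$1" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

main() {
    chain=$(fetch_chain) || { echo "could not connect to $IDP_HOST" >&2; return 1; }
    tmp=$(mktemp) || return 1
    if ! printf '%s\n' "$chain" | pem_cert_last > "$tmp"; then
        echo "no certificate in chain from $IDP_HOST" >&2; rm -f "$tmp"; return 1
    fi
    describe_cert < "$tmp"
    import_ca "$tmp"
    rm -f "$tmp"
    # Verify the keystore now lists the alias.
    keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS"
}

# Run the live update only when executed as update-idp-ca.sh, not when sourced.
case "$0" in *update-idp-ca.sh) main "$@" ;; esac
```

Run it as `KEYSTORE=path/to/the/sample.jks STOREPASS=... ./update-idp-ca.sh`. If `describe_cert` shows an intermediate issued by a root you would rather trust (the thread suggests DST Root CA X3 for Let's Encrypt chains), import that root under the alias instead; trusting the root means the keystore survives intermediate rotations, while trusting only the intermediate means repeating this whenever the IdP's CA changes. Either way the SAML keystore stays a deliberate allow-list rather than falling back to whatever the JDK trusts.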