Nick Howes wrote:
> Actually, ignore me. I've realised it's not to import it, but to verify
> the certificate that is already in there and valid. I'll keep
> investigating as to why my IdP is actually not working properly.
Hi Nick,
Did you receive the following from me previously? I just checked my
back mail and realised I sent it to a colleague and an internal support
list rather than directly to you as intended, so this may not have
made it through to you:
> I just had a quick look and the proximate cause seems to be a certificate
> issue between the IdP and the SP:
>
> 2008-07-22 15:31:06 INFO SAML.SAMLSOAPHTTPBinding [1409] sessionGet:
> sending SOAP message to https://dev-wsos-shib.warwick.ac.uk:80/idp/profile/SAML1/SOAP/AttributeQuery
> [...]
> 2008-07-22 15:31:07 ERROR SAML.SAMLSOAPHTTPBinding [1409] sessionGet:
> failed while contacting SAML responder: error:14094416:
> SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>
> The SP is believed to have a known-good certificate. When I look at
> that endpoint with a browser it prompts for a client cert. I have
> more than one of those in my browser but it only shows my JANET SCS one.
> Is it possible that the AA port is configured with an SSLCACertificateFile
> at the web server level to require an SCS certificate, even though it
> is also configured with optional_no_ca? I think that the SP's attribute
> requester cert is not an SCS one, and I've seen setting SSLCACertificateFile
> (rather than leaving it out) defeat optional_no_ca before.
Cheers,
Fiona.
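An added illustration of the mod_ssl setup that the quoted message suspects, written by the editor for this page and not taken from the Warwick IdP or from anyone on the thread. Hostname, port and file paths are placeholders; the point it shows is that in mod_ssl the CA bundle named by SSLCACertificateFile is also the list of acceptable CA names sent to the client in the TLS CertificateRequest, and that SSLCADNRequestFile exists to control that advertised list on its own:

```apache
# Added example, not the IdP's real configuration. Hostname, port and paths are placeholders.
# Separate vhost for the attribute authority (SAML1 SOAP AttributeQuery endpoint).
Listen 8443
<VirtualHost *:8443>
    ServerName idp.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/idp/server.crt
    SSLCertificateKeyFile /etc/ssl/idp/server.key

    # The setting the thread suspects. optional_no_ca means the client's certificate
    # is requested but need not verify against the server's CA list, so the web server
    # is not meant to be the one rejecting an SP cert. However, SSLCACertificateFile
    # also supplies the acceptable-CA names that mod_ssl advertises in the TLS
    # CertificateRequest. A client that only offers certificates issued by an
    # advertised CA (browsers do this, which is why only the SCS cert showed up)
    # then has nothing to send if its cert was issued elsewhere.
    SSLVerifyClient optional_no_ca
    SSLCACertificateFile /etc/ssl/idp/scs-ca-bundle.pem

    # One way to keep optional_no_ca meaningful: advertise a CA-name list that covers
    # the CAs that actually issued the SPs' attribute-requester certificates.
    # SSLCADNRequestFile changes only the advertised names, not what is verified,
    # so the trust decision on the requester's certificate stays with the IdP.
    # (Directive exists in Apache 2.2 and later; the file path is a placeholder.)
    SSLCADNRequestFile /etc/ssl/idp/advertised-ca-names.pem
</VirtualHost>
```

To check what a given port actually advertises, connect with `openssl s_client -connect host:port` and look for the "Acceptable client certificate CA names" section of its output; if only the SCS CA is listed there while the SP's requester certificate was issued by some other CA, that matches the symptom described above.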