Hi
For something which should be a fairly minor and straightforward thing, this EZproxy certificate issue has become a timewaster of epic proportions. The problem is that it's something which is seen by the vast proportion of resource users and therefore generates a high number of library service desk reports from confused people.
It's a shame because everything was going soooo well. The free wildcard certificate was great while its root was in most (all?) browsers.
The new free wildcard certificate's root is, theoretically, in IE, but how many of your users install the optional updates? It's just too much of a risk, and we know for a fact that it's not currently in Firefox.
So, I've had a poke around and decided to remove the wildcard certificate.
I already have a Janet SCS certificate for libproxy.dundee.ac.uk which is used by EZproxy for the Shibboleth authentication, so I changed the SSL configuration to use that too.
And authentication broke; the IdP now throws up a screen saying:
"Error Message: No peer endpoint available to which to send SAML response"
Ahh, I've seen this before; that sounds like a metadata issue? And sure enough, upping the logging to debug reveals that:
When you use a wildcard certificate: The ACS is https://login.libproxy.dundee.ac.uk/etcetc
But when you use an ordinary certificate: The ACS becomes https://libproxy.dundee.ac.uk/etcetc
(note that the Shibboleth certificate is not changed through all of this)
To be fair the "manage shibboleth" page does show this change of ACS when you change from using a wildcard cert for ordinary SSL, but I missed it!
So, I changed the local metadata and now everything works (nearly). There are no browser errors when you do most things, and so most users are happy. In the rare instances where the remote site changes to https (when you want to do personalisation in ebrary, for instance) you do get a browser error to say:
"site.ebrary.com.libproxy.dundee.ac.uk uses an invalid security certificate
The certificate is only valid for libproxy.dundee.ac.uk."
Which we can live with, and I think is less of a worry for users (of whom far fewer will see it).
I hope this is of some use to those of you still working out what to do after the ipsCA debacle, it seems to work for us.
Cheers
Andy
The University of Dundee is a registered Scottish charity, No: SC015096
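The failure Andy describes ("No peer endpoint available to which to send SAML response") comes from the IdP refusing to send a SAML response to an AssertionConsumerService URL that is not listed in the SP's registered metadata. The script below, an added example and not part of the original e-mail or any EZproxy/Shibboleth code, simulates that endpoint check against constructed SP metadata: with the wildcard-era metadata (ACS on login.libproxy.dundee.ac.uk) a request naming the bare libproxy.dundee.ac.uk ACS finds no endpoint, and the fix is metadata that lists the new ACS. The entityID, the ACS path `/Shibboleth.sso/SAML2/POST`, and the metadata documents are assumptions made for illustration; only the two hostnames come from the post.

```python
"""
Added example (not from the original post): simulate the Shibboleth IdP
endpoint check that produces "No peer endpoint available to which to send
SAML response". The IdP will only deliver a response to an
AssertionConsumerService (ACS) Location that is present, with a matching
Binding, in the SP's registered metadata.  All metadata below is constructed;
the entityID and the ACS path are assumed, not taken from the post.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ACS_PATH = "/Shibboleth.sso/SAML2/POST"  # assumed path, stands in for "/etcetc"


def build_sp_metadata(entity_id, acs_host):
    """Constructed SP metadata with a single HTTP-POST ACS on acs_host."""
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        f'entityID="{entity_id}">'
        '<md:SPSSODescriptor '
        'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f'<md:AssertionConsumerService Binding="{POST_BINDING}" '
        f'Location="https://{acs_host}{ACS_PATH}" index="1"/>'
        '</md:SPSSODescriptor>'
        '</md:EntityDescriptor>'
    )


def registered_acs(metadata_xml):
    """Return [(binding, location), ...] for every ACS in the metadata."""
    root = ET.fromstring(metadata_xml)
    return [
        (e.get("Binding"), e.get("Location"))
        for e in root.findall(".//md:AssertionConsumerService", NS)
    ]


def select_peer_endpoint(metadata_xml, requested_acs, binding=POST_BINDING):
    """
    Simplified model of the IdP's endpoint resolution: the ACS URL carried in
    the AuthnRequest must match a registered Location with the same Binding.
    Returns the matching Location, or None (which is what surfaces as the
    "No peer endpoint available" error).
    """
    for reg_binding, location in registered_acs(metadata_xml):
        if reg_binding == binding and location == requested_acs:
            return location
    return None


def diagnose(metadata_xml, requested_acs):
    """Human-readable outcome of the check, for the reader running this."""
    if select_peer_endpoint(metadata_xml, requested_acs) is None:
        return "Error Message: No peer endpoint available to which to send SAML response"
    return "OK: response will be sent to " + requested_acs


# Hypothetical entityID; the two hostnames are the ones from the post.
ENTITY_ID = "https://libproxy.dundee.ac.uk/shibboleth"
WILDCARD_ERA_METADATA = build_sp_metadata(ENTITY_ID, "login.libproxy.dundee.ac.uk")
ORDINARY_CERT_METADATA = build_sp_metadata(ENTITY_ID, "libproxy.dundee.ac.uk")

# ACS that EZproxy advertises once an ordinary (non-wildcard) cert is in use.
NEW_ACS = "https://libproxy.dundee.ac.uk" + ACS_PATH

if __name__ == "__main__":
    # Stale metadata still lists the login. hostname -> IdP error.
    print(diagnose(WILDCARD_ERA_METADATA, NEW_ACS))
    # Metadata updated to the new ACS -> response is sent.
    print(diagnose(ORDINARY_CERT_METADATA, NEW_ACS))
```

The comparison here is plain string equality on Binding and Location, which is enough to show why the hostname change matters; a real IdP also consults the index and default attributes and may tolerate trailing slashes, so treat this as a model of the check rather than a reimplementation. The practical takeaway is the one in the post: whenever the ACS hostname EZproxy advertises changes, the SP metadata the IdP holds has to be updated to match.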