Troubleshooting SSL
From cosign wiki
If it appears your cosign-protected web server cannot connect to the weblogin server, try these things to find the cause:
Verify the specified paths are correct
An incorrect path or misspelling of the ChainFilePath, PrivateKeyFilePath, or CAFilePath will prevent the filter from creating a secure connection with the weblogin server.
Verify port 6663 is open
From a command prompt:
telnet weblogin.server.name 6663
You should see a banner and can issue some basic commands (the lines you type are noop and quit; the rest is the server's reply):
220 2 Collaborative Web Single Sign-On
noop
250 cosign vINTERNAL
quit
221 Service closing transmission channel
Connection to host lost.
If you get a "connect failed", it could be for a number of reasons, but most likely a firewall is blocking outbound connections from your web server to port 6663.
Make sure you have the CA file for the weblogin server
Not only does the weblogin server verify the identity of the filter, but the filter also needs to verify the identity of the weblogin server. Download the latest CA file for your weblogin server and rehash the directory it lives in. Make sure the filter is configured to point to the *directory* containing the hash-named link, not to the CA file itself.
Make sure certificates are not expired
From a command prompt:
cd "C:\Program Files\IISCosign"
openssl x509 -dates -noout -in SSL\server.cert
The output will be something like:
notBefore=Nov 6 20:44:44 2007 GMT
notAfter=Nov 3 20:44:44 2017 GMT
If the current date is after the notAfter date, you will need to generate a new CSR for your cert.
Also check the expiration date for the weblogin server's CA certificate:
openssl x509 -dates -noout -in SSL\webloginCA.pem
If the notAfter date has passed, you will need to download an updated version of this file.
Make sure the private key and certificate are a match
From a command prompt:
openssl rsa -in "C:\Program Files\IISCosign\SSL\server.key" -noout
The -noout prevents openssl from displaying your private key. If the key parses successfully, the command prints nothing (a blank line).
Attempt to create a secure connection manually
From a command prompt:
cd "C:\Program Files\IISCosign"
openssl s_client -connect weblogin.server:6663 -cert "C:\Program Files\IISCosign\SSL\certname.crt" -key "C:\Program Files\IISCosign\SSL\certname.key" -CApath "C:\Program Files\IISCosign\SSL" -showcerts -state -debug -crlf -starttls smtp
If things go well, you'll be able to issue commands such as:
CHECK cosign-servicename=abc123
If things don't go well, you will receive some sort of error message indicating why a secure connection could not be established. NOTE: you should also repeat these steps with "runas" or "sudo" as the IIS_WAM or www account, since that is the account the filter runs under and it may not have the same file permissions as your own login.
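The offline checks from this page (certificate expiry, private key matching the certificate, and the CA directory being rehashed so the filter can verify the weblogin server) collected into one script, as an added example that is not from the cosign wiki or the cosign project. It is written for a POSIX shell with the OpenSSL command line, so on a Windows filter host run it from Git Bash, Cygwin or WSL; the file names mirror the IISCosign layout (server.cert, server.key, a CApath directory) but everything it operates on is constructed sample data generated on the fly, so it runs without a weblogin server. The key/certificate check compares the RSA modulus of both files, which is stricter than confirming the key merely parses.

```sh
#!/bin/sh
# Added example, not part of the cosign wiki: offline pre-flight checks for a
# cosign filter's SSL material using only the OpenSSL CLI.

# 0 if the certificate will still be valid $2 seconds from now (default 0),
# i.e. its notAfter date has not passed; non-zero otherwise.
cert_not_expiring_within() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# 0 if the RSA modulus in the certificate equals the modulus in the private
# key, which proves the two files are a pair. Returns 2 if either file
# cannot be read (wrong path, wrong format, unreadable by this account).
cert_matches_key() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 2
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 2
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# 0 if certificate $1 chains to a CA in the CApath directory $2. This is the
# lookup the filter performs on the weblogin server's certificate, and it only
# succeeds once the directory contains <subject_hash>.0 links.
capath_trusts_cert() {
    openssl verify -CApath "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Portable equivalent of c_rehash: link every *.pem CA file in $1 under the
# hash name OpenSSL looks up.
rehash_capath() {
    for ca in "$1"/*.pem; do
        [ -f "$ca" ] || continue
        h=$(openssl x509 -in "$ca" -noout -subject_hash) || return 2
        ln -sf "$(basename "$ca")" "$1/$h.0"
    done
}

# --- constructed sample data (hypothetical names, generated here) -----------
workdir=$(mktemp -d)
# a self-signed filter certificate valid for one day, and an unrelated key
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=cosign-filter-example \
    -keyout "$workdir/server.key" -out "$workdir/server.cert" >/dev/null 2>&1
openssl genrsa -out "$workdir/other.key" 2048 >/dev/null 2>&1
# a CApath holding the CA file as downloaded, before anyone rehashed it
mkdir "$workdir/capath"
cp "$workdir/server.cert" "$workdir/capath/webloginCA.pem"

# Print one PASS/FAIL line per check, the way you would run it before
# debugging the live s_client connection.
report() {
    for check in \
        "cert_not_expiring_within $workdir/server.cert 0" \
        "cert_matches_key $workdir/server.cert $workdir/server.key" \
        "cert_matches_key $workdir/server.cert $workdir/other.key" \
        "capath_trusts_cert $workdir/server.cert $workdir/capath"; do
        if $check; then echo "PASS  $check"; else echo "FAIL  $check"; fi
    done
}

report                          # capath check fails: directory not rehashed
rehash_capath "$workdir/capath"
report                          # capath check now passes
```

The second cert_matches_key line in the report is the failure case on purpose: a key that parses fine but belongs to a different certificate is exactly what a bare openssl rsa -noout check cannot catch. Run the script as the filter's service account as well, since a PASS as your own login and a FAIL as that account points at file permissions rather than at the files themselves.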