Troubleshooting SSL
From cosign wiki
Revision as of 14:13, 30 April 2009
If it appears your cosign-protected web server cannot connect to the weblogin server, try these things to find the cause:
Verify the specified paths are correct
An incorrect path or a misspelling in the ChainFilePath, PrivateKeyFilePath, or CAFilePath setting will prevent the filter from establishing a TLS connection to the weblogin server. Check each value exactly as typed, and make sure the files it names are readable by the account the web server runs as.
Verify port 6663 is open
From a command prompt:
telnet weblogin.server.name 6663
You should see a banner and can issue some basic commands:
220 2 Collaborative Web Single Sign-On
noop
250 cosign vINTERNAL
quit
221 Service closing transmission channel
Connection to host lost.
If you get "connect failed", it could be for a number of reasons, but most likely a firewall is blocking outbound connections from your web server to TCP port 6663 on the weblogin server. If the connection opens but no 220 banner appears, the port is reachable but cosignd is not what is answering on it (or it is not running).
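The same check scripted, as an added example that is not part of the cosign wiki or the cosign project. It performs the banner/noop/quit exchange shown above and turns each failure mode into a distinct diagnosis (connect timed out, connection refused, wrong service on the port, service silent). The host name weblogin.server.name is the wiki's placeholder; start_fake_cosignd() is an assumed stand-in that replays the wiki's transcript so the probe can be exercised offline, and unused_local_port() exists only to demonstrate the refused-connection case.

```python
"""Probe a cosign weblogin server on TCP 6663 the way the telnet check does.

Added example, not part of the cosign wiki or the cosign project. The host
name weblogin.server.name is the wiki's placeholder; start_fake_cosignd() is
an assumed stand-in server so the probe can be exercised offline.
"""
import socket
import threading

COSIGN_PORT = 6663


class ProbeError(Exception):
    """Carries a one-line diagnosis of why the probe failed."""


def _read_line(sock):
    """Read one CRLF-terminated reply line; returns '' on EOF."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace").rstrip("\r\n")


def probe_cosign(host, port=COSIGN_PORT, timeout=5.0):
    """Connect, expect a 220 banner, send noop (expect 250), send quit.

    Returns (banner, noop_reply, quit_reply); raises ProbeError with a
    diagnosis that tells a blocked port from a port answered by the wrong service.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        raise ProbeError("connect timed out: a firewall is probably dropping "
                         "outbound TCP %d from this host" % port)
    except ConnectionRefusedError:
        raise ProbeError("connection refused: nothing is listening on %s:%d "
                         "(cosignd not running, or wrong host?)" % (host, port))
    except OSError as exc:
        raise ProbeError("connect failed: %s" % exc)
    with sock:
        try:
            banner = _read_line(sock)
            if not banner.startswith("220"):
                raise ProbeError("no 220 banner (got %r): something other than "
                                 "cosignd is answering on port %d" % (banner, port))
            sock.sendall(b"noop\r\n")            # lowercase, exactly as in the wiki transcript
            noop_reply = _read_line(sock)
            if not noop_reply.startswith("250"):
                raise ProbeError("unexpected reply to noop: %r" % noop_reply)
            sock.sendall(b"quit\r\n")
            quit_reply = _read_line(sock)
        except socket.timeout:
            raise ProbeError("port %d is open but the service did not answer "
                             "within %.0fs" % (port, timeout))
    return banner, noop_reply, quit_reply


def start_fake_cosignd():
    """Assumed stand-in for cosignd that replays the wiki's transcript; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rwb") as f:
            f.write(b"220 2 Collaborative Web Single Sign-On\r\n")
            f.flush()
            for line in f:
                cmd = line.strip().lower()
                if cmd == b"noop":
                    f.write(b"250 cosign vINTERNAL\r\n")
                    f.flush()
                elif cmd == b"quit":
                    f.write(b"221 Service closing transmission channel\r\n")
                    f.flush()
                    break
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_local_port():
    """A local port with nothing listening, to show the 'connection refused' diagnosis."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        host, port = sys.argv[1], COSIGN_PORT     # e.g. weblogin.server.name
    else:                                         # no host given: talk to the fake daemon
        host, port = "127.0.0.1", start_fake_cosignd()
    try:
        for reply in probe_cosign(host, port):
            print(reply)
    except ProbeError as exc:
        print("FAILED:", exc)
        sys.exit(1)
```

Run it with the weblogin host name as the only argument from the web server itself, not from your workstation: the question is whether the web server's outbound path to port 6663 is open, and a firewall rule scoped to that host is the usual culprit.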
Make sure you have the CA file for the weblogin server
The TLS handshake on port 6663 is mutual: the weblogin server verifies the identity of the filter, and the filter must verify the identity of the weblogin server against the CA you give it. Download the latest CA file for your weblogin server and rehash it: OpenSSL finds a CA certificate in a directory by a file name derived from the hash of the certificate's subject (eight hex digits followed by .0), which is what c_rehash, or openssl x509 -hash plus a copy or symlink under that name, creates. Make sure the filter's CAFilePath points to the *directory* containing the hashed file, not to the PEM file itself. Rehash with the same OpenSSL version the filter is linked against: OpenSSL 1.0.0 changed the subject hash algorithm, so the old and new schemes produce different file names.
Make sure certificates are not expired
From a command prompt:
cd C:\Program Files\IISCosign
openssl x509 -noout -dates -in SSL\server.cert
The output will be something like:
notBefore=Nov 6 20:44:44 2007 GMT
notAfter=Nov 3 20:44:44 2017 GMT
If the current date is after the notAfter date, you will need to generate a new CSR for your cert and have it signed. If the current date is before the notBefore date, or the certificate looks expired when it should not be, check the web server's clock: a wrong system time makes a valid certificate look not yet valid or expired.
Also check the expiration date for the weblogin server's CA certificate:
openssl x509 -noout -dates -in SSL\webloginCA.pem
If the notAfter date has passed, you will need to download an updated version of this file and rehash the directory it lives in.
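The two checks above, the CA hash directory and the certificate validity window, in one script, as an added example that is not part of the cosign wiki or the cosign project. It reads notBefore/notAfter straight out of the certificate's DER, so it works on a box where openssl is not on the PATH, and it distinguishes "expired" from "not yet valid" (the wrong-clock case). The certificate it builds for demonstration is a constructed, unsigned certificate-shaped DER using the wiki's example dates, not a real certificate; the CA directory check assumes OpenSSL's eight-hex-digit <subject-hash>.N file-name convention; file paths passed on the command line are whatever you give it.

```python
"""Check a cosign certificate's validity window and the CAFilePath hash directory.

Added example, not part of the cosign wiki or the cosign project. It parses
notBefore/notAfter from the DER directly, so it needs no openssl binary. The
sample certificate it builds is a constructed, unsigned stand-in for
demonstration only; the directory check assumes OpenSSL's <subject-hash>.N
file-name convention.
"""
import base64
import os
import re
from datetime import datetime, timezone


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    """UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ) to a UTC datetime."""
    text = value.decode("ascii")
    if tag == 0x17:                        # UTCTime: two-digit year, RFC 5280 pivot at 50
        year = int(text[:2])
        text = ("20%02d" if year < 50 else "19%02d") % year + text[2:]
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_dates(pem):
    """Return (notBefore, notAfter) from a PEM certificate, like openssl x509 -dates."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    der = base64.b64decode(body)
    _, cert, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)              # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)             # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)         # serialNumber
    _, _, pos = _tlv(tbs, pos)             # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)             # issuer Name
    _, validity, _ = _tlv(tbs, pos)        # validity ::= SEQUENCE { notBefore, notAfter }
    t1, v1, pos = _tlv(validity, 0)
    t2, v2, _ = _tlv(validity, pos)
    return _parse_time(t1, v1), _parse_time(t2, v2)


def cert_status(pem, now=None):
    """'ok', 'expired' or 'not-yet-valid' at time now (default: current UTC time)."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = cert_dates(pem)
    if now < not_before:
        return "not-yet-valid"             # also what a wrong system clock looks like
    if now > not_after:
        return "expired"
    return "ok"


_HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def ca_dir_problems(path, names=None):
    """Problems with a CAFilePath directory; names overrides the listing (for offline tests)."""
    if names is None:
        if not os.path.isdir(path):
            return ["%s is not a directory (CAFilePath must name the hash directory, "
                    "not the PEM file)" % path]
        names = os.listdir(path)
    if not any(_HASH_NAME.match(n) for n in names):
        return ["no <subject-hash>.N file in %s; rehash it (c_rehash, or openssl x509 "
                "-hash plus a symlink or copy)" % path]
    return []


def _der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample certificate."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_cert_pem(not_before="071106204444Z", not_after="171103204444Z"):
    """Constructed, unsigned certificate-shaped DER with the wiki's example dates; not a real cert."""
    validity = _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + _der(0x30, b"") + validity + _der(0x30, b"") + _der(0x30, b""))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample_cert_pem()
    nb, na = cert_dates(pem)
    print("notBefore=%s\nnotAfter=%s\nstatus=%s" % (nb, na, cert_status(pem)))
    if len(sys.argv) > 2:                  # second argument: the CAFilePath directory
        for problem in ca_dir_problems(sys.argv[2]):
            print("CAFilePath:", problem)
```

Run it as `python check_cosign_certs.py SSL\server.cert <CAFilePath>` and again with SSL\webloginCA.pem as the first argument. The directory check only confirms that a hashed file name exists; it does not verify that the hash matches the CA certificate's subject, so if the filter still rejects the weblogin server after this passes, rehash with the OpenSSL version the filter is linked against.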