testshib issue
jsoto
jsoto at ubiobio.cl
Wed Feb 27 12:58:56 EST 2013
Hi,
It is a certificate problem.
On Wed, 27-02-2013 at 17:45 +0000, Chance Cox wrote:
> Below is the error I get. I believe the main issue is 2013-02-27 12:41:17 DEBUG XMLTooling.TrustEngine.PKIX [275]: certificate subject: CN=idp.elon.edu
> but I'm not sure how to resolve the issue. Any suggestions? I apologize if this is a somewhat basic question.
>
> 2013-02-27 12:41:17 DEBUG XMLTooling.StorageService [275]: inserted record (_83359c540b8a0d7ba2f4371d8fc2c264) in context (MessageFlow) with expiration (1361987115)
> 2013-02-27 12:41:17 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [275]: validating signature profile
> 2013-02-27 12:41:17 DEBUG XMLTooling.KeyInfoResolver.Inline [275]: resolving ds:X509Certificate
> 2013-02-27 12:41:17 DEBUG XMLTooling.KeyInfoResolver.Inline [275]: resolved 1 certificate(s)
> 2013-02-27 12:41:17 DEBUG XMLTooling.KeyInfoResolver.Inline [275]: resolved 0 CRL(s)
> 2013-02-27 12:41:17 DEBUG XMLTooling.CredentialCriteria [275]: keys didn't match
> 2013-02-27 12:41:17 DEBUG XMLTooling.TrustEngine.ExplicitKey [275]: unable to validate signature, no credentials available from peer
> 2013-02-27 12:41:17 DEBUG XMLTooling.TrustEngine.PKIX [275]: validating signature using certificate from within the signature
> 2013-02-27 12:41:17 DEBUG XMLTooling.TrustEngine.PKIX [275]: signature verified with key inside signature, attempting certificate validation...
> 2013-02-27 12:41:17 DEBUG XMLTooling.TrustEngine.PKIX [275]: checking that the certificate name is acceptable
> 2013-02-27 12:41:17 DEBUG XMLTooling.TrustEngine.PKIX [275]: adding to list of trusted names (https://testshib.elon.edu/idp/shibboleth)
> 2013-02-27 12:41:17 DEBUG XMLTooling.TrustEngine.PKIX [275]: certificate subject: CN=idp.elon.edu
You are using a cert for idp.elon.edu in testshib.elon.edu.
Create a cert for testshib.elon.edu, replace your metadata and register
again in testshib.
> 2013-02-27 12:41:17 DEBUG XMLTooling.TrustEngine.PKIX [275]: unable to match DN, trying TLS subjectAltName match
> 2013-02-27 12:41:17 DEBUG XMLTooling.TrustEngine.PKIX [275]: unable to match subjectAltName, trying TLS CN match
> 2013-02-27 12:41:17 ERROR XMLTooling.TrustEngine.PKIX [275]: certificate name was not acceptable
> 2013-02-27 12:41:17 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [275]: unable to verify message signature with supplied trust engine
> 2013-02-27 12:41:17 WARN Shibboleth.SSO.SAML2 [275]: detected a problem with assertion: Message was signed, but signature could not be verified.
>
>
> On Feb 27, 2013, at 11:39 AM, "Cantor, Scott" <cantor.2 at osu.edu> wrote:
>
> > On 2/27/13 8:35 AM, "Chance Cox" <ccox14 at elon.edu> wrote:
> >>
> >> I have a test idp the entityid is
> >> https://testshib.elon.edu/idp/shibboleth It has worked for months and I
> >> haven't made any changes. I tried to test it with testshib today and I'm
> >> getting this message.
> >>
> >> Message was signed, but signature could not be verified.
> >
> > The point of testshib is to let you see the logs on the SP so you can find
> > out what it's actually doing and why it might be failing, so I'd suggest
> > checking the logs (I can't say how, but I'm fairly certain the shibd.log
> > is viewable).
> >
> > -- Scott
> >
> >
> > --
> > To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
> >
>
--
Juan Paulo Soto
Departamento Servicios Computacionales
Fono: (56)(41)3111548
Av. Collao 1202 - Concepción
jsoto at ubiobio.cl – http://sti.ubiobio.cl
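
An added example, not part of the original thread or of Shibboleth itself: a small parser that groups the trust-engine decisions in shibd.log by request id, so the signing certificate's subject can be read next to the names the SP was willing to trust. The line layout is assumed from the log lines quoted above, and `summarize_trust_failures` is a hypothetical helper name.

```python
import re

# Sample shibd.log lines copied from the message quoted in this thread.
SAMPLE_LOG = """\
2013-02-27 12:41:17 DEBUG XMLTooling.CredentialCriteria [275]: keys didn't match
2013-02-27 12:41:17 DEBUG XMLTooling.TrustEngine.ExplicitKey [275]: unable to validate signature, no credentials available from peer
2013-02-27 12:41:17 DEBUG XMLTooling.TrustEngine.PKIX [275]: adding to list of trusted names (https://testshib.elon.edu/idp/shibboleth)
2013-02-27 12:41:17 DEBUG XMLTooling.TrustEngine.PKIX [275]: certificate subject: CN=idp.elon.edu
2013-02-27 12:41:17 ERROR XMLTooling.TrustEngine.PKIX [275]: certificate name was not acceptable
2013-02-27 12:41:17 WARN Shibboleth.SSO.SAML2 [275]: detected a problem with assertion: Message was signed, but signature could not be verified.
"""

# Assumed layout: date time LEVEL category [request-id]: message
# Leading "> " quote markers from mail replies are tolerated.
LINE_RE = re.compile(r"^(?:>\s*)*(\S+ \S+) (\w+) (\S+) \[(\d+)\]: (.*)$")


def summarize_trust_failures(log_text):
    """Group trust-engine events by request id; return only rejected requests."""
    requests = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or not a log record
        _ts, level, category, req_id, msg = m.groups()
        r = requests.setdefault(req_id, {
            "trusted_names": [], "cert_subjects": [],
            "explicit_key_failed": False, "pkix_name_rejected": False,
            "signature_rejected": False})
        if category.endswith("TrustEngine.PKIX"):
            if msg.startswith("adding to list of trusted names ("):
                r["trusted_names"].append(msg[msg.index("(") + 1:-1])
            elif msg.startswith("certificate subject: "):
                r["cert_subjects"].append(msg.split(": ", 1)[1])
            elif level == "ERROR" and "certificate name was not acceptable" in msg:
                r["pkix_name_rejected"] = True
        elif category.endswith("TrustEngine.ExplicitKey") and "unable to validate signature" in msg:
            r["explicit_key_failed"] = True
        elif "signature could not be verified" in msg:
            r["signature_rejected"] = True
    return {k: v for k, v in requests.items() if v["signature_rejected"]}


if __name__ == "__main__":
    for req_id, info in summarize_trust_failures(SAMPLE_LOG).items():
        print(req_id, info)
```
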