Metadata download error

Joy Veronneau jv11 at cornell.edu
Thu Apr 3 10:59:06 EDT 2014


Hi,

I am researching a problem retrieving a vendor's metadata via URL configured in our relying-party.xml file. We are getting a certificate validation error, and I think this is because the certificate refers to a cname for the machine.

In some cases, we are able to download the metadata and in others, not. For example, when I log into the idp and use wget or curl, I get errors. This is on redhat 5. On a redhat 6 machine, we do not get these errors. So I'm guessing there is some library or something I need to update on the redhat 5 machine, can someone please clue me in? Going to redhat 6 is not currently an option...

For now, I have downloaded the metadata to a file and things seem to be working.

Thanks

Joy

wget https://media.library.cornell.edu/saml/index/sp-metadata 
--2014-04-03 10:39:26--  https://media.library.cornell.edu/saml/index/sp-metadata
Resolving media.library.cornell.edu... 38.74.193.98
Connecting to media.library.cornell.edu|38.74.193.98|:443... connected.
ERROR: certificate common name `*.mediaspace.kaltura.com' doesn't match requested host name `media.library.cornell.edu'.
To connect to media.library.cornell.edu insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.

 curl https://media.library.cornell.edu/saml/index/sp-metadata
curl: (51) SSL: certificate subject name '*.mediaspace.kaltura.com' does not match target host name 'media.library.cornell.edu'

Error in idp logs:

javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: media.library.cornell.edu 
    at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233) 
    at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:194) 
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) 
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) 
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) 
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) 
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) 
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) 
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:250) 
    at org.opensaml.saml2.metadata.provider.FileBackedHTTPMetadataProvider.fetchMetadata(FileBackedHTTPMetadataProvider.java:154) 
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) 
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider$RefreshMetadataTask.run(AbstractReloadingMetadataProvider.java:508) 
    at java.util.TimerThread.mainLoop(Unknown Source) 
    at java.util.TimerThread.run(Unknown Source)
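
The wget, curl and IdP errors above are all the same check failing: the host name that was requested is not among the names in the certificate the server presented. As an added example, not part of the original post, this Python script implements that RFC 6125 name check over a certificate dict and can probe a server with and without SNI, the TLS extension some older stacks (Java 6, for instance) do not send, which can lead a multi-tenant server to present a different default certificate; the SAMPLE_CERT dict and the SNI comparison are assumptions for illustration.

```python
import socket
import ssl
import sys


def _identifier_matches(presented, hostname):
    """RFC 6125-style comparison of one presented identifier (possibly '*.example.com')
    with a host name: case-insensitive, wildcard only as the whole leftmost label,
    matching exactly one label, never for a bare name such as '*.com'."""
    p = presented.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def _dns_names(cert):
    """Names a client may match: dNSName SANs, or the subject CN only when the
    certificate has no dNSName SANs (cert is an SSLSocket.getpeercert() dict)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def hostname_matches(hostname, cert):
    """True if the certificate covers `hostname`; this is the check that wget, curl
    and the IdP's TLSProtocolSocketFactory reported as failing."""
    return any(_identifier_matches(n, hostname) for n in _dns_names(cert))


def probe(host, port=443, use_sni=True, timeout=10):
    """Connect with or without SNI, keep chain verification on, and return
    (covers_host, names_presented) for the certificate the server actually chose."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name check is done by hostname_matches so the mismatch is visible
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if use_sni else None) as tls:
            cert = tls.getpeercert()
    return hostname_matches(host, cert), _dns_names(cert)


# Constructed sample certificate dict carrying the name quoted in the wget error above.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.mediaspace.kaltura.com"),),),
    "subjectAltName": (("DNS", "*.mediaspace.kaltura.com"),),
}

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "media.library.cornell.edu"
    for sni in (True, False):
        covered, names = probe(host, use_sni=sni)
        print(f"SNI {'on ' if sni else 'off'}: presented {names}; covers {host}: {covered}")
```

Run it against the vendor host from each client machine: if the names presented differ between the two probes, the server picks its certificate from SNI and a client that cannot send it will keep failing the name check no matter which CA bundle it trusts.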
