Metadata download error

Cantor, Scott cantor.2 at
Thu Apr 3 11:10:07 EDT 2014

On 4/3/14, 10:59 AM, "Joy Veronneau" <jv11 at> wrote:
>I am researching a problem retrieving a vendor's metadata via URL
>configured in our relying-party.xml file. We are getting a certificate
>validation error, and I think this is because the certificate refers to a
>cname for the machine.

Assuming it's signed (and if it's not, you should definitely not pull it
in real time anyway), you could turn off the hostname check in the
metadata provider (though due to library issues in Java, that will do so
for all the metadata sources you configure). The cert shouldn't matter;
you're meant to rely on a signature + a validUntil limit.

>In some cases, we are able to download the metadata and in others, not.
>For example, when I log into the idp and use wget or curl, I get errors.
>This is on redhat 5. On a redhat 6 machine, we do not get these errors.
>So I'm guessing there is some library or something I need to update on
>the redhat 5 machine, can someone please clue me in? Going to redhat 6 is
>not currently an option...

That would suggest RH6 has a fairly massive bug in one or more of its
tools. At least curl there is based on the NSS library, not OpenSSL, so
that isn't the same on RH5.

Regardless, you can't make a hostname check work if the cert is wrong; you
have to disable the check or fix the cert.

-- Scott
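
Scott's point is that trust in fetched metadata should rest on the XML signature and the validUntil limit rather than on the TLS certificate. The following is an added example, not code from the thread or from Shibboleth itself: a Python check over a constructed metadata document that applies the validUntil rule (present, not expired, not further out than an assumed 30-day maximum) and confirms that an enveloped signature covers the root element. It does not verify the signature cryptographically; that step needs an XML-DSig library and the vendor's trusted key.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of a vendor's signed SP metadata; the signature value is a
# placeholder because cryptographic verification is out of scope here.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_vendor1"
    entityID="https://vendor.example.org/sp" validUntil="VALID_UNTIL">
  <ds:Signature>
    <ds:SignedInfo><ds:Reference URI="#_vendor1"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

def sample(valid_until):
    return SAMPLE.replace("VALID_UNTIL", valid_until)

def check_metadata(xml_text, now=None, max_validity=timedelta(days=30)):
    """Return the list of policy violations; empty means the document passes."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag not in ("{%s}EntityDescriptor" % NS["md"],
                        "{%s}EntitiesDescriptor" % NS["md"]):
        return ["root element is not SAML metadata"]
    valid_until = root.get("validUntil")
    if valid_until is None:
        # Without validUntil a stale or withdrawn copy could be replayed forever.
        problems.append("validUntil missing")
    else:
        try:
            expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            problems.append("validUntil is not a UTC xsd:dateTime")
        else:
            if expiry <= now:
                problems.append("metadata expired at " + valid_until)
            elif expiry - now > max_validity:
                problems.append("validUntil exceeds the maximum validity interval")
    sig = root.find("ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    if ref is None:
        problems.append("no enveloped signature on the root element")
    elif ref.get("URI") not in ("", "#" + (root.get("ID") or "")):
        problems.append("signature Reference does not cover the root element")
    return problems
```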
