Are you in the loop? Keep up with the latest by making sure you're subscribed to Community Announcements. Just click Watch and select Articles.

×
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Join now to unlock these features and more

Crowd Apache Connector (mod_authnz_crowd) fails when using https with self signed certificates

Moodle Sysadmin
Moodle Sysadmin Jul 28, 2011

I ran into this problem today and wasted many hours debugging & fixing so I thought I would share with the community..

The issue:

when using self signed certificates for SSL, the apache mod_authnz_crowd module (Crowd Apache Connector) rejects the certificate regardless of configuration on the crowd server.

The symptoms:

when setting CrowdURL to a https value in apache you will receive a 500 error through the browser, looking in the apache error_log you will see: "Failed to send authentication request (CURLcode 60)" - this is returned by the CURL library that the module uses to make its connection, and error code 60 from the CURL library can be found here http://curl.haxx.se/libcurl/c/libcurl-errors.html<br< a=""> />
CURLE_SSL_CACERT (60) - Peer certificate cannot be authenticated with known CA certificates.

A quick look at the CURL manual (http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTSSLVERIFYPEER) reveals: This option determines whether curl verifies the authenticity of the peer's certificate. A value of 1 means curl verifies; 0 (zero) means it doesn't.

The Solution:

Download the source code for mod_authnz_crowd from https://studio.plugins.atlassian.com/svn/CWDAPACHE/tags/2.0.2/ and apply the following patch

--- src/crowd_client.orig    2011-07-29 15:44:46.000000000 +0800
+++ src/crowd_client.c    2011-07-29 15:33:29.000000000 +0800
@@ -517,6 +517,7 @@
 #endif
             || curl_easy_setopt(curl_easy, CURLOPT_HTTPHEADER, headers)
             || curl_easy_setopt(curl_easy, CURLOPT_TIMEOUT, config->crowd_timeout)
+            || curl_easy_setopt(curl_easy, CURLOPT_SSL_VERIFYPEER, 0)
             || (post && (curl_easy_setopt(curl_easy, CURLOPT_POST, 1)
             || curl_easy_setopt(curl_easy, CURLOPT_READFUNCTION, read_crowd_authentication_request)
             || curl_easy_setopt(curl_easy, CURLOPT_READDATA, &read_data)

recompile the module, install over the old one in apache and self signed certificates in crowd are no longer a problem!

shame on you atlassian for not even documenting that we cannot use self signed certificates with this module!

Answer
Watch
Like Be the first to like this
1925 views

2 answers

1 accepted

0 votes
Answer accepted
Moodle Sysadmin
Moodle Sysadmin Jul 28, 2011

See above.

View More Comments
krishnan2
krishnan Aug 10, 2011

Hi Jordan,

I too agree that Atlassian hasn't documented well on Connectors for Windows. Which C compiler you used to compile the source. Can you just share this information how you went about generating a connector from the C source. This will too helpful for others who are following the compilation path to generate connectors.

Thanks and Regards,

Anantha

Like
Moodle Sysadmin
Moodle Sysadmin Aug 10, 2011

Anantha,

I'm doubt mod_authnz_crowd will compile on Windows - it is an apache module that depends on unix/linux development libraries.

I use GCC - the default linux compiler package and related development packages (autoconf etc..)

I actually compiled the package directly to an RPM using the spec file provided by atlassian at https://studio.plugins.atlassian.com/svn/CWDAPACHE/tags/2.0.2/packages/mod_authnz_crowd.spec but the package does include its own Makefile so you could run it through autoconf/make/gcc yourself.

Like
Reply
1 vote
Ratsamy Sourinhong
Ratsamy Sourinhong Feb 24, 2013

Since the underlying mechanism to authenticate of the peer's certificate is CURL, you can get around the issue by updating the certificate bundle that CURL uses with your self-signed certificate. You do not need to apply any patches by doing this.

In RedHat Linux, the file and location is: /etc/pki/tls/certs/ca-bundle.crt

(Note: You will need root privileges to update the file as it is owned by root.)

Steps to import your self-signed certificate into the certificate bundle.

1. Export your certificate into a file and store it as Base-64 X.509.

2. On the linux host, use the following command to import the certificate.

$ openssl x509 -in ./your_certificate -text >> /etc/pki/tls/certs/ca-bundle.crt

Reply

Suggest an answer

Log in or Sign up to answer
Crowd
Crowd
TAGS
AUG Leaders

Atlassian Community Events

See all events