Federation.SSLError r1.3 - 13 Dec 2007 - 23:45 - PeterHS


SSL Errors

Typical errors on SSL include:

  • couldn't set callback: this is usually caused by different versions of OpenSSL being in use. Make sure you have only one version of the OpenSSL libraries installed and that it does not conflict with others.
  • unable to attach private key to SSL context: is it a valid private key? Have you provided the decryption password for your key? Make sure you put the password in shibboleth.xml, otherwise the key cannot be opened.
  • path validation failure: unable to get local issuer certificate: either the public key or its CA is not trusted (i.e. not in the metadata).
  • SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: the certificate is invalid. Check whether your CN matches your DNS name and whether the certificate is still valid.
  • invalid credential: the SP presents a trusted certificate, but its CN doesn't match the SP's registration in the metadata. Use the SP's DNS name from the CN as the KeyName of this SP in the metadata.
  • error SSL3_GET_RECORD:bad decompression: this means you have modified your SP but forgot to restart both shibd and Apache. If your IdP is on the same box, you also need to restart Tomcat.

ERROR SAML.SAMLSOAPHTTPBinding [6] sessionNew: failed while contacting SAML responder: error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
ERROR shibd.Listener [6] sessionNew: caught exception while creating session: SOAPHTTPBindingProvider::send() failed while contacting SAML responder: error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate

On the Identity Provider:

openssl verify -purpose sslserver -CAfile ca-bundle.pem mycert.pem

On the Service Provider:

openssl verify -purpose sslclient -CAfile /etc/certs/ca-bundle.pem /etc/certs/mycert.pem
openssl s_client -connect idp.hostname.com:8443 -showcerts -cert mycert.pem -key mykey.pem

(Refer: http://www.bestgrid.org/index.php/Shibboleth_Service_Provider_Setup_-_RHEL4)
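
The checks above combined into one script, as an added example that is not part of the original page: it builds a throwaway CA and a certificate whose extendedKeyUsage allows serverAuth only, which passes the sslserver check but fails the sslclient check, and also tests expiry and host name. The function names make_demo_pki and diagnose, the demo.cnf file and the example.org names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page. All names and files are constructed.

# make_demo_pki DIR: throwaway CA (ca-bundle.pem) plus a leaf cert (mycert.pem)
# for CN=sp.example.org that is marked for serverAuth only (no clientAuth).
make_demo_pki() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        '[leaf]' 'extendedKeyUsage = serverAuth' > "$d/demo.cnf"
    openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca-bundle.pem" 2>/dev/null &&
    openssl req -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=sp.example.org" -keyout "$d/mykey.pem" -out "$d/my.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/my.csr" -CA "$d/ca-bundle.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/demo.cnf" -extensions leaf \
        -out "$d/mycert.pem" 2>/dev/null
}

# diagnose ROLE CAFILE CERT HOST
# ROLE is sslclient (the SP's certificate) or sslserver (the IdP's certificate).
# Prints one line per failed check and returns the number of failed checks.
diagnose() {
    fails=0
    # Chain and purpose; match on ": OK" because old openssl exits 0 even on failure.
    if ! openssl verify -purpose "$1" -CAfile "$2" "$3" 2>&1 | grep -q ': OK$'; then
        echo "$1: chain or certificate purpose check failed"; fails=$((fails + 1))
    fi
    # Still valid right now?
    if ! openssl x509 -in "$3" -noout -checkend 0 >/dev/null 2>&1; then
        echo "$1: certificate has expired"; fails=$((fails + 1))
    fi
    # Name check; falls back to the CN when the cert has no subjectAltName.
    if ! openssl x509 -in "$3" -noout -checkhost "$4" 2>/dev/null | grep -q 'does match'; then
        echo "$1: certificate name does not match $4"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Demo run: the same certificate is acceptable as a server cert but not as a client cert.
demo=$(mktemp -d)
make_demo_pki "$demo"
for role in sslserver sslclient; do
    diagnose "$role" "$demo/ca-bundle.pem" "$demo/mycert.pem" sp.example.org \
        && echo "$role: all checks passed" || true
done
```
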


