CAS authentication error

Hi, I’m on Pro 6.3.13.

I tried activating CAS authentication as described in the manual.

But after a nice redirect from the CAS server I get an error on Seahub.

seahub.log traces:

2019-03-25 21:38:37,801 [ERROR] django.request:135 handle_uncaught_exception Internal Server Error: /accounts/cas-login/
Traceback (most recent call last):
  File "/home/cc/seafile/seafile-pro-server-6.3.13/seahub/thirdpart/django/core/handlers/exception.py", line 41, in inner
    response = get_response(request)
  File "/home/cc/seafile/seafile-pro-server-6.3.13/seahub/thirdpart/django/core/handlers/base.py", line 249, in _legacy_get_response
    response = self._get_response(request)
  File "/home/cc/seafile/seafile-pro-server-6.3.13/seahub/thirdpart/django/core/handlers/base.py", line 187, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/home/cc/seafile/seafile-pro-server-6.3.13/seahub/thirdpart/django/core/handlers/base.py", line 185, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/home/cc/seafile/seafile-pro-server-6.3.13/seahub/thirdpart/django/views/decorators/csrf.py", line 58, in wrapped_view
    return view_func(*args, **kwargs)
  File "/home/cc/seafile/seafile-pro-server-6.3.13/seahub/thirdpart/django/views/decorators/http.py", line 40, in inner
    return func(request, *args, **kwargs)
  File "/home/cc/seafile/seafile-pro-server-6.3.13/seahub-extra/seahub_extra/django_cas_ng/views.py", line 81, in login
    request=request)
  File "/home/cc/seafile/seafile-pro-server-6.3.13/seahub/seahub/auth/__init__.py", line 56, in authenticate
    user = backend.authenticate(**credentials)
  File "/home/cc/seafile/seafile-pro-server-6.3.13/seahub-extra/seahub_extra/django_cas_ng/backends.py", line 30, in authenticate
    username, attributes, pgtiou = client.verify_ticket(ticket)
  File "/home/cc/seafile/seafile-pro-server-6.3.13/seahub/thirdpart/cas.py", line 158, in verify_ticket
    response = self.get_verification_response(ticket)
  File "/home/cc/seafile/seafile-pro-server-6.3.13/seahub/thirdpart/cas.py", line 169, in get_verification_response
    page = requests.get(base_url, params=params, verify=self.verify_server_ca)
  File "/home/cc/seafile/seafile-pro-server-6.3.13/seahub/thirdpart/requests/api.py", line 75, in get
    return request('get', url, params=params, **kwargs)
  File "/home/cc/seafile/seafile-pro-server-6.3.13/seahub/thirdpart/requests/api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "/home/cc/seafile/seafile-pro-server-6.3.13/seahub/thirdpart/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/cc/seafile/seafile-pro-server-6.3.13/seahub/thirdpart/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/home/cc/seafile/seafile-pro-server-6.3.13/seahub/thirdpart/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
SSLError: HTTPSConnectionPool(host='CAS-SERVER.DOMAIN.FR', port=443): Max retries exceeded with url: /cas/serviceValidate?ticket=ST-707dd6f531a799e289856f80e906172ad2291e79cd1ea0a1cb3f799c29aa4492&service=http%3A%2F%2FpSEAFILE-SERVER.DOMAIN.FR%2Faccounts%2Fcas-login%2F%3Fnext%3D%252F (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
2019-03-25 21:38:38,038 [WARNING] django.request:152 get_response Not Found: /favicon.ico
cc@cchum-epcc-seaf-dev:~/seafile/logs$

Did anyone get this error?

Do I need to install the CAS certificate on the Apache vhost proxy in front of Seafile?

Any help appreciated :hugs:

Regards

Hi,

No feedback about this?

I found a strange issue with openssl.

If I only use the -connect parameter, the CN returned is not the same as the server address:

other.domain.fr vs. auth.domain.fr

openssl s_client -connect auth.domain.fr:443 -CAfile /etc/ssl/certs/bundle_refid-auth_domain_fr.pem

CONNECTED(00000003)
depth=1 C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL CA 3
verify error:num=2:unable to get issuer certificate
issuer= C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root CA
---
Certificate chain
 0 s:/C=FR/L=Saint-Denis/O=Etablissement public Campus Condorcet/OU=Pole Numerique/CN=other.domain.fr
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
---
Server certificate

If I add the -servername parameter, the CN returned is the same as the server address:

auth.domain.fr

openssl s_client -servername auth.domain.fr -connect auth.domain.fr:443 -CAfile /etc/ssl/certs/bundle_refid-auth_domain_fr.pem
CONNECTED(00000003)
depth=1 C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL CA 3
verify error:num=2:unable to get issuer certificate
issuer= C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root CA
---
Certificate chain
 0 s:/C=FR/L=Saint-Denis/O=Etablissement public Campus Condorcet/OU=Pole Numerique/CN=auth.domain.fr
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
---
Server certificate

If I use a curl request, the CN returned is the same as the server address.

Presuming that Python uses OpenSSL, is there any issue concerning SNI?

https://major.io/2012/02/07/using-openssls-s_client-command-with-web-servers-using-server-name-indication-sni/

Our CAS server (NGINX) hosts several server names but supports SNI.

If your cert_verify method does not support SNI, I suppose that the only solution is to provide a wildcard certificate:

cf. http://nginx.org/en/docs/http/configuring_https_servers.html

Maybe @daniel.pan could answer this…

Regards
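The two `openssl s_client` runs above differ only in whether SNI was sent, and the useful signal is buried in the chain summary: which name the depth-0 certificate carries and which verify errors OpenSSL reported. The following is an added example, not code from the thread or from Seafile: a small parser for that s_client output that extracts the leaf CN and the verify errors and compares the CN with the host that was requested. The two sample outputs are constructed to mirror the ones posted above (organisation fields shortened); the hostname match is on the CN only because that is all the chain summary shows, whereas a real verifier checks the Subject Alternative Name entries.

```python
"""Parse `openssl s_client` output and check whether the leaf certificate
presented by the server was issued for the name we asked for.

Added example (not from the forum thread). It only parses text: the two
sample outputs below are constructed to mirror the ones posted above.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: s_client run without -servername (no SNI sent).
NO_SNI_OUTPUT = """CONNECTED(00000003)
depth=1 C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL CA 3
verify error:num=2:unable to get issuer certificate
issuer= C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root CA
---
Certificate chain
 0 s:/C=FR/L=Saint-Denis/O=Example Org/OU=IT/CN=other.domain.fr
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
---
Server certificate
"""

# Constructed sample: the same run with -servername auth.domain.fr (SNI sent).
SNI_OUTPUT = NO_SNI_OUTPUT.replace("CN=other.domain.fr", "CN=auth.domain.fr")


@dataclass
class ChainEntry:
    depth: int
    subject: dict
    issuer: dict


@dataclass
class SClientResult:
    chain: list = field(default_factory=list)          # ChainEntry objects
    verify_errors: list = field(default_factory=list)  # (num, message) tuples


def _parse_dn(dn: str) -> dict:
    """'/C=FR/L=Paris/CN=x' -> {'C': 'FR', 'L': 'Paris', 'CN': 'x'}."""
    out = {}
    for part in dn.strip("/").split("/"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


CHAIN_RE = re.compile(r"^\s*(\d+) s:(.*)$")       # ' 0 s:/C=FR/...'
ISSUER_RE = re.compile(r"^\s+i:(.*)$")            # '   i:/C=NL/...'
VERIFY_RE = re.compile(r"^verify error:num=(\d+):(.*)$")


def parse_s_client(output: str) -> SClientResult:
    """Collect the certificate chain entries and the verify errors from s_client text."""
    result = SClientResult()
    current = None
    for line in output.splitlines():
        m = VERIFY_RE.match(line)
        if m:
            result.verify_errors.append((int(m.group(1)), m.group(2).strip()))
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = ChainEntry(int(m.group(1)), _parse_dn(m.group(2)), {})
            result.chain.append(current)
            continue
        m = ISSUER_RE.match(line)
        if m and current is not None:
            current.issuer = _parse_dn(m.group(1))
    return result


def leaf_name(result: SClientResult) -> Optional[str]:
    """CN of the depth-0 (server) certificate, if the chain was printed."""
    leaf = next((e for e in result.chain if e.depth == 0), None)
    return leaf.subject.get("CN") if leaf else None


def name_matches(cert_name: str, host: str) -> bool:
    """Exact match or a single-label wildcard (*.domain.fr matches auth.domain.fr only)."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        return host.count(".") == cert_name.count(".") and host.endswith(cert_name[1:])
    return cert_name == host


def diagnose(output: str, expected_host: str) -> dict:
    """Summarise whether the server answered for the right name and with a verifiable chain."""
    result = parse_s_client(output)
    name = leaf_name(result)
    return {
        "leaf_cn": name,
        "name_ok": name is not None and name_matches(name, expected_host),
        "chain_ok": not result.verify_errors,
        "verify_errors": result.verify_errors,
    }


if __name__ == "__main__":
    for label, text in (("no SNI", NO_SNI_OUTPUT), ("SNI", SNI_OUTPUT)):
        print(label, diagnose(text, "auth.domain.fr"))
```

Run against the two samples, the no-SNI output reports a leaf CN of other.domain.fr (name mismatch), while the SNI output reports the expected name but still carries verify error 2, which is a chain-building problem (missing issuer in the -CAfile bundle) and is independent of SNI.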

Hello, we use Python’s Requests module to send HTTP requests (including certificate verification).

Unfortunately, I didn’t find anything about SNI in its documentation.

But according to this manual, if you make sure that both your CAS server and Seafile server are secure, you can add the following configuration to ../conf/seahub_settings.py to skip the certificate check.

CAS_SERVER_CERT_VERIFY = False

Yes @lian,

With this option, the CAS authentication process completes without problems.

If you look further in the Requests docs:

Requests uses certificates from the package certifi. This allows for users to update their trusted certificates without changing the version of Requests.

And then here: Trust Database for Humans — certifi v0.0.1 documentation

How do I use it?
Download the raw CA Bundle or one of our distributions packages for Ruby, Node, Python, or Go.
Use an HTTP client of your choice that supports SNI Verification, Like Requests or Curl.
Pass the path to the CA Bundle to the HTTP Client, and verify to your heart’s content!
Sign up for email notifications of new CA Bundle releases.

So your package supports SNI, doesn’t it?

After further searching, I found this FAQ, so I think the answer is YES.

Some other useful info:

But at the moment we don’t have any experience of how to configure the Python Requests module to support SNI.

We will test it in the next few days.


Hello, after some tests, I can confirm that the Python Requests module supports SNI, without any extra configuration for this module.

These are my test steps:

  1. I bind two different domains to the same IP.

  2. Two nginx virtual hosts with different server names and certificates.

  3. Then I can get responses from both domains without errors.

Thank you @lian

I did some other tests on the NGINX config that may confirm what you wrote.

portal.domain.fr and app.domain.fr are on the same server (different vhosts)

When I ran

openssl s_client -connect portal.domain.fr:443 -CApath /etc/ssl/certs

the answer was CN=app.domain.fr.

It looks like NGINX is looking at the first vhost conf file and retrieving the wrong certificate.
I don’t know why, because all my hosts have the server_name directive set (for SNI).

Renaming portal.conf to 000-portal.conf is a trick to force the correct certificate.

Now

openssl s_client -connect portal.domain.fr:443 -CApath /etc/ssl/certs

the answer is CN=portal.domain.fr.

But Seafile still gets an error:

SSLError: HTTPSConnectionPool(host='CAS-SERVER.DOMAIN.FR', port=443): Max retries exceeded with url: /cas/serviceValidate?ticket=ST-707dd6f531a799e289856f80e906172ad2291e79cd1ea0a1cb3f799c29aa4492&service=http%3A%2F%2FpSEAFILE-SERVER.DOMAIN.FR%2Faccounts%2Fcas-login%2F%3Fnext%3D%252F (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

SNI, as you say, is not involved.

Is there any way to debug the SSL process in Seafile or Requests more deeply?

But the logout process is compromised, as Seafile sends a bad request to the CAS server (SEAFILE.DOMAIN appears twice in the request):

https://CAS.DOMAIN.fr/cas/logout?url=http%3A%2F%2FSEAFILE.DOMAIN.fr%2Fhttps%3A%2F%2FSEAFILE.DOMAIN.fr%2F
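The logout URL above carries a `url` parameter that decodes to two base URLs glued together (http://SEAFILE.DOMAIN.fr/ followed by https://SEAFILE.DOMAIN.fr/), which is why CAS rejects it. The following is an added example, not Seafile or CAS code: it decodes that parameter and checks that it is one well-formed absolute URL whose host is the Seafile server, the same check a CAS administrator would want on any post-logout redirect target. The sample URLs reuse the thread's placeholder host names; the allowed-host set is an assumption.

```python
"""Decode the `url` parameter of a CAS logout request and check that it is one
well-formed absolute URL pointing back at an allowed host.

Added example, not Seafile or CAS code. The first sample logout URL is the one
posted in the thread (placeholder host names); the allowed-host set is an assumption.
"""
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed from the thread: `url` decodes to
# "http://SEAFILE.DOMAIN.fr/https://SEAFILE.DOMAIN.fr/", two base URLs glued together.
BROKEN_LOGOUT = ("https://CAS.DOMAIN.fr/cas/logout?url="
                 "http%3A%2F%2FSEAFILE.DOMAIN.fr%2Fhttps%3A%2F%2FSEAFILE.DOMAIN.fr%2F")
# Constructed: what a correct logout request with a single redirect target looks like.
GOOD_LOGOUT = "https://CAS.DOMAIN.fr/cas/logout?url=https%3A%2F%2FSEAFILE.DOMAIN.fr%2F"

# Assumption: the Seafile server's public name (compared lower-case).
ALLOWED_HOSTS = frozenset({"seafile.domain.fr"})


def logout_target(logout_url: str) -> Optional[str]:
    """Return the decoded `url` parameter, or None if it is absent or repeated."""
    values = parse_qs(urlsplit(logout_url).query).get("url", [])
    return values[0] if len(values) == 1 else None


def check_logout_target(logout_url: str, allowed_hosts=ALLOWED_HOSTS) -> Tuple[bool, str]:
    """(True, target) when the redirect target is acceptable, else (False, reason)."""
    target = logout_target(logout_url)
    if target is None:
        return False, "url parameter missing or repeated"
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False, "url is not an absolute http(s) URL"
    if "://" in parts.path:
        # The symptom from the thread: a base URL prepended to an already absolute URL.
        return False, "a second URL is embedded in the path (base URL prepended twice)"
    if parts.hostname not in allowed_hosts:
        return False, f"host {parts.hostname!r} is not an allowed redirect target"
    return True, target


if __name__ == "__main__":
    for url in (BROKEN_LOGOUT, GOOD_LOGOUT):
        print(check_logout_target(url))
```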