Trying to resolve SSO SSL issues

[wildmanmatt]

Hi,

I've been battling with trying to get SSL properly setup on the Plesk SSO server.

I'm running plesk 10.1.1 and have SSL installed with no problems in the control panel itself.

I have followed this guide: http://kb.odin.com/en/6138 but am still having problems.

I'm using a Comodo PositiveSSL certificate.

the verify command gives me this output:

> openssl s_client -connect ukserv2.xtradog.com:11444
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=ukserv2.xtradog.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=ukserv2.xtradog.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=ukserv2.xtradog.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=ukserv2.xtradog.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFLjCCBBagAwIBAgIQNl3fK9rIjQ5Nu3T3+aixBTANBgkqhkiG9w0BAQUFADBx
MQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
VQQHEwdTYWxmb3JkMRowGAYDVQQKExFDb21vZG8gQ0EgTGltaXRlZDEXMBUGA1UE
AxMOUG9zaXRpdmVTU0wgQ0EwHhcNMTEwMjE5MDAwMDAwWhcNMTIwMjE5MjM1OTU5
WjBXMSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0ZWQxFDASBgNVBAsT
C1Bvc2l0aXZlU1NMMRwwGgYDVQQDExN1a3NlcnYyLnh0cmFkb2cuY29tMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlns+Jts9rEyJIPkhUwFkvUQXFl2f
5fUe7sK/h7zd73q7nqEVUUWjlY/qlMFAPHEbgj4tc0JthTdkOHz1sxajjYira9AU
ZwCayWU82BiUff5FW6xMe+t/g9mUVGapAtAQNSLv6GHSWzH0nSUFLJxh78TWfU1n
Rk4nVVErl71yhikl1yunxtCskCiRsyh+Vd2uRu5iLfhOBKpLGNXK9z5opHI3KKLV
IQSYTgi5MPGjGFNiyCoTdCaqC4ZDADs0X10DBQjaolFcjFhGy4vOQkf/3j0Dd6VG
5T3kkL5haKJj+6VANhMW6raGeq92kHdj3irPLm21SWI4gHOkkt8+NORSkwIDAQAB
o4IB2jCCAdYwHwYDVR0jBBgwFoAUuMoR6QYxedvDlMboGSq8uzUWMaQwHQYDVR0O
BBYEFPIegv79vIUxE0Xi5b7ahkvPpfuHMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMB
Af8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBGBgNVHSAEPzA9
MDsGCysGAQQBsjEBAgIHMCwwKgYIKwYBBQUHAgEWHmh0dHA6Ly93d3cucG9zaXRp
dmVzc2wuY29tL0NQUzBpBgNVHR8EYjBgMC+gLaArhilodHRwOi8vY3JsLmNvbW9k
b2NhLmNvbS9Qb3NpdGl2ZVNTTENBLmNybDAtoCugKYYnaHR0cDovL2NybC5jb21v
ZG8ubmV0L1Bvc2l0aXZlU1NMQ0EuY3JsMGsGCCsGAQUFBwEBBF8wXTA1BggrBgEF
BQcwAoYpaHR0cDovL2NydC5jb21vZG9jYS5jb20vUG9zaXRpdmVTU0xDQS5jcnQw
JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTA3BgNVHREEMDAu
ghN1a3NlcnYyLnh0cmFkb2cuY29tghd3d3cudWtzZXJ2Mi54dHJhZG9nLmNvbTAN
BgkqhkiG9w0BAQUFAAOCAQEAazJa+aZy0GpckxzKK91+8JfBvszMZuiwlPyw7c+E
TtEKmrTMKYkMJ20hphnQOcdZayX3KN8EUoCa2C1/4XFm9o7QmNNPA2NWardlXB8s
w7O0+aZC+byOgfY9vDscLdyhv9fubJEzqYa0YNG4p63HRercsU7+2X3fuaD+EwbO
AqtYw7pBRsVAFQrQJr6Rmv7xShhwxcFxrQgUz+lKA0q2THi3W1rxex6khWv93i5f
5O+/gZwaDvBzzOUzN1P4IFgR9p+a5ht30DoXDJ3lHpl37hbJIAEFfY6hz9TN3BYC
TPzr+GIAfPW6r4MCnWoqijFtlEeBNVXuVgOZywGId0J85g==
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=ukserv2.xtradog.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
---

No client certificate CA names sent
---
SSL handshake has read 1499 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 52429A46E53C780064DF9641FF46AAC0217BDB5EFA7E404FF54EB8845C6C65BC
Session-ID-ctx:
Master-Key: 2118733D6F844B538C43A8DF0DC7F274252121C8E1600FFCAA63E611FF376AD72411440BC995C039BA7F9495C70E68B4
Key-Arg : None
Krb5 Principal: None
Start Time: 1298291991
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---


I have 3 certificate pem files in the /etc/sso folder

sso.pem - containing my RSA Private Key and then my certificate
sso-ca.pem - containing my RSA Private Key and then my CA Root Chain (I think this may be where the problem is)
and
sso-public.pem - containing my certificate

I've tried two different CA Root Chains, but neither seem to work. I've tried the one that I use in my control panel (and which works) which is this:

PositiveSSL.ca-bundle (attached) - this works fine on my panel

And I have tried the Plesk bundle that is on the comodo website which is this:

PositiveSSLPlesk_CA_bundle (attached)


Any help would be really appreciated....

Thanks,

Matt

 

[wildmanmatt]

Some more information that I thought might be helpful is that I have a file called sso_config.ini in the /etc/sso folder which contains the following lines (and some others that I don't think are relevant to this):

; Server's public certificate (used in web server configuraion, it is here mostly for reference)
cert_file = /etc/sso/sso.pem

and

; Certificate authority for SP certificates issued by IdP upon SP registration
cacert_file = /etc/sso/sso-ca.pem


But there is no line referring to sso-public.pem - should there be?


And, information about my system:

Plesk 10.1.1 including billing, CentOS5 x64, Linux ukserv2.xtradog.com 2.6.18-194.32.1.el5 #1 SMP Wed Jan 5 17:52:25 EST 2011 x86_64 x86_64 x86_64 GNU/Linux

Problem description: Can't verify SSL certificate on SSO port using command openssl s_client -connect ukserv2.xtradog.com:11444
Interestingly, I don't get any certificate errors in a web browser since I installed this certificate (I used to). But I do get the panel SSO error of:

Error: Signature is invalid
Warning: The connection to the SSO server failed. You can try to log in to Customer & Business Manager using the local (non-SSO) method or try once againg with SSO.

Which googling has informed me means that my certificate isn't installed properly.


Again, help would be much appreciated

Thanks,

Matt