Shibboleth Developers

[Scott Cantor <>]

> so I need to give curl a CA bundle holding  the cert being used by 
> apache server....

Well, possibly, it depends on what distro you use. Even if it fails, that
would tell you it connected.

> ... I had pointed my httpd.conf file at the shar.key and shar.cert 
> files included in the target  distribution.....

That's fine.

> ...  but, it now occurs to me, where there a different key/cert 
> combination distributed with the origin, and should I be pointing 
> apache at those? (I'm presuming that when the SHAR runs,and invokes 
> curl, it passes curl a bundle of certs obtained from the trust 
> files.....)

No, nothing like that. They just share some common code. The same key is
distributed on both ends and it doesn't matter which copy you use.

> >  curl -L -o tmp https://localhost/index.html
> curl: (60) Failed to connect to localhost IP number 1: 128

Ah. Hmm, well, that explains the error in the log sort of. I think it
probably just failed once because of the name mismatch, but maybe it dumps
messages in a different order than I expected.

Anyway, there's no way what you're doing is going to work, you're using a
real hostname to connect to a cert with localhost in it.

-- Scott